GDPR Articles With Commentary & EU Case Laws, Adv. Prashant Mali [books to read as a couple .txt] 📗
- Author: Adv. Prashant Mali
Book online «GDPR Articles With Commentary & EU Case Laws, Adv. Prashant Mali [books to read as a couple .txt] 📗». Author Adv. Prashant Mali
Suitable Recitals
(75) Risks to the rights and freedoms of natural persons; (84) Risk evaluation and impact assessment; (89) Elimination of the general reporting requirement; (90) Data protection impact assessment; (91) Necessity of a data protection impact assessment; (92) Broader data protection impact assessment; (93) Data protection impact assessment at authorities.
COMMENTARY:
A data protection impact assessment (DPIA) is a process to help you identify and minimise the data protection risks of a project. You must do a DPIA for certain listed types of processing, or any other processing that is likely to result in a high risk to individuals’ interests. You can use our screening checklist to help you decide when to do a DPIA. It is also good practice to do a DPIA for any other major project, which requires the processing of personal data.
Your DPIA must:
describe the nature, scope, context and purposes of the processing;
assess necessity, proportionality and compliance measures;
identify and assess risks to individuals; and
identify any additional measures to mitigate those risks.
To assess the level of risk, you must consider both the likelihood and the severity of any impact on individuals. High risk could result from either a high probability of some harm, or a lower possibility of serious harm.
You should consult your DPO (if you have one) and, where appropriate, individuals and relevant experts. Processors may need to assist.
If you identify a high risk and you cannot mitigate that risk, you must consult the expert CO before starting the processing.
The expert will give written advice within eight weeks, or 14 weeks in complex cases. In appropriate cases we may issue a formal warning not to process the data, or ban the processing altogether.
What’s new under the GDPR?
The GDPR introduces a new obligation to do a DPIA before carrying out processing likely to result in high risk to individuals’ interests. If your DPIA identifies a high risk, which you cannot mitigate, you must consult the expert. This is a key element of the new focus on accountability and data protection by design, and a more risk-based approach to compliance. Some organisations will already carry out privacy impact assessments (PIAs) as a matter of good practice. If so, you will need to review your processes to make sure they comply with GDPR requirements. The big changes are that DPIAs are now mandatory in some cases, and there are specific requirements for content and process.
If you have not already got a PIA process, you will need to design a new DPIA process and embed this into your organisational policies and procedures. In the run- up to 25th May 2018, you also need to review your existing processing operations and decide whether you need to do a DPIA for anything, which is likely to be high risk. You will not need to do a DPIA if you have already considered the relevant risks and safeguards, unless there has been a significant change to the nature, scope, context or purposes of the processing.
What is a DPIA?
A DPIA is a process to systematically analyse your processing and help you identify and minimise data protection risks. It must:
Describe the processing and your purposes;
Assess necessity and proportionality;
Identify and assess risks to individuals; and
Identify any measures to mitigate those risks and protect the data.
It does not have to eradicate the risk, but should help to minimise risks and consider whether or not they are justified. You must do a DPIA for processing that is likely to be high risk. But an effective DPIA can also bring broader compliance, financial and reputational benefits, helping you demonstrate accountability more generally and building trust and engagement with individuals.
A DPIA may cover a single processing operation or a group of similar processing operations. A group of controllers can do a joint DPIA. It’s important to embed DPIAs into your organisational processes and ensure the outcome can influence your plans. A DPIA is not a one-off exercise and should be seen as an ongoing process, kept under regular review.
DPIAs should consider compliance risks, but also broader risks to the rights and freedoms of individuals, including the potential for any significant social or economic disadvantage. The focus is on the potential for harm – whether physical, material or non-material - to individuals or to society at large. To assess the level of risk, a DPIA must consider both the likelihood and the severity of any impact on individuals. It should look at risk based on the specific nature, scope, context and purposes of the processing.
When do you need to do a DPIA?
You must do a DPIA before you begin any type of processing which is “likely to result in a high risk”. This means that although the actual level of risk has not been assessed yet, you need to screen for factors, which point to the potential for a widespread or serious impact on individuals.
In particular, the GDPR says you must do a DPIA if you plan to:
Use systematic and extensive profiling with significant effects;
Process special category or criminal offence data on a large scale; or
Systematically monitor publicly accessible places on a large scale. You suppose to do a DPIA if you plan to:
Use new technologies;
Use profiling or special category data to decide on access to services;
Profile individuals on a large scale;
Process biometric data;
Process genetic data;
Match data or combine datasets from different sources;
Collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’);
Track individuals’ location or behaviour;
Profile children or target services at them; or
Process data that might endanger the individual’s physical health or safety in the event of a security breach.
You should also think carefully about doing a DPIA for any other processing which is large scale, involves profiling or monitoring, decides on access to services or opportunities, or involves sensitive data or vulnerable individuals. Even if there is no
specific indication of likely high risk, it is good practice to do a DPIA for any major new project involving the use of personal data.
Art. 36 GDPR Prior Consultations
The controller shall consult the supervisory authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.
Where the supervisory authority is of the opinion that the intended processing referred to in paragraph 1 would infringe this Regulation, in particular where the controller has insufficiently identified or mitigated the risk, the supervisory authority shall, within period of up to eight weeks of receipt of the request for consultation, provide written advice to the controller and, where applicable to the processor, and may use any of its powers referred to in Article 58. That period may be extended by six weeks, taking into account the complexity of the intended processing. The supervisory authority shall inform the controller and, where applicable, the processor, of any such extension within one month of receipt of the request for consultation together with the reasons for the delay. Those periods may be suspended until the supervisory authority has obtained information it has requested for the purposes of the consultation.
When consulting the supervisory authority pursuant to paragraph 1, the controller shall provide the supervisory authority with:
Where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings;
The purposes and means of the intended processing;
The measures and safeguards provided to protect the rights and freedoms of data subjects pursuant to this Regulation;
Where applicable, the contact details of the data protection officer;
The data protection impact assessment provided for in Article 35; and
Any other information requested by the supervisory authority.
Member States shall consult the supervisory authority during the preparation of a proposal for a legislative measure to be adopted by a national parliament, or of a regulatory measure based on such a legislative measure, which relates to processing.
Notwithstanding paragraph 1, Member State law may require controllers to consult with, and obtain prior authorisation from, the supervisory authority in relation to processing by a controller for the performance of a task carried out by the
controller in the public interest, including processing in relation to social protection and public health.
Suitable Recitals
(94) Consultation of the supervisory authority; (95) Support by the processor; (96) Consultation of the supervisory authority in the course of a legislative process.
COMMENTARY:
The controller must consult the supervisory authority before the implementation of the processing only when the impact assessment conducted by the controller in application of Article 35 indicates that the processing would result in a high risk in the absence of appropriate measures taken by the controller in order to mitigate the risk (Article 36). If the authority considers that the treatment is not compliant with the Regulation, in particular if the controller has not sufficiently identified or mitigated the risk inherent to the processing, the authority then has a period of eight weeks (which may be extended by six weeks if the processing complexity so required) to advise the controller in writing - or if applicable, the processor - by exercising, if necessary, the powers referred to in Article 58 to require the provision of information, carry out investigations in the form of audit, obtain access to personal data, as well as to the premises of the controller or the processor. The final version of the Regulation specifies that the period within which the authority must give its opinion is suspended until the authority receives the information requested.
Paragraph 6 determines the terms of the request for consultation: the controller must inform the supervisory authority on the allocation of responsibilities between the controller, the possible joint controllers and the processors; the purposes and the methods of processing; measures and safeguards provided to protect the rights and freedoms of data subjects; if necessary, contact details of the data protection officer; the impact analysis carried out and any other information requested by the supervisory authority.
As this already existed in some countries, the Regulation provides that Member States shall consult the supervisory authority as part of the preparation of a proposal for a legislative measure or a regulatory measure relating to personal data processing (paragraph 4). Member States may also require that the controllers consult the supervisory authority and have its prior approval for the processing of data carried out in the context of a task performed in the public interest, including the processing of data relating to social protection and public health.
Article 20 of the Directive required Member States to define categories of processing called "at risk" i.e., those likely to present specific risks to the rights and freedoms of the data subjects. These included categories of processing that, because of their nature, scope or purposes are likely to exclude individuals from benefiting from a right, provision or contract, or those who may present risks, due to the particular use of a new technology (see recital 53). Before these categories of processing are carried out, prior evaluations were to be made by the supervisory authority or the data protection officer in cooperation with the supervisory authority.
Such prior evaluation could also be made in the context of preparation either of a measure of the national parliament or of a measure based on such a legislative measure, which define the nature of the processing and lay down appropriate safeguards.
Section 4: Data Protection Officer
Art. 37 GDPR Designation of the data protection officer
The controller and the processor shall designate a data protection officer in any case where:
The processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
The core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.
A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment.
Where the controller or the processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organisational structure and size.
In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may or, where required by Union or Member State law shall, designate a data protection officer. The data protection officer may act for such associations and other bodies representing controllers or processors.
The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfill the tasks referred to in Article 39.
The data protection officer may be a staff member of the controller or processor, or fulfill the tasks on the basis of a service contract.
The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.
Suitable Recitals
(97) Data protection officer.
COMMENTARY:
Under Article 37 of the General Data Protection Regulation (GDPR), all public authorities and bodies will be required to designate a Data Protection Officer (DPO). Private sector organisations that on a large scale as part of their core activities regularly and systematically monitor data subjects or process sensitive personal data will also have to appoint a DPO.
On December 16, the Article 29 Working Party (WP29) published its draft guidelines on the role of the DPO, clarifying its interpretation
Comments (0)