AmCham s HR Committee s

Similar documents
Getting ready for the new data protection laws A guide for small businesses, charities and voluntary organisations

TimePlan Education Group Ltd ( the Company ) Data Protection. Date: April Version: 001. Contents

Nissa Consultancy Ltd Data Protection Policy

Data Protection Policy. Data protection. Date: 28/4/2018. Version: 1. Contents

RSD Technology Limited - Data protection policy: RSD Technology Limited ( the Company )

INTERNATIONAL WHAT GDPR MEANS FOR RECORDS MANAGEMENT

General Personal Data Protection Policy

PREPARING YOUR ORGANISATION FOR THE GENERAL DATA PROTECTION REGULATION YOUR READINESS CHECKLIST DATA PROTECTION COMMISSIONER

DATA PROTECTION POLICY

SCHOOLS DATA PROTECTION POLICY. Guidance Notes for Schools

CHECKLIST FOR TASKS NEEDED IN ORDER TO COMPLY WITH GDPR. Legal02# v1[RXD02]

P Drive_GDPR_Data Protection Policy_May18_V1. Skills Direct Ltd ( the Company ) Data protection. Date: 21 st May Version: Version 1.

GDPR: What Every MSP Needs to Know

Preparing for the GDPR

Data Protection Policy

EU GENERAL DATA PROTECTION REGULATION

GENERAL DATA PROTECTION REGULATION Guidance Notes

DATA PROTECTION POLICY VERSION 1.0

Brasenose College Data Protection Policy Statement v1.2

DATA PROTECTION POLICY 2018

b. by a controller not established in EU, but in a place where Member State law applies by virtue of public international law.

Preparing for the GDPR Orla O Hannaidh - Womble Bond Dickinson

Scottish Charity Number SC Dingwall Baptist Church DATA PROTECTION POLICY

UK Research and Innovation (UKRI) Data Protection Policy

EARLS HALL BAPTIST CHURCH DATA PROTECTION POLICY

Data Protection Policy

GDPR POLICY. This policy complies with the requirements set out in the GDPR, which will come into effect on

Pensions Authority Data Protection Considerations for Trustees of Occupational Pension Schemes

LAST UPDATED June 11, 2018 DATA PROTECTION POLICY. International Foundation for Electoral Systems

THE COMPETITION AND CONSUMER PROTECTION COMMISSION JOB APPLICANT PRIVACY NOTICE 1. INTRODUCTION... 2

Baptist Union of Scotland DATA PROTECTION POLICY

Training Manual. DATA PROTECTION ACT 2018 (DPA18) Incorporating General Data Protection Regulations (GDPR) Data Protection Officer is Mike Bandurak

Section a What this Policy is for Policy Statement. 2. Why this policy is important... 3

GDPR P4 Privacy Policy Statement & Guidance for Employees and External Providers

WHAT PAYROLL PROFESSIONALS NEED TO KNOW ABOUT THE GENERAL DATA PROTECTION

DATA PROTECTION POLICY

Policy Document for: Data Protection (GDPR) Approved by Directors: September Due for Review: September Statement of intent

SAFFRON WALDEN COMMUNITY CHURCH DATA PROTECTION POLICY. Adopted: [ ]

Data Protection Policy Approved by: COG Approved: 9 August 2017 Review date: August 2019 Version: Statement of Intent

Trinity is committed to protecting the privacy and security of personal data.

NEW LIFE BAPTIST CHURCH NORTHALLERTON DATA PROTECTION POLICY. Adopted: 20 June 2018 To be reviewed: June 2021

The current version (July 2018) is derived from, and supersedes, the version published in February 2017 and earlier versions.

Supplemental guide to the GDPR for HR professionals

PRIVACY NOTICE FOR JOB APPLICANTS

The Society of St Stephen s House Site Security and Monitoring Privacy Notice

Foundation trust membership and GDPR

GDPR readiness for start-ups, technology businesses and professional practices Martin Cassey

LIFE STYLE CARE PLC. Privacy Statement for Employees. August 2018

GDPR for Employers DUBLIN / BELFAST / LONDON / NEW YORK / SAN FRANCISCO / PALO ALTO

ACCENTURE BINDING CORPORATE RULES ( BCR )

THE GENERAL DATA PROTECTION REGULATION (GDPR) A GUIDE FOR CONGREGATIONS

Privacy Policy & Data Protection

GDPR for whom it may concern

Data Protection Employee Privacy Notice

December 28, 2018, New Delhi, INDIA

Depending on the circumstances, we may collect, store, and use the following categories of personal information about you:

GDPR-CERTIFIED ASSURANCE REPORT BASED PROCESSING ACTIVITIES

Hendre Infants School DATA PROTECTION POLICY. Nurture, Believe, Achieve Headteacher: A. J. Brett-Harris

Data Protection Policy. UK Policy May 2018

General Data Protection Regulation. What should community energy organisations be doing to prepare?

GDPR is coming soon. Are you ready. Steven Ringelberg.

Brasenose College is committed to protecting the privacy and security of personal data.

HEAVERS FARM PRIMARY SCHOOL. GDPR Data Protection Policy

CHANNING SCHOOL DATA PROTECTION POLICY

FPSS GDPR Data Protection Policy

DATA PROTECTION POLICY

St Michael s CE Primary School Data Protection Policy

RAW MARKETING DATA PROTECTION POLICY

Personal data: By Personal data we understand all information about identified or identifiable natural ( data subject ) according to GDPR

DATA PROTECTION POLICY

The General Data Protection Regulation in health & social care. 6 October 2016 Leeds

GDPR DATA PROCESSING NOTICE FOR FS1 RECRUITMENT UK LTD FOR APPLICANTS AND WORKERS

Data Protection for Landlords. David Smith Anthony Gold Solicitors

General Data Privacy Regulation: It s Coming Are You Ready?

The General Data Protection Regulation An Overview

UoW takes measures to enable data to be restored and accessed in a timely manner in the event of a physical or technical incident.

Getting Ready for the GDPR

Responsible Business Alliance. Data Privacy and GDPR Compliance Policy

LEICESTER HIGH SCHOOL DATA PROTECTION POLICY

EU General Data Protection Regulation (GDPR)

Guidance and Example of a Privacy Notice Form

The Data Controller for all personal data stored and processed by Horiba MIRA Ltd is:

closer look at Definitions The General Data Protection Regulation

You can contact us directly at Dechert LLP, 160 Queen Victoria Street, London, EC4V 4QQ, United Kingdom or by ing

The General Data Protection Regulation (GDPR) and Data Protection Act (DPA) 2017

Data Protection (internal) Audit prior to May (In preparation for that date)

South Farnham Educational Trust. GDPR Data Protection Policy

How employers should comply with GDPR

Sample Data Management Policy Structure

SSI SERVICES (UK) LTD APPLICANT PRIVACY NOTICE

GDPR Privacy Notice for Staff

GDPR Impacts on Digital Transformation

UCD Human Resources. UCD HR Privacy Statement - Employee

Tourettes Action Data Protection Policy

Data Protection. Document Detail Type of Document (Stat Policy/Policy/Procedure) Category of Document (Trust HR-Fin-FM-Gen/Academy) General

The New EU General Data Protection Regulation 1

Genera Data Protection Regulation and the Public Sector

Swansea University Recruitment Privacy Policy

Agenda. What is the GDPR? Who does GDPR apply to? Implications of Non-Compliance The Road to GDPR Compliance

EDWARDS COMMERCIAL CLEANING SERVICES LTD and EDWARDS COMMERCIAL CLEANING (NORTH) LTD Data Protection Policy for Employees, Workers and Consultants

Transcription:

AmCham s HR Committee s GDPR / Data Privacy Roundtable 19. SEPTEMBER 2017

THE REGULATION REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)..among friends the GDPR A Regulation Applicable from 25 May 2018 Revolution or Evolution? Why is data protection suddenly a hot topic? 2

BRIEF OVERVIEW DATA CONTROLLER OBLIGATIONS Principles and Lawfulness of processing Security Accountability Data subject Rights General Obligations 3

LAWFULNESS OF PROCESSING Personal data Special Categories Principles Criminal records Information Processing is lawful Cpr. no. 3. 3rd country transfers 4

PRINCIPLES Lawfulness, fairness and transparency processed lawfully, fairly and in a transparent manner in relation to the data subject Purpose limitation collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes Data minimisation adequate, relevant and limited to what is necessary in relation to the purposes Accuracy accurate and, where necessary, kept up to date Storage limitation no longer than is necessary for the purposes for which the personal data are processed Integrity and confidentiality Accountability ensure appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures The controller shall be responsible for, and be able to demonstrate compliance 5

LAWFULNESS OF PROCESSING Personoplysninger GDPR Art 6 kategorier GDPR og Art behandlingsgrundlag 9 GDPR Art 10 GDPR Art 87 Personal data Special categories Criminal records CPR-no Name, adress, birthdate, sex etc Application, CV, education, experience, Responsibilities Salary and benefits Absence holiday - sickness Disciplinary measures, relatives Email/internet Photo - CCTV, Personality test racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data health sex life or sexual orientation List is exhaustive Transcript of criminal record 123456-7890 List not exhaustive Lawful processing Lawful processing Lawful processing consent Necessary for performance of contract Compliance with a legal obligation Protect Vital interest of data subject Balancing of interest..and more. Prohibited, except; Explicit consent Rights and obligations under employment law or collective agreement Establish, exercise or defend legal claims Data made public by data subject.and more Explicit consent Consent Compliance with legal obligation 6

LAWFULNESS OF PROCESSING Personal data Special Categories Principles Criminal records Information Processing is lawful Cpr. no. 3. 3rd country transfers 7

DATA SUBJECT RIGHTS Information and Access Right to receive certain information at the time of collection irrespective of source of collection Ret to subsequently request information (entitled to a copy) (Art 13-15 ) Rectification Right to be forgotten Restriction of Processing Data portability Right to object How to respond rectification of inaccurate personal data/ right to have incomplete personal data completed (Art. 16) communicate any rectification to each recipient to whom the personal data have been disclosed (modif: impossible/disproportionate effort. (Art 19) Right to erasure but right is not unconditional!(art 17) communicate any rectification to each recipient to whom the personal data have been disclosed (modif: impossible/disproportionate effort. (Art 19) Right under certain conditions to have processing restricted ( freezing of processing ) (Art 18) communicate any rectification to each recipient to whom the personal data have been disclosed (modif: impossible/disproportionate effort. (Art 19(Art 19) Right to receive the personal data which data subject has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller (Art 20) Right to object, on grounds relating to data subjects particular situation, to processing of personal data which is based on the balancing of interest test (Art 21) Right to object against processing for direct marketing purposes and automated decisions (Art 22) in a concise, transparent, intelligible and easily accessible form, using clear and plain language- and free Within one month of receipt of request (Art 12) Exceptions and limitations apply (Art 23) and supplementing national law. 8

GENERAL OBLIGATIONS Accountability Implement, review and update appropriate technical and organisational measures to ensure and to be able to demonstrate compliance Data Protection Policies Where proportionate in relation to processing activities, the measures shall include the implementation of appropriate data protection policies Data Protection by Design Processing activities and products should be designed to implement data protection principles, Eg. data minimization, pseudonymisation, integrate safeguards etc. Data Protection by Default Responsibility for data processors Records of Processing Activities Cooperation with Supervisory Authority by default, only data which are necessary for each specific purpose of the processing are processed. E.g. the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility Only use data processors that guarantee compliance and protection of privacy Due diligence on data processor and the solution. Monitoring and audit Must be governed by written contract Purpose, categories of data subjects, personal data and recipients, timelimits for erasure, safety measures Exception for organisations employing fewer than 250 employees but only if processing is only occasional cooperate, on request, with the supervisory authority in the performance of its tasks Notification and approval of certain processing no longer required 9

SECURITY OF PERSONAL DATA Technical and organisational safety measures Risk based approach considering state of the art, the costs of implementation and the nature, scope, context and purposes of processing - No specific requirements but GDPR suggests to consider: Pseudonymisation and encryption of personal data ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems ability to restore the availability and access to personal data in a timely manner regularly testing, assessing and evaluating the effectiveness of safety measures Notification of a personal data breach without undue delay and not later than 72 hours after having become aware of the breach describe the nature of the breach including, the categories and approximate number of data subjects and data records concerned the likely consequences of the breach and measures taken to address the breach Be able to document the breach and the measures taken If breach is likely to result in a high risk to data subjects, the controller shall notify the data subjects Data Protection Impact Assessement If new or amended processing activities are likely to result in high risk for data privacy (e.g. new technology, large scale processing of special categories) the controller must perform a DPIA DPIA must include description of a) the intended processing activity and the purpose, b)an assessment of the necessity and proportionality c) an assessement of the risks involved and the measures taken to address the risks Where appropriate seek the view of the data subjects (e.g. work council) If still a high risk prior consultation with data protection authority Data Protection Officer (DPO) advise and monitor compliance serve as contact point for data subjects and authorities etc core activities require regular and systematic monitoring of data subjects on a large scale; or core activities consist of processing on a large scale of special categories of data Independent - protected 10

BRIEF OVERVIEW DATA CONTROLLER OBLIGATIONS Principles and Lawfulness of processing Security Accountability Data subject Rights General Obligations 11

LUNDGRENS TEAM MICHAEL GORM MADSEN ADVOKAT, PARTNER DIR: +45 3525 2930 / MOB: +45 2524 5130 MAIL: MGM@LUNDGRENS.DK Specialiseret i persondataretlige spørgsmål med betydelig erfaring med juridisk og strategisk rådgivning i alle aspekter af persondataretten Stor indsigt i juridiske problemstillinger i relation til Internet og e-handel I 2013 certificeret som Information Privacy Professional CIPP/E af The International Association of Privacy Professionals (IAPP) Medlem af Dansk Forening for Persondataret MAJA KRARUP ADVOKAT DIR: +45 3525 2935 / MOB: +45 2524 5135 MAIL: MHK@LUNDGRENS.DK Advokat i Lundgrens afdeling for persondataret. Mange års erfaring med at rådgive danske såvel som udenlandske klienter om alle aspekter af persondataretten. Særlig fokus på udarbejdelse og implementering af complianceprogrammer i forbindelse med EU Persondataforordningen. Medlem af Dansk Forening for Persondataret / MOB: DIR: +45 +45 @LUNDGRENS.DK 12

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback