b. Categories of data.
c. Recipients.
d. Retention period.
e. Source of data.
f. Identities of controllers/processor.
g. Automated decision making/profiling.
h. Data subjects' rights under the Regulation.
Other rights (Art 16 GDPR)
· Data subjects can request:
  Rectification of incorrect or incomplete data.
  Erasure of their data ("right to be forgotten").
  Restriction of processing (e.g. temporarily halting processing).
  Portability: the right to receive personal data in a structured format and to transmit it to another controller, if processing is based on consent or a contract and is automated.
Right to Be Forgotten (2) (Art 17 GDPR)
· An enhanced form of the right of erasure: if personal data has been made public, the controller must inform other controllers processing the data of the erasure request.
· Applies to all links, copies or reproductions of the data.
Right to Object (Art 21 GDPR)
· The data subject has the right to object to the processing of their personal data:
  On grounds relating to their particular situation, in which case the request must be specified.
  Without justification when the objection concerns direct marketing purposes.
· This right can be exercised at any time, and the controller must stop processing unless it demonstrates compelling legitimate grounds that override the interests of the data subject.
Data Protection Supervisory Authorities
· Supervisory authorities oversee the application of the GDPR:
  EDPB (European Data Protection Board): replaced the former "Article 29 Working Party".
  National supervisory authorities: each EU Member State has one. In Italy, it is the Garante per la protezione dei dati personali.
  One-Stop-Shop mechanism: allows companies engaged in cross-border processing to deal with a single lead supervisory authority.
Tasks and Powers of Supervisory Authorities
· According to articles 57 and 58 GDPR, supervisory authorities have the following powers:
  Monitoring and enforcement of GDPR compliance.
  Advisory role: issuing guidance and opinions on data protection issues.
  Investigative powers: including access to data and conducting on-site inspections.
  Handling complaints submitted by data subjects (Art 77).
  Corrective powers (Art 58(2)): such as warnings, orders to rectify or restrict processing, and administrative fines.
Administrative Sanctions under the GDPR (Art 83)
· Supervisory authorities (DPAs) can impose fines for GDPR violations.
· Two levels of fines:
  i. Up to €10 million or 2% of the global annual turnover, whichever is higher.
  ii. Up to €20 million or 4% of the global annual turnover, whichever is higher.
· The actual fine depends on such factors as the nature and severity of the violation, and the level of cooperation shown by the data controller or processor.
Technical and Organisational Measures (Art 24)
· The controller must implement appropriate technical and organisational measures to ensure and demonstrate that processing is performed in accordance with the GDPR.
· These measures must be based on:
  The nature, context and purpose of processing.
  The likelihood and severity of varying risks for the rights and freedoms of natural persons.
· These measures must be reviewed and updated when necessary.
Data Protection by Design and by Default (Art 25)
· The controller must, both at the time of determining the means of processing and during the processing itself:
  Apply data protection principles like data minimisation and pseudonymisation.
  Use appropriate technical and organizational measures.
  Take into account the state of the art, cost, nature, scope, context and purpose of processing, and the risks to individuals.
· Objective: integrate safeguards into the design of processing activities to protect the rights of data subjects.
Security of Processing (Art 32)
· Both controller and processor must implement appropriate security measures based on:
  State of the art.
  Cost of implementation.
  Nature, scope, context and purpose of processing.
  Risk of varying likelihood and severity to individuals' rights and freedoms.
· Measures may include:
  Pseudonymisation and encryption.
  Ensuring confidentiality, integrity, availability and resilience.
  Restoring availability after incidents.
  Regular testing and evaluation of security effectiveness.
· Risk assessment must especially consider:
  Accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.
Data Protection Impact Assessment (DPIA) (Art 35)
· When a processing operation is likely to result in a high risk to the rights and freedoms of individuals, especially with new technologies, the controller must conduct a DPIA before processing.
· The DPIA must assess:
  The impact of processing operations on the protection of personal data.
  The likelihood and severity of risks.
· One DPIA may cover multiple similar operations with comparable risks.
Definition of "Risk"
· A "risk" refers to a scenario describing an event and its consequences, which is estimated in terms of both likelihood and severity.
Recital 75 Risk Catalogue
· The GDPR lists possible risks to natural persons which may result due to processing, such as physical, material or non-material damage:
  Discrimination, identity theft, fraud, financial loss, damage to reputation.
  Loss of confidentiality (e.g. from reversal of pseudonymisation).
  Loss of control over personal data.
  Processing sensitive data (ethnicity, health, sexual orientation, beliefs etc.).
  Profiling / work performance, behavior, preferences etc.
  Processing involving large amounts of personal data or vulnerable individuals (e.g. children).
Effects of Data Processing (DPIA)
· The DPIA aims to assess overall negative effects, including:
  Damage to reputation.
  Discrimination.
  Identity theft.
  Financial loss.
  Physical or psychological harm.
  Loss of control over data.
  Other social or economic disadvantages.
  Inability to access rights, services or opportunities.
Risk assessment
· A coordinated set of actions and guidance to manage an organization's risk, based on: the origin, nature, severity and likelihood of the risk, and its impact on the rights and freedoms of individuals.
DPIA (Data Protection Impact Assessment)
When is a DPIA required?
· A DPIA is mandatory only when a processing activity is likely to result in a high risk to the rights and freedoms of individuals (Art 35(1) GDPR).
· However, controllers always have a general duty to manage risks appropriately.
What does it mean in practice?
· Controllers must continually evaluate their processing activities to determine if any type of processing may lead to high risks and thus require a DPIA.
What is a DPIA?
· While not formally defined, the GDPR specifies its minimum content in Art 35(7), including:
  1. A detailed description of the planned processing and its purposes (including legitimate interest).
  2. An evaluation of the necessity and proportionality of the processing.
  3. An assessment of potential risks to individuals.
  4. Planned measures, safeguards and security mechanisms to mitigate those risks.
Which processing operations require a DPIA?
· A DPIA is necessary when processing is likely to result in a high risk, particularly in cases such as:
  a. Automated profiling producing legal or similarly significant effects.
  b. Large-scale processing of special categories of data or of criminal convictions.
  c. Systematic monitoring of publicly accessible areas on a large scale.
When is a DPIA not required?
· WP29 guidelines state that a DPIA is not necessary when:
  The processing does not involve a high risk to individuals.
  Similar processing has already been assessed and nothing has changed.
  The processing was approved before May 2018 and remains unchanged.
  The processing is legally required and a DPIA has already been performed.
  It appears on an optional list of exempted operations published by a supervisory authority.
When should a DPIA be done? How to carry it out?
· A Data Protection Impact Assessment (DPIA) must be conducted before processing begins, in line with data protection by design and by default.
· The DPIA is a decision-making support tool regarding data processing.
· It should be started as early as possible during the design phase, even if all processing details are not yet known.
· It should be updated throughout the lifecycle to maintain compliance and ensure privacy is continuously considered.
· A DPIA is not a one-time task but an ongoing process.
Who is obliged to carry out the DPIA?
· The controller is responsible for the DPIA being completed