20Q&A – The latest CPC project
The 20Q&A project is intended to give the reader a quick overview and short summary of the most urgent questions regarding the General Data Protection Regulation (GDPR). It is intended to raise awareness, especially of the changes and, in part, of what needs to be done before the deadline, May 25th 2018.

The project was necessary because the GDPR will for the first time fully regulate data privacy within the European Union. The GDPR is directly applicable and binding within the Union. No transformation into national law is necessary for the regulation to apply to everyday work concerning data privacy. Although there have been data protection laws before, the GDPR puts data protection on a new level.
To create the 20Q&A, a request was sent to all members of the CPC network to find the relevant questions. Twenty questions were selected out of the many that were sent. The project editor drafted answers to the questions and started a survey within the CPC network. There were two rounds of input until the final result. The 20Q&A is designed to point out the changes that go along with the GDPR.
The Content
Probably the biggest change comes with the extended jurisdiction of the GDPR, as it applies to all companies processing personal data of data subjects residing in the Union, regardless of the company’s location. Non-EU businesses that want to process personal data of data subjects residing in the Union will have to appoint a representative in the EU. On a material scope, the GDPR in general applies to natural and legal persons that process personal data by automated means.
The GDPR states more requirements for processing, especially regarding what has to be included in a contract. It also states more detailed requirements concerning the security measures that have to be implemented. According to the GDPR, all the requirements and implementations have to be documented.
New Principles
New principles and regulations include, to name a few, the obligation to notify whenever there is a personal data breach and the data protection impact assessment according to Art. 35 GDPR.
The GDPR states new rights of the data subject. New are the data subject’s right to be forgotten - also known as data erasure - and the right to data portability, meaning the right to transmit personal data from one controller to another.
Regarding the lawfulness of processing, the GDPR does not necessarily require consent by the data subject. The lawfulness can also result from a legal permissibility regulation, stated in Art. 6 Section 1 GDPR. Pre-existing consent does not have to be obtained anew as long as the consent conforms to the requirements of the GDPR.
In most Member States, the records of processing activities are a new way to document the lawfulness of processing. The records are a register of all processing activities by the controller or – and this is also new – the processor. The records are foremost meant to make the controller and the processor aware of their processing activities. Their other purpose is to simplify control of the processing activities by the supervisory authority.
New Obligations
Controllers are obligated to notify the supervisory authority of a personal data breach when there is a risk to the rights and freedoms of natural persons. The data subject has to be notified when there is a high risk to the rights and freedoms of natural persons.
Art. 37 GDPR states when a Data Protection Officer (DPO) has to be designated. The Member States have the explicit right to define further circumstances in which a DPO has to be designated. The DPO can be a staff member or an external DPO, as long as the legal requirements stated in the GDPR are fulfilled.
A Data Protection Impact Assessment (DPIA) is supposed to help the controller to estimate risks regarding the protection of personal data. It has to be carried out if a type of processing is likely to result in a “high risk” to the rights and freedoms of natural persons. There are several models being developed to execute a DPIA, but the GDPR does not state how to proceed exactly.
In case of data infringements, the controller is directly liable to the data subject. But the processor is liable as well. Art. 82 Section 4 GDPR states that controller and processor can be jointly and severally liable. Although there are some restrictions, this is the main statement. The processor is not privileged or even free of liability, even though he does not control the processing of data.
25 May 2018
The GDPR as a whole will be directly applicable starting May 25th 2018. There will be no additional transition time or a grace period after May 25th. May 25th 2018 is the definitive final deadline for GDPR compliance.
Conclusion
The 20Q&A is a helpful overview of what has changed and what needs to be done before the deadline. It takes into account the current situation within the CPC network and is a great way to get started on becoming GDPR compliant.
Article provided by: Dr. Jens Eckhardt and Nils Steffen (Derra, Meyer & Partner)
Discover more about the Cloud Privacy Check (CPC) / Data Privacy Compliance (DPC) project
Director CPC project: Dr. Tobias Höllwarth, tobias.hoellwarth@eurocloud.org