Time
1 hour 7 minutes
Difficulty
Beginner
CEU/CPE
3

Video Description

The lawfulness of processing - Data privacy is a fundamental right - What is personal data - Principles of processing personal data - Lawfulness of processing - Conditions for consent - Special categories of data

Video Transcription

00:04
Hello. In this video we'll be looking at the lawfulness of processing, in particular consent and special categories of personal data.
00:15
As I discussed in the previous video, the protection of individuals in the EU in relation to the processing of their personal data is now a fundamental right.
00:24
This is regardless of nationality or residence.
00:27
So what are all these rights?
00:30
I'll cover this in more detail in the next video, but for now we'll summarize.
00:35
The GDPR provides the following rights for individuals:
00:39
the right to be informed,
00:41
the right of access to data,
00:43
the right to rectification,
00:45
the right to erasure of data,
00:48
the right to restrict processing
00:50
the right to data portability,
00:53
the right to object to processing
00:55
and rights in relation to automated decision making and profiling.
01:00
So what is personal data?
01:03
Like the previous Data Protection Directive,
01:04
the GDPR applies to personal data.
01:07
However, the GDPR's definition is more detailed and makes it clear that information such as online identifiers, e.g. IP addresses, can be personal data.
01:18
This is a more expansive definition and provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organizations collect information about people.
01:30
The scope of the regulation applies to any processing activities of an establishment of a controller or processor based in the EU, regardless of whether the processing actually takes place there.
01:42
So if an American company has a European office collecting data in the EU and passing it to an Indian processor,
01:49
this is all covered by GDPR.
01:53
We'll cover ways in which we might protect the data later.
01:57
But suffice it to say for now that the data controller must be able to show you how they comply with the law, which means not only providing the necessary protection but also being able to demonstrate it.
02:10
This slide is fairly self explanatory.
02:13
Personal data should be processed lawfully, fairly and in a transparent manner.
02:19
Transparency ties in to consent, which we'll cover in a moment.
02:23
What it is saying is that the data subject should give clear consent to the data processing,
02:28
which itself should be clearly explained, and the processing should be carried out in a clear and honest manner.
02:36
Data should be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
02:44
This is called purpose limitation.
02:49
Data should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
02:55
This is data minimization.
02:59
Data should be accurate and, when necessary, kept up to date.
03:02
Reasonable steps must be taken to ensure inaccurate data is rectified or erased.
03:08
We'll discuss later how this might be done.
03:12
Data should be kept in a form which permits identification of data subjects for no longer than is necessary.
03:19
This is storage limitation
03:21
and we'll talk about the data lifecycle later.
03:24
Data should be processed in a manner that ensures appropriate security against unlawful processing, accidental loss, destruction or damage.
03:35
This is about the confidentiality and integrity of data.
03:39
The controller shall be responsible for, and able to demonstrate, compliance at all times.
03:45
This is accountability.
03:51
For processing of data to be lawful, you must identify a legal basis before you can begin processing personal data.
03:58
It is important that you determine your legal basis and document it.
04:01
Your legal basis for processing will affect the individual's rights. For example, if you rely on consent then the user has the right to request that their data be deleted.
04:13
For processing to be lawful, at least one of the following must apply.
04:16
The data subject has given their consent.
04:20
I'll cover this on the next slide.
04:23
Performance of a contract to which the data subject is party,
04:28
but only processing that is necessary under the terms of the contract is lawful.
04:31
Compliance with a legal obligation.
04:33
For example, anti-money laundering and know-your-customer regulations.
04:39
This provision is particularly relevant to public authorities and highly regulated sectors such as financial services.
04:46
To protect the vital interests of the data subject or another person.
04:50
This may come into play in areas like health services.
04:56
It is in the public interest or in the exercise of official authority vested in the controller,
05:01
again relevant to public authorities.
05:05
It is necessary for the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the rights of the individual, in particular where the data subject is a child.
05:18
This legitimate interest could be due to the relationship between the data subject and the controller.
05:24
For example, a client or employee relationship.
05:27
This does not give carte blanche to the processor, however, and must not infringe upon the data subject's rights, and data should not be processed beyond their reasonable expectations.
05:42
Consent under the GDPR requires some form of clear affirmative action. It should be freely given, specific, informed and unambiguous,
05:50
and the processing being consented to should be provided in clear, transparent, unambiguous language.
05:59
This consent may be in the form of, for example, ticking a box or a written statement, or can be given verbally.
06:05
Silence, pre-ticked boxes or inactivity do not constitute consent.
06:12
Consent must also be verifiable.
06:15
This means that some form of record must be kept of how and when consent was given.
06:18
It appears that separate consent is required for different processing activities and that these cannot be lumped together.
06:27
Additionally, it may be necessary to provide granular privacy options and consent where applicable.
06:32
It is also important to consider that individuals have a right to withdraw consent at any time, and this should be as easy to do as giving consent.
06:42
Where you already rely on consent that was sought under the EEC Data Protection Directive, you will not be required to obtain fresh consent from individuals if the standard of that consent meets the new requirements under the GDPR.
06:54
Implementation of the GDPR will require a review of consent mechanisms to ensure that they meet the standards required under the legislation.
07:02
If you cannot reach the high standard for consent, then you must either find an alternative legal basis for processing, or cease or not start processing at all.
07:13
Where services are offered directly to children, controllers must ensure that the privacy notice is written in a clear, plain way that a child can understand. For example, for online services the controller needs to obtain consent from a parent or guardian to process the child's data.
07:29
Generally, this age is 16 years old, but member states can lower the age of consent for children to as low as 13.
07:39
Now we come to special categories of data.
07:42
In general, without the specific consent of the individual, processing of personal data revealing special categories is prohibited.
07:48
These categories include
07:50
racial or ethnic origin,
07:54
political opinions or religious belief,
07:56
trade union membership,
07:57
genetic or biometric data for the purposes of uniquely identifying somebody,
08:01
health data,
08:03
sexual orientation.
08:05
Article 9 sets out the circumstances where processing of special categories of data is permitted.
08:11
I'll cover them briefly here.
08:13
You can process these special categories of data if
08:18
additional explicit consent is obtained, unless that consent is prohibited by EU or member state law.
08:26
The processing is necessary for carrying out obligations under employment, social security or social protection law, or by collective agreement.
08:35
Processing is necessary to protect the vital interests of the data subject or another individual.
08:41
Processing is carried out by a not-for-profit body with a political, philosophical, religious or trade union aim.
08:48
processing relates to personal data manifestly made public by the data subject.
08:54
Processing is necessary for the establishment, exercise or defense of a legal claim.
09:00
Processing is necessary for reasons of substantial public interest.
09:05
Processing is necessary for the purposes of preventive or occupational medicine.
09:11
Processing is necessary for reasons of public interest in the area of public health.
09:16
Processing is necessary for archiving purposes in the public interest.
09:22
Otherwise, processing is prohibited.
09:24
Breaches in this area carry the highest category of fine,
09:28
so be sure about your grounds for processing these categories of data.
09:33
In the next video, we'll look at the responsibilities of data controllers and processors in more detail
09:39
and look at the data subjects' rights.
09:43
In the meantime, thank you for watching.

Instructed By

Angus Alderman
Information Security Officer at Boden
Instructor