Hello. In this video we'll be looking at the lawfulness of processing, in particular consent and special categories of personal data.
As I discussed in the previous video, the protection of individuals in the EU in relation to the processing of their personal data is now a fundamental right.
This is regardless of nationality or residence.
So what are all these rights?
I'll cover this in more detail in the next video, but for now, to summarise,
the GDPR provides the following rights for individuals:
the right to be informed,
the right of access to data,
the right to rectification,
the right to erasure of data,
the right to restrict processing,
the right to data portability,
the right to object to processing,
and rights in relation to automated decision making and profiling.
So what is personal data?
Like the previous Data Protection Directive,
the GDPR applies to personal data.
However, the GDPR's definition is more detailed and makes it clear that information such as online identifiers, e.g. IP addresses, can be personal data.
This is a more expansive definition and provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and in the way organisations collect information about people.
The scope of the regulation applies to any processing activities of an establishment of a controller or processor based in the EU, regardless of whether the processing actually takes place there.
So if you're an American company that has a European office collecting data in the EU and passing it to an Indian processor,
this is all covered by the GDPR.
We'll cover ways in which we might protect the data later.
But suffice it to say for now that the data controller must be able to show you how they comply with the law, which means not only providing the necessary protection but also being able to demonstrate it.
This slide is fairly self explanatory.
Personal data shall be processed lawfully, fairly and in a transparent manner.
Transparency ties in with consent, which we'll cover in a moment.
What it is saying is that the data subject should give clear consent to the data processing,
which itself should be clearly explained, and the processing should be carried out in a clear and honest manner.
Data should be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
This is called purpose limitation.
Data should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
This is data minimization.
Data should be accurate and, when necessary, kept up to date.
Reasonable steps must be taken to ensure inaccurate data is rectified or erased.
We'll discuss later how this might be done.
Data should be kept in a form which permits identification of data subjects for no longer than is necessary.
This is storage limitation,
and we'll talk about the data lifecycle later.
Data should be processed in a manner that ensures appropriate security against unlawful processing and accidental loss, destruction or damage.
This is about the confidentiality and integrity of data.
The controller shall be responsible for, and able to demonstrate, compliance at all times.
This is accountability.
For processing of data to be lawful, you must identify a legal basis before you can begin processing personal data.
It is important that you determine your legal basis and document it.
Your legal basis for processing will affect the individual's rights. For example, if you rely on consent then the user has the right to request that their data be deleted.
For processing to be lawful, at least one of the following must apply.
The data subject has given their consent.
I'll cover this on the next slide.
Performance of a contract to which the data subject is party,
but only processing that is necessary under the terms of the contract is lawful.
Compliance with a legal obligation.
For example, anti-money laundering and know-your-customer regulations.
This provision is particularly relevant to public authorities and highly regulated sectors such as financial services.
To protect the vital interests of the data subject or another person.
This may come into play in areas like health services.
It is in the public interest or in the exercise of official authority vested in the controller,
again relevant to public authorities.
It is necessary for the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the rights of the individual, in particular where the data subject is a child.
This legitimate interest could be due to the relationship between the data subject and the controller,
for example a client or employee relationship.
This does not give carte blanche to the processor, however, and must not infringe upon the data subject's rights, and data should not be processed beyond their reasonable expectations.
Consent under the GDPR requires some form of clear affirmative action. It should be freely given, specific, informed and unambiguous,
and the processing being consented to should be described in clear, transparent, unambiguous language.
This consent may be in the form of, for example, ticking a box or a written statement, or it can be given verbally.
Silence, pre-ticked boxes or inactivity do not constitute consent.
Consent must also be verifiable.
This means that some form of record must be kept of how and when consent was given.
It appears that separate consent is required for different processing activities; these cannot be lumped together.
Additionally, it may be necessary to provide granular privacy options and consent where applicable.
It is also important to consider that individuals have a right to withdraw consent at any time, and this should be as easy to do as it is to give consent.
Where you already rely on consent that was sought under the EC Data Protection Directive, you will not be required to obtain fresh consent from individuals if the standard of that consent meets the new requirements under the GDPR.
Implementation of the GDPR will require a review of consent mechanisms to ensure that they meet the standards required under the legislation.
If you cannot reach the high standard for consent, then you must either find an alternative legal basis for processing, or cease or not start processing at all.
Where services are offered directly to children, controllers must ensure that the privacy notice is written in a clear, plain way that a child can understand. For example, for online services the controller may need to obtain consent from a parent or guardian to process the child's data.
Generally, this age is 16 years old, but member states can lower the age of consent for children to as low as 13.
Now we come to special categories of data.
In general, without specific consent of the individual, processing of personal data revealing special categories is prohibited.
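As an added illustration, not taken from the video, here is a small consent ledger in Python that encodes the consent properties just described: consent is accepted only as a clear affirmative action, it is recorded per processing purpose with how and when it was given, and withdrawal is always accepted with no extra hurdle. The class and method names are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical consent ledger illustrating GDPR consent properties:
# affirmative action only, per-purpose granularity, a verifiable record,
# and withdrawal that is as easy as granting. Not part of the video.

# Capture methods the video names as valid: ticking a box, a written
# statement, or verbal consent. Silence / pre-ticked boxes are not listed.
AFFIRMATIVE_METHODS = {"ticked_box", "written_statement", "verbal"}


@dataclass
class ConsentEvent:
    purpose: str        # one specific processing activity, e.g. "marketing_email"
    granted: bool       # True = consent given, False = consent withdrawn
    method: str         # how it was captured (the "how" of the verifiable record)
    at: datetime        # when it was captured, UTC (the "when" of the record)


@dataclass
class ConsentLedger:
    subject_id: str
    events: list = field(default_factory=list)

    def give(self, purpose, method, at=None):
        # Pre-ticked boxes, silence or inactivity must be rejected as consent.
        if method not in AFFIRMATIVE_METHODS:
            raise ValueError(f"{method!r} is not a clear affirmative action")
        self.events.append(ConsentEvent(purpose, True, method,
                                        at or datetime.now(timezone.utc)))

    def withdraw(self, purpose, at=None):
        # Withdrawal is unconditional: no method gate, no extra confirmation.
        self.events.append(ConsentEvent(purpose, False, "withdrawal",
                                        at or datetime.now(timezone.utc)))

    def has_consent(self, purpose):
        # Consent is per purpose; the latest event for that purpose wins.
        state = False
        for e in sorted(self.events, key=lambda e: e.at):
            if e.purpose == purpose:
                state = e.granted
        return state

    def audit_trail(self, purpose):
        # The verifiable record: (when, how, given-or-withdrawn) per purpose.
        return [(e.at.isoformat(), e.method, e.granted)
                for e in sorted(self.events, key=lambda e: e.at)
                if e.purpose == purpose]
```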
These categories include
racial or ethnic origin,
political opinions or religious belief,
trade union membership,
genetic or biometric data for the purpose of uniquely identifying somebody.
Article 9 sets out the circumstances where processing of special categories of data is permitted.
I'll cover them briefly here.
You can process these special categories of data if:
Additional explicit consent is obtained, unless that consent is prohibited by EU or member state law.
The processing is necessary for carrying out obligations under employment, social security or social protection law, or by collective agreement.
Processing is necessary to protect the vital interests of the data subject or another individual.
Processing is carried out by a not-for-profit body with a political, philosophical, religious or trade union aim.
processing relates to personal data manifestly made public by the data subject.
Processing is necessary for the establishment, exercise or defense of a legal claim.
Processing is necessary for reasons of substantial public interest.
Processing is necessary for the purposes of preventive or occupational medicine.
Processing is necessary for reasons of public interest in the area of public health.
Processing is necessary for archiving purposes in the public interest.
Otherwise, processing is prohibited.
Breaches in this area carry the highest category of fine,
so be sure about your grounds for processing these categories of data.
In the next video, we'll look at the responsibilities of data controllers and processors in more detail,
and look at data subjects' rights.
In the meantime, thank you for watching.