Date post: | 22-Jan-2018 |
Category: |
Law |
Upload: | browne-jacobson-llp |
Join in the conversation #GenerationGDPR Connect with our experts | LinkedIn
How to implement GDPR for the public sector
Connect with Dmitrije
+44 (0)115 976 6238
Connect with Patrick
patrick.o‘[email protected]
+44 (0)330 045 2149
GDPR
• key definitions
• legal grounds for processing
• guidance and tips
• questions
Key definitions
Article 4(1)
‘personal data’ means any information relating to an identified or identifiable natural person (the data subject)
Key definitions
Article 4(7)
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
Key definitions
Article 4(7)
where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law
Requirement for a lawful basis for processing
Data protection principles
1. processed lawfully, fairly and in a transparent manner
2. only processed for specified, explicit and legitimate purposes
3. adequate, relevant and limited to the purposes for which processed
4. must be accurate
5. kept for no longer than necessary
6. kept securely
Bases for processing
• personal data – Article 6 GDPR
• special categories of personal data – Article 9 GDPR
Information to be provided to data subjects
• Article 13 GDPR – information to be provided where personal data are collected from the data subject
• Article 14 GDPR – information to be provided where personal data have not been obtained from the data subject
Personal data
“means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”
Article 6
• (1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject
• (1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
Article 6
• (1)(b) – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
• (1)(d) – processing is necessary in order to protect the vital interests of the data subject or of another natural person
Processing special categories of personal data
• racial or ethnic origin
• political opinions
• religious or philosophical beliefs
• trade union membership
• the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person
• data concerning health
• data concerning a natural person's sex life or sexual orientation
Bases for processing
• Article 9(2)(b) – employment, social security and social protection
• Article 9(2)(h) – health or social care purposes
• Article 9(2)(i) – public health
Article 9(2)(g)
Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject
Appropriate policy document
Explains the controller’s:
• procedures for securing compliance with the data protection principles in connection with the processing of that personal data
• policies as regards the retention and erasure of that personal data, giving an indication of how long such personal data is likely to be retained
Schedule 2 to the Data Protection Act 1998
processing data
• consent and legitimate interests
other legal grounds
• contractual necessity
• statutory basis/public function
• compliance with a legal obligation
Article 4(11)
‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her
Recital 43
In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation
Article 7(3)
The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
Article 6(1)(f)
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Article 6(1)
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
Get in touch with your questions