CNPD Course: Data Protection Basics

Similar documents
CNPD Course: Data Protection Basics

The Role of the Data Protection Officer

Do you handle EU residents personal data? The GDPR update is coming May 25, Are you ready?

Data Protection System of Georgia. Nina Sarishvili Head of International Relations Department

The GDPR and NIS Directive: Risk-based security measures and incident notification requirements

ENFORCEMENT POWERS. The EU Perspective. Olivier Proust. Associate Hunton & Williams LLP

EU Data Protection Triple Threat for May of 2018 What Inside Counsel Needs to Know

Motorola Mobility Binding Corporate Rules (BCRs)

General Data Protection Regulation (GDPR)

How icims Supports. Your Readiness for the European Union General Data Protection Regulation

Our agenda. The basics

Contributed by Djingov, Gouginski, Kyutchukov & Velichkov

NEWSFLASH GDPR N 8 - New Data Protection Obligations

THE NEW GENERAL DATA PROTECTION REGULATION IMPLICATIONS FOR ENTERPRISES. Forum financier du Brabant wallon

Robert Bond. Respecting Privacy, Securing Data and Enabling Trust a view from Europe

GDPR - Are you ready?

Plan a Pragmatic Approach to the new EU Data Privacy Regulation

EU GDPR and . The complete text of the EU GDPR can be found at What is GDPR?

DATA PROCESSING TERMS

This guide is for informational purposes only. Please do not treat it as a substitute of a professional legal

ADMA Briefing Summary March

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).

Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679

Data Protection. Code of Conduct for Cloud Infrastructure Service Providers

Regulating Cyber: the UK s plans for the NIS Directive

Technical Requirements of the GDPR

Talenom Plc. Description of Data Protection and Descriptions of Registers

A comprehensive approach on personal data protection in the European Union

Implementing the new GDPR: what does it mean for Universities?

ACCOUNTING TECHNICIANS IRELAND DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION

Data Breaches and the EU GDPR

EU General Data Protection Regulation (GDPR) A Point of View for Technology Sector Organisations. For private circulation only.

Data Processing Clauses

Data Leak Protection legal framework and managing the challenges of a security breach

Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679

Liechtenstein. General I Data Protection Laws. Contributed by Wanger Advokaturbüro. National Legislation. National Regulatory Authority.

Cisco Spark and GDPR. Thomas Flambeaux. Collaboration Consulting Solution Engineer, Security and Compliance. Cisco Connect 2018 Copenhagen April 12th

Developments in Global Data Protection & Transfer: How They Impact Third-Party Contracts

EU General Data Protection Regulation (GDPR) Achieving compliance

Privacy by Design, Security by Design

Conducting a data flow mapping exercise under the GDPR. Presented by: Alan Calder, founder and executive chairman, IT Governance 4 October 2017

This procedure sets out the usage of mobile CCTV units within Arhag.

ARTICLE 29 DATA PROTECTION WORKING PARTY

Getting ready for GDPR. Philipp Hobler EMEA Field CTO Global Technology Office Dell EMC Data Protection Solutions

General Data Protection Regulation April 3, Sarah Ackerman, Managing Director Ross Patz, Consultant

Data Protection in Switzerland Update Following the Safe Harbor Decision. 21 October 2015 / 6 February 2016 Christian Wyss

General Data Protection Regulation (GDPR) The impact of doing business in Asia

Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of the General Data Protection Regulation (2016/679)

COMMISSION IMPLEMENTING DECISION (EU)

Royal Mail Consultation: Changes to Postal Schemes to reflect new data protection legislation

Data Processing Agreement

Data Processing Agreement

INFORMATION NOTE ON DATA PROCESSING

Introductory guide to data sharing. lewissilkin.com

Preparing for the GDPR

Privacy Notice - General Data Protection Regulation ( GDPR )

Privacy Notice. General Information Protection Regulation ( GDPR )

KSi Malta Privacy Policy

Data Processor Agreement

STATEMENT OF STRATEGY

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

SHELTERMANAGER LTD CUSTOMER DATA PROCESSING AGREEMENT

NEWSLETTER DATA PROTECTION NOTICE. AImotive Ltd.

Eco Web Hosting Security and Data Processing Agreement

FileFacets for GDPR. Solution Overview for Compliance. Copyright 2017 FileFacets Corporation. All rights reserved

PS Mailing Services Ltd Data Protection Policy May 2018

GDPR Compliance. Clauses

GDPR Let s get operational

FIRE REDUCTION STRATEGY. Fire & Emergency Services Authority GOVERNMENT OF SAMOA April 2017

European Union Agency for Network and Information Security

RECRUITMENT DATA PROTECTION NOTICE. AImotive Ltd.

GDPR compliance: some basics & practical to do list

GDPR RECRUITMENT POLICY

Data Processing Agreement DPA

G DATA Whitepaper. The new EU General Data Protection Regulation - What businesses need to know

Exploring the European Commission s Network and Information Security Directive (NIS) What every CISO should know

Data Sheet The PCI DSS

The Corporate Website and the Product Websites are together referred to hereafter as the website.

Data Breach Notification: what EU law means for your information security strategy

Directive on Security of Network and Information Systems

NOTICE OF PERSONAL DATA PROCESSING

The Apple Store, Coombe Lodge, Blagdon BS40 7RG,

Latest version, please translate and adapt accordingly!

Cybersecurity Considerations for GDPR

The GDPR Are you ready?

DATA PROCESSING AGREEMENT

GDPR AMC SAAS AND HOSTED MODULES. UK version. AMC Consult A/S June 26, 2018 Version 1.10

ILNAS/PSCQ/Pr004 Qualification of technical assessors

General Data Protection Regulation (GDPR) and the Implications for IT Service Management

SCHOOL SUPPLIERS. What schools should be asking!

Data Processing Agreement for Oracle Cloud Services

Telecommunications Equipment Certification Scheme FEBRUARY 2017

Data Protection Policy

ENISA s Position on the NIS Directive

A Modern European Data Protection Framework

IT MANAGEMENT AND THE GDPR: THE VMWARE PERSPECTIVE

Privacy Notices under #GDPR: Have you noticed my notice?

DATA PROTECTION A GUIDE FOR USERS

PRIVACY NOTICE (TIER 4)

A Homeopath Registered Homeopath

Transcription:

CNPD Course: Data Protection Basics Presentation of Luxembourg s data protection authority Esch-sur-Alzette Dani Jeitz 7-8 February 2018 Service juridique

Programme 1. Introduction 2. Basic knowledge 3. The rights of the data subjects 4. The obligations of the controllers 5. The role of the CNPD 2

Outline Introduction Organisation and evolution of the CNPD Territorial jurisdiction Tasks Investigative and corrective powers Statistics Initiation to data protection 06-07/01/2018 3

Introduction Independent authority created by law Amended Act of 2 August 2002 Draft bill n 7184 Public institution with financial and administrative autonomy Recent trends: Sophisticated technologies: connected games, Smarthome, social media, smartphones, cloud, etc. Personal data breaches (Uber, Ashley Madison, etc.) Significant increase of complaints, requests for information and legislative opinions Initiation to data protection 06-07/01/2018 4

Compliance Guidance Administration New organizational setup (1/2) CNPD Sector Subject matter Data protection Subject matter experts Collaboration

Compliance Guidance Administration 6 New organizational setup (2/2) On-site inspection CNPD Sanctions Audit Certification Data breach Subject matter experts Stakeholders Commissioners Head of investigation Investigator Expert GDPR European cooperation General Data Protection Regulation

Evolution of the CNPD Annual funding 2014 2015 2016 2017 2018,0 500,000 1000,000 1500,000 2000,000 2500,000 3000,000 3500,000 4000,000 4500,000 Staff 2014 15 2017 25 2018 35

Territorial jurisdiction of the CNPD Jurisdiction on the territory of Luxembourg Introduction of the one stop shop One single point of contact for companies established in several Member States lead authority will be: authority of the main establishment of the controller place of the sole establishment of the controller Reinforced EU cooperation between the «lead authority» and «concerned» authorities Aim is to adopt a single decision In case of disagreement binding decision by the "European Data Protection Board" 8

A paradigm shift Removal of prior formalities (notifications / authorisations) prior monitoring Principle of Accountability subsequent control less bureaucracy, yet more demanding for controllers and processors

Tasks Monitor and enforce the application of the GDPR Advise the national parliament and government Raise public awareness and inform the general public Provide guidance to controllers / processors Handle complaints and conduct investigations Accredit the certification bodies Cooperate with other supervisory authorities Write and publish an annual activity report Initiation to data protection 06-07/01/2018 10

Tasks Widening of competence to include processing activities in criminal / national security matters: Currently: «Article 17» Supervisory Authority (State Public Prosecutor + 2 members of the CNPD) Draft bill n 7168 implementing Directive 2016/680: Processing operations by competent authorities for criminal purposes : competence of the CNPD Exception for processing operations by courts + public prosecutor when acting in their judicial capacity : competence of a judicial control authority ( CNPD) Initiation to data protection 06-07/01/2018 11

Investigative powers Article 58 Powers: Each supervisory authority shall have all of the following investigative powers: to carry out investigations in the form of data protection audits; to obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks; to obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law. Initiation to data protection 06-07/01/2018 12

The right balance (1/3) Compliance Procedures: On-site inspection, file investigation, audit Triggers: Complaint, sectoral / thematic review, incident, You Guidance Channels: EDPB, CNPD,. Means: meetings, conferences, website, CNPD regulations. Initiation to data protection 06-07/01/2018 13

The right balance (2/3)

The right balance (3/3) Intervention in the legislative procedure Raise public awareness to potential risks Raise the awareness of controllers Investigations following a complaint or on own initiative Intervention following a data breach Corrective measures Adm. fines 15

Different types of investigations On-site inspection Inspection at the premises of the controller / processor Specific/limited scope One-off visit where applicable triggers a file inspection File inspection Questionnaire including a document request Review of answers and other relevant documents Switch to on-site inspection or data protection audit according to preliminary results Data protection audit In depth review broader in scope Multiple exchanges in form of meetings communication to exchange information and documents Risk based approach refinement of scope during audit execution Initiation to data protection 06-07/01/2018 16

Corrective powers Issue warnings and reprimands Order the controller/processor to bring processing operations into compliance with the GDPR Impose a temporary or definitive limitation, including a ban on processing Power to impose administrative fines: Major innovation for the Grand Duchy Imposed in addition, or instead of, other corrective measures Infringements can be subject to a max. administrative fine of up to 20 million EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year. Initiation to data protection 06-07/01/2018

Legal remedies Right for every data subject to lodge a complaint with a supervisory authority of the MS of the data subject s habitual residence, place of work or place of the alleged infringement Right to an effective judicial remedy against a supervisory authority against a legally binding decision concerning a data subject against a failure to reply within 3 months competence of the courts of the MS where the supervisory authority is established: Competence of the Luxembourgish Tribunal administratif deciding on the merits of the case 18

Increase of complaints (2017) Evolution of the number of complaints 250 200 150 100 50 0 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 Lawfulness of certain administrative/commercial practices (30%) Refusal of the data subject's right of access (13,5%) Illicit communication to third parties (18.5%) Supervision at the workplace / video-surveillance (12%) Requests of erasure or rectification of data (12%) Objection for marketing purposes (5%) Right to be forgotten (5%) Other (4%) 19

Initiation to data protection 06-07/01/2018 20 Increase of written information requests (2017) 600 500 400 300 200 100 0 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017

Legal opinions (2017) 35 30 25 20 15 10 5 0 2009 2010 2011 2012 2013 2014 2015 2016 2017 Initiation to data protection 06-07/01/2018 21

Thank you for your attention! Initiation to data protection 06-07/01/2018

Commission nationale pour la protection des données 1, avenue du Rock n Roll L-4361 Esch-sur-Alzette (Belval) 261060-1 www.cnpd.lu info@cnpd.lu

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback