A.    Training of staff in Data Protection Compliance under the European Union General Data Protection Regulation (“EUGDPR”):

As an EUGDPR compliant Company, we need to ensure that all our team members are aware of the provisions of the EUGDPR and the data protection requirements envisaged under it. Under Article 39 of the EUGDPR, it is necessary to provide training and raise awareness amongst the team members on the subject matter.

1. KEY TERMS USED UNDER EUGDPR (Article 4):

a) Personal Data

Data which relates to a living individual who can be identified, either from the data itself, or from the data together with other information which is in the possession of, or is likely to come into the possession of, the data controller.

b) Data Controller

Any person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.

c) Data Processor

A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

d) Data Subject

The individual to whom the Personal Data relates. The EUGDPR applies to the processing of Personal Data of individuals (Data Subjects) who are in the European Union, by a controller or processor situated in Europe or anywhere else in the world.

e) Processing

Means obtaining, recording or holding information or data, or carrying out any operation or set of operations on information or data, such as:

- Organisation, adaptation or alteration;

- Retrieval, consultation or use;

- Disclosure by transmission, dissemination or otherwise making available; or

- Alignment, combination, blocking, erasure or destruction.

The definition of processing is very wide, and so most operations in relation to personal data will constitute processing.

NOTE: Inscripts is both a data controller and a data processor under the EUGDPR. This is because Inscripts determines the purposes for which and the manner in which personal data is processed, and also oversees the storage of that data.

2. PRINCIPLES RELATING TO DATA PROTECTION (Article 5-11)

a) Personal Data is to be processed fairly and lawfully. (Lawfulness & Fairness)

b) Only personal data that is necessary for the performance of a contract to which the data subject is party must be collected. (Purpose Limitation)

c) Personal data must not be excessive. It must be sufficient and relevant. (Adequacy)

d) Personal data must be kept up to date and must not be stored longer than required. (Accuracy & Retention)

e) The rights of the data subjects must be kept in mind while processing personal data.

3. PROCESSING OF PERSONAL DATA

Personal Data is to be processed in a fair and lawful manner.

a) Personal data must be collected on legitimate grounds. Personal data must be obtained only for one or more specified lawful purposes. There must not be any further processing of personal data in a way that is incompatible with the specified purposes.

b) There needs to be transparency regarding the intended use of the Personal Data collected.

c) Personal Data must be used in a way that does not have adverse effects on the Data Subject(s).

d) Data Subjects need to be given adequate privacy notices at the time of collection of Personal Data. A Company must display a privacy notice containing details such as company name, purpose and intention to collect Personal Data and with whom such Personal Data will be shared.

4. PROCESSING OF SENSITIVE PERSONAL DATA (Article 9)

The following personal data is classified as Sensitive Personal Data:

- racial or ethnic origin

- political opinions

- religious beliefs or other beliefs of a similar nature

- trade union membership

- genetic data, biometric data

- physical or mental health or condition

- sexual life or sexual orientation

- any offense the data subject has actually or allegedly committed, or

- any proceedings for any offense committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings

Processing of the above-mentioned data must be done in accordance with Art. 9 of the EUGDPR.

5. RIGHTS OF DATA SUBJECTS (Article 12-23)

Personal Data must be processed in accordance with the rights of data subjects. Some of these rights are as follows:

a) Data Subjects have the right to access personal data. (Art. 15)

b) Data Subjects have the right to the restriction of processing, i.e. right to prevent such processing as could cause them harm or distress. (Art. 18)

c) Data Subjects also have a right to not be subject to automated decision-making which produces legal effects concerning him or her or similarly significantly affects him or her.

d) Data Subjects have a right to have inaccurate personal data rectified, blocked, erased or destroyed. (Art. 16, 17)

e) Data Subjects have a right to claim compensation for damages caused to them by a breach of the provisions of the EUGDPR.

REMEDIES AVAILABLE UNDER EUGDPR

6. SECURITY MEASURES AND MANAGING DATA SECURITY BREACHES

a) It is important to implement appropriate technical and organizational security measures to be GDPR compliant. These may include technical measures such as data encryption, data minimization, pseudonymization, firewalls and anti-virus software, and organizational measures such as a strong data security policy, restricted access to data locations and secure destruction of data. (Art. 25 - Data Protection by Design & by Default; Art. 30 - Records of Processing Activities)

b) It is also necessary to implement a transparent breach management plan throughout the organization. According to the EUGDPR, a breach management plan should cover, inter alia, containment and recovery of data, assessment of ongoing risk, and notification to the Supervisory Authority in case of a breach. (Art. 33, 34)

7. REMEDIES, LIABILITIES AND PENALTIES UNDER EUGDPR (Art. 77-84)

a) Every Data Subject has the right to lodge a complaint with a supervisory authority, in particular in the member state of his or her habitual residence, place of work or place of the alleged infringement, if the Data Subject considers that the processing of Personal Data relating to him or her infringes the provisions of the EUGDPR.

b) Every natural or legal person has the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.

c) Every Data Subject has the right to an effective judicial remedy where he or she considers that his or her rights under the EUGDPR have been infringed as a result of the processing of his or her personal data in non-compliance with the EUGDPR.

d) Any person who has suffered material or non-material damage as a result of an infringement of the EUGDPR shall have the right to receive compensation from the controller or processor for the damage suffered.

e) The EUGDPR imposes stiff fines on data controllers and processors for non-compliance. Fines under the EUGDPR go up to €20 million, or 4% of the worldwide annual revenue of the prior fiscal year, whichever is higher.