THE COMPLETE GDPR CHECKLIST

Posted on 16-Jul-2022


For many organizations, the processing and exchange of data, including sensitive and personal data, occurs daily. With the increasing use and advance of technology, the European Commission passed the General Data Protection Regulation (GDPR). The overall goal of the GDPR is to protect data for all individuals residing within the European Union (EU).

This checklist introduces the 99 articles of the GDPR in a condensed format, and can be used as a checklist by organizations or individuals.

TABLE OF CONTENTS

CHAPTER 1: GENERAL PROVISIONS ... 3
CHAPTER 2: PRINCIPLES ... 4
CHAPTER 3: RIGHTS OF THE DATA SUBJECT ... 5
CHAPTER 4: CONTROLLER AND PROCESSOR ... 7
CHAPTER 5: TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANIZATIONS ... 9
CHAPTER 6: INDEPENDENT SUPERVISORY AUTHORITIES ... 10
CHAPTER 7: COOPERATION AND CONSISTENCY ... 11
CHAPTER 8: REMEDIES, LIABILITY AND PENALTIES ... 13
CHAPTER 9: PROVISIONS RELATING TO SPECIFIC PROCESSING ... 14
CHAPTER 10: DELEGATED ACTS AND IMPLEMENTING ACTS ... 15
CHAPTER 11: FINAL PROVISIONS ... 16
SUMMARY: HOW CIMTRAK HELPS ... 17


This checklist serves as a guide and should not be considered legal advice for GDPR compliance. This checklist is merely a guide for organizations or individuals hoping to familiarize themselves with the GDPR. Cimcor, Inc. makes no warranties, express, implied or statutory, as to the information in this material. For the complete General Data Protection Regulation, please visit www.eugdpr.org.

CHAPTER 1: GENERAL PROVISIONS

ARTICLE 1: SUBJECT-MATTER AND OBJECTIVES
The GDPR establishes rules relating to the protection of the fundamental rights and freedoms of natural persons and to the processing of personal data.

ARTICLE 2: MATERIAL SCOPE
Describing the material scope, the GDPR applies to the processing of personal data which forms part of a filing system or is intended to form part of a filing system.

ARTICLE 3: TERRITORIAL SCOPE
Describing the territorial scope, the GDPR applies to the processing of personal data of data subjects who are in the European Union, regardless of whether the processing takes place in the Union or not.

ARTICLE 4: DEFINITIONS
This article contains the definitions of 26 different terms used in the GDPR: personal data, processing, restriction of processing, profiling, pseudonymization, filing system, controller, processor, recipient, third party, consent, personal data breach, genetic data, biometric data, data concerning health, main establishment, representative, enterprise, group of undertakings, binding corporate rules, supervisory authority, supervisory authority concerned, cross-border processing, relevant and reasoned objection, information society service, and international organization.

SUMMARY
This chapter contains much information and clearly defines the objective of the regulation, its territorial scope, and specific terminology used throughout the GDPR. Article 4 is hard to summarize, as it specifies what kinds of data, businesses, people and processing of that data are involved.
For more information, visit https://gdpr-info.eu/chapter-1/

CHAPTER 2: PRINCIPLES

ARTICLE 5: PRINCIPLES RELATING TO PERSONAL DATA PROCESSING
Personal data should be processed lawfully, fairly and in a transparent manner; collected for specified, explicit and legitimate purposes; adequate and relevant; accurate and current; kept in a form permitting identification of data subjects for no longer than necessary for the purposes of processing; and processed in a manner ensuring appropriate security of the personal data. The controller is responsible for, and must be able to demonstrate, compliance with these principles (accountability).

ARTICLE 6: LAWFULNESS OF PROCESSING
This article states that processing must be lawful and describes six conditions that make processing lawful. Only one must be true for the processing to be lawful. Lawful bases include, but are not limited to, consent, contractual necessity, and legal compliance.

ARTICLE 7: CONDITIONS FOR CONSENT
Consent to the processing of data must be demonstrable, and the data subject can withdraw consent at any time.

ARTICLE 8: CONDITIONS APPLICABLE TO A CHILD'S CONSENT IN RELATION TO INFORMATION SOCIETY SERVICES
If a child is at least 16 years old, the processing of personal data based on the child's consent is lawful. If the child is under 16 years of age, consent must be given by a parent.

ARTICLE 9: PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation is prohibited unless explicit consent is given, it is necessary to carry out the obligations of the controller, or it is necessary to protect the interests of the data subject.

ARTICLE 10: PROCESSING OF DATA RELATED TO CRIMINAL CONVICTIONS AND OFFENSES
This article states that the processing of personal data relating to criminal convictions and offenses or related security measures may be carried out only under the control of official authority or when authorized by Union or Member State law.

ARTICLE 11: PROCESSING WHICH DOES NOT REQUIRE IDENTIFICATION
The controller is not required to identify the data subject, or to acquire or process additional information in order to identify the data subject, for the sole purpose of complying with this Regulation.

SUMMARY
This chapter discusses how data should be treated, and also how the person processing the data has to demonstrate compliance. It also covers consent and the special categories of personal data, along with when processing does NOT require identification (Article 11). In general, chapter 2 is long and will take time to review, but the review is worthwhile for consent and conditions.
For more information, visit https://gdpr-info.eu/chapter-2/

CHAPTER 3: RIGHTS OF THE DATA SUBJECT

ARTICLE 12: TRANSPARENT INFORMATION, COMMUNICATION AND MODALITIES FOR THE EXERCISE OF THE RIGHTS OF THE DATA SUBJECT
The controller must provide information in a transparent, concise, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information can be provided in writing or by electronic means within one month of receipt of the request. This may be extended by two further months where necessary, taking into account the complexity and number of the requests.

ARTICLE 13: INFORMATION TO BE PROVIDED WHERE PERSONAL DATA ARE COLLECTED FROM THE DATA SUBJECT
The information to be provided where personal data are collected includes: the identity and contact details of the controller; the contact details of the data protection officer; the purposes of the processing for which the personal data are intended as well as the legal basis for the processing; the recipients or categories of recipients of the personal data, if any; and, where applicable, the fact that the controller intends to transfer personal data to a third country or international organization, with reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

ARTICLE 14: INFORMATION TO BE PROVIDED WHERE PERSONAL DATA HAVE NOT BEEN OBTAINED FROM THE DATA SUBJECT
If personal data have not been obtained from the data subject, the controller must provide: the identity and contact details of the controller and, where applicable, of the controller's representative; the contact details of the data protection officer, where applicable; the purposes of the processing for which the personal data are intended as well as the legal basis for the processing; the categories of personal data concerned; the recipients or categories of recipients of the personal data, if any; and, if applicable, that the controller intends to transfer personal data to a recipient in a third country or international organization, with reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.

ARTICLE 15: RIGHT OF ACCESS BY THE DATA SUBJECT
The data subject has the right to know whether his/her personal data are being processed and, if the data are being transferred, that appropriate safeguards are in place.

ARTICLE 16: RIGHT TO RECTIFICATION
The data subject has the right to have the controller rectify any inaccurate personal data concerning him or her.

ARTICLE 17: RIGHT TO ERASURE (RIGHT TO BE FORGOTTEN)
The data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay.

ARTICLE 18: RIGHT TO RESTRICTION OF PROCESSING
The data subject has the right to restrict processing in certain cases, including where the data are no longer needed, where their accuracy is contested, or where the processing is unlawful.

ARTICLE 19: NOTIFICATION OBLIGATION REGARDING RECTIFICATION OR ERASURE OF PERSONAL DATA OR RESTRICTION OF PROCESSING
The controller must communicate any erasure, restriction, or rectification of personal data to the data subject.

ARTICLE 20: RIGHT TO DATA PORTABILITY
The data subject has the right to decide where his/her data can go. The data subject has the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used, machine-readable format, and has the right to transmit those data to another controller.


ARTICLE 21: RIGHT TO OBJECT
The data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her. The controller cannot continue processing unless it demonstrates legitimate grounds for the processing which override the interests, rights and freedoms of the data subject.

ARTICLE 22: AUTOMATED INDIVIDUAL DECISION-MAKING, INCLUDING PROFILING
Data subjects have the right not to be profiled. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

ARTICLE 23: RESTRICTIONS
This article lists restrictions on the obligations and rights above. The law to which the data controller or processor is subject may restrict, by way of a legislative measure, the scope of the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard national security, defense, public security, etc.

SUMMARY
The chapter explains the rights of the person, or "data subject", whose data is handled by a processor, a controller, or someone who receives the data. As with the previous chapter, chapter 3 contains a large amount of information, including the right to be forgotten (Article 17).
For more information, visit https://gdpr-info.eu/chapter-3/

CHAPTER 4: CONTROLLER AND PROCESSOR

ARTICLE 24: RESPONSIBILITY OF THE CONTROLLER
The controller shall implement appropriate technical and organizational measures to ensure, and be able to demonstrate, that processing is performed in accordance with this Regulation.

ARTICLE 25: DATA PROTECTION BY DESIGN AND BY DEFAULT
The controller must implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

ARTICLE 26: JOINT CONTROLLERS
Joint controllers jointly determine the purposes and means of processing and must determine their respective responsibilities for compliance.

ARTICLE 27: REPRESENTATIVES OF CONTROLLERS OR PROCESSORS NOT ESTABLISHED IN THE UNION
If the controller or processor is not established in the Union, it must designate a representative in the Union.

ARTICLE 28: PROCESSOR
Where processing is to be carried out on behalf of a controller, the controller must use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject.

ARTICLE 29: PROCESSING UNDER THE AUTHORITY OF THE CONTROLLER OR PROCESSOR
The processor, and any person acting under the authority of the controller or of the processor who has access to personal data, cannot process those data except on instruction from the controller, unless required to do so by Union or Member State law.

ARTICLE 30: RECORDS OF PROCESSING ACTIVITIES
Each controller and/or processor must maintain a record of processing activities. Records must contain: the name and contact details of the controller, any joint controller, the controller's representative and the data protection officer; the purposes of processing; a description of the categories of data subjects and categories of personal data; and the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations.

ARTICLE 31: COOPERATION WITH THE SUPERVISORY AUTHORITY
The controller and the processor and, where applicable, their representatives, must cooperate with the supervisory authority in the performance of its tasks.

ARTICLE 32: SECURITY OF PROCESSING
The controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption of data, the ability to ensure the confidentiality of processing systems and services, the ability to restore availability, and a process for testing, assessing and evaluating the technical measures.

ARTICLE 33: NOTIFICATION OF A PERSONAL DATA BREACH TO THE SUPERVISORY AUTHORITY
This article discusses the time allowed for reporting a personal data breach. In the case of a personal data breach, the controller must notify the supervisory authority within 72 hours. If notification to the supervisory authority is not made within 72 hours, it must be accompanied by reasons for the delay. All data breach information must be documented.


ARTICLE 34: COMMUNICATION OF A PERSONAL DATA BREACH TO THE DATA SUBJECT
When the personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, the breach must be communicated to the data subjects immediately.

ARTICLE 35: DATA PROTECTION IMPACT ASSESSMENT
When using new technologies, and taking into account the nature, scope, context and purposes of the processing, the risk must be weighed and the controller must assess the impact of the processing on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.

ARTICLE 36: PRIOR CONSULTATION
The controller shall consult the supervisory authority prior to processing where a data protection impact assessment indicates that the processing would result in a high risk. The supervisory authority must provide advice within eight weeks of receiving the request for consultation.

ARTICLE 37: DESIGNATION OF THE DATA PROTECTION OFFICER
The controller and the processor must designate a data protection officer (DPO) if the processing is carried out by a public authority or body (except for courts acting in their judicial capacity), or if the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale.

ARTICLE 38: POSITION OF THE DATA PROTECTION OFFICER
The DPO must work in conjunction with the controller and processor on personal data issues. The DPO can have other tasks and duties as long as there is no conflict of interest.

ARTICLE 39: TASKS OF THE DATA PROTECTION OFFICER
The data protection officer must inform and advise the controller or processor regarding compliance with the GDPR and policies regarding responsibilities, train the staff involved in processing, and act as the contact point for the supervisory authority.

ARTICLE 40: CODES OF CONDUCT
Member States, the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of the GDPR, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises.

ARTICLE 41: MONITORING OF APPROVED CODES OF CONDUCT
The monitoring of compliance with a code of conduct may be carried out by a body which has an appropriate level of expertise in relation to the subject-matter of the code and is accredited for that purpose by the competent supervisory authority.

ARTICLE 42: CERTIFICATION
Member States, the supervisory authorities, the Board, and the Commission shall encourage the establishment of data protection certification mechanisms to demonstrate compliance.

ARTICLE 43: CERTIFICATION BODIES
Certification bodies accredited by Member States can issue and renew certifications.

SUMMARY
This chapter covers quite a bit of information. Data Protection by Design is introduced here, and encourages organizations to look at all enterprise products and how the GDPR is worked into their processes. It also covers the Security of Processing (Article 32), which explains how processors and controllers of data must implement specific measures to keep data secure. This chapter also discusses the requirements for personal data breach notifications, and the role, position, and tasks of the DPO.
For more information, visit https://gdpr-info.eu/chapter-4/

CHAPTER 5: TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANIZATIONS

ARTICLE 44: GENERAL PRINCIPLE FOR TRANSFERS
The transfer of personal data to a third country or to an international organization shall take place only if the conditions laid down in Chapter 5 of the GDPR are complied with by the controller and processor.

ARTICLE 45: TRANSFERS ON THE BASIS OF AN ADEQUACY DECISION
A transfer of personal data to a third country or an international organization may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection.

ARTICLE 46: TRANSFERS SUBJECT TO APPROPRIATE SAFEGUARDS
The controller or processor may transfer personal data to a third country or an international organization only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

ARTICLE 47: BINDING CORPORATE RULES
The competent supervisory authority shall approve binding corporate rules in accordance with the consistency mechanism set out in Article 63.

ARTICLE 48: TRANSFERS OR DISCLOSURES NOT AUTHORIZED BY UNION LAW
Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognized or enforceable in any manner if based on an international agreement.

ARTICLE 49: DEROGATIONS FOR SPECIFIC SITUATIONS
In the absence of an adequacy decision under Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organization can take place only if it meets the requirements listed in Article 49.

ARTICLE 50: INTERNATIONAL COOPERATION FOR THE PROTECTION OF PERSONAL DATA
The Commission and supervisory authorities must take appropriate steps to cooperate with third countries and international organizations.

SUMMARY
This chapter focuses on data being transferred from one organization to another, and how that data is protected.
For more information, visit https://gdpr-info.eu/chapter-5/

CHAPTER 6: INDEPENDENT SUPERVISORY AUTHORITIES

ARTICLE 51: SUPERVISORY AUTHORITY
Each Member State must have one or more independent public authorities responsible for monitoring the application of the GDPR.

ARTICLE 52: INDEPENDENCE
Each supervisory authority must act with complete independence in performing its tasks and exercising its powers in accordance with the GDPR.

ARTICLE 53: GENERAL CONDITIONS FOR THE MEMBERS OF THE SUPERVISORY AUTHORITY
Each member of a supervisory authority must be qualified and appointed by means of a transparent procedure.

ARTICLE 54: RULES ON THE ESTABLISHMENT OF THE SUPERVISORY AUTHORITY
Each Member State must provide for, in law, the establishment of each supervisory authority, the qualifications for its members, the rules for their appointment, and the conditions governing the obligations of members.

ARTICLE 55: COMPETENCE
Each supervisory authority must be competent for the performance of the tasks assigned to it in accordance with the GDPR on the territory of its own Member State.

ARTICLE 56: COMPETENCE OF THE LEAD SUPERVISORY AUTHORITY
The supervisory authority of the main establishment or of the single establishment of the controller or processor must be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor.

ARTICLE 57: TASKS
Specific tasks (22) are listed for the supervisory authority. They include, but are not limited to: monitoring and enforcing the application of the GDPR; promoting public awareness and understanding of the risks, rules, safeguards and rights in relation to processing; providing information to any data subject concerning the exercise of their rights under the GDPR and, if appropriate, cooperating with the supervisory authorities in other Member States to that end; handling complaints lodged by a data subject, or by a body, organization or association; cooperating with, including sharing information with and providing mutual assistance to, other supervisory authorities with a view to ensuring the consistency of application and enforcement of the GDPR; approving binding corporate rules pursuant to Article 47; contributing to the activities of the Board; and other tasks related to the protection of personal data.

ARTICLE 58: POWERS
Each supervisory authority will have investigative, corrective, authorization, and advisory powers.

ARTICLE 59: ACTIVITY REPORTS
Each supervisory authority must draw up an annual report on its activities.

SUMMARY
This chapter focuses on requirements for EU Member States. Article 59 is important to understand, as annual reports must be generated on activities, and these reports must be available to the public, governmental authorities, the European Commission and the European Data Protection Board.
For more information, visit https://gdpr-info.eu/chapter-6/

CHAPTER 7: COOPERATION AND CONSISTENCY

ARTICLE 60: COOPERATION BETWEEN THE LEAD SUPERVISORY AUTHORITY AND THE OTHER SUPERVISORY AUTHORITIES CONCERNED
The lead supervisory authority must cooperate with the other supervisory authorities concerned in an endeavor to reach consensus. The lead supervisory authority and the supervisory authorities concerned shall exchange all relevant information with each other.

ARTICLE 61: MUTUAL ASSISTANCE
Supervisory authorities will provide one another with relevant information and mutual assistance in order to implement and apply the GDPR in a consistent manner, and will put in place measures for effective cooperation with one another. Mutual assistance will cover, in particular, information requests and supervisory measures, such as requests to carry out prior authorizations and consultations, inspections and investigations.

ARTICLE 62: JOINT OPERATIONS OF SUPERVISORY AUTHORITIES
Supervisory authorities will conduct joint operations, including joint investigations and joint enforcement measures, in which members or staff of the supervisory authorities of other Member States are involved.

ARTICLE 63: CONSISTENCY MECHANISM
The supervisory authorities will cooperate with each other and, where relevant, with the Commission, through the consistency mechanism set out in this section.

ARTICLE 64: OPINION OF THE BOARD
The Board will issue an opinion when a supervisory authority intends to adopt certain new measures.

ARTICLE 65: DISPUTE RESOLUTION BY THE BOARD
In order to ensure the correct and consistent application of the GDPR, the Board can resolve disputes between supervisory authorities.

ARTICLE 66: URGENCY PROCEDURE
A supervisory authority may adopt provisional measures intended to produce legal effects on its own territory with a specified period of validity not exceeding three months. The supervisory authority will communicate those measures and the reasons for adopting them to the other supervisory authorities concerned, to the Board and to the Commission.

ARTICLE 67: EXCHANGE OF INFORMATION
The Commission may adopt implementing acts of general scope in order to specify the arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the Board.

ARTICLE 68: EUROPEAN DATA PROTECTION BOARD
The European Data Protection Board (the "Board") is established as a body of the Union and shall have legal personality, be represented by its Chair, and be composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor, or their respective representatives.

ARTICLE 69: INDEPENDENCE
The Board shall act independently when performing its tasks or exercising its powers.

ARTICLE 70: TASKS OF THE BOARD
The Board must monitor and ensure the correct application of the GDPR, advise the Commission, issue guidelines, recommendations and best practices, etc.


ARTICLE 71: REPORTS
The Board will report annually regarding the protection of natural persons with regard to processing in the Union and, where relevant, in third countries and international organizations. The report will be public and transmitted to the European Parliament, to the Council and to the Commission.

ARTICLE 72: PROCEDURE
The Board will make decisions by a majority of its members, unless otherwise noted.

ARTICLE 73: CHAIR
The Board shall elect a chair and two deputy chairs from amongst its members by simple majority.

ARTICLE 74: TASKS OF THE CHAIR
The tasks of the Chair include, but are not limited to: convening the Board and preparing its agenda, notifying the decisions adopted by the Board, and ensuring that the tasks of the Board are performed.

ARTICLE 75: SECRETARIAT
The European Data Protection Supervisor will provide a secretariat that performs its tasks exclusively under the instruction of the Chair of the Board, mainly to provide analytical, administrative, and logistical support to the Board.

ARTICLE 76: CONFIDENTIALITY
The discussions of the Board shall be confidential where the Board deems it necessary.

SUMMARY
This chapter discusses how supervisory authorities can remain consistent and cooperate with one another. It also establishes the European Data Protection Board and discusses its purpose.
For more information, visit https://gdpr-info.eu/chapter-7/

CHAPTER 8: REMEDIES, LIABILITY AND PENALTIES

ARTICLE 77: RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY
Every data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes the GDPR.

ARTICLE 78: RIGHT TO AN EFFECTIVE JUDICIAL REMEDY AGAINST A SUPERVISORY AUTHORITY
Each natural or legal person has the right to a judicial remedy against a decision of a supervisory authority concerning them.

ARTICLE 79: RIGHT TO AN EFFECTIVE JUDICIAL REMEDY AGAINST A CONTROLLER OR PROCESSOR
Each data subject has the right to an effective judicial remedy where he or she considers that his or her rights under the GDPR have been infringed as a result of the processing of his or her personal data in non-compliance with the GDPR.

ARTICLE 80: REPRESENTATION OF DATA SUBJECTS
Data subjects have the right to mandate a not-for-profit body, organization or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects' rights and freedoms with regard to the protection of their personal data, to lodge the complaint on his or her behalf.

ARTICLE 81: SUSPENSION OF PROCEEDINGS
Any court in a Member State that becomes aware of proceedings on the same subject matter already pending in another Member State may suspend its proceedings.

ARTICLE 82: RIGHT TO COMPENSATION AND LIABILITY
A person who has suffered damage from an infringement of the GDPR has the right to receive compensation from the controller or processor, or both.

ARTICLE 83: GENERAL CONDITIONS FOR IMPOSING ADMINISTRATIVE FINES
Each supervisory authority shall ensure that fines are effective, proportionate, and dissuasive. For infringements of Articles 8, 11, 25 to 39, 41, 42, and 43, fines can be up to $10,000,000 or two percent of global annual turnover. For infringements of Articles 5, 6, 7, 9, 12 to 22, 44 to 49, and 58, fines can be up to $20,000,000 or four percent of global annual turnover.

ARTICLE 84: PENALTIES
Additional penalties for infringements can be laid down by Member States.

SUMMARY
This chapter covers the rights of data subjects and how they proceed with complaints. It also covers penalties for processors and controllers.
For more information, visit https://gdpr-info.eu/chapter-8/

CHAPTER 9: PROVISIONS RELATING TO SPECIFIC PROCESSING

ARTICLE 85: pRoCESSIng fREEdom of ExpRESSIon And InfoRmATIonMember States have the right to the protection of personal data pursuant to the GDPR with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression.

ARTICLE 86: PROCESSING AND PUBLIC ACCESS TO OFFICIAL DOCUMENTS
Personal data in official documents held for tasks carried out in the public interest may be disclosed for public access in accordance with Union or Member State law.

ARTICLE 87: PROCESSING OF NATIONAL IDENTIFICATION NUMBER
Member States can determine specific conditions for processing national identification numbers or any other identifier of general application.

ARTICLE 88: PROCESSING IN THE CONTEXT OF EMPLOYMENT
Member States can provide more specific rules for processing employees' personal data.

ARTICLE 89: SAFEGUARDS AND DEROGATIONS RELATING TO PROCESSING FOR ARCHIVING PURPOSES IN THE PUBLIC INTEREST, SCIENTIFIC OR HISTORICAL RESEARCH PURPOSES OR STATISTICAL PURPOSES
Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is subject to appropriate safeguards for the rights and freedoms of the data subject. Those safeguards ensure that technical and organizational measures are in place, in particular to ensure respect for the principle of data minimization.

ARTICLE 90: OBLIGATIONS OF SECRECY
Member States can adopt specific rules for the powers of the supervisory authorities regarding controllers' and processors' obligation of secrecy.

ARTICLE 91: EXISTING DATA PROTECTION RULES OF CHURCHES AND RELIGIOUS ASSOCIATIONS
Churches and religious associations and communities that have set their own rules for processing in order to protect natural persons may continue to apply those rules as long as they are brought in line with the GDPR.

SUMMARY
This chapter covers the exceptions and specific provisions that apply alongside the general rules. For more information, visit https://gdpr-info.eu/chapter-9/


CHAPTER 10: DELEGATED ACTS AND IMPLEMENTING ACTS

ARTICLE 92: EXERCISE OF THE DELEGATION
The Commission has the power to adopt delegated acts. The delegation of power can be revoked at any time by the European Parliament or the Council.

ARTICLE 93: COMMITTEE PROCEDURE
The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.

SUMMARY
This chapter discusses the Commission's power to adopt delegated acts and the process by which that occurs. For more information, visit https://gdpr-info.eu/chapter-10/


CHAPTER 11: FINAL PROVISIONS

ARTICLE 94: REPEAL OF DIRECTIVE 95/46/EC
The previous personal data processing law, Directive 95/46/EC, is repealed with effect from 25 May 2018.

ARTICLE 95: RELATIONSHIP WITH DIRECTIVE 2002/58/EC
The GDPR will not impose additional obligations on natural or legal persons in relation to processing in connection with the provision of publicly available electronic communications services in public communication networks, as stated in Directive 2002/58/EC.

ARTICLE 96: RELATIONSHIP WITH PREVIOUSLY CONCLUDED AGREEMENTS
International agreements involving the transfer of personal data to third countries or international organizations that were concluded before 24 May 2016 remain in force.

ARTICLE 97: COMMISSION REPORTS
The Commission must report on the GDPR every four years to the European Parliament and to the Council.

ARTICLE 98: REVIEW OF OTHER UNION LEGAL ACTS ON DATA PROTECTION
The Commission can submit legislative proposals to amend other Union legal acts on the protection of personal data.

ARTICLE 99: ENTRY INTO FORCE AND APPLICATION
The GDPR goes into effect May 25, 2018.

SUMMARY
This chapter explains how the Commission must report on the regulation every 4 years. It also addresses the relationship between the previous directives and the current regulation, since many organizations are familiar with the old data processing laws. For more information, visit https://gdpr-info.eu/chapter-11/


SUMMARY: NEXT STEPS FOR GDPR READINESS
As your organization begins to move forward with GDPR compliance, there are steps you can take to help ensure GDPR readiness.

1. AWARENESS: Educate yourself on the regulation. Know the responsibilities for your organization. Locate all data sources. Understand what needs to be protected. Familiarize yourself with all data points in your organization.

2. IDENTIFY: Determine what identified data falls under the scope of GDPR, and in essence what sensitive or personal data needs to be protected. This includes identifying who internally has access, and whether specific individuals/groups should have access or not.

3. GOVERN: Decide if you need to designate a DPO. Determine who is to manage GDPR processes for your organization. Decide who has access to sensitive/personal data, and who should/should not have access.

4. INTEGRATE: Implement and adopt a privacy by design approach. Integrate the usage of software aiding in compliance into your policies. Review current software usage for all business procedures. There is no one-model-fits-all for every GDPR article.

5. ADOPT & REVIEW: Ensure your organization adopts and reviews policies that prioritize consent and transparency.

6. AUDIT & MONITOR: Audit and monitor continuously. Be prepared to deal with a breach should one occur.


REQUIREMENT

ARTICLE 25: DATA PROTECTION BY DESIGN AND DEFAULT
(2) The controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.

ARTICLE 32: SECURITY OF PROCESSING
(1) Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

ARTICLE 39: TASKS OF THE DATA PROTECTION OFFICER
The data protection officer shall have at least the following tasks: (b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;

ARTICLE 57: TASKS
(1) Without prejudice to other tasks set out under this Regulation, each supervisory authority shall on its territory: (h) conduct investigations on the application of this Regulation, including on the basis of information received from another supervisory authority or other public authority;

ARTICLE 59: ACTIVITY REPORTS
Each supervisory authority shall draw up an annual report on its activities, which may include a list of types of infringement notified and types of measures taken in accordance with Article 58(2).

HOW CIMTRAK HELPS

CimTrak can support this requirement with instant alerts on system changes that can affect what data is processed, together with complete audit trails of all activities and unauthorized changes.

CimTrak can help ensure confidentiality, integrity, and availability by monitoring your configurations. By providing deep insight into your system's state and increased situational awareness, continuous monitoring improves your security posture and aids your GDPR compliance efforts.

CimTrak has the ability to instantaneously take action to reverse a change upon detection. This effectively allows a system to self-heal. CimTrak is the only integrity tool with this feature.

CimTrak helps monitor your critical configurations to ensure a compliant state.

CimTrak can provide detailed reports to ensure the appropriate security measures are operating in place.

CimTrak has the ability to provide complete details on changes within an organization’s assets.

CimTrak can provide details that contribute to the annual reporting required under the GDPR. By identifying the changes occurring on a particular system, CimTrak's reports provide information in the formats needed, including customized formats.

CimTrak is easy to set up, configure and use, so your IT staff can spend time on more pressing issues. By providing key insight into your IT environment, personnel can pinpoint issues and react quickly, maximizing time and saving money. It’s why enterprises and government agencies rely on CimTrak to ensure integrity and maintain compliance with regulations such as HIPAA, GDPR, PCI DSS, and others.
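The Article 32(1)(b) to (d) requirements above, and the detect-then-reverse workflow the CimTrak paragraphs describe, as an added example that is not CimTrak's or Cimcor's code: a directory is baselined with SHA-256 hashes, re-checked for drift, and restored from trusted copies. The directory names, file names and configuration contents are constructed for the demo.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def file_hash(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()   # SHA-256 of file contents

def build_baseline(root: Path, store: Path) -> dict:
    """Hash every file under root; keep a trusted copy in store so restore can work."""
    baseline = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        baseline[rel] = file_hash(path)
        (store / rel).parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, store / rel)
    return baseline

def verify(root: Path, baseline: dict) -> dict:
    """Re-hash the tree and report drift; scheduled runs are the Art. 32(1)(d) testing."""
    current = {p.relative_to(root).as_posix(): file_hash(p)
               for p in root.rglob("*") if p.is_file()}
    return {"modified": sorted(r for r, h in baseline.items() if current.get(r, h) != h),
            "missing": sorted(r for r in baseline if r not in current),
            "unexpected": sorted(r for r in current if r not in baseline)}

def restore(root: Path, store: Path, drift: dict) -> list:
    """Simplified self-heal: put trusted copies back; quarantine unexpected files."""
    quarantine = store.parent / "quarantine"
    quarantine.mkdir(exist_ok=True)
    for rel in drift["modified"] + drift["missing"]:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(store / rel, root / rel)
    for rel in drift["unexpected"]:   # keep the file as evidence rather than deleting it
        shutil.move(str(root / rel), str(quarantine / rel.replace("/", "_")))
    return drift["modified"] + drift["missing"] + drift["unexpected"]

def demo() -> tuple:
    """Constructed walk-through on a temp dir: baseline, tamper, detect, restore."""
    work = Path(tempfile.mkdtemp())
    root, store = work / "etc", work / "trusted"
    root.mkdir()
    (root / "app.conf").write_text("retention_days=30\n")    # constructed sample config
    (root / "acl.conf").write_text("group=dpo\n")
    baseline = build_baseline(root, store)
    (root / "app.conf").write_text("retention_days=3650\n")  # unauthorized edit
    (root / "acl.conf").unlink()                             # file deleted
    (root / "debug.sh").write_text("echo hi\n")              # added outside change control
    before = verify(root, baseline)
    restore(root, store, before)
    return before, verify(root, baseline)
```

In the demo, the first `verify` call reports one modified, one missing and one unexpected file; after `restore`, the second call reports no drift.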


© 2018 Cimcor, All Rights Reserved

THE DEFINITIVE GUIDE TO FILE INTEGRITY MONITORING: WHAT YOU NEED TO KNOW
File Integrity Monitoring (FIM) is a solution to a complicated problem, but the solution itself doesn't have to be complicated. With the right methodology and solution, you can easily install, configure and manage the integrity of your systems.