CNIL’s activity (2017)
CNIL
Personal data
Any information relating to an identified or identifiable natural person, directly or indirectly. Take into account all the means likely reasonably to be used.
Opinion 4/2007 of WP29 (June 2007) on personal data
Opinion 5/2014 on anonymisation techniques
Identifiers: who / when / where
New powers
Online inspections (2014)
Freedom of expression / blocking websites (since 2015)
- Pedopornography / terrorism
- Redirecting in DNS or removing search results
Right to delisting (2014):
- Currently implemented on all TLDs if the IP address is in the country of the plaintiff
- Some open questions to be clarified by the CJEU
GDPR chronology
Milestones on the timeline, in the order they appear on the slide:
- EU Commission proposal
- Trilogue
- EP vote
- Council vote
- Political agreement
- GDPR is applicable and repeals Directive 95/46/CE
- 1st reading
- Adoption
Territorial scope
GDPR applies if:
- the data controller or processor is established in the EU
- the processing activities are related to the offering of goods or services to persons in the EU, or to the monitoring of persons in the EU
New tools for compliance
DPO compulsory if:
- public authority or body
- regular and systematic monitoring of data subjects on a large scale, OR processing on a large scale of sensitive data
Security of processing (Art. 32)
04/06/2018
Security measures (controller + processor):
> Technical or organizational
> Take into account the state of the art and the costs of implementation
> Proportional to the risks
> Aim to treat the risk
Risks of the processing:
> Nature, scope, context, purposes
> Varying likelihood and severity
Guiding principles (Art. 32)
Achieving a secure processing
Goals:
> Ensure confidentiality, integrity, availability and resilience of processing systems and services
> Be able to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident
Measures:
> Pseudonymisation
> Encryption
> Ensure that any natural person having access to personal data shall not process them otherwise than what the controller or processor has authorised him to
Continuous improvement:
> Regularly check the measures used to ensure the security of the processing by testing them, assessing them and evaluating their effectiveness
Compliance:
> Approved code of conduct (art. 40)
> Approved certification mechanism (art. 42)
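As an added illustration of the "pseudonymisation" measure listed above (example code written for this page, not CNIL's or any project's own tooling), the block below replaces the direct identifiers of a record set with keyed HMAC-SHA256 tokens and keeps the token-to-identifier table apart from the released data, which is the "additional information kept separately" that distinguishes pseudonymised from anonymised data in the WP29 opinions cited earlier. The record set, field names and key are constructed for the example; the keyed construction is chosen because an unkeyed hash of an e-mail address can be reversed by simply hashing guessed addresses.

```python
import hashlib
import hmac
import json
import secrets

# Direct identifiers that must not survive in the pseudonymised data set
# (field names are an assumption for this example).
DIRECT_IDENTIFIERS = ("name", "email")

# Constructed sample records: hypothetical people, not real data.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "city": "Rennes", "purchases": 3},
    {"name": "Bob Example", "email": "bob@example.org", "city": "Lyon", "purchases": 1},
    {"name": "Alice Example", "email": "alice@example.org", "city": "Rennes", "purchases": 2},
]


def pseudonym(secret_key: bytes, identifier: str) -> str:
    """Keyed, deterministic pseudonym: HMAC-SHA256 over the normalised identifier.

    The same person always gets the same token (so records can still be
    linked for analysis), but without the key the token cannot be rebuilt
    from a guessed e-mail address, which a plain hash would allow.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(secret_key, normalised, hashlib.sha256).hexdigest()


def pseudonymise(records, secret_key):
    """Return (pseudonymised records, lookup table).

    The lookup table maps token -> original e-mail. It is the separately
    held information that allows controlled re-identification and must be
    protected by its own technical and organisational measures.
    """
    out = []
    lookup = {}
    for rec in records:
        token = pseudonym(secret_key, rec["email"])
        lookup[token] = rec["email"]
        kept = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        kept["subject_id"] = token
        out.append(kept)
    return out, lookup


def contains_direct_identifiers(records) -> bool:
    """Release check: True if any direct identifier field is still present."""
    return any(k in DIRECT_IDENTIFIERS for rec in records for k in rec)


def reidentify(lookup, token):
    """Controlled re-identification, only possible with the separate table."""
    return lookup.get(token)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated and stored apart from the data
    pseudo, table = pseudonymise(SAMPLE_RECORDS, key)
    print(json.dumps(pseudo, indent=2))
    print("direct identifiers present:", contains_direct_identifiers(pseudo))
```

The released set keeps the linkability needed for the processing (the two Alice records share one subject_id) while the e-mail addresses live only in the lookup table, which should be stored, access-controlled and logged separately from the pseudonymised data.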
DPIA
Goals: process for building and demonstrating compliance
Who: carried out by the data controller with the help of the DPO and data processor
When: before the processing; should be updated each time the risks change, or every 3 years
Processing: created after May 2018; a DPIA can apply to a group of similar processings
14 GDPR Guidelines adopted
Personal data breach
Accidental or unlawful:
- Destruction
- Loss
- Alteration
- Unauthorized disclosure
- Unauthorized access
Portability in practice
Actors: data subject, data controller 1, data controller 2, personal storage / trust service provider
Store:
- The data controller provides the personal data in a structured, commonly used and machine-readable format
- The personal storage / trust service provider stores the data and helps to prove the data subject's identity as well as data integrity
Share:
- Directly share with an authorized controller
- Provides the data subject's data
- Share with a controller authorized by the data subject
Eligible data
1. Is it personal data concerning the data subject?
2. Is the data processing carried out by automated means?
3. Is the legal basis for data collection consent or contract?
4. Is it data provided by the data subject?
5. Would the portability adversely affect the rights and freedoms of others?
If yes to all, then the data are portable.
Some challenges
Gwendal Le Grand – Director of Technology and Innovation
Conclusion
- Continuity of the principles
- GDPR restores the balance with GAFA
- Fines up to 4% of annual turnover
- Regulation scales with the one-stop shop
- 14 guidelines adopted by GDPR and endorsed by the EDPB
- CNIL accompanies (information, opinion, DPO, authorisations, compliance packs…)
- CNIL enforces
- National law still to be promulgated