🇪🇺 European Union
Information
Extracts :
Extract :
"The GDPR does not take into account citizenship questions. It is only concerned with the location of the data subject, not the citizenship. So if an American company tracks the data of an EU citizen living in the U.S., it will not have to comply with the GDPR. It is only when the company handles data of folks in the EU is when the GDPR applies. "
2023
Reference :
Does GDPR Apply to Citizens Outside the EU?
Information on GDPR applicability
Link to reference Extracts :
Extract :
"The GDPR provides that it 'should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data."
2022
Reference :
Canada Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"The GDPR only protects living individuals. The GDPR does not protect the personal data of deceased individuals, this being left to Member States to regulate. Article 4(1) of the GDPR clarifies that a data subject is an 'identified or identifiable natural person'."
2022
Reference :
Canada Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"In relation to extraterritorial scope, the GDPR applies to the processing activities of data controllers and data processors that do not have any presence in the EU, where processing activities are related to the offering of goods or services to individuals in the EU, or to the monitoring of the behaviour of individuals in the EU."
2022
Reference :
Canada Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extract :
"In relation to extraterritorial scope, the GDPR applies to the processing activities of data controllers and data processors that do not have any presence in the EU, where processing activities are related to the offering of goods or services to individuals in the EU, or to the monitoring of the behaviour of individuals in the EU."
2021
Reference :
Italy Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"The GDPR applies to organizations that have a presence in the EU. In particular, per Article 3, the GDPR applies to entities or organizations established in the EU, notably entities that have an 'establishment' in the EU or if processing of personal data takes place in the context of the activities of that establishment, irrespective of whether the data processing takes place in the EU or not."
2021
Reference :
Italy Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extract :
"The GDPR applies to organizations that have a presence in the EU. In particular, per Article 3, the GDPR applies to entities or organizations established in the EU, notably entities that have an 'establishment' in the EU or if processing of personal data takes place in the context of the activities of that establishment, irrespective of whether the data processing takes place in the EU or not."
2022
Reference :
Canada Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"The GDPR defines a data controller as a 'natural and legal person, public authority, agency or other body which, alone or jointly, with others, determines the purposes and means of the processing of personal data. The GDPR defines a data processor as a 'natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller."
2022
Reference :
Canada Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extract :
"The GDPR defines a data controller as a 'natural and legal person, public authority, agency or other body which, alone or jointly, with others, determines the purposes and means of the processing of personal data. The GDPR defines a data processor as a 'natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller."
2021
Reference :
Italy Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
" This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
the monitoring of their behaviour as far as their behaviour takes place within the Union.
This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law."
Reference :
GDPR compliance guidance
Information on GDPR compliance
Link to reference Extracts :
Extract :
"Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited."
Reference :
GDPR compliance guidance
Information on GDPR compliance
Link to reference Extracts :
Extract :
"The following personal data is considered 'sensitive' and is subject to specific processing conditions:
personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs;
trade-union membership;
genetic data, biometric data processed solely to identify a human being;
health-related data;
data concerning a person's sex life or sexual orientation."
Reference :
What personal data is considered sensitive?
Information on sensitive data in the GDPR
Link to reference Extracts :
Extract :
There is nothing in the official text on this.
Reference :
What personal data is considered sensitive?
Information on sensitive data in the GDPR
Link to reference Extracts :
Extract :
Data entered based on reference.
2022
Reference :
EU/GDPR Data protection overview | DataGuidance
Updated DataGuidance reports
Extracts :
Extract :
"Article 58(2) Each supervisory authority shall have all of the following corrective powers:"
2016
Reference :
General Data Protection Regulation
GDPR articles and chapters
Link to reference Extracts :
Extract :
"Depending on the violation occurred the penalty may be up to either: 2% of global annual turnover or €10 million, whichever is higher; or 4% of global annual turnover or €20 million, whichever is higher."
2016
Reference :
What are the GDPR Fines?
Information on GDPR fines
Link to reference Extracts :
Extract :
"For especially severe violations, listed in Art. 83(5) GDPR, the fine framework can be up to 20 million euros, or in the case of an undertaking, up to 4 % of their total global turnover of the preceding fiscal year, whichever is higher. But even the catalogue of less severe violations in Art. 83(4) GDPR sets forth fines of up to 10 million euros, or, in the case of an undertaking, up to 2% of its entire global turnover of the preceding fiscal year, whichever is higher. Especially important here, is that the term 'undertaking' is equivalent to that used in Art. 101 and 102 of the Treaty on the Functioning of the European Union (TFEU). According to case law of the European Court of Justice, 'the concept of an undertaking encompasses every entity engaged in an economic activity, regardless of the legal status of the entity or the way in which it is financed'. An undertaking can therefore not only consist of one individual company in the sense of a legal person, but also out of several natural persons or corporate entities. Thus, a whole group can be treated as one undertaking and its total worldwide annual turnover can be used to calculate the fine for a GDPR infringement of one of its companies. In addition, each Member State shall lay down rules on other penalties for infringements of the Regulation which are not already covered by Art. 83. Those are most likely criminal penalties for certain violations of the GDPR or penalties for infringements of national rules which were adopted based on flexibility clauses of the GDPR. The national penalties must also be effective, proportionate and act as a deterrent."
2016
Reference :
General Data Protection Regulation
GDPR articles and chapters
Link to reference Extracts :
Extract :
Filled on the basis of extract ID 724/726 (for FRA/DEU) which should apply for the GDPR.
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Filled on the basis of extract ID 1152/1155 (for FRA/DEU) which should apply for the GDPR.
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Filled on the basis of extract ID 1124/1126 (for FRA/DEU) which should apply for the GDPR.
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
"Article 79: Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation. "
2016
Reference :
General Data Protection Regulation
GDPR articles and chapters
Link to reference Extracts :
Extract :
"For especially severe violations, listed in Art. 83(5) GDPR, the fine framework can be up to 20 million euros, or in the case of an undertaking, up to 4 % of their total global turnover of the preceding fiscal year, whichever is higher. But even the catalogue of less severe violations in Art. 83(4) GDPR sets forth fines of up to 10 million euros, or, in the case of an undertaking, up to 2% of its entire global turnover of the preceding fiscal year, whichever is higher. Especially important here, is that the term 'undertaking' is equivalent to that used in Art. 101 and 102 of the Treaty on the Functioning of the European Union (TFEU). According to case law of the European Court of Justice, 'the concept of an undertaking encompasses every entity engaged in an economic activity, regardless of the legal status of the entity or the way in which it is financed'. An undertaking can therefore not only consist of one individual company in the sense of a legal person, but also out of several natural persons or corporate entities. Thus, a whole group can be treated as one undertaking and its total worldwide annual turnover can be used to calculate the fine for a GDPR infringement of one of its companies. In addition, each Member State shall lay down rules on other penalties for infringements of the Regulation which are not already covered by Art. 83. Those are most likely criminal penalties for certain violations of the GDPR or penalties for infringements of national rules which were adopted based on flexibility clauses of the GDPR. The national penalties must also be effective, proportionate and act as a deterrent."
2016
Reference :
General Data Protection Regulation
GDPR articles and chapters
Link to reference Extracts :
Extract :
Data entered based on reference.
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
"According to Article 62 of the Act, the controller must carry out a DPIA prior to the processing of personal data in the conditions provided for in Article 35 of the GDPR."
2016
Reference :
General Data Protection Regulation
GDPR articles and chapters
Link to reference Extracts :
Extract :
"Article 32(1): Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing"
2016
Reference :
General Data Protection Regulation
GDPR articles and chapters
Link to reference Extracts :
Extract :
"Article 34(1): When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. "
2016
Reference :
General Data Protection Regulation
GDPR articles and chapters
Link to reference Extracts :
Extract :
"Article 33(1): In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay. "
2016
Reference :
General Data Protection Regulation
GDPR articles and chapters
Link to reference Extracts :
Extract :
"Article 33(2): The processor shall notify the controller without undue delay after becoming aware of a personal data breach."
2016
Reference :
General Data Protection Regulation
GDPR articles and chapters
Link to reference Extracts :
Extract :
"The LPPD does not explicitly refer to the principle of accountability. However, the LPPD implies a similar level of responsibility for the data controller and sets out various relevant obligations regarding, for example, data security, the application to VERBIS, responding to data subject requests, and providing the data subject with necessary information on the processing of their data. In addition, Article 12 states that: 'The controller shall be obliged to take any kind of necessary technical and administrative measures to ensure the appropriate level of security with the aim of: a) preventing unlawful processing of personal data; b) preventing unlawful access to personal data; c) ensuring that personal data are safeguarded.'"
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - TUR
Extracts :
Extract :
"Section 4(1): The conditions for the lawful processing of personal information by or for a responsible party are the following: (a) 'Accountability', as referred to in section 8.
Section 8: The responsible party must ensure that the conditions set out in this Chapter 3, and all the measures that give effect to such conditions, are complied with at the time of the determination of the purpose and means of the processing and during the processing itself."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - ZAF
Extracts :
Extract :
Filled on the basis of extract ID 5647 which applies for FRA and should apply here as well (GDPR).
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
"The data subject has the right to object, on grounds relating to his/her particular situation, at any time to processing of personal data concerning him or her which is based on (Article 21(1) of the GDPR):
• the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller; or
• the purposes of the legitimate interests pursued by the controller or by a third party, including profiling based on those provisions.
In such cases, the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defence of legal claims (Article 21(1) of the GDPR)."
2016
Reference :
General Data Protection Regulation
GDPR articles and chapters
Link to reference Extracts :
Extract :
"More specifically, in exercising his/her right to data portability pursuant to Article 20(1) of the GDPR, the data subject has the right to have their personal data transmitted directly from one controller to another, where technically feasible."
2016
Reference :
General Data Protection Regulation
GDPR articles and chapters
Link to reference Extracts :
Extract :
"The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her (Article 22(1) of the GDPR)."
2016
Reference :
General Data Protection Regulation
GDPR articles and chapters
Link to reference Extracts :
Extract :
"Where personal data is obtained directly from a data subject, the following information must be provided (Articles 13(1) and 13(2) of the GDPR):
• the identity and the contact details of the controller and, where applicable, of the controller's representative;
• the contact details of the DPO where applicable;
• the purposes of the processing and the legal basis for the processing;
• where the processing is based on Article 6(1)(f), the legitimate interests pursued by the controller or by a third party; ....."
2016
Reference :
General Data Protection Regulation
GDPR articles and chapters
Link to reference Extracts :
Extract :
Data entered based on reference.
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
"Where personal data is being processed by the controller, the controller must provide the following information when requested (Article 15(1) of the GDPR):
• the purposes of the processing;
• the categories of personal data concerned;
• the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
• where possible, the envisaged period for which the personal data will be stored or, if not possible, the criteria used to determine that period;
• the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject, or to object to such processing;
• the right to lodge a complaint with a supervisory authority;
• where the personal data is not collected from the data subject, any available information as to their source; and
• the existence of automated decision-making, including profiling, referred to in Articles 22(1) and 22(4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Where personal data is transferred to a third country or to an international organisation, data subjects also have the right to be informed of the appropriate safeguards pursuant to Article 46 (Article 15(2) of the GDPR)."
2022
Reference :
EU/GDPR Data protection overview | DataGuidance
Updated DataGuidance reports
Extracts :
Extract :
"The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him/her (Article 16 of the GDPR). Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement (Article 16 of the GDPR)."
2022
Reference :
EU/GDPR Data protection overview | DataGuidance
Updated DataGuidance reports
Extracts :
Extract :
"The data subject will have the right to obtain from the controller the erasure of personal data concerning him/her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies (Article 17(1) of the GDPR):
• the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
• the data subject withdraws consent on which the processing is based according to Article 6(1)(a) of the GDPR, or Article 9(2)(a) of the GDPR, and where there is no other legal ground for the processing;
• the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
• the personal data have been unlawfully processed;
• the personal data have to be erased for compliance with a legal obligation in EU or Member State law to which the controller is subject; or
• the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR."
2022
Reference :
EU/GDPR Data protection overview | DataGuidance
Updated DataGuidance reports
Extracts :
Extract :
Filled on the basis of extract IDs 1381/1373 which apply to FRA/GER (and therefore the GDPR).
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Filled on the basis of extract ID 5706/5704 (for FRA/DEU) which should apply for the GDPR.
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
There is no explicit information on data localization in the GDPR.
2016
Reference :
General Data Protection Regulation
GDPR articles and chapters
Link to reference Extracts :
Extract :
Data entered based on reference.
2022
Reference :
International Data transfer Agreements | DataGuidance
Comparison of international data transfer agreements
Extracts :
Extract :
Data entered based on reference.
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
There is no explicit information on data localization in the GDPR.
2016
Reference :
General Data Protection Regulation
GDPR articles and chapters
Link to reference Extracts :
Extract :
Data entered based on reference.
2022
Reference :
International Data transfer Agreements | DataGuidance
Comparison of international data transfer agreements
Extracts :
Extract :
There is no explicit information on data localization in the GDPR.
2016
Reference :
General Data Protection Regulation
GDPR articles and chapters
Link to reference Extracts :
Extract :
"Article 36(1): The controller shall consult the supervisory authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk. [Article 36 goes on to detail requirements related to such prior consultation]. "
2016
Reference :
General Data Protection Regulation
GDPR articles and chapters
Link to reference Extracts :
Extract :
Article 57 of the Act provides that the controller shall appoint a data protection officer ('DPO') under the conditions of Chapter IV, Section 4 of the GDPR. Article 103 of the Act also provides for the mandatory appointment of a DPO but only for competent authorities (i.e., public authority or any other body or entity entrusted with the exercise or prerogatives of public authority, such as the judicial authority, the police and repressive authorities) for the purposes of prevention, investigation, prosecution of criminal offences or the enforcement of criminal convictions, when acting as controllers.
2016
Reference :
General Data Protection Regulation
GDPR articles and chapters
Link to reference Extracts :
Extract :
"Article 37(5): The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39. "
2016
Reference :
General Data Protection Regulation
GDPR articles and chapters
Link to reference Extracts :
Extract :
"Article 39(1): The data protection officer shall have at least the following tasks: (a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions; (b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits; (c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35; (d) to cooperate with the supervisory authority; and (e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter. "
2016
Reference :
General Data Protection Regulation
GDPR articles and chapters
Link to reference Extracts :
Extract :
"Article 37(2): A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment. "
2016
Reference :
General Data Protection Regulation
GDPR articles and chapters
Link to reference Extracts :
Extract :
Filled on the basis of extract ID 5500/5501 etc. (GDPR)
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
"If a DPO is appointed, then data subjects may contact the DPO with regard to the processing of their personal data as well as the exercising of their rights. "
2016
Reference :
General Data Protection Regulation
GDPR articles and chapters
Link to reference Extracts :
Extract :
"Article 34(3): The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met: (a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption; (b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise; (c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner. "
2016
Reference :
General Data Protection Regulation
GDPR articles and chapters
Link to reference Extracts :
Extract :
"If an organization is collecting information from an individual directly, it must include the following information in its privacy notice:
The identity and contact details of the organization, its representative, and its Data Protection Officer
The purpose for the organization to process an individual's personal data and its legal basis
The legitimate interests of the organization (or third party, where applicable)
Any recipient or categories of recipients of an individual's data
The details regarding any transfer of personal data to a third country and the safeguards taken
The retention period or criteria used to determine the retention period of the data
The existence of each data subject's rights
The right to withdraw consent at any time (where relevant)
The right to lodge a complaint with a supervisory authority
Whether the provision of personal data is part of a statutory or contractual requirement or obligation and the possible consequences of failing to provide the personal data
The existence of an automated decision-making system, including profiling, and information about how this system has been set up, the significance, and the consequences
If an organization obtains your data indirectly (via another organization) its privacy notice must provide all the same information, except for:
Whether the provision of personal data is part of a statutory or contractual requirement or obligation and the possible consequences of failing to provide the personal data
And instead must add:
The categories of personal data obtained"
Reference :
Writing a GDPR-compliant privacy notice
Information on GDPR subject privacy notice requirements
Link to reference Extracts :
Extract :
Data entered based on reference.
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
"Article 30(5): The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10."
2016
Reference :
General Data Protection Regulation
GDPR articles and chapters
Link to reference Extracts :
Extract :
Data entered based on reference.
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference

| Name | Short name | Classification | Jurisdiction | Year of creation |
|---|---|---|---|---|

| Legal text name | Original text name | Legislation type | Year signed | Regulation status | In effect since | Latest update initiated | Latest update areas | Latest update signed year |
|---|---|---|---|---|---|---|---|---|
| General Data Protection Regulation (GDPR) | Data Protection Directive | General privacy/data protection law | 1995 | Active | 1995 | 2016 | | 2018 |