Data Protection Kick-Off

Data Protection is a legal requirement for every business and organisation which must be able to demonstrate measures have been taken to ensure confidentiality and the safe handling of information. This is a legal duty on all sectors who collect and store any kind of information.

This document introduces basic terminology for understanding the General Data Protection Regulation.

Motivation: GDPR is Approaching

What is GDPR and DS-GVO?

GDPR and DS-GVO stands for: 

  1. English: GDPR (General Data Protection Regulation)
  2. German: DS-GVO  (Datenschutz-Grundverordnung)

It is a regulation - a legal act of the European Union that becomes immediately enforceable as law in member states

What fundamental rights are addressed by GDPR?

GDPR protects the  fundamental rights of a natural person regarding:

  • processing
  • movement 

of their personal data : Article 1 (1)

What is Personal Data?

Personal data is:

 any information relating to an identifiable natural person such as:

  •  name, 
  •  ID number,
  •  location data, 
  • an online identifier;
  • factors specific to the physical, physiological, genetic, mental, economic,cultural or social identity

What  Data Protection Goals are addressed by GDPR?

Allocation of the articles of the GDPR to the Protection Goals

The protection goals Integrity, Availability, Confidentiality, Transparency and Data Minimisation can be found in numerous Articles in the GDPR.The following tables provide an overview of the Articles an and Sections where the protection goals may be found

  • Availability
    ability to restore access to personal data in a timely manner in the event of a physical or technical incident;
  • Integrity
    protection against unauthorized modifications and deletions
  • Confidentiality
    protection against unauthorized and unlawful access
  • Unlinkability / Minimization
    adequate, relevant and limited to what is necessary in relation to the purposes for which data are processed Article 5 (1c)
  • Transparency
    requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used. Recital 58
  • Intervenability
    ensures the data subject's rights to rectification, blocking, erasure, and objection

What date does GDPR take effect?

GDP will start to apply

on  25.5.2018 (Art. 99).3

GDPR Article 4: Definitions

GDPR Roles

  • Controller
    determines the purposes and means for processing personal data
  • Processor
    processes personal data on behalf of the controller
  • Recipient
    entity to whom personal data are disclosed,
  • Third Party
    under the direct authority of the controller or processor,and authorised to process personal data
  • Data Protection Officer
    Designated person with expert knowledge of data protection law and practices

What GDPR Role is the The Data Works

Processor-Controller Aggreement

how we handle personal data is based on terms defined by Controller

  • Controller
  • Third Party
  • Processor
  • None

What does Processing mean?

  • collection
  • recording,
  • organisation,
  • structuring
  • storage
  • adaptation or alteration
  • retrieval
  • consultation
  • use
  • disclosure by transmission
  • alignment or combination
  • restriction
  • erasure or destruction

What is Profiling

Profiling Means :

any form of automated processing of personal data   to evaluate certain personal aspects of  a natural person,

  •  predict aspects of  that natural person's performance :
  • at work, 
  • economic situation,
  • health,
  •  personal preferences,
  •  interests, reliability
  • behavior,
  • location or movements;

GDPR Articles 12-23: Rights of Data Subject:

What are the rights of the Data Subject

GDPR Article 5: Principles relating to processing of Personal Data

What Principles Must be followed for processing of personal data?

Personal Data Shall Be : Article 5

  1. processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;  (‘purpose limitation’);
  3. adequate, relevant and limited to what is necessary in relation to the purposes (‘data minimisation’);
  4. accurate and, where necessary, kept up to date; 
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; limitation’);
  6. processed in a manner that ensures appropriate security of the personal data, (‘integrity and confidentiality’).