Cover of book: New European General Data Protection Regulation
Buy in shop
, to see if you have full access to this publication.
Comment Partial access

New European General Data Protection Regulation

A Practitioner's Guide
Authors:
,
Publisher:
 30.11.2017

Summary

The European General Data Protection Regulation introduces a uniform data protection legislation which will apply directly in all European Members States and which will also have to be observed by numerous companies outside the EU who have business in the EU. The new Regulation will essentially replace the national data protection legislation in the member states which has applied to date. Companies have two years to adapt their business models and processes to the new requirements.

The handbook “The European General Data Protection Regulation and its Impact on Corporate Practice”clearly and concisely addresses the key changes resulting from the General Data Protection Regulation in English. The data protection requirements the Regulation places on typical business processes and rapidly spreading new technologies are explained using practically relevant examples.

The handbook therefore provides the ideal basis for legal counsels and all international companies affected by the Regulation to review their existing business processes and ensure that new processes and business models are in line with these new data protection requirements.

This practical business handbook focuses on the following issues which are relevant for any company affected by the new Regulation:

  • Scope and logic of the General Data Protection Regulation and remaining areas regulated at national level
  • Mandatory data protection impact assessment
  • Appointment of a data protection officer
  • Transfer of personal data to third countries
  • Cloud computing, outsourcing
  • Advertising and data protection
  • Profiling and big data analysis
  • Requirements placed on IT security
  • Information and reporting obligations
  • Data breach notifications
  • Rights of persons affected
  • Liability and sanctions for data protection breaches

Keywords

Bibliographic data

Publication year
2017
Publication date
30.11.2017
ISBN-Print
978-3-8487-3262-3
ISBN-Online
978-3-8452-7609-0
Publisher
Nomos, Baden-Baden
Series
Kooperationswerke Beck - Hart – Nomos
Language
German
Pages
291
Product type
Comment

Table of contents

ChapterPages
  1. Titelei/Inhaltsverzeichnis I - XXVIII Download chapter (PDF)
      1. 1. Key steps within the legislative procedure No access
        1. a) Harmonisation of the level of protection No access
        2. b) Adaption to the technical progress No access
        3. c) Strengthening the rights of data subjects No access
        4. d) Free movement of personal data No access
        5. e) One-Stop-Shop-Principle No access
          1. aa) Legislative power and legal basis for adopting the GDPR No access
          2. bb) Fundamental rights in context with data protection No access
        2. b) Direct Applicability No access
        1. a) Need for a uniform European interpretation No access
            1. (1) Actual wording of the GDPR No access
            2. (2) Statements of supervisory authorities No access
            3. (3) Statements issued by the European Data Protection Board and the Art. 29 Working Party No access
          2. bb) Other suitable sources for interpreting the GDPR No access
    2. II. Importance of the GDPR for companies No access
          1. aa) Definition of “Processing” No access
          2. bb) Processing by manual means No access
          1. aa) Limits of applicability resulting from the technical way of processing No access
          2. bb) Household exemption No access
        1. a) “Any information” suitable for potentially being personal data No access
        2. b) Relationship required between the information and the data subject No access
          1. aa) Identified natural person No access
            1. (1) Direct or indirect identifiability No access
            2. (2) Criteria for determining indirect identifiability No access
            3. (3) Decision of the European Court of Justice on IP addresses No access
        4. d) Anonymous and anonymised data No access
        5. e) Pseudonymisation No access
        6. f) Encrypted data No access
        1. a) Dead persons No access
          1. aa) No protection under the GDPR No access
          2. bb) Indirect protection and protection under national law No access
      4. 4. Consequences of inapplicability of the GDPR No access
        1. a) Determination of the responsible body – natural person, legal person or any other body No access
            1. (1) Determination by law No access
            2. (2) Determination by way of factual influence No access
          2. bb) “Purposes and means” of data processing No access
          3. cc) Determination of the “purposes”/“why” of processing No access
          4. dd) Determination of the “means”/“how” of processing No access
          1. aa) Requirements for joint control under the GDPR No access
            1. (1) No privilege for transferring personal data between joint controllers No access
            2. (2) Transparent allocation of responsibilities No access
            3. (3) Joint liability No access
          1. aa) No factual influence of the processor on determining the purposes and means of processing No access
          2. bb) Processor subject to the instructions of the data controller No access
          3. cc) Factual compliance with the instructions of the data controller No access
          1. aa) Mandate of the processor No access
          2. bb) Choice of the right processor – provision of sufficient guarantees by the processor No access
          3. cc) Processing contract No access
          4. dd) Necessary content of a processing contract No access
          1. aa) Appropriate technical and organisational measures No access
          2. bb) Data protection officer No access
          3. cc) Records of processing activities No access
        4. d) Lawfulness of a data transfer to a data processor No access
        5. e) Consequenceach of the contractual relationship for the processor No access
        6. f) How to handle former mandates No access
      3. 3. Micro, small and medium-sized enterprises No access
      1. 1. Companies with an establishment in the EU (GDPR, art. 3, para 1) No access
        1. a) Offering of goods or services to data subjects in the EU No access
        2. b) Monitoring the behaviour of subjects in the EU No access
      3. 3. Application by virtue of public international law (GDPR, art. 3, para 3) No access
      4. 4. Summary assessment on changed scope of application No access
      1. 1. Basic principle: direct application of the Regulation irrespective of many opening clauses No access
        1. a) Data processing in employment contexts, GDPR, art. 88 No access
        2. b) Designation of a data protection officer in cases other than GDPR, art. 37, para 1 No access
        3. c) Processing carried out in the public interest or in compliance with a legal obligation No access
        4. d) Automated decisions and profiling No access
        5. e) Joint controllers No access
        6. f) Further examples No access
      3. 3. Data protection for online and electronic communication services No access
      4. 4. Data protection at public bodies No access
          1. aa) General prohibition of processing personal data No access
          2. bb) Legitimate basis for processing personal data as an exception No access
        2. b) Notion of fairness No access
        3. c) Notion of transparency No access
        4. d) No principle of collecting personal data directly from the data subject No access
          1. aa) “Specified” purpose No access
          2. bb) “Explicit” purpose No access
          3. cc) “Legitimate” purpose No access
          1. aa) (In)compatibility test requirement No access
          2. bb) Notion of “further processing” and scope of compatibility test No access
            1. (1) Assumed compatibility of further use for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes No access
            2. (2) Explicit legal exceptions from compatibility test No access
            1. (1) No change of purpose No access
            2. (2) Change of purpose No access
            1. (1) Link between the purposes No access
            2. (2) Context in which the personal data have been collected No access
            3. (3) Nature of the personal data No access
            4. (4) Possible consequences of the intended further processing No access
            5. (5) Existence of appropriate safeguards No access
            1. (1) Consequences of incompatibility No access
            2. (2) Consequences of compatibility No access
          7. gg) Documentation of compatibility test No access
        1. a) Notion of “necessity” No access
        2. b) Anonymisation and pseudonymisation No access
        3. c) Concept of data protection by design and by default No access
        1. a) Notion of “accurate data” No access
        2. b) Updating of inaccurate data No access
        3. c) Erasure and rectification of inaccurate data No access
        1. a) Notion of “necessity” No access
        2. b) Exception for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes No access
        3. c) Erasure, restriction and anonymisation of personal data no longer necessary No access
        4. d) Processing which does not require identification No access
      6. 6. Integrity and confidentiality No access
        1. a) Notion of accountability No access
        2. b) Possibilities to demonstrate compliance No access
      1. 1. Relevance and importance of the different legal grounds of the GDPR for processing of personal data from a business perspective No access
          1. aa) Performance of a contract to which the data subject is party No access
          2. bb) Steps at the request of the data subject prior to entering into a contract No access
          1. aa) Sources for legal obligations No access
          2. bb) Quality of legal basis and additional national provisions No access
        3. c) Vital interests No access
          1. aa) Relevance for the private sector No access
          2. bb) Legal basis for public interests or official authority No access
          3. cc) Quality of legal basis and additional national provisions No access
          1. aa) Legitimate interests pursued by the controller or by a third party No access
          2. bb) Interests or fundamental rights and freedoms of the data subject No access
            1. (1) Assessment of nature and source of the legitimate interest No access
            2. (2) Assessment of impact on data subjects No access
            3. (3) Provisional balance No access
            4. (4) Assessment of additional safeguards and final balance No access
            5. (5) Documentation of balance test No access
            1. (1) Statement or clear affirmative action No access
            2. (2) Written or oral consent No access
            3. (3) Consent by electronic means No access
            4. (4) Implied consent No access
            5. (5) Limitation to processing of personal data of the data subject No access
            1. (1) Clear imbalance between controller and data subject No access
            2. (2) Horizontal and vertical restriction of interconnection No access
          3. cc) Specific No access
          4. dd) Informed No access
          5. ee) Unambiguous No access
        2. b) Consent in the context of a written declaration which also concerns other matters No access
            1. (1) Information society services No access
            2. (2) Direct offer to a child No access
            3. (3) Age thresholds No access
            4. (4) Age and authorisation verification mechanisms No access
          2. bb) Other consent of children and other data subjects lacking full legal capacity No access
        4. d) Ability to demonstrate consent No access
        5. e) Right to withdraw consent No access
        6. f) Need for adaption and obtaining renewed consent No access
        1. a) Additional requirement of a legal ground No access
        2. b) Explicit consent No access
        3. c) Statutory exceptions No access
        4. d) Further conditions pursuant to Member State law No access
      5. 5. Processing of personal data relating to criminal convictions and offences No access
      1. 1. Company as controller No access
        1. a) Definition No access
        2. b) Forms No access
          1. aa) Fulfilment of data subject’s rights No access
          2. bb) Fulfilment of obligations to inform pursuant to GDPR, art. 13 and 14 No access
        4. d) Formal requirements, GDPR, art. 26, para 2, sentence 2 No access
        5. e) Joint and several responsibility and liability vis-a-vis data subject No access
        6. f) Administrative fine No access
        1. a) Principle: no group privilege No access
        2. b) Group privilege via concept of joint controllers No access
        3. c) Affiliation as a reasonable interest within GDPR, art. 6, para 1, subpara f) and Recital 48 No access
      4. 4. Responsibility for GDPR-compliance No access
      5. 5. Controllers/processors not established in the European Union, GDPR, art. 27 No access
      6. 6. Records of processing activities, GDPR, art. 30 No access
        1. a) Data protection by design No access
        2. b) Data protection by default No access
        3. c) Possible measures and scope No access
        4. d) Administrative fine No access
        1. a) Risk evaluation No access
        2. b) Appropriate measures No access
        3. c) Control of subordinate natural persons No access
        4. d) Administrative fine No access
        1. a) In which cases Data Protection Impact Assessments are to be carried out? No access
        2. b) Minimum content of Data Protection Impact Assessments No access
        3. c) Prior Consultation, GDPR, art. 36 No access
        4. d) Administrative fines No access
      1. 1. Drafting codes of conduct (GDPR, art. 40, para 2) No access
      2. 2. Approval procedure No access
      3. 3. Monitoring of approved codes of conduct No access
      4. 4. Relevance for business entities No access
      1. 1. Purpose of certifications and seals (GDPR, art. 42, paras 1 and 4) No access
      2. 2. Voluntariness (GDPR, art. 42, para 3) No access
      3. 3. Certification bodies (GDPR, art. 42, para 5 and GDPR, art. 43) No access
      4. 4. Certification Proceeding, GDPR, art. 42, para 6 No access
      5. 5. Maximum term of certificate/seal, GDPR, art. 42, para 7 No access
      6. 6. Register for certifications, data protection seals and marks No access
      7. 7. Relevance of certifications or seals for companies No access
        1. a) Deadline for fulfilment of data subject’s rights: One month pursuant to GDPR, art. 12, para 3 No access
        2. b) Form requirements No access
        3. c) Right to determine identity of individual wishing to enforce their rights pursuant to GDPR, art. 12, para 6: Controller’s right to request a copy of the claimant’s passport No access
        4. d) Processing which does not require identification, GDPR, art. 11, para 2 and no right to refuse (GDPR, recital 57) No access
        5. e) Free of charge, GDPR, art. 12, para 5 No access
        6. f) Information on legal remedies available, GDPR, art. 12, para 4 No access
        7. g) Administrative fines No access
        1. a) Information duties No access
        2. b) Point in time No access
        3. c) Exceptions of the information duties No access
        4. d) Administrative fines No access
        1. a) Obligation to provide information, GDPR, art. 15, para 1 No access
        2. b) Right of access, GDPR, art. 15, para 3 No access
        3. c) Exceptions, GDPR, art. 15, para 4 No access
        4. d) Administrative fines No access
        1. a) Correction No access
        2. b) Completion No access
        1. a) Prerequisites for right to erasure pursuant to GDPR, art. 17, para 1 No access
        2. b) Exceptions, GDPR, art. 17, para 3 No access
        3. c) Right to be forgotten, GDPR, art. 17, para 2 and GDPR, art. 19 No access
        4. d) Administrative fines No access
      6. 6. Right to restriction of processing, GDPR, art. 18 No access
        1. a) Prerequisites No access
        2. b) Performance of data portability No access
        3. c) What means “portability”? No access
        4. d) Receiving data controller No access
        5. e) Exceptions, GDPR, art. 20, paras 3 and 4 No access
        6. f) Administrative fines No access
        1. a) Right to object to processing for direct marketing purposes No access
        2. b) Obligation to inform the data subject about his right to object No access
        3. c) Modalities to exercise the right to object No access
        4. d) Deadline for the controller to respond to an objection No access
        5. e) Right to object to processing personal data for scientific or historical research purposes or statistical purposes pursuant to GDPR, art. 89, para 1 No access
        6. f) Administrative fines No access
        1. a) Legal or similar significant effects No access
        2. b) Exceptions and examples No access
        3. c) Right to review No access
        4. d) Special categories of personal data No access
        5. e) Administrative fines No access
        1. a) Obligation of the controller to notification No access
        2. b) Minimum content and form No access
        3. c) Exceptions No access
        4. d) Administrative fines No access
        1. a) Concept of lead and concerned authority No access
        2. b) Cooperation between authorities No access
        3. c) Consistency mechanism GDPR, art. 63 No access
      2. 2. Duty to cooperate (GDPR, art. 31) No access
      3. 3. Data breach notification to the supervisory authorities (GDPR, art. 33) No access
        1. a) Tasks of the supervisory authorities No access
        2. b) Enforcement empowerments No access
        3. c) Administrative fines, GDPR, art. 83 No access
        1. a) Risk based approach, GDPR, art. 37, para 1 No access
        2. b) Criteria to appoint a DPO in GDPR, art. 37, para 1, subparas b) and c) No access
        3. c) Processing on a large scale No access
        4. d) Regular and systematic monitoring of the data subjects No access
        5. e) Special categories of personal data No access
        6. f) Data relating to criminal convictions and offences No access
        1. a) Controllers No access
        2. b) Processors No access
      3. 3. Infringement to appoint a DPO No access
      4. 4. Group privilege, GDPR, art. 37, para 2 No access
      5. 5. Internal/external, GDPR, art. 37, para 6 No access
      6. 6. Full or part time No access
      7. 7. Qualification, GDPR, art. 37, para 5 No access
      8. 8. Publication/communication contact details, GDPR, art. 37, para 7 No access
        1. a) Secrecy obligation No access
        2. b) No instructions, privileged status No access
        3. c) Information obligation No access
        4. d) Necessary resources No access
        5. e) Direct reporting line, GDPR, art. 38, para 3, third sentence No access
        6. f) Contact for data subjects No access
        1. a) Inform No access
        2. b) Monitor No access
        3. c) Advice No access
        4. d) Cooperate with authorities/contact point No access
          1. aa) Level 1 infringements No access
          2. bb) Level 2 infringements No access
          3. cc) Concept of “undertaking” No access
          4. dd) Further criteria No access
          1. aa) Ex officio proceedings No access
          2. bb) Administrative complaints (GDPR, art. 77 and 78) No access
          3. cc) Proceedings against data controllers and data processors (GDPR, art. 79) No access
          4. dd) Capacity to sue for non-profit bodies, organisations or associations mandated by the data subject (GDPR, art. 80) No access
        1. a) Concept of damage No access
        2. b) Relevant infringements No access
        3. c) Exemption No access
        4. d) Joint processing No access
      3. 3. Liability based on national laws No access
        1. a) Procedure of implementing an adequacy decision No access
        2. b) Adequacy decisions under Directive 95/46 No access
        3. c) Special case: United States (Safe Harbour/EU-U.S. Privacy Shield) No access
          1. aa) Binding Corporate Rules under Directive 95/46 No access
          2. bb) Procedure to implement Binding Corporate Rules No access
          1. aa) Standard Contractual-Clauses under Directive 95/46 No access
          2. bb) Implementation and use of Standard Data Protection Clauses No access
        3. c) Codes of conduct No access
        4. d) Certification No access
        5. e) Individual authorisation of contractual clauses No access
        1. a) Consent of the data subject No access
        2. b) Performance of a contract No access
        3. c) Interest of the data subject No access
        4. d) Public interest No access
          1. aa) Interpretation of derogation Directive 95/46, art. 26, para 1, subpara d) No access
          2. bb) Uniform Interpretation and framework under the GDPR No access
          3. cc) Transfers or disclosures not authorised by Union law No access
        6. f) Vital interests No access
        7. g) Public register No access
        8. h) Special justification No access
      1. 1. Controller or processor No access
        1. a) Selection of service provider and commissioning as processor No access
          1. aa) Standard data protection clauses No access
          2. bb) Binding Corporate Rules No access
          3. cc) Approved codes of conduct and approved certifications No access
          4. dd) Other measures No access
          5. ee) Derogations No access
          1. aa) Prior authorisation No access
          2. bb) Contract between processor and sub-processor No access
          3. cc) Liability No access
          1. aa) Processor and sub-processor in third countries No access
          2. bb) Processor in the EU and sub-processor in a third country No access
        1. a) Cloud computing rollout and service models No access
          1. aa) Roles and responsibilities of parties involved No access
          2. bb) Commissioning as data processing and sub-processing No access
          3. cc) Documentation and information obligations No access
        1. a) Genetic data No access
        2. b) Biometric data No access
        3. c) Data concerning health No access
        1. a) Explicit Consent No access
          1. aa) Employment, social security and social protection law No access
          2. bb) Vital interests No access
          3. cc) Foundation, association or any other not-for-profit body No access
          4. dd) Personal data manifestly made public No access
          5. ee) Legal claims No access
          6. ff) Substantial public interest No access
          7. gg) Processing for medical purposes No access
          8. hh) Public interest in the area of public health No access
          9. ii) Archiving purposes in the public interest, scientific or historical research purposes or statistical purposes No access
          10. jj) Limitations in Member State law No access
      3. 3. Additional protective measures No access
      1. 1. Definition of direct marketing No access
      2. 2. Direct Marketing in Directive 95/46 and the GDPR No access
        1. a) Directive 2002/58/EC (ePrivacy-Directive) No access
        2. b) Directive 2005/29/EC (Unfair Commercial Practices Directive) No access
          1. aa) GDPR No access
          2. bb) Directive 2002/58/EC (ePrivacy-Directive) No access
        2. b) Right to obtain erasure No access
        3. c) Principle of transparency No access
        4. d) Principle of purpose limitation No access
          1. aa) Freely given No access
          2. bb) Pre-formulated declaration of consent No access
          3. cc) Time limit No access
        2. b) Right to withdraw consent No access
        1. a) Contract or pre-contractual relations No access
        2. b) Advertising based on legitimate interests No access
          1. aa) Obligatory prior consent (opt-in) No access
          2. bb) Exceptions No access
          3. cc) Transparency and information No access
          1. aa) Automated calling No access
          2. bb) Direct marketing voice-to-voice calls No access
          3. cc) ePrivacy Regulation No access
        3. c) Postal advertising No access
        4. d) Sweepstake No access
        5. e) Tell-a-friend No access
        6. f) Address trading No access
      1. 1. Definition of profiling No access
        1. a) Data protection impact assessment No access
        2. b) Purpose limitation No access
        3. c) Data minimisation No access
        4. d) Obligation to inform No access
        5. e) Right to object No access
        6. f) Privacy by design and by default No access
        1. a) ePrivacy-Directive No access
        2. b) Consent to the use of cookies No access
        1. a) Statistical and aggregate data No access
          1. aa) Roles and responsibilities No access
          2. bb) Legal basis No access
          3. cc) Obligation to inform No access
          4. dd) Further obligations No access
        3. c) Customer Relationship Management No access
      1. 1. Web analytics No access
        1. a) Social media page No access
        2. b) Social plugins No access
      3. 3. Privacy policy No access
      4. 4. Right to be forgotten No access
        1. a) App developers No access
        2. b) App store operators No access
        3. c) OS and device manufactures No access
        1. a) Consent No access
        2. b) Processing necessary for performance of a contract No access
        3. c) Legitimate interests No access
      3. 3. Geolocation No access
      4. 4. Privacy Policy No access
  7. Index No access 287 - 291

Similar publications

from the topics "Law General, Comprehensive Works and Collections", "European Law & International Law & Comparative Law"
Cover of book: Wettbewerbs- und Kartellrecht
Educational Book No access
Wettbewerbs- und Kartellrecht
Cover of book: Sportmanagement
Edited Book No access
Praxishandbuch
Sportmanagement
Cover of book: Kartellschadensersatz bei Missbrauch einer beherrschenden Stellung auf den Postmärkten
Book Titles No access
Zum Einfluss der Postregulierung auf die parallele Durchsetzung kartellrechtlicher Schadensersatzansprüche
Kartellschadensersatz bei Missbrauch einer beherrschenden Stellung auf den Postmärkten
Cover of book: Die After-the-Event Insurance
Book Titles No access
Eine Untersuchung zur Entwicklung und rechtlichen Einordnung in England und Deutschland
Die After-the-Event Insurance
Cover of book: General Data Protection Regulation
Comment No access
Article-by-Article Commentary
General Data Protection Regulation

Notice

This work is protected by copyright and may only be used in accordance with the provisions of the Terms of Use and License Agreement. Any use of the work beyond this is expressly prohibited and will be prosecuted.

Give feedback

We welcome your feedback on content and features. Your message helps us to continuously improve our service.

Rating
Attach images
or drag and drop
PNG or JPG (max. 3 MB)

Welcome to Inlibra – Your Platform for Digital Professional Information

Nomos, C.H.Beck, VDI and over 100 other publishers combine their content here to create one of the largest platforms for digital professional information.

Research efficiently, cite long-term, use reliably – all united in one place.

Login

Forgotten your password?
Login via Open Athens
Don't have an account yet?
Register now

Cite publication

Download: RIS BibTex