The content of this website is classified into the following categories / topics:

Legal Framework
After a long consultation, on 25 January 2012 the Commission published the first draft of the proposal for a Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
The ordinary legislative procedure is still pending: the Regulation is currently being negotiated in the second reading by Parliament and Council, and a common position on the final text is expected before the middle of 2016.
After publication in the Official Journal of the European Union, a two-year transitional period will apply pursuant to art. 91 of the Regulation. At the end of this period the Regulation will be directly applicable in every EU Member State, without requiring implementation through national law.
In this category you will find news and information about the road map of the legislative procedure.

Roles and Liability
In essence, the main subjects remain the Controller and the Processor, together with the Data Subject, but a new figure appears alongside Controller and Processor: the Data Protection Officer (see the dedicated category), acting as expert counsel on data protection issues.
Pursuant to art. 77 of the Regulation, any person who has suffered damage as a result of an unlawful processing operation or of an action incompatible with the Regulation has the right to receive compensation from the Controller or the Processor for the damage suffered. Where more than one Controller or Processor is involved in the processing, each of them is jointly and severally liable for the entire amount of the damage.
Here we discuss the relationships between these subjects, their roles and the consequences of their liability.

Data Protection Officer
In the cases specified by the Regulation, the Controller is required to appoint a Data Protection Officer (DPO), chosen on the basis of professional qualities, in-depth knowledge of data protection law and practices, and the type of processing operations carried out and the protection required for the personal data processed. The DPO is a key role in the pyramid of data protection actors.
This topic covers all aspects related to the DPO: for example, the professional characteristics of the DPO, how to recruit a good DPO, how the DPO should organise his or her work, where the roles of the DPO and the CISO intersect, and so on.

Impact, Risk and Measures
The Regulation treats the Privacy Impact Assessment as the first step of a company's security strategy: the assessment drives the analysis of the risks related to the processing of personal data and the choice of the security measures adopted to protect that information.
Rather than prescribing specific security measures, the Regulation requires the Controller to implement organisational and technical processes to identify, reduce and mitigate the risks threatening personal information.
In this section you will find organisational and technical actions appropriate to the specific processing activity, assessed taking into account also the costs of implementation.

Data Breach
The Regulation requires the Controller to notify a personal data breach to the supervisory authority without undue delay and, when the breach is likely to adversely affect the protection of the personal data, the privacy, the rights or the legitimate interests of the data subject, to communicate the breach to the data subject as well.
This topic covers all aspects related to data breaches, such as how to define a sound organisational process for managing a breach, how to estimate the brand and reputation damage when an incident is disclosed, which contractual clauses to include in contracts with vendors, and how to manage communication about the response to a breach on social networks.

Privacy by Design
The Regulation introduces the concept of "privacy by design". Pursuant to art. 23 of the Regulation, the Controller shall implement appropriate technical and organisational measures and procedures in such a way that the processing meets the requirements of the Regulation and ensures the protection of the rights of the data subject.
This principle is already implicit in the current Directive (95/46/EC), but it is now introduced as a specific, stand-alone concept, so it is essential to discuss the new approach that every internal workflow will have to adopt in order to comply with the principles of the Regulation.

Sanctions
Pursuant to art. 78, the Regulation requires every Member State to lay down rules on the penalties applicable to infringements of the Regulation.
In addition, pursuant to art. 79, supervisory authorities shall impose administrative fines graded according to the specific unlawful action committed, ranging from up to 250,000 EUR or 0.5% of the annual worldwide turnover of an enterprise to up to 1,000,000 EUR or 2% of the annual worldwide turnover of an enterprise.
In this context it is important to discuss how penalties and fines will be enforced in each Member State.

Codes of Conduct and Certification
Articles 40, 41, 42 and 43 define the soft-law tools available to make the compliance process easier; this category collects the posts dedicated to these issues.

Open Forum
Any other topic that does not fall within Legal Framework, Roles and Liability, Data Protection Officer, Impact, Risk and Measures, Data Breach, Privacy by Design, Sanctions, or Codes of Conduct and Certification belongs in this category.