The European Regulation no. 679/2016 on the protection of personal data, known as the GDPR (General Data Protection Regulation), entered into force on 24 May 2016 and became applicable on 25 May 2018 (the compliance deadline), repealing Directive 95/46/EC. The new regulatory framework provides for greater protection in the processing of personal data, more demanding requirements and heavier sanctions. The processing of personal data is placed at the centre of corporate organisation, and new professional roles are created in this area.
The General Data Protection Regulation imposes on all companies and professionals operating in EU member states a series of highly significant innovations regarding the processing of personal data. Personal data means any information relating to an identified or identifiable natural person; an e-mail address, identity details or a mobile phone number provided by a person are therefore, for example, personal data.
The GDPR introduces changes compared to the previous legislation, such as:
1 ▪ RESPONSIBILITY OF THE DATA CONTROLLER (ACCOUNTABILITY):
The person who determines the purposes and means of the processing of personal data is called the “data controller” and may be a natural or legal person, a public authority or another body. The controller is responsible for implementing all technical and organisational measures suitable to ensure that processing is carried out in compliance with the Regulation, and must be able to demonstrate that such measures have actually been adopted. To this end, the controller must respect the following principles:
- Principle of privacy by design: data processing must provide the essential safeguards from the outset to protect the rights and freedoms of the persons involved;
- Principle of privacy by default: adequate technical and organisational measures must be implemented to ensure that only the personal data necessary for the specific purpose of the processing are processed.
2 ▪ LAWFULNESS OF THE PROCESSING:
The Regulation pays particular attention to the principles of lawfulness, fairness and transparency. The legal bases for processing are:
- the explicit consent of the data subject;
- the performance of contractual obligations;
- compliance with legal obligations to which the data controller is subject;
- the protection of the vital interests of a natural person;
- the public interest or the exercise of official authority;
- the pursuit of a legitimate interest of the data controller or of third parties to whom the data are communicated.
Tacit or presumed consent is no longer permitted. The data controller must always be able to demonstrate that the data subject has given consent to the processing of their data.
3 ▪ INFORMATION TO DATA SUBJECTS:
The information must be provided to the data subject before the data are collected. The controller must provide the data subject with an extensive set of information, listed exhaustively in Articles 13 and 14 of the Regulation. This information must always be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
4 ▪ THE RIGHTS OF DATA SUBJECTS AND HOW THEY ARE EXERCISED:
The GDPR grants data subjects five fundamental rights:
- Right of access: the right of the data subject to request and obtain from the controller information on the processing of their personal data;
- Right to be forgotten: the right of the data subject to have their personal data erased;
- Right of rectification: the right of the data subject to request that the data concerning them be modified, rectified or updated;
- Right to restriction: the right of the data subject to request that the controller limit the processing of their data to storage only;
- Right to data portability: the right of the data subject to receive from the controller a copy of the personal data being processed in a structured, commonly used and machine-readable format.
The data subject is the natural person to whom the personal data refer (for example a customer who is a natural person, a corporate customer or an employee). It should be stressed that the controller is required to facilitate the exercise of the data subject’s rights. When a data subject submits a request to the controller, the response period for all rights is 1 month, extendable by 3 months in cases of particular complexity.
5 ▪ PRIVACY IMPACT ASSESSMENT:
“Impact assessment” means the analysis of the origin, nature and severity of the risk to the right to data protection. Only at the end of this assessment can the controller decide whether to proceed with the processing under the measures it has prepared. If the controller deems it necessary, it may consult the supervisory authority on the management of residual risk.
6 ▪ DATA PROTECTION OFFICER:
The Regulation introduces the figure of the Data Protection Officer (DPO), who is entrusted with important data protection tasks, first of all that of monitoring compliance with the Regulation. The DPO must have expert knowledge of data protection law and practice and the skills needed to carry out the tasks entrusted to them. Appointment of a DPO is mandatory:
- when the processing is carried out by a public authority or public body (except for judicial authorities acting in their judicial capacity);
- where the processing, by its nature, scope and/or purposes, requires regular and systematic monitoring of data subjects on a large scale;
- when the core activities of the controller or processor consist of large-scale processing of special categories of personal data (sensitive data) or of data relating to criminal convictions.
7 ▪ DATA PROCESSOR:
The data controller may designate a data processor, who processes personal data on the controller’s behalf. The processor must provide sufficient guarantees to implement adequate technical and organisational measures so as to protect the rights of the data subject. The processing must be entrusted to the processor by a written contract that strictly governs the matters set out in the Regulation.
8 ▪ NOTIFICATION OF PERSONAL DATA BREACHES:
In the event of a personal data breach, the data controller must notify the breach to the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
9 ▪ REGISTER OF PROCESSING ACTIVITIES:
The controller must keep a register of processing activities. Although the GDPR exempts organisations with fewer than 250 employees from this obligation (only where their processing is not likely to result in a risk to the rights and freedoms of data subjects), the national Data Protection Authority (the “Privacy Guarantor”) strongly recommends that all organisations processing personal data keep one, as it is a fundamental tool for maintaining an up-to-date list of all processing carried out.
To adapt to the new European Regulation, the following operating approach is envisaged:
• PRIVACY ASSESSMENT: a new mapping of processing activities and roles in order to plan the implementation of a structured Privacy Governance System capable of raising the level of data protection and awareness of processing, with particular attention to:
▫ identification of databases;
▫ vulnerability and criticality of the processing carried out;
▫ internal procedures and policies;
▫ management and regulation of processing;
▫ management and discipline of employees;
▫ system documentation;
▫ analysis of the information system and of the security measures implemented under the legal provisions, aimed at a gap analysis that highlights deviations from a compliant implementation of the new Regulation.
- Evaluation and definition of how the “Privacy by Default and Privacy by Design” principles on which the new Regulation is based are applied;
- Risk assessment for the processing carried out;
- Identification, planning and application of minimum physical and logical security measures for data protection;
- Drafting of system documentation (register of processing activities, internal and external processing appointments, technical appointments and privacy notices, etc.);
- Definition and implementation of “Data Breach” activities, including the definition of the alerting system;
- Training of the staff in charge of processing;
- Appointment of the DPO (where required).
The Regulation provides only for administrative sanctions, which must be effective, proportionate and dissuasive in each individual case. Two types of sanction are distinguished according to the type of violation:
- administrative fines of up to 10,000,000 euros or, for undertakings, up to 2% of the total worldwide annual turnover of the preceding year, whichever is higher (e.g. where adequate data security measures are not implemented);
- administrative fines of up to 20,000,000 euros or, for undertakings, up to 4% of the total worldwide annual turnover of the preceding year, whichever is higher (e.g. for violation of the basic principles of processing, including the conditions for consent).
Individual national laws may provide for criminal sanctions.
NOTE ON THE PROCESSING OF PERSONAL DATA AND THEIR DELETION:
When browsing the website www.ashandtor.com, the user is informed that personal data are processed, for the purposes indicated in the website’s privacy policy, only with their prior explicit consent. This means that if the user does not click the “OK” button in the information banner, no personal data are retained by ashandtor.com.
The user can also customise and manage their consent by clicking on the various items in the banner, and can withdraw their browsing preferences at any time.