- Incident Response / Notification: According to Article 31 "Notification of
a personal data breach to the supervisory authority", the controller has to
notify the personal data breach to the supervisory authority without undue
delay and, where feasible, within 24 hours after becoming aware of it. The
processor has to alert and inform the controller immediately after the
establishment of a personal data breach. According to Article 32 "Communication
of a personal data breach to the data subject", the controller has to notify
the data subjects without undue delay after informing the supervisory
authority.
- Sanctions: A breach could result in a fine of up to 1.000.000 EUR or, in the
case of an enterprise, up to 2% of its annual worldwide turnover. The fines
will be imposed by the supervisory authority.
Data / Vendor Lock-in: According to Article 18 "Right to data portability", a
data subject has the right to obtain from the controller a copy of data that is
undergoing processing, in an electronic and structured format which is commonly
used. That means that if a controller chooses a provider, the controller remains
responsible for the provision of that data; this should be stated within the
contract.
Data Lifecycle: According to Article 17 "Right to be forgotten and to erasure",
a data subject has the right to obtain from the controller the erasure of personal
data relating to them. Further, the controller has to implement mechanisms to
ensure that the time limits established for the erasure of personal data, or for a
periodic review of the need for the storage of the data, are observed.
Data Location / International Transfer: The transfer of personal data to third
countries or international organizations is set out in chapter five of the EU
data protection regulation. A controller has to consider the following points:
- According to Article 40 "General principle for transfers", any transfer of
personal data to a third country or to an international organization is only
permitted if the controller and the processor comply with the conditions of
the proposed regulation.
- According to Article 41 "Transfers with an adequacy decision", if the
commission states that the third country, territory or international
organization has an adequate level of protection, the transfer may take place.
To this end, the commission publishes in the "Official Journal of the European
Union" a list of those countries, territories and international organizations
with an adequate level of protection and a list of those which do not have an
adequate level of protection.
- Article 42 "Transfer by way of appropriate safeguards" discusses the
scenario in which the commission has taken no decision. In that case the
controller or processor has to adduce appropriate safeguards in a legally
binding instrument. These safeguards can be provided by