Section | Start page | (Pages)
1 Introduction and 'Checklist' | 1 | (8)
1.1 Legislative Purpose and Previous Legal Provisions | 1 | (2)
1.1.1 The Data Protection Directive | 1 | (1)
1.1.2 The General Data Protection Regulation | 2 | (1)
1.2 Checklist: Most Important Data Protection Obligations | 3 | (6)
1.2.1 Organisational Requirements | 3 | (2)
1.2.2 Lawfulness of the Processing Activities | 5 | (2)
 | 7 | (2)
2 Scope of Application of the GDPR | 9 | (22)
2.1 In Which Case Does the Regulation Apply? | 9 | (8)
 | 9 | (2)
 | 11 | (5)
2.1.3 Exemptions from the Scope of Application | 16 | (1)
2.2 To Whom Does the Regulation Apply? | 17 | (4)
 | 17 | (3)
 | 20 | (1)
2.2.3 Beneficiaries of Protection Under the GDPR | 20 | (1)
2.3 Where Does the Regulation Apply? | 21 | (10)
2.3.1 Data Processing in the Context of the Activities of an EU Establishment | 22 | (4)
2.3.2 Processing of Personal Data of Data Subjects in the EU | 26 | (3)
 | 29 | (2)
3 Organisational Requirements | 31 | (56)
 | 31 | (2)
 | 33 | (5)
3.2.1 Responsibility, Liability and General Obligations of the Controller | 33 | (1)
3.2.2 The Allocation of Responsibility Between Joint Controllers | 34 | (3)
3.2.3 Cooperation with Supervisory Authorities | 37 | (1)
3.3 Technical and Organisational Measures | 38 | (6)
3.3.1 Appropriate Data Protection Level | 38 | (1)
3.3.2 Minimum Requirements | 39 | (1)
3.3.3 Risk-Based Approach Towards Data Security | 40 | (2)
 | 42 | (2)
3.4 Records of Processing Activities | 44 | (3)
3.4.1 Content and Purpose of the Records | 44 | (1)
3.4.2 Exemption from the Obligation to Maintain Records | 45 | (2)
3.5 Data Protection Impact Assessment | 47 | (6)
3.5.1 Affected Types of Data Processing | 47 | (2)
3.5.2 Scope of the Assessment | 49 | (4)
3.6 Data Protection Officer | 53 | (9)
3.6.1 Designation Obligation | 53 | (3)
3.6.2 Aspects Regarding the Designation of the Data Protection Officer | 56 | (2)
 | 58 | (2)
 | 60 | (2)
3.7 Privacy by Design and Privacy by Default | 62 | (3)
3.8 Personal Data Breaches | 65 | (6)
3.8.1 Personal Data Breach | 65 | (1)
3.8.2 Notification to the Supervisory Authority | 65 | (4)
3.8.3 Communication to the Data Subjects | 69 | (2)
3.9 Codes of Conduct, Certifications, Seals, Etc. | 71 | (9)
3.9.1 Relationship Between Codes of Conduct and Certifications | 71 | (1)
 | 72 | (5)
3.9.3 Certifications, Seals, Marks | 77 | (3)
 | 80 | (7)
3.10.1 Privileged Position of the Processor | 80 | (1)
3.10.2 Obligation of the Controller When Choosing a Processor | 81 | (2)
3.10.3 Obligations of the Processor | 83 | (1)
3.10.4 Designation of a Sub-Processor | 84 | (1)
 | 84 | (3)
 | 87 | (54)
 | 87 | (5)
4.1.1 Lawfulness, Fairness and Transparency | 88 | (1)
 | 88 | (2)
 | 90 | (1)
 | 91 | (1)
 | 92 | (1)
4.1.6 Integrity and Confidentiality | 92 | (1)
4.2 Legal Justifications for Data Processing | 92 | (24)
4.2.1 Processing Based on Consent | 93 | (7)
4.2.2 Processing Based on a Legal Permission | 100 | (10)
4.2.3 Processing of Special Categories of Personal Data | 110 | (6)
4.3 Data Transfers to Third Countries | 116 | (19)
4.3.1 Safe Third Countries | 117 | (1)
 | 118 | (1)
4.3.3 Standard Contractual Clauses | 119 | (3)
4.3.4 EU–U.S. Privacy Shield | 122 | (3)
4.3.5 Binding Corporate Rules | 125 | (4)
4.3.6 Codes of Conduct, Certifications, Etc. | 129 | (1)
4.3.7 Derogations for Specific Situations | 130 | (3)
4.3.8 Appointment of a Representative by Non-EU Entities | 133 | (2)
4.4 Limited Privilege for Intra-Group Processing Activities | 135 | (6)
4.4.1 Separate Data Protection Responsibility of Each Group Member | 136 | (1)
4.4.2 Facilitations Regarding Material Requirements | 137 | (1)
4.4.3 Facilitation Regarding Organisational Requirements | 138 | (1)
 | 138 | (3)
5 Rights of Data Subjects | 141 | (48)
5.1 Transparency and Modalities | 141 | (2)
5.1.1 The Manner of Communicating with the Data Subject | 142 | (1)
5.1.2 The Form of Communication | 143 | (1)
5.2 Information Obligation of the Controller Prior to Processing | 143 | (4)
5.2.1 Time of Information | 144 | (1)
5.2.2 Collection of the Data from the Data Subject | 144 | (2)
5.2.3 Obtainment of the Data from Another Source | 146 | (1)
5.2.4 Practical Implications | 147 | (1)
5.3 Response to Data Subjects' Requests | 147 | (3)
 | 147 | (2)
 | 149 | (1)
5.3.3 Information in Case of Inaction | 149 | (1)
5.3.4 Verification of the Data Subject's Identity | 150 | (1)
 | 150 | (4)
5.4.1 Scope of the Right to Access | 150 | (2)
5.4.2 Provision of Access to the Personal Data | 152 | (1)
5.4.3 Practical Implications | 153 | (1)
5.5 Rights to Erasure, Rectification and Restriction | 154 | (14)
5.5.1 Right to Rectification | 154 | (2)
 | 156 | (8)
5.5.3 Right to Restriction of Processing | 164 | (3)
5.5.4 Notification of Third Parties Regarding the Rights to Erasure, Rectification and Restriction, Art. 19 | 167 | (1)
5.6 Right to Data Portability | 168 | (8)
5.6.1 Scope and Exercise of the Right to Data Portability | 169 | (5)
5.6.2 Technical Specifications | 174 | (1)
5.6.3 Transmission of the Data | 174 | (1)
5.6.4 Relation to the Right to Erasure | 175 | (1)
5.6.5 Exclusion of the Right to Data Portability | 175 | (1)
 | 176 | (4)
5.7.1 Grounds for an Objection to Processing | 177 | (2)
5.7.2 Exercise of the Right and Legal Consequences | 179 | (1)
5.7.3 Information Obligation | 180 | (1)
5.8 Automated Decision-Making | 180 | (4)
5.8.1 Scope of Application of the Prohibition | 181 | (2)
5.8.2 Exceptions from the Prohibition | 183 | (1)
5.8.3 Appropriate Safeguards | 184 | (1)
5.9 Restrictions of the Data Subjects' Rights | 184 | (5)
 | 185 | (4)
6 Interaction with the Supervisory Authorities | 189 | (12)
6.1 Determination of the Competent Supervisory Authority | 189 | (2)
6.2 One-Stop-Shop Mechanism | 191 | (1)
6.3 Determination of the Competent Lead Supervisory Authority | 192 | (5)
6.3.1 Determination Based on an Entity's Main Establishment | 192 | (3)
6.3.2 Determination in the Absence of an EU Establishment | 195 | (1)
6.3.3 Exception: Local Competences | 195 | (2)
6.4 Cooperation and Consistency Mechanism | 197 | (4)
6.4.1 European Data Protection Board | 197 | (1)
6.4.2 Cooperation Mechanism | 198 | (1)
6.4.3 Consistency Mechanism | 198 | (1)
 | 199 | (2)
7 Enforcement and Fines Under the GDPR | 201 | (18)
7.1 Tasks and Investigative Powers of the Supervisory Authorities | 201 | (3)
7.1.1 Greater Consistency of Investigative Powers Throughout the EU | 202 | (1)
7.1.2 Scope of Investigative Powers | 202 | (2)
7.1.3 Exercise of the Powers | 204 | (1)
 | 204 | (4)
7.2.1 Right to Claim Compensation | 205 | (2)
 | 207 | (1)
7.2.3 Exemption from Liability | 208 | (1)
7.3 Administrative Sanctions and Fines | 208 | (6)
7.3.1 Corrective Powers of the Supervisory Authorities | 209 | (1)
7.3.2 Grounds for and Amounts of Administrative Fines | 210 | (1)
7.3.3 Imposition of Fines, Including Mitigating Factors | 211 | (1)
7.3.4 Sanctioning of Groups of Undertakings | 212 | (1)
7.3.5 Practical Implications | 213 | (1)
 | 214 | (5)
7.4.1 Remedies Available to Data Processing Entities | 214 | (1)
7.4.2 Remedies Available to Data Subjects | 215 | (1)
 | 216 | (3)
 | 219 | (16)
8.1 Various Opening Clauses | 219 | (5)
8.1.1 Opening Clauses Included in General Provisions of the GDPR | 219 | (4)
8.1.2 EU Member State Competence for Specific Processing Situations | 223 | (1)
8.2 Employee Data Protection | 224 | (6)
 | 225 | (1)
8.2.2 Co-determination Bodies Provided for in Selected EU Member States | 226 | (4)
8.3 Telemedia Data Protection | 230 | (5)
 | 232 | (3)
9 Special Data Processing Activities | 235 | (10)
 | 235 | (3)
9.1.1 Applicability of the GDPR | 236 | (1)
 | 237 | (1)
9.1.3 Safeguarding the Basic Principles of Lawful Processing | 237 | (1)
 | 238 | (2)
9.2.1 Allocation of Responsibilities | 239 | (1)
9.2.2 Choosing a Suitable Cloud Service Provider | 239 | (1)
9.2.3 Third-Country Cloud Service Providers | 240 | (1)
 | 240 | (5)
9.3.1 Legal Basis for Processing in the IoT | 241 | (1)
9.3.2 Privacy by Design and Privacy by Default | 242 | (1)
 | 242 | (3)
10 Practical Implementation of the Requirements Under the GDPR | 245 | (6)
10.1 Step 1: 'Gap' Analysis | 246 | (1)
10.2 Step 2: Risk Analysis | 246 | (1)
10.3 Step 3: Project Steering and Resource/Budget Planning | 247 | (1)
10.4 Step 4: Implementation | 247 | (2)
10.5 Step 5: National Add-On Requirements | 249 | (2)
 | 249 | (2)
Annex I Juxtaposition of the Provisions and Respective Recitals of the GDPR | 251 | (130)
Index | 381 |