(Data Protection News & Services)
Under the General Data Protection Regulation (GDPR), controllers mustnotify:
the competent authority of any personal data breach likely to result in a risk to the right and freedoms of the data subjects;
the individuals concerned of any personal data breach likely to result in a high risk to their rights and freedoms.
It is therefore important for a controller to understand what a personal data breach is and to be ready to react promptly and appropriately when it happens.
Under the European General Data Protection Regulation (GDPR), organisations processing personal data must maintain a record of their processing activities (ROPA) unless an exemption applies.
However, the type of information to maintain in this record differs depending on whether the organisations act as a controller or as a processor with regard to a specific processing activity.
Besides, some of the processing activities recorded may also be subject to a data protection impact assessment (DPIA), which requires additional information (see here).
Under the General Gata Protection Regulation (GDPR), controllers must now now:
Keep a record of their processing activities (see here for more details); and
Carry out a Data Protection Impact Assessment (DPIA) where the data processing is likely to result in a high risk to the rights and freedoms of the data subjects.
A DPIA is a process designed to describe the processing, assess its necessity and proportionality and manage the risks to the individuals’ rights and freedoms resulting from thereof.
Under the European General Data Protection Regulation (GDPR), consent is one of the legal bases upon which controllers may rely to process personal data.
The GDPR defines a valid consent as a freely given, specific, informed and unambiguous indications of the individual’s wishes and restrictions apply to online services provided to children.
Under the European General Data Protection Regulation (GDPR), controllers (company or public authority using personal data for their purposes) are subject to new and/or more specific obligations than under the previous legislation (i.e. directive 95/46/EC).
Data controllers’ obligations under the GDPR are set out below.