JULY SOFT .NET BLOG

About GEYSIR ENTERPRISE SEARCH, .NET, TECHNOLOGY and MORE

General Data Protection Regulation (GDPR) - What You Should Know

General Data Protection Regulation (GDPR)

- What You Should Know - Opportunities and Risks for Your Company

Who is this for?

If you own or work for (in the IT/legal department) a small business or a multinational (group of companies) that processes or stores the personal data of EU citizens, regardless of whether your company or the processing of personal data is located in the EU or not, or if you are simply interested in knowing, as a person, your rights to the privacy of your personal data – we invite you to read on!

Issue

Personal data protection is a new legal regulation that your company must comply with. Otherwise, there is a risk of fines of up to 20 million EUR.

Solution

Know your GDPR obligations and invest in security, administration and data management tools that help you demonstrate that you comply with the GDPR rules. July Soft offers such tools as: Geysir Enterprise Search, Hekla DMS and/or Laki Extranet.

Context

Bear in mind that I am a technical IT person with extensive experience in the "big data" field, in automated data processing, data governance and management, without any legal training. This paper is provided "as is" (with no warranties or guarantees, express or implied, and we assume no liability for any direct or indirect loss or damage to you/your business involving this document).

This document is a general guide – a summary – of the GDPR, which may help you, and we encourage you to meet these new requirements by obtaining professional legal assistance.

Definitions

PD - Personal Data – any information relating to a person (identified or identifiable)

REG - Regulation 2016/679 on Personal Data Protection

Controller - natural or legal person who decides the purposes and means of PD processing

Processor - processes PD on the Controller's behalf (e.g. a Cloud Provider)

While the protection of personal data by authorities is regulated by Directive 2016/680, personal data protection in general and the free movement of personal data within the EU are regulated by Regulation 2016/679.

The difference between a directive and a regulation is the following: while a directive will be "cloned" by each EU member state with more or less accuracy, a regulation applies exactly and automatically as it is to all EU member states.

Scope of Regulation 2016/679

  1. Material scope: "This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system." - Art. 2, p. 1

  2. Territorial scope: "This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not." - Art. 3, p. 1

As a general rule, REG includes in its scope any processing of EU citizens' PD, regardless of the place of processing or of the place of the Controller/Processor within the EU.

Business opportunities

  1. "The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data." - Chapter 1, Art. 1, p. 3 REG

Thus, starting 25 May 2018, when REG will apply, your group of companies can move PD between its EU entities without restrictions – provided it complies with all REG requirements.

  2. Simpler, lower and more convenient costs – Obviously, before REG, if your company/group operated in 5 member states, it had to hire 5 law firms to make sure it complied with all the specific national regulations; now, with REG, there is a single law to comply with.

  3. Many may see this new regulation as an expense, but in fact it is a new opportunity. Complying with REG means you will invest in security, data governance and audit tools, because, as you will see, if you do not, you place your company in a zone of risk and non-compliance with REG, and this can bring you fines of up to 20 million EUR or up to 4% of your global annual turnover!

Rights that the Controller must ensure for the data subject:

- "Information and access to personal data": When the data subject asks, within at most 1 month, the Controller must send them, free of charge, in written/electronic form, all the PD it holds about them, together with other data such as: contact details of the Data Protection Officer (an employee or contractor of the Controller under REG – who must exist in certain conditions), the purpose of the processing, the list of third parties to whom the PD was transmitted and why, etc. Failure to comply with these requests may allow the data subject to file a complaint with the EU Data Protection Authority and also to claim material compensation under the terms of REG. (Art. 12, Art. 13).

- "Right to be forgotten" - "The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay ..." - Art. 17, p. 1

- "Right to restriction of processing" - The data subject can ask the Controller to stop processing their PD - Art. 18

- "Notification obligation regarding rectification or erasure of personal data or restriction of processing" - Art. 19 – The Controller must notify the data subject after any deletion/update of PD carried out under the terms of REG - Art. 16, 17, 18

- "Right to data portability" - "The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided ..." - Art. 20, p. 1

General obligations of the Controller and the Processor

"Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary." - Art. 24, p. 1

The general statement above implies that the Controller must ensure the security and protection of PD, namely prevent it from being available to an unlimited number of persons – PD must be kept technically private. Also, any Controller that collects PD must have a reasonable reason to process PD, a reason it can justify, and any processing carried out by the Controller/Processor must be traceable.

Other obligations are:

- Notification of a personal data breach to the supervisory authority – Art. 33

- Communication of a personal data breach to the data subject – Art. 34

- Communication of a personal data breach to the data subject – Art. 35, Art. 36

- Data Protection Officer – Art. 37, Art. 38, Art. 39

- Codes of conduct – Art. 40, Art. 41, Art. 42

References: http://ec.europa.eu/justice/data-protection/

http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN

Stelian from www.JulySoft.Net – Bucharest, 27 November 2017

General Data Protection Regulation (GDPR) – What You Should Know

General Data Protection Regulation (GDPR)

- What You Should Know - Opportunities & Risks For Your Company

 

Who is this for?

If you own or work for (in the IT or legal department) a small business or a multinational group of companies that processes or stores personal data of persons from the EU, regardless of whether your company or the processing of personal data is located in the EU or not, or if you are simply interested in your data privacy rights as a person – please read on!

Issue

Personal Data Protection is a legal regulation your company must comply with. Failing to do so may put your company at risk of fines of up to 20M EUR.

Solution

Know your GDPR obligations and invest in data security, data-governance and management tools that help you prove and enforce your company's compliance with GDPR. July Soft offers such tools as: Geysir Enterprise Search, Hekla DMS, Hekla CRM or Laki Extranet.

Disclaimer

Note that I'm a technical IT person with extensive experience in big data, automated data processing, data governance and management, but without any formal legal background.

This paper is "as is" (with no warranties or guarantees, express or implied, and we don't assume any responsibility for any loss or damage – direct or indirect – to you/your business involving the present document).

This is a general guide – a summary – of GDPR that may help you; we strongly encourage you to meet its requirements while getting professional legal assistance.

Definitions:

PD - Personal Data – any information regarding a person (identified or identifiable)

REG - Regulation 2016/679 on Personal Data Protection

Controller - person or legal entity that decides purposes and means of PD processing

Processor - PD processor on Controller's behalf (Ex: Cloud Provider)

 

While Personal Data Protection by authorities is regulated by Directive 2016/680, Personal Data Protection in general and free movement of personal data within EU is regulated by Regulation 2016/679.

The difference between a Directive and a Regulation is that a Directive will be "cloned" in every member state with more or less accuracy, while a Regulation applies exactly as is to all member states automatically!

Scope of REG:

a) Material scope: "This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system." - Art. 2, p.1

 

b) Territorial scope: "This Regulation applies to the processing of personal data in the context of the activities of an establishment of a Controller or a Processor in the Union, regardless of whether the processing takes place in the Union or not" – Art. 3, p. 1

As a general rule, REG includes in its scope any PD processing on EU citizens, regardless of the place of processing or of the Controller/Processor!

Opportunities for businesses:

a) "The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data." - Chapter 1, Art. 1, 3rd p. of REG

 

This implies your business group can, starting 25th May 2018 when REG will apply, move PD without any restriction between its EU entities – given it complies with all other requirements REG imposes.

b) Simpler, cheaper compliance / legal costs – Obviously, before REG, if your company/group operated in 5 member states then you needed to hire 5 law firms just to make sure you complied with all the national-specific regulations; once REG applies you have to deal with only 1 law – namely REG.

c) Many may see this as an expense, but it is in fact an opportunity. Being REG compliant implies you have to invest in security, data governance and audit tools, because, as you will see, not doing so will place your company at great risk of non-compliance with REG, and this can expose your company to fines of up to 20M EUR or up to 4% of your global yearly turnover!

But if instead you decide to buy / implement a CRM (like Julysoft Hekla DMS CRM) and/or an Enterprise Search (like Julysoft Geysir Enterprise Search), not only does your company get data privacy by default / data privacy by design implemented, but your company's data governance becomes more efficient, your operational costs decrease and in fact your business may grow just by using its data better and faster – be it personal or not. The bottom line is: REG will force companies to see security and data governance as an important compliance task and not only as an afterthought – and this in itself is a beneficial aspect of REG!

Rights of data subject that Controller must support:

- "Information and access to personal data": When asked by the data subject, within a maximum of 1 month, the Controller must reply to the requestor, free of charge, in paper or electronic form, with all PD it holds on the data subject, along with a list of other data, like: contact data of the Data Protection Officer (an employee or contractor of the Controller that REG – in some conditions – requires to exist), the purposes of the processing, the list of third parties to which PD has been transmitted and why, etc. Failing to comply with this request may allow the data subject to file a complaint with the EU Data Protection Authority and also to ask for material compensation under REG terms (Art. 12, Art. 13).

- "Rectification and erasure": When asked by a subject, the Controller must, without undue delay, delete parts of or modify the data as asked by the subject.

- "Right to be forgotten" - "The data subject shall have the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay and the Controller shall have the obligation to erase personal data without undue delay..." - Art. 17, p.1

- "Right to restriction of processing" – the subject can ask the Controller that their PD not be processed – Art. 18

- "Notification obligation regarding rectification or erasure of personal data or restriction of processing" – Art. 19 – the Controller must notify the data subject after any data deletion or update has been done under the terms of any of Articles 16, 17, 18

- "Right to data portability": "The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another Controller without hindrance from the Controller to which the personal data have been provided..." (Art. 20, p.1)

General obligations of Controller and Processor:

"Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the Controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary" – Art. 24, p.1

 

In plain English, the broad statement above implies the Controller must ensure PD security and privacy, namely prevent its availability to an indeterminate number of persons – PD must be kept technically private. Also, for any PD the Controller collects it must have a reasonable processing reason it can demonstrate, and any processing by the Controller and/or its Processor must be traceable!
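The rights listed above and the Art. 24 demand that processing be demonstrable and traceable translate into a small set of concrete operations on whatever store holds the PD: answer an access request with everything held plus purpose, recipients and DPO contact; export only what the subject provided, in a machine-readable format; refuse further processing once a restriction is recorded; erase on request; notify the subject after erasure or restriction; and write every one of these actions to an append-only trail. The Python below is an added example written for this page, not July Soft code and not the API of any of the products named here. The store, the subject identifier, the records, the DPO address and the dates are all constructed for the demonstration; the one-month reply deadline is the period the page quotes for access requests.

```python
"""Added example (not July Soft code): a minimal in-memory personal-data (PD)
store that supports the data-subject rights listed above and keeps every
operation traceable. All subjects, records, addresses and dates are constructed."""
from __future__ import annotations

import calendar
import json
from dataclasses import dataclass, field
from datetime import date


class ProcessingRestricted(Exception):
    """Raised when an operation would process PD the subject has restricted (Art. 18)."""


@dataclass
class Record:
    provided: dict            # PD the subject gave us: portable under Art. 20
    derived: dict             # data we produced about the subject: not portable
    purpose: str              # processing reason the Controller can demonstrate
    recipients: list          # third parties the PD was transmitted to
    restricted: bool = False


@dataclass
class PDStore:
    records: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)          # append-only trail (Art. 24)
    notifications: list = field(default_factory=list)  # Art. 19 notices owed to subjects

    def _log(self, subject: str, action: str, detail: str = "") -> None:
        # The trail holds identifiers and actions only, never the PD itself,
        # so it can outlive an erased record without re-storing the data.
        self.audit.append({"subject": subject, "action": action, "detail": detail})

    def collect(self, subject: str, provided: dict, purpose: str, recipients=()) -> None:
        if not purpose:
            raise ValueError("PD may only be collected for a demonstrable purpose")
        self.records[subject] = Record(dict(provided), {}, purpose, list(recipients))
        self._log(subject, "collect", purpose)

    def process(self, subject: str, key: str, value) -> None:
        rec = self.records[subject]
        if rec.restricted:                        # Art. 18: restriction blocks processing
            self._log(subject, "process-refused", key)
            raise ProcessingRestricted(subject)
        rec.derived[key] = value
        self._log(subject, "process", key)

    def access_report(self, subject: str, dpo_contact: str) -> dict:
        """Art. 12/13 reply: every PD item held, plus purpose, recipients and DPO contact."""
        rec = self.records[subject]
        self._log(subject, "access")
        return {"personal_data": {**rec.provided, **rec.derived}, "purpose": rec.purpose,
                "recipients": list(rec.recipients), "dpo_contact": dpo_contact}

    def portable_export(self, subject: str) -> str:
        """Art. 20: only what the subject provided, as machine-readable JSON."""
        rec = self.records[subject]
        self._log(subject, "export")
        return json.dumps({"subject": subject, "data": rec.provided}, sort_keys=True)

    def restrict(self, subject: str) -> None:
        self.records[subject].restricted = True
        self._log(subject, "restrict")
        self.notifications.append((subject, "restriction"))

    def erase(self, subject: str) -> None:
        del self.records[subject]                 # Art. 17: the record itself is gone
        self._log(subject, "erase")
        self.notifications.append((subject, "erasure"))


def reply_deadline(received: date) -> date:
    """A request must be answered within one month of receipt; the date is clamped
    to the last day of the following month (31 Jan -> 28 or 29 Feb)."""
    year, month = (received.year, received.month + 1) if received.month < 12 else (received.year + 1, 1)
    return date(year, month, min(received.day, calendar.monthrange(year, month)[1]))


def demo() -> dict:
    """Walk one constructed subject through collection, access, portability,
    restriction and erasure, returning the observable results."""
    store = PDStore()
    store.collect("subject-001", {"name": "Ana Pop", "email": "ana@example.test"},
                  purpose="order fulfilment", recipients=["courier-x"])
    store.process("subject-001", "segment", "frequent-buyer")
    report = store.access_report("subject-001", dpo_contact="dpo@example.test")
    export = json.loads(store.portable_export("subject-001"))
    store.restrict("subject-001")
    try:
        store.process("subject-001", "segment", "churn-risk")
        refused = False
    except ProcessingRestricted:
        refused = True
    store.erase("subject-001")
    return {
        "report_keys": sorted(report),
        "segment_in_report": report["personal_data"]["segment"],
        "export_data": export["data"],            # the derived "segment" must be absent
        "refused_after_restriction": refused,
        "still_stored": "subject-001" in store.records,
        "audit_actions": [e["action"] for e in store.audit],
        "notifications": [kind for _, kind in store.notifications],
        "deadline_for_2018_01_31": reply_deadline(date(2018, 1, 31)).isoformat(),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points carry over to a real system: the access report and the portability export deliberately differ (the report includes data the Controller derived, the export does not), and the audit trail records who and what was acted on but never copies the PD, so erasing a record does not leave a second copy of it behind in the log.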

Other obligations are:

- Notification of a personal data breach to the supervisory authority – Art. 33

- Communication of a personal data breach to the data subject – Art. 34

- Data protection impact assessment and prior consultation – Art 35, Art. 36

- Data Protection Officer – Art. 37, Art. 38, Art. 39

- Codes of conduct – Art. 40, Art. 41, Art. 42

 

References:

http://ec.europa.eu/justice/data-protection/

http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN

 

Stelian from www.JulySoft.net - Bucharest, 27 Nov 2017

July Soft participated at Indagra 2017

I'm honored to share with you this published article, as well as the image below, after July Soft's participation at Indagra 2017, and to emphasize the importance of working with our partners on the development of the BlueBus software application for remote management and control of industrial irrigation equipment.

The Geysir software suite offers you the ability to streamline your operations at minimal cost!
We would be honored to serve your urgent IT needs and generate a real positive impact on your business.

Iulia from www.julysoft.net

July Soft participated at Indagra 2017

I am honored to share with you this published article, as well as the image below, following July Soft's participation at Indagra 2017, and to emphasize the importance of working with our partners on the development of the BlueBus software application, which enables remote management and control of industrial irrigation equipment.

The software applications in the Geysir suite offer you the possibility of making your operations more efficient at minimal cost!
We would be honored to serve your urgent IT needs and generate a real positive impact on your business.

Iulia from www.JulySoft.Net