Laws and regulations governing cybersecurity
6. Protection of personal data in cyberspace
6.3. SUMMARY / MAIN OUTPUTS FROM THE CHAPTER
ℹ️
- The GDPR is a general legal framework for the protection of personal data, and it is valid and effective throughout the EU and, in certain cases, outside this territory. The main objectives of the GDPR are to ensure comprehensive protection of the rights of data subjects against unauthorised processing of their personal data, to strike a balance between the legitimate interests of controllers, processors and data subjects, and to create a system of uniform law enforcement and a single sanction mechanism in this area, among others.
- More precisely, the GDPR applies in cases where:
  - a controller or processor is established in the EU, regardless of whether the processing takes place in the EU,
  - controllers or processors are not established in the EU, but
    - goods or services are offered to data subjects in the EU (regardless of remuneration), or
    - the conduct of data subjects within the EU is monitored.
- Pursuant to Article 4 (1) of the GDPR, personal data are “any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
- According to Article 4 (2) of the GDPR, the processing of personal data means any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller (or processor) shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, inter alia, as appropriate:
  - the pseudonymisation and encryption of personal data,
  - the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services,
  - the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident,
  - a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
- The Data Protection Impact Assessment (DPIA) is a tool to be used when a certain type of processing, especially one using new technologies, is likely to result in a high risk to the rights and freedoms of individuals, taking into account the nature, scope, context and purposes of the processing. It is a tool that can help controllers identify the potential risks of personal data processing and implement appropriate measures.
🗝️
KEY WORDS TO REMEMBER
- GDPR
- Personal data
- Data controller
- Processing of personal data
- Data Protection
❓
KNOWLEDGE CHECK QUESTIONS
- What is the territorial scope of the GDPR?
- What, in general, is personal data?
- Is an IP address personal data?
- What are the responsibilities of a personal data controller?
- What is meant by the processing of personal data?
- What does Data Protection Impact Assessment mean?