Swipe to navigate through the chapters of this book
This chapter will provide an overview of international data protection norms. It will specifically discuss and explain the recent evolution in Europe with the adoption of the European General Data Protection Regulation and its impact on other countries. It will clarify the main concepts and the differences among the various geographic areas.
Please log in to get access to this content
To get access to this content you need the following product:
Accountability is dependent on, and completed by, the respect of the above principles and the capacity of the data controller/processor to prove the compliance; the data controller is required to put in place appropriate and effective measures to demonstrate, at the request of the supervisory authority, the compliance of the processing activities with the GDPR, including the effectiveness of the mentioned measures.
The data controller is defined by Article 4.1.7 GDPR as the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data, where the purposes and means of such processing are determined by Union or Member State law and the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
The data processor is defined by Article 4.1.8 GDPR as a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
Article 9.1 prescribed that processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation shall be prohibited, unless one of the exception listed in Article 9.2 applies.
A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of:
A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.
Processing on a large scale of special categories of data referred to in Article 9 (1) or of personal data relating to criminal convictions and offences referred to in Article 10.
A systematic monitoring of a publicly accessible area on a large scale.
Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679. Available at http://ec.europa.eu/newsroom/document.cfm?doc_id=44137.
For more information, please also refer to the article available at the following link http://www.istitutoitalianoprivacy.it/it/2017/09/12/dpia-guidelines-new-recommendations-from-the-italian-institute-for-privacy/.
L. BOLOGNINI, E. PELINO, C. BISTOLFI, Il regolamento privacy europeo. Commentario alla nuova disciplina sulla protezione dei dati personali, Milano, 2016, p. 336.
Joint Statement of the Japan-US Cyber Dialogue. Available at https://www.state.gov/r/pa/prs/ps/2017/07/272815.htm.
J. VAN DEN HOVE, R. WEBER, A. GUIMARAES PEREIRA, F. DECHESNE, Fact Sheet-ethics Subgroup Iot -version 4.0,2012, 17.
Opinion 8/2014, cit.
Which shall include:
The identity and the contact details of the controller and, where applicable, of the controller’s representative, including reference to the agreement under Article 26 GDPR, and of the DPO, where appointed.
The purposes of the processing for which the personal data are collected (e.g. marketing, for performing the service).
Obligations imposed by law or by a contract under which the data are collected and consequence of not providing consent.
Lawful basis under Article 6 GDPR (consent, contract, legal obligation, public interest, legitimate interest). If the processing is based on point (f) of Article 6 (1), such legitimate interests pursued by the controller shall be described.
The recipients or categories of recipients of the personal data, to whom data shall or might be communicated (whether data processor or persons in charge of the processing).
The fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission or of an agreement such as the EU-US Privacy Shield, standard contractual clauses, binding corporate rules, code of conduct, and certification mechanism, as well as reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
The period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period.
The existence of the right to withdraw consent at any time, the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability and the right to lodge a complaint with a supervisory authority.
The existence of automated decision-making, including the creation of profiles on the preferences and habits of the data subject (“profiling”), and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
The following information shall be added to the ones listed in the previous note:
From which source the personal data originate and, if applicable, whether it came from publicly accessible sources.
The categories of the personal data and if such data belong to common, special, or judicial data.
Also, the information notice may not be provided insofar as:
The provision of such information proves impossible or would involve a disproportionate effort.
Obtaining or disclosure is expressly laid down by law, which provides appropriate measures to protect the data subject’s legitimate interests.
Where the personal data must remain confidential subject to an obligation of professional secrecy.
In addition to the information provided in the direct information, the following additional information shall be added:
Indication of the new purpose.
Data retention times with respect to the new purpose and, if not possible, the criteria used to determine this period.
Any legal or contractual obligations underlying the provision of personal data and consequences of the refusal.
The existence of automated decision-making processes, including profiling, and, in that case, the indication of the applied logic, as well as the importance and consequences of such processing for the data subject.
The rights of the data subject to withdraw consent, access the data, or request rectification or erasure of personal data, or the limitation of the processing of personal data concerning him; the right to data portability, to object to the processing, and to lodge a complaint with the supervisory authority.
If the data controller has not collected the data directly from the data subject, the additional information must contain the following further information:
The origin of personal data (i.e. how and from what sources have been collected), in particular any expressed indication that the data comes from sources accessible to the public.
Legal basis of the processing (e.g. consent, contract, legal obligation, public interest) and, if there is a legitimate interest of the data controller or the third party, the specification of such legitimate interest.
Internet of Things (IoT) Cybersecurity Improvement Act of 2017 available at https://www.congress.gov/bill/115th-congress/senate-bill/1691/text.
L. BOLOGNINI, E. PELINO, C. BISTOLFI, op. cit., 723.
- Evolution of Data Protection Norms and Their Impact on the Internet of Things
- Springer International Publishing
- Sequence number
- Chapter number
- Chapter 6