GDPR Compliance

What is the GDPR?

The GDPR was approved and adopted by the EU Parliament in April 2016. The regulation will take effect after a two-year transition period and, unlike a Directive, it does not require any enabling legislation to be passed by government; meaning it will be in force in May 2018.

Given the uncertainty of "Brexit", as a data controller based in the UK, should I continue with GDPR planning and preparation?

If you process personal data in the context of selling goods or services to citizens of other EU countries, then you will need to comply with the GDPR, irrespective of whether or not the UK retains the GDPR post-Brexit. If your activities are limited to the UK, then the position (after the initial exit period) is much less clear. The UK Government has indicated it will implement equivalent or alternative legal mechanisms. Our expectation is that any such legislation will largely follow the GDPR, given the support previously provided to the GDPR by the ICO and the UK Government as an effective privacy standard, and given that the GDPR provides a clear baseline against which UK businesses can seek continued access to the EU digital market. (Reference: http://www.lexology.com/library/detail.aspx?g = 07 a6d19f - 19 - ae - 4648 - 9 - f69 - 44 - ea289726a0)

Who does the GDPR affect?

The GDPR applies not only to organisations located within the EU, but also to organisations located outside the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the EU, regardless of the company's location.

What constitutes personal data?

Any information related to a natural person or 'Data Subject' that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

What is the difference between a data processor and a data controller?

A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.

Do data processors need "explicit" or "unambiguous" data subject consent, and what is the difference?

The conditions for consent have been strengthened, as companies will no longer be able to use long, illegible terms and conditions full of legalese: the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent, meaning it must be unambiguous. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. Explicit consent is required only for processing sensitive personal data; in this context, nothing short of "opt in" will suffice. However, for non-sensitive data, "unambiguous" consent will suffice.

What about data subjects under the age of 16?

Parental consent will be required to process the personal data of children under the age of 16 for online services; member states may legislate for a lower age of consent but this will not be below the age of 13.

What is the difference between a regulation and a directive?

A regulation is a binding legislative act. It must be applied in its entirety across the EU, while a directive is a legislative act that sets out a goal that all EU countries must achieve. However, it is up to the individual countries to decide how. It is important to note that the GDPR is a regulation, in contrast to the previous legislation, which was a directive.

How does the GDPR affect policy surrounding data breaches?

The proposed regulations surrounding data breaches primarily relate to the notification policies of companies that have been breached. Data breaches which may pose a risk to individuals must be notified to the DPA and to the affected individuals within 72 hours and without undue delay.