Dear Gabor,
I understand your point of view but I believe that all three partners should have agreed to the suspension before sending a request to the PO. Following my supervisor's advice, VUB couldn't accept this proposal.
I am ok to discuss alternative solutions with the PO.
I will keep you and TRI team posted via the mailing list.
Best regards and stay safe,
Lina
From: Kulitsán Gábor <kulitsan.gabor@naih.hu>
Sent: Monday, March 16, 2020 11:14 AM
To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>
Cc: 'STAR' <star@listserv.vub.ac.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu
Subject: RE: feedback on STAR II 4.1
Dear Lina,
And how should I ask for any extension if I don't know any exact dates or anything for sure? I think the suspension is better, indicating that the project would resume where it left off once the situation returns to normal or at least to less serious. I already sent the message to the PO, but if you have any other idea, feel free to share it with her via the portal, adding the turn "on behalf of the coordinator". I'm really sorry, but now I have neither time nor energy to act as a contact person. If you want, you can have the call as well, but I probably won't be available. And no offense, but to be honest, currently the project is of least interest to me.
Best,
Gábor
From: Lina JASMONTAITE [mailto:Lina.Jasmontaite@vub.be]
Sent: Monday, March 16, 2020 10:58 AM
To: Kulitsán Gábor <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu
Subject: RE: feedback on STAR II 4.1
Dear Gabor,
Thanks for your email. I am not sure what a suspension would mean in terms of financial implications for VUB, so at this point I think we should request an extension in these unforeseen circumstances rather than a suspension.
While the situation is full of uncertainty and many of us need to adapt to it, we can still proceed further and work on deliverables for the project, apart from the workshop. We need to discuss a scenario with the PO on what to do if the situation does not improve in the upcoming weeks. If that is the case, perhaps we should ask for an adjustment in the DOW and, instead of a workshop to obtain feedback, we could propose having an online consultation. This would of course affect our funding.
I think we should still have a call if not this week, then a week after.
Best regards,
Lina
From: Kulitsán Gábor <kulitsan.gabor@naih.hu>
Sent: Monday, March 16, 2020 10:39 AM
To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: RE: feedback on STAR II 4.1
Importance: High
Dear Lina & All
Due to the current situation I will ask the PO to temporarily suspend the project, including all deadlines, by reason of unforeseeable circumstances of force majeure. I'll keep you updated.
Secondly, I can’t make tomorrow’s call, but I don’t think that’s the most important thing now anyway.
Best wishes, stay safe and take care of yourselves!
Gábor
From: Lina JASMONTAITE [mailto:Lina.Jasmontaite@vub.be]
Sent: Friday, March 13, 2020 10:54 AM
To: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>; nagy.renata@naih.hu
Subject: RE: feedback on STAR II 4.1
@David Barnard-Wills many thanks for sharing the extensive feedback. It's much appreciated and we'll implement it as soon as possible.
@'Kulitsán Gábor' at the university we have been receiving daily updates on the situation concerning the virus. For now all external events are cancelled until the end of April. In view of this, we can suggest rescheduling the event for a later date (probably mid or late June) in the hope that by then the situation improves and we can host the event. This would consequently require more time to finalise the handbook for the final event, and then July wouldn't be a realistic date. My understanding is that we cannot ask for an extension of the project to the end of October/November because it is funded by the grant action. Could we however ask the PO for the cost of the final workshop as well as travelling to be eligible for a later date that would go beyond the lifetime of the project?
Perhaps, before proceeding with the official communication, it would be possible to get in touch with the PO via a phone call, so we are aware of the position taken by the EC considering the current situation?
Having a call on Tuesday works well for our team.
Best regards,
Lina
From: David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com>
Sent: Tuesday, March 10, 2020 4:22 PM
To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: feedback on STAR II 4.1
Dear all,
First, I sincerely apologise for not getting this feedback to you earlier. I assume that D4.1 was submitted?
On the positive side, this feedback can presumably be included in the final version of these deliverables.
We got Alan Moore, one of our DPO team, with good practical expertise with various commercial clients, to review the guidance document (you met him at the Brussels workshop). His feedback is below.
Best wishes,
DBW
I have gone through the document and have a few suggestions:
P7 Section 3.2 "It can be suggested that to compensate for being awarded with limited enforcement powers….."
I would hold they have significant powers beyond the ability to fine. Their powers to instruct controllers / processors to cease processing data, among others, can ultimately shut down a business without a fine being levied. To ignore these instructions can land a director in jail for up to 5 years!
P8. DPAs. The focus on standardisation and EDPB. Art 60 was an afterthought and the general view is that it cannot operate within the prescribed timelines. The ECJ will be the ultimate arbiter for standardisation of approaches / laws / requirements, but each National Authority must be free to interpret facts presented in its own way. Their independence is anchored in the EU treaties. A complication that will eventually need to be addressed.
P8. 3.3 Should be aware that translation into romance languages can carry a different connotation than was intended by the Directive, and DPAs have a key role to explain the true intent / meaning.
P9. 3.4 Typo in second paragraph: "It also could be considered e the most"
P10. "It appeared that most DPAs do not use internal guidance to direct…."
What has been the result of this? A key concern in the Irish DPC has been delivering a consistent message and not providing a different answer to the same or similar callers on different occasions.
P11. 4 Unclear use of language - first paragraph: "This initiative allowed to be confirmed that"; "It allowed to be obtained"
P11.4. Would stress the importance of standardisation of response.
P12 4 Add 'c'? Implement a control process to ensure standardisation of responses to similar questions / scenarios.
P13. 4.2 Might mention the concern that callers may have that showing their hand may trigger an investigation. Callers need to be reassured and encouraged to participate.
Approaches do differ between different DPAs.
P13. 4.2.1 "It was decided to create a dedicated part"; "Following up on from this decision"
P15. 4.2.3
I would stress the value of face to face more as context can be complicated and the caller is subject to information and power asymmetry.
P16 4.5 last paragraph: "We are included inclined to"
P21 6.2 last paragraph: "DPAs across the EU have reported to engage that they have engaged in"
P22 6.3 4.5 last paragraph
Slovic suggests that the following elements play a role when evaluating risk:
P23 6.3 2nd paragraph: "Which is perceived 'as the coordinated activities to direct and control an organisation with regard to risk' 47". This is most practically evidenced by the development and maintaining of a formal risk register.
(This risk section is very cerebral I fear and won't help with the 'how'.)
P23 6.3.1 "Typically, the risk based approach formula approach in the GDPR includes the following elements to be taken into account:"
P24 6.3.2
I would add a sentence or two on the benefits undertaking a voluntary DPIA which include:
P24 6.3.5 I would add a piece on keeping a formal risk register of risks to data subjects, separate from any organisation risk register of risks to the organisation, in which all risks are assigned an owner and a review date.
P25 6.3.5 (b) What does SMEs need to do to be accountable? Second paragraph: "…that the principle of accountability as an elements of good"
P.26 first line: "… that the demonstration of compliance"
P.26 6.3.6 (b)
(not that clear in the text.)
P.27 6.3.6 (c) It should be noted that some DPAs, while not defining any technical or organisational measures, will nonetheless express an expectation, such as the Irish DPC in terms of the use of encryption whenever possible where personal data is at rest or in transit.
P.28 6.3.7 (b) 2nd paragraph: "It is assumed that organisations will, however, benefit more from maintaining their documentation electronically as such documentation can they can easily added to, have entries removed when obsolete, and amend entries it as necessary. However paper documentation is regarded as being appropriate for SMEs and micro enterprises. It should be added that SMEs (entities having less than 250 employees) are technically exempt from this obligation if provided they are undertaking:
• processing that is not likely to result in a risk to the rights and freedoms of data subjects;
• processing that is not occasional (meaning that it is not regularly / frequently undertaken); or
• processing that does not include special categories of data or personal data relating to criminal convictions and offences."
In reality, very few SMEs can avail of this exemption unless they process very little data. Most SMEs will usually have some special category data as part of their HR files.
"They can be are available on the websites…."
P.29 6.3.8 (a) 2
Large scale is not defined by the legislation though different DPAs have given some guidance relevant to different activities.
For SMEs who provide services into other organisations, the voluntary appointment of an internal or outsourced DPO can provide commercial and strategic advantage by communicating a commitment to data protection and promoting higher levels of trust.
P.29 6.3.8 (b)
A DPO may either be an employee of the SME or an external expert, but in both cases, it is fundamental that he or she is independent, in the sense that:
• the DPO shall be provided of with all the necessary resources to carry on his/her tasks, in terms of money, time, workforce, time to devote to professional development etc.;
• the DPO shall not receive instructions for the exercise of his/her tasks;
• the DPO shall not be dismissed or penalized for the performance of his/her tasks;
• the DPO shall report to the highest level of management; and
• the DPO should not be in have any conflict of interest in respect to other tasks and duties (e.g. determining objects and purposes of the processing, representing the SME in legal proceeding).
P.30 6.3.8 (c)
Task of DPOs | DPOs cannot
Inform and advise the SME on the obligations arising from the GDPR and the national data protection provisions | Be held accountable for the information and advice given to the SME (I do not agree with this. They are not accountable for whether their advice is implemented or not, but they can be held accountable for being negligent.)
Monitor the compliance of the SME with the GDPR, the national data protection provisions and (eventual) its internal data policies | Be considered personally responsible for non-compliance with data protection requirements
Carry on awareness raising activities and training for the staff of the SME dealing with data processing | Perform the DPIA. (Not true. There is no reason why a DPO cannot take the lead in undertaking a DPIA, especially where the skills do not exist elsewhere in the organization, but the responsibility to ensure one is done remains with the Controller.)
Provide advice to the SME and monitor the performance in relation to the DPIA (when a DPIA is required) | Represent the SME in front of the DPA or in a court in case of proceedings. (Not quite so. The DPO remains the first point of contact for data subjects and the DPAs and may be called to account for advice / provide an explanation as to how data was processed based on their monitoring of processing activities.)
Act as contact point for the supervisory authority in case of prior consultation | Be considered responsible for the maintenance of the register (True, but they are responsible for providing oversight as to whether it is maintained.)
Cooperate with the supervisory authority | Simultaneously hold another position in the organization that helps define the means and purposes of processing of any personal data.
Be contacted by data subjects |
Create and maintain the register of processing (in the |
P.31 6.3.9(a) Data Protection Impact Assessment
(a) Background
"The DPIA is a new addition to the EU data protection framework. It builds on the rich experience of conducting impact assessments in other fields, in particular, on the environmental impact assessments. To be effective, impact assessments are carried out at the early stage of a project (proactive initiative), at the phase of planning or designing, and are aimed to identify and help mitigate anticipate the any potential beneficial and adverse (i.e. negative) impacts arising from the intended processing of personal data of such within the project. Impact assessments are risk based exercises that help decision-makers find the best and most beneficial solutions for the development and deployment of initiatives while protecting the rights and freedoms of data subjects. To be practical, impact assessments must be scalable, flexible and applicable inter alia for large organisations, consortia or for small and medium-sized enterprises."
Any risks identified will be entered into the Data Protection Risk Register.
P.32 6.3.9(c)
(c) What are the elements and characteristics of the processing that may generate the high risks to rights and freedoms of individuals?
"The following elements that contribute to the high risks to data subjects from this provision were extracted by the"
(d) What situations could require a DPIA?
Examples of processing operations that could trigger a DPIA:
• If the SME is implementing a new tool to monitor access to the office combining the use of fingerprints and face facial recognition technology;
• If the SME is a biotechnology company offering genetic tests directly to consumers in order to assess and predict the disease/health risks;
• If the SME is providing CCTV surveillance for a shopping centre or using a large number of cameras in their own premises.
(e) Who and when should perform a DPIA?
"Albeit the data processor and the data protection officer shall assist the data controller (i.e., SME), the final responsibility on for the DPIA process relies on rests with the data controller."
(f) When is a DPIA is not required?
• "When the data processing operations are included in any list of data processing operations compiled by the DPA non which do not requiring a DPIA"
P.33 6.3.9(g)
4) Involve data subjects and/or their representatives, the data protection officer and any other expert (e.g. information security officer) and the data processor in the process, ideally in each phase of the assessment process. This consultation must be meaningful.
P.33 6.3.9(h)
(h) When a new (revised) DPIA is required?
"A new (i.e. revised version of) DPIA could be required if the risks resulting from the processing operations are to change, for example because a new technology is to be has been introduced, a new processor is to be engaged under contract, or because personal data is being to be used for a different purpose. In that case, the review of the risk analysis made can show that the performance of a DPIA is no longer required."
P.34 6.3.10(b)
(b) How the security obligation is related to other provisions?
"This obligation also requires the controller wishing to engage a processor under contract to undertake due diligence and assess whether the guarantees offered by the data processor, in this case the cloud service provider, are sufficient.
A controller must only engage such a processor where they have faith in their ability to comply with the obligations under GDPR. During this process, the controller may take into account whether the processor provides adequate documentation proving compliance with data protection principles that could be found in privacy policies, records management policies, information security policies, external audit reports, certifications and similar documentation. The controller in particular should take into account the processor's expert knowledge (e.g. technical expertise when dealing with data breaches and security measures), reliability and its resources. A site visit may also be necessary. After carrying out the due diligence process, the controller should be able to take a decision with sufficient evidence demonstrating that the processor is suitable; it can then enter into a binding arrangement. It should be added that this due diligence process is not a one-time effort. and it needs to be regularly repeated in order The controller will have an ongoing obligation to check whether the processor is compliant and meeting their obligations, either by auditing using their own staff or a trusted third party.
When outsourcing the processing of personal data (e.g. for the provision of technical assistance or cloud services), the controller should must conclude a contract, another legal act or binding arrangement with the other entity already setting out clear and precise data protection obligations and the nature of processing in a detailed data processing agreement."
P.35 6.3.10(c)
"An information security policy foreseeing the role of each user and the required permission levels (access control) appropriate to the role, which minimises access to only that data necessary for that role. This includes the system administrator accounts is as an example of an appropriate organisational measure."
P.35 6.3.10(d) What technical security measures can a SME take?
"Technical measures must therefore include both physical and computer or IT security. When considering cybersecurity, you should look at factors such as:
• system security – the security of your network and information systems, including especially those which process personal data;
• data security – the security of the data you hold within your systems, e.g., ensuring appropriate access controls are in place and that data is held securely through the use of suitable levels of encryption;"
P.36 6.3.10(e)
Would add:
Where Special Category Data is processed (such as health data) or personal data relating to minors, higher levels of security will be expected to be implemented and documented.
P.36 6.3.11
This section should start with the definition of what is meant by a breach and explain the difference between an incident and a breach. It is confusing otherwise.
P.37 6.3.11(b)
"Consequently, this means that the controller must have an internal procedures defined, tested and documented allowing to confirm to appropriately identify and handle any breach of security concerning personal data. In an ideal scenario, an information incident response policy should precede be in place before processing of personal data begins so that any the occurrence of an incident so that it could be used should a data breach take place."
P.37 6.3.11(d)
Would add a final paragraph.
As GDPR is maturing, different DPAs are expressing different thresholds for the reporting of breaches. Where originally there was a fear of over-reporting, the DPC in Ireland has requested that a breach be reported when there is any risk identified to the data subject. This allows the Commission to identify trends and to have confidence that controllers are identifying the minor breaches and thus are able to identify the more serious breaches should they arise.
I hope you find this useful.
Alan
From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE
Sent: 28 February 2020 13:09
To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Here comes D4.1 with both parts now included. We made further minor edits to Part A.
We believe that the pdf version can be submitted.
We look forward to your comments on Part B, which unfortunately comes a bit later than planned.
Best regards,
Lina
From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE
Sent: Friday, February 28, 2020 8:45 AM
To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Thank you for your additions and edits.
The document to be submitted to the EC will reach you shortly after noon.
Best regards,
Lina
From: nagy.renata@naih.hu <nagy.renata@naih.hu>
Sent: Thursday, February 27, 2020 4:31 PM
To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear Lina!
Dear All!
Thank you for sharing the restructured version of the guidance for DPAs. We only added minor additions/corrections. We confirm that the yellow parts
are accurate.
We are looking forward to the handbook (the submission deadline is 29.02.2020).
Best regards,
Renáta
From: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>
Sent: Thursday, February 20, 2020 10:32 AM
To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Once again, thank you for preparing a revised version of the guidance for DPAs. We reviewed it and now enclose an improved version of it.
It includes nearly all of your report (see the document you shared; we marked in yellow parts that were used). However, the current version is restructured,
rephrased and embedded in a wider context of DPAs’ awareness raising duties. We also extracted recommendations from your report and developed a graph presenting these recommendations.
There are two parts marked in yellow that need to be checked for accuracy. Perhaps, you will want to add some other clarifications in the text. In
particular, further additions could be made to the concluding remarks part.
As we provided contributions to the initial text, we would like to be considered co-authors of this guidance. What do you think about this?
Part B – the handbook for SMEs – is on its way.
Best regards,
Lina
From: nagy.renata@naih.hu <nagy.renata@naih.hu>
Sent: Tuesday, January 28, 2020 4:16 PM
To: 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>; Leanne Cochrane <leanne.cochrane@trilateralresearch.com>
Cc: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.com>;
'Angelo Napolano' <Angelo.Napolano@trilateralresearch.com>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' <sziklay.julia@naih.hu>
Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear All!
Please, find enclosed the updated version of the guidance.
Best,
Renáta
From: Kulitsán Gábor <kulitsan.gabor@naih.hu>
Sent: Tuesday, January 28, 2020 10:09 AM
To: 'Leanne Cochrane' <leanne.cochrane@trilateralresearch.com>
Cc: 'David Barnard-Wills' <David.Barnard-Wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.com>;
'Angelo Napolano' <Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.hu>; 'Lina JASMONTAITE' <Lina.Jasmontaite@vub.be>;
'Sziklay Júlia' <sziklay.julia@naih.hu>
Subject: RE: STAR II - Update on EDPB and validation workshop?
Hi Leanne,
Thanks for the update on the newsletter.
Regarding the upcoming events:
Best,
Gábor
From: Leanne Cochrane [mailto:leanne.cochrane@trilateralresearch.com]
Sent: Monday, January 27, 2020 6:25 PM
To: Kulitsán Gábor <kulitsan.gabor@naih.hu>
Cc: David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com>; Corinna Pannofino <Corinna.Pannofino@trilateralresearch.com>;
Angelo Napolano <Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.hu>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>;
Sziklay Júlia <sziklay.julia@naih.hu>
Subject: STAR II - Update on EDPB and validation workshop?
Hi Gabor,
I hope you are keeping well.
Our dissemination team is preparing to send out the STAR II newsletter we mentioned on our previous calls. It will be sent out this Thursday with links to the approved
deliverables and some blogs. We are also including a section on upcoming events and I wanted to check with NAIH if we had any further information on the following two events:
Can I just check this information is still current and there is nothing more specific we can add at this stage?
I would be grateful if you can cc all in the reply as I am off tomorrow and the dissemination team are in need of the confirmation.
Thanks and best wishes,
Leanne
Leanne Cochrane, Senior Research Analyst | Policy, Ethics and Emerging Technologies Team | leanne.cochrane@trilateralresearch.com | Mobile: +44 (0) 7545 955 242 | Skype: @ljcochrane