Dear all,
First, I sincerely apologise for not getting this feedback to you earlier. I assume that D4.1 was submitted? On the positive side, this feedback can presumably be included in the final version of these deliverables.
We got Alan Moore, one of our DPO team, with good practical expertise with various commercial clients to review the guidance document (You met him at the Brussels workshop). His feedback is below.
Best wishes,
DBW
I have gone through the document and have a few suggestions:
P7 Section 3.2 It can be suggested that to compensate for being awarded with limited enforcement powers…..
I would hold they have significant powers beyond the ability to fine. Their powers to instruct controllers / processors to cease processing data, among others, can ultimately shut down a business without a fine being levied. To ignore these instructions can land a director in jail for up to 5 years!
P8. DPAs The focus on standardisation and EDPB. Art 60 was an afterthought and the general view is that it cannot operate within the prescribed timelines. The ECJ will be the ultimate arbiter for standardisation of approaches / laws / requirements but each National Authority must be free to interpret facts presented in its own way. Their independence is anchored in the EU treaties. A complication that will eventually need to be addressed.
P8. 3.3 Should be aware that translation into romance languages can carry a different connotation than was intended by the Directive and DPAs have a key role to explain the true intent / meaning.
P9. 3.4 Typo in second paragraph. It also could be considered e the most
P10. It appeared that most DPAs do not use internal guidance to direct…. What has been the result of this? A key concern in the Irish DPC has been delivering a consistent message and not providing a different answer to the same or similar callers on different occasions.
P11. 4 Unclear use of language - first paragraph This initiative allowed to be confirmed that It allowed to be obtained
P11.4. Would stress the importance of standardisation of response & P12 4 Add ‘c’? Implement a control process to ensure standardisation of responses to similar questions / scenarios
P13. 4.2 Might mention the concern that callers may have that showing their hand may trigger an investigation. Callers need to be reassured and encouraged to participate. Approaches do differ between different DPAs.
P13. 4.2.1 It was decided to create a dedicated part Following up on from this decision
P15. 4.2.3 I would stress the value of face to face more as context can be complicated and the caller is subject to information and power asymmetry.
P16 4.5 last paragraph We are inclined to
P21 6.2 last paragraph DPAs across the EU have reported that they have engaged in
P22 6.3 4.5 last paragraph Slovic suggests that the following elements play a role when evaluating risk:
1. The degree to which an individual feels in control 2. The nature of consequences and the distribution of the impact
P23 6.3 2nd paragraph Which is perceived ‘as the coordinated activities to direct and control an organisation with regard to risk’ 47 This is most practically evidenced by the development and maintaining of a formal risk register.
(This risk section is very cerebral I fear and won't help with the 'how')
P23 6.3.1 Typically, the risk based approach in the GDPR includes the following elements to be taken into account:
* The state of the art in terms of technology of the means of processing (state of the art needs to be explained – does not mean the best there is but rather the minimum expectable / expected)
P24 6.3.2 I would add a sentence or two on the benefits of undertaking a voluntary DPIA which include:
* Documented understanding of how the system works
* Known points of integration with other systems
* Assigning accountability
* Ensuring organisational standards (security / access etc) are being complied with
* Demonstrated commitment to GDPR
* General peace of mind / greater organisational resilience
P24 6.3.5 I would add a piece on keeping a formal risk register of risks to data subjects, separate from any organisation risk register of risks to the organisation, in which all risks are assigned an owner and a review date.
P25 6.3.5 (b) What do SMEs need to do to be accountable?
Second paragraph …that the principle of accountability as an element of good
P.26 first line … that the demonstration of compliance
P.26 6.3.6 (b)
* Implement data protection principles (see Article 5) and integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects (see Chapter III) in an effective manner;
* This should be done at the time of the determination of the means for processing and implemented before the time of the processing itself. (not that clear in the text.)
P.27 6.3.6 (c) It should be noted that some DPAs, while not defining any technical or organisational measures, will nonetheless express an expectation, such as the Irish DPC in terms of the use of encryption whenever possible where personal data is at rest or in transit.
P.28 6.3.7 (b) 2nd paragraph It is assumed that organisations will, however, benefit more from maintaining their documentation electronically as such documentation can easily be added to, have entries removed when obsolete, and be amended as necessary. However paper documentation is regarded as being appropriate for SMEs and micro enterprises. It should be added that SMEs (entities having less than 250 employees) are technically exempt from this obligation provided they are undertaking:
• processing that is not likely to result in a risk to the rights and freedoms of data subjects;
• processing that is not occasional (meaning that it is not regularly / frequently undertaken); or
• processing that does not include special categories of data or personal data relating to criminal convictions and offences.
In reality, very few SMEs can avail of this exemption unless they process very little data. Most SMEs will usually have some special category data as part of their HR files.
They are available on the websites….
P.29 6.3.8 (a) 2 Large scale is not defined by the legislation though different DPAs have given some guidance relevant to different activities.
For SMEs who provide services into other organisations, the voluntary appointment of an internal or outsourced DPO can provide commercial and strategic advantage by communicating a commitment to data protection and promoting higher levels of trust.
P.29 6.3.8 (b)
A DPO may either be an employee of the SME or an external expert, but in both cases, it is fundamental that he or she is independent, in the sense that:
• the DPO shall be provided with all the necessary resources to carry on his/her tasks, in terms of money, time, workforce, time to devote to professional development etc.;
• the DPO shall not receive instructions for the exercise of his/her tasks;
• the DPO shall not be dismissed or penalized for the performance of his/her tasks;
• the DPO shall report to the highest level of management; and
• the DPO should not have any conflict of interest in respect to other tasks and duties (e.g. determining objects and purposes of the processing, representing the SME in legal proceedings).
P.30 6.3.8 (c)
Task of DPOs
• Inform and advise the SME on the obligations arising from the GDPR and the national data protection provisions
• Monitor the compliance of the SME with the GDPR, the national data protection provisions and its internal data policies
• Carry on awareness raising activities and training for the staff of the SME dealing with data processing
• Provide advice to the SME and monitor the performance in relation to the DPIA (when a DPIA is required)
• Act as contact point for the supervisory authority in case of prior consultation
• Cooperate with the supervisory authority
• Be contacted by data subjects wishing to exercise their rights
DPOs cannot
• Be held accountable for the information and advice given to the SME (I do not agree with this. They are not accountable for whether their advice is implemented or not but they can be held accountable for being negligent)
• Be considered personally responsible for non-compliance with data protection requirements
• Perform the DPIA (Not true. There is no reason why a DPO cannot take the lead in undertaking a DPIA, especially where the skills do not exist elsewhere in the organization, but the responsibility to ensure one is done remains with the Controller.)
• Represent the SME in front of the DPA or in a court in case of proceedings (Not quite so. The DPO remains the first point of contact for data subjects and the DPAs and may be called to account for advice / provide an explanation as to how data was processed based on their monitoring of processing activities.)
• Be considered responsible for the maintenance of the register (True, but they are responsible for providing oversight as to whether it is maintained.)
• Simultaneously hold another position in the organization that helps define the means and purposes of processing of any personal data
• Create and maintain the register of processing (in the exceptional situations where SMEs are required to have one) (Not true, under Art 30 it is the responsibility of the Controller)
P.31 6.3.9(a) Data Protection Impact Assessment (a) Background The DPIA is a new addition to the EU data protection framework. It builds on the rich experience of conducting impact assessments in other fields, in particular on environmental impact assessments. To be effective, impact assessments are carried out at the early stage of a project (proactive initiative), at the phase of planning or designing, and are aimed to identify and help mitigate any potential beneficial and adverse (i.e. negative) impacts arising from the intended processing of personal data within the project. Impact assessments are risk based exercises that help decision-makers find the best and most beneficial solutions for the development and deployment of initiatives while protecting the rights and freedoms of data subjects. To be practical, impact assessments must be scalable, flexible and applicable inter alia for large organisations, consortia or for small and medium-sized enterprises. Any risks identified will be entered into the Data Protection Risk Register.
P.32 6.3.9(c) (c) What are the elements and characteristics of the processing that may generate the high risks to rights and freedoms of individuals? The following elements that contribute to the high risks to data subjects from this provision were extracted by the
(d) What situations could require a DPIA? Examples of processing operations that could trigger a DPIA:
• If the SME is implementing a new tool to monitor access to office combining use of fingerprints and facial recognition technology;
• If the SME is a biotechnology company offering genetic tests directly to consumers in order to assess and predict the disease/health risks
• If the SME is providing CCTV surveillance for a shopping centre or using a large number of cameras in their own premises
(e) Who and when should perform a DPIA? Albeit the data processor and the data protection officer shall assist the data controller (i.e., SME), the final responsibility for the DPIA process rests with the data controller.
(f) When is a DPIA not required? • When the data processing operations are included in any list of data processing operations compiled by the DPA which do not require a DPIA
P.33 6.3.9(g) 4) Involve data subjects and/or their representatives, the data protection officer and any other expert (e.g. information security officer) and the data processor in the process, ideally in each phase of the assessment process. This consultation must be meaningful.
P.33 6.3.9(h) (h) When is a new (revised) DPIA required? A new (i.e. revised version of) DPIA could be required if the risks resulting from the processing operations are to change, for example because a new technology is to be introduced, a new processor is to be engaged under contract, or because personal data is to be used for a different purpose
In that case, the review of the risk analysis made can show that the performance of a DPIA is no longer required.
P.34 6.3.10(b) (b) How is the security obligation related to other provisions? This obligation also requires the controller wishing to engage a processor under contract to undertake due diligence and assess whether the guarantees offered by the data processor, in this case the cloud service provider, are sufficient. A controller must only engage such a processor where they have faith in their ability to comply with the obligations under GDPR. During this process, the controller may take into account whether the processor provides adequate documentation proving compliance with data protection principles that could be found in privacy policies, records management policies, information security policies, external audit reports, certifications and similar documentation. The controller in particular should take into account the processor's expert knowledge (e.g. technical expertise when dealing with data breaches and security measures), reliability and its resources. A site visit may also be necessary. After carrying out the due diligence process, the controller should be able to take a decision with sufficient evidence demonstrating that the processor is suitable; it can then enter into a binding arrangement. It should be added that this due diligence process is not a one-time effort. The controller will have an ongoing obligation to check whether the processor is compliant and meeting their obligations, either by auditing using their own staff or a trusted third party. When outsourcing the processing of personal data (e.g. for the provision of technical assistance or cloud services), the controller must conclude a contract, another legal act or binding arrangement with the other entity setting out clear and precise data protection obligations and the nature of processing in a detailed data processing agreement.
P.35 6.3.10(c) An information security policy foreseeing the role of each user and the required permission levels (access control) appropriate to the role, which minimises access to only that data necessary for that role. This includes the system administrator accounts. This is an example of an appropriate organisational measure.
P.35 6.3.10(d) What technical security measures can an SME take? Technical measures must therefore include both physical and computer or IT security.
When considering cybersecurity, you should look at factors such as:
• system security – the security of your network and information systems, especially those which process personal data;
• data security – the security of the data you hold within your systems, e.g., ensuring appropriate access controls are in place and that data is held securely through the use of suitable levels of encryption;
P.36 6.3.10(e) Would add: Where Special Category Data is processed (such as health data) or personal data relating to minors, higher levels of security will be expected to be implemented and documented.
P.36 6.3.11 This section should start with the definition of what is meant by a breach and explain the difference between an incident and a breach. It is confusing otherwise.
P.37 6.3.11(b) Consequently, this means that the controller must have internal procedures defined, tested and documented to appropriately identify and handle any breach of security concerning personal data.
In an ideal scenario, an information incident response policy should be in place before processing of personal data begins so that it could be used should a data breach take place.
P.37 6.3.11(d) Would add a final paragraph. As GDPR is maturing, different DPAs are expressing different thresholds for the reporting of breaches. Where originally there was a fear of over reporting, the DPC in Ireland has requested a breach be reported when there is any risk identified to the data subject. This allows the Commission to identify trends and to have confidence that controllers are identifying the minor breaches and thus are able to identify the more serious breaches should they arise.
I hope you find this useful.
Alan
From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE Sent: 28 February 2020 13:09 To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Here comes D4.1 with both parts now included. We made further minor edits to Part A. We believe that the pdf version can be submitted. We look forward to your comments on Part B, which unfortunately comes a bit later than planned.
Best regards, Lina
From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE Sent: Friday, February 28, 2020 8:45 AM To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Thank you for your additions and edits. The document to be submitted to the EC will reach you shortly after noon.
Best regards, Lina
From: nagy.renata@naih.hu <nagy.renata@naih.hu> Sent: Thursday, February 27, 2020 4:31 PM To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear Lina! Dear All!
Thank you for sharing the restructured version of the guidance for DPAs. We only added minor additions/corrections. We confirm that the yellow parts are accurate.
We are looking forward to the handbook (the submission deadline is 29.02.2020)
Best regards,
Renáta
From: Lina JASMONTAITE <Lina.Jasmontaite@vub.be> Sent: Thursday, February 20, 2020 10:32 AM To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Once again, thank you for preparing a revised version of the guidance for DPAs. We reviewed it and now enclose an improved version of it. It includes nearly all of your report (see the document you shared; we marked in yellow parts that were used). However, the current version is restructured, rephrased and embedded in a wider context of DPAs' awareness raising duties. We also extracted recommendations from your report and developed a graph presenting these recommendations. There are two parts marked in yellow that need to be checked for accuracy. Perhaps you will want to add some other clarifications in the text. In particular, further additions could be made to the concluding remarks part. As we provided contributions to the initial text, we would like to be considered co-authors of this guidance. What do you think about this?
Part B – the handbook for SMEs – is on its way.
Best regards, Lina
From: nagy.renata@naih.hu <nagy.renata@naih.hu> Sent: Tuesday, January 28, 2020 4:16 PM To: 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>; Leanne Cochrane <leanne.cochrane@trilateralresearch.com> Cc: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.com>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' <sziklay.julia@naih.hu> Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear All!
Please, find enclosed the updated version of the guidance.
Best,
Renáta
From: Kulitsán Gábor <kulitsan.gabor@naih.hu> Sent: Tuesday, January 28, 2020 10:09 AM To: 'Leanne Cochrane' <leanne.cochrane@trilateralresearch.com> Cc: 'David Barnard-Wills' <David.Barnard-Wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.hu>; 'Lina JASMONTAITE' <Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' <sziklay.julia@naih.hu> Subject: RE: STAR II - Update on EDPB and validation workshop?
Hi Leanne,
Thanks for the update on the newsletter.
Regarding the upcoming events:
* The plan is to present the drafts of the guidance and the handbook at the EDPB plenary in February. However, as this is scheduled for 18-19 February, we can only do this if the drafts are ready by then. Renáta will circulate the updated version of the guidance soon. As for the other document (handbook), Lina can provide further information.
* I have no further information on the validation workshop planned for March-April 2020.
Best, Gábor
From: Leanne Cochrane [mailto:leanne.cochrane@trilateralresearch.com] Sent: Monday, January 27, 2020 6:25 PM To: Kulitsán Gábor <kulitsan.gabor@naih.hu> Cc: David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com>; Corinna Pannofino <Corinna.Pannofino@trilateralresearch.com>; Angelo Napolano <Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.hu>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; Sziklay Júlia <sziklay.julia@naih.hu> Subject: STAR II - Update on EDPB and validation workshop?
Hi Gabor,
I hope you are keeping well.
Our dissemination team is preparing to send out the STAR II newsletter we mentioned on our previous calls. It will be sent out this Thursday with links to the approved deliverables and some blogs. We are also including a section on upcoming events and I wanted to check with NAIH if we had any further information on the following two events:
* A presentation by NAIH to the EDPB on the STAR II project planned for the February EDPB plenary (18th-19th) in Brussels.
* A Validation workshop for the STAR II outputs, namely 'A Risk Focused Handbook for SMEs' and a 'Guidance for DPAs' planned for March-April 2020 in Brussels.
Can I just check this information is still current and there is nothing more specific we can add at this stage?
I would be grateful if you can cc all in the reply as I am off tomorrow and the dissemination team are in need of the confirmation.
Thanks and best wishes, Leanne
Leanne Cochrane
Senior Research Analyst | Policy, Ethics and Emerging Technologies Team
leanne.cochrane@trilateralresearch.com
www.trilateralresearch.com
Mobile: +44 (0) 7545 955 242
Skype:@ljcochrane
Dear David,
Dear All,
Thanks for this feedback. Yes, Deliverable D4.1 has been submitted, but as you wrote, the feedback can be included in the finalised version (Deliverable D4.3).
Deliverable D4.2 has been re-submitted as well.
Next deliverables are:
D3.2 Report on the hotline
Description: Summary of the establishment and running of the hotline, including the infrastructure, policies, internal guidelines, difficulties and lessons learned during the operation.
Lead beneficiary: NAIH
Deadline: 31 March
D3.3 Report on the statistics and efficiency of the hotline
Description: Report based on a statistical analysis of the most frequently asked questions including the number and nature of issues, frequency of contacts, response time, effects of awareness-raising campaigns and public appearances, etc.
Lead beneficiary: TRI
Deadline: 31 March
D5.4 Trade Press Articles
Description: Two trade press articles (at least one in English, one in Hungarian) will be prepared. The first trade press article will be prepared at launch of the project and the second one in the dissemination phase.
Lead beneficiary: NAIH
Deadline: 31 March
I suggest having a skype call next week, preferably on Monday or Tuesday, starting at 2 pm CET, but of course I'm open to other suggestions.
Best,
Gábor
From: David Barnard-Wills [mailto:David.Barnard-Wills@trilateralresearch.com] Sent: Tuesday, March 10, 2020 4:22 PM To: Lina JASMONTAITE Lina.Jasmontaite@vub.be; nagy.renata@naih.hu; 'Kulitsán Gábor' kulitsan.gabor@naih.hu Cc: 'STAR' star@listserv.vub.ac.be Subject: feedback on STAR II 4.1
Dear all,
First, I sincerely apologise for not getting this feedback to you earlier. I assume that D4.1 was submitted?
On the positive side, this feedback can presumably be included in the final version of these deliverables.
We got Alan Moore, one of our DPO team, with good practical expertise with various commercial clients to review the guidance document (You met him at the Brussels workshop). His feedback is below.
Best wishes,
DBW
I have gone through the document and have a few suggestions:
P7 Section 3.2 It can be suggested that to compensate for being awarded with limited enforcement powers…..
I would hold they have significant powers beyond the ability to fine. Their powers to instruct controllers / processor top cease processing data, among others, can ultimately shut down a business without a fine being levied. To ignore these instructions can land a director in jail for up to 5 years!
P8. DPAs The focus on standardisation and EDPB. Art 60 was an after thought and the general view is the it cannot operate within the prescribed timelines. The ECJ will be the ultimate arbiter for standardisation of approaches / laws / requirements but each National Authority must be free to interpret facts presented in its own way. Their independence is anchored in the EU treaties. A complication that will eventually need to be addressed.
P8. 3.3 Should be aware that translation into romance languages can carry a different commutation the was intended by the Directive and DPA have a key role to explain the true intent / meaning.
P9. 3.4 Typo in second paragraph.
It also could be considered e the most
P10. It appeared that most DPAs do not use internal guidance to direct….
What has been the result of this? A key concern in the Irish DPC has been delivering a consistent message and not providing a different answer to the same or similar callers on different occasions.
P11. 4 Unclear use of language - first paragraph
This initiative allowed to be confirmed that
It allowed to be obtained
P11.4. Would stress the importance of standardisation of response
& P12 4 Add ‘c’? Implement a control process to ensure standardisation of responses to similar questions / scenarios
P13. 4.2 Might mention the concern that callers may have that showing their hand may trigger an investigation. Callers need to be reassured and encouraged to participate. Approaches do differ between different DPAs.
P13. 4.2.1
It was decided to create a dedicated part
Following up on from this decision
P15. 4.2.3
I would stress the value of face to face more as context can be complicated and the caller is subject to information and power asymmetry.
P16 4.5 last paragraph
We are included inclined to
P21 6.2 last paragraph
DPAs across the EU have reported to engage that they have engaged in
P22 6.3 4.5 last paragraph
Slovic suggests that the following elements play a role when evaluating risk:
1. The degree to which an individual feels in control 2. The nature of consequences and the distribution of the impact
P23 6.3 2nd paragraph
Which is perceived ‘as the coordinated activities to direct and control an organisation with regard to risk’ 47 This is most practically evidenced by the development and maintaining of a formal risk register.
(This risk section is very cerebral I fear and wont help with the ‘how’)
P23 6.3.1
Typically, the risk based approach formula approach in the GDPR includes the following elements to be taken into account:
* The state of the art in terms of technology for of the means of processing (state of the art needs to be explained – does not mean the best there is but rather the minimum expectable / expected)
P24 6.3.2
I would add a sentence or two on the benefits undertaking a voluntary DPIA which include:
* Documented understanding of the how the system works * Known points of integration with other systems * Assigning accountability * Ensuring organisational standards (security / access etc) are being complied with * Demonstrated commitment to GDPR * General piece of mind / greater organisational resilience
P24 6.3.5
I would add a piece on keeping a formal risk register of risks to data subjects, separate from ant organisation risk register of risks to the organisation in which all risks are assigned an owner and a review date.
P25 6.3.5 (b) What does SMEs need to do to be accountable?
Second paragraph
…that the principle of accountability as an elements of good
P.26 first line
… that the demonstration of compliance
P.26 6.3.6 (b)
* Implement data protection principles (see Article 5) and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects (see Chapter III) in an effective manner; * This should done at the time of the determination of the means for processing and implemented before the time of the processing itself.
(not that clear in the text.)
P.27 6.3.6 (c)
It should be noted that some DPAs while note defining and technical or organisation measures will nonetheless express an expectation such as the Irish DPC in terms of the use of encryption whenever possible where personal data is at rest or in transit.
P.28 6.3.7 (b) 2nd paragraph
It is assumed that organisations will, however, benefit more from maintaining their documentation electronically as such documentation can they can easily added to, have entries removed when obsolete, and amend entries it as necessary. However paper documentation is regarded as being appropriate for SMEs and micro enterprises. It should be added that SMEs (entities having less than 250 employees) are technically exempt from this obligation if provided they are undertaking:
• processing that is not likely to result in a risk to the rights and freedoms of data subjects;
• processing that is not occasional (meaning that it is not regularly / frequently undertaken); or
• processing that does not include special categories of data or personal data relating to criminal convictions and offences.
In reality, very few SMEs can avail of this exemption unless the process very little data. Most SMEs will usually have some special category data as part of their HR files.
They can be are available on the websites….
P.29 6.3.8 (a) 2
Large scale is not defined by the legislation though different DPAs have given some guidance relevant to different activities.
For SMEs who provide services into other organisations, the voluntary appointment of an internal or outsourced DPO can provide commercial and strategic advantage by communicating a commitment to data protection and promoting higher levels of trust.
P.29 6.3.8 (b)
A DPO may either be an employee of the SME or an external expert, but in both cases, it is fundamental that he or she is independent, in the sense that:
• the DPO shall be provided with all the necessary resources to carry on his/her tasks, in terms of money, time, workforce, time to devote to professional development etc.;
• the DPO shall not receive instructions for the exercise of his/her tasks;
• the DPO shall not be dismissed or penalized for the performance of his/her tasks;
• the DPO shall report to the highest level of management; and
• the DPO should not have any conflict of interest in respect to other tasks and duties (e.g. determining objects and purposes of the processing, representing the SME in legal proceedings).
P.30 6.3.8 (c)
Task of DPOs:
• Inform and advise the SME on the obligations arising from the GDPR and the national data protection provisions
• Monitor the compliance of the SME with the GDPR, the national data protection provisions and (eventual) its internal data policies
• Carry on awareness raising activities and training for the staff of the SME dealing with data processing
• Provide advice to the SME and monitor the performance in relation to the DPIA (when a DPIA is required)
• Act as contact point for the supervisory authority in case of prior consultation
• Cooperate with the supervisory authority
• Be contacted by data subjects wishing to exercise their rights
DPOs cannot:
• Be held accountable for the information and advice given to the SME (I do not agree with this. They are not accountable for whether their advice is implemented or not but they can be held accountable for being negligent)
• Be considered personally responsible for non-compliance with data protection requirements
• Perform the DPIA. Not true. There is no reason why a DPO cannot take the lead in undertaking a DPIA, especially where the skills do not exist elsewhere in the organization, but the responsibility to ensure one is done remains with the Controller.
• Represent the SME in front of the DPA or in a court in case of proceedings. Not quite so. The DPO remains the first point of contact for data subjects and the DPAs and may be called to account for advice / provide an explanation as to how data was processed based on their monitoring of processing activities.
• Be considered responsible for the maintenance of the register. True, but they are responsible for providing oversight as to whether it is maintained.
• Simultaneously hold another position in the organization that helps define the means and purposes of processing of any personal data.
• Create and maintain the register of processing (in the exceptional situations where SMEs are required to have one). Not true: under Art 30 it is the responsibility of the Controller.
P.31 6.3.9(a) Data Protection Impact Assessment
(a) Background
The DPIA is a new addition to the EU data protection framework. It builds on the rich experience of conducting impact assessments in other fields, in particular on environmental impact assessments. To be effective, impact assessments are carried out at the early stage of a project (proactive initiative), at the phase of planning or designing, and are aimed to identify and help anticipate any potential beneficial and adverse (i.e. negative) impacts arising from the intended processing of personal data within the project. Impact assessments are risk-based exercises that help decision-makers find the best and most beneficial solutions for the development and deployment of initiatives while protecting the rights and freedoms of data subjects. To be practical, impact assessments must be scalable, flexible and applicable inter alia for large organisations, consortia or for small and medium-sized enterprises. Any risks identified will be entered into the Data Protection Risk Register.
P.32 6.3.9(c)
(c) What are the elements and characteristics of the processing that may generate the high risks to rights and freedoms of individuals?
The following elements that contribute to the high risks to data subjects from this provision were extracted by the
(d) What situations could require a DPIA?
Examples of processing operations that could trigger a DPIA:
• If the SME is implementing a new tool to monitor access to the office combining the use of fingerprints and facial recognition technology;
• If the SME is a biotechnology company offering genetic tests directly to consumers in order to assess and predict disease/health risks;
• If the SME is providing CCTV surveillance for a shopping centre or using a large number of cameras in their own premises
(e) Who and when should perform a DPIA?
Albeit the data processor and the data protection officer shall assist the data controller (i.e., the SME), the final responsibility for the DPIA process rests with the data controller.
(f) When is a DPIA not required?
• When the data processing operations are included in any list of data processing operations compiled by the DPA which do not require a DPIA
P.33 6.3.9(g)
4) Involve data subjects and/or their representatives, the data protection officer and any other expert (e.g. information security officer) and the data processor in the process, ideally in each phase of the assessment process. This consultation must be meaningful.
P.33 6.3.9(h)
(h) When is a new (revised) DPIA required?
A new (i.e. revised version of) DPIA could be required if the risks resulting from the processing operations are to change, for example because a new technology is to be has been introduced, a new processor is to be engaged under contract, or because personal data is being to be used for a different purpose
In that case, the review of the risk analysis made can show that the performance of a DPIA is no longer required.
P.34 6.3.10(b)
(b) How is the security obligation related to other provisions?
This obligation also requires the controller wishing to engage a processor under contract to undertake due diligence and assess whether the guarantees offered by the data processor, in this case the cloud service provider, are sufficient. A controller must only engage such a processor where they have faith in their ability to comply with the obligations under GDPR. During this process, the controller may take into account whether the processor provides adequate documentation proving compliance with data protection principles, which could be found in privacy policies, records management policies, information security policies, external audit reports, certifications and similar documentation. The controller in particular should take into account the processor’s expert knowledge (e.g. technical expertise when dealing with data breaches and security measures), reliability and its resources. A site visit may also be necessary. After carrying out the due diligence process, the controller should be able to take a decision with sufficient evidence demonstrating that the processor is suitable; it can then enter into a binding arrangement. It should be added that this due diligence process is not a one-time effort. The controller will have an ongoing obligation to check whether the processor is compliant and meeting their obligations, either by auditing using their own staff or a trusted third party. When outsourcing the processing of personal data (e.g. for the provision of technical assistance or cloud services), the controller must conclude a contract, another legal act or binding arrangement with the other entity, setting out clear and precise data protection obligations and the nature of processing in a detailed data processing agreement.
P.35 6.3.10(c)
An information security policy foreseeing the role of each user and the required permission levels (access control) appropriate to the role, which minimises access to only that data necessary for that role (this includes the system administrator accounts), is an example of an appropriate organisational measure.
P.35 6.3.10(d) What technical security measures can a SME take?
Technical measures must therefore include both physical and computer or IT security.
When considering cybersecurity, you should look at factors such as:
• system security – the security of your network and information systems, including especially those which process personal data;
• data security – the security of the data you hold within your systems, e.g., ensuring appropriate access controls are in place and that data is held securely through the use of suitable levels of encryption;
P.36 6.3.10(e)
Would add:
Where Special Category Data is processed (such as health data) or personal data relating to minors, higher levels of security will be expected to be implemented and documented.
P.36 6.3.11
This section should start with the definition of what is meant by a breach and explain the difference between an incident and a breach. It is confusing otherwise.
P.37 6.3.11(b)
Consequently, this means that the controller must have internal procedures defined, tested and documented allowing them to appropriately identify and handle any breach of security concerning personal data.
In an ideal scenario, an information incident response policy should be in place before the processing of personal data begins, so that it can be used should a data breach take place.
P.37 6.3.11(d)
Would add a final paragraph.
As GDPR is maturing, different DPAs are expressing different thresholds for the reporting of breaches. Where originally there was a fear of over-reporting, the DPC in Ireland has requested that a breach be reported when there is any risk identified to the data subject. This allows the Commission to identify trends and to have confidence that controllers are identifying the minor breaches and thus are able to identify the more serious breaches should they arise.
I hope you find this useful.
Alan
From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE Sent: 28 February 2020 13:09 To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Here comes D4.1 with both parts now included. We made further minor edits to Part A.
We believe that the pdf version can be submitted.
We look forward to your comments on Part B, which unfortunately comes a bit later than planned.
Best regards,
Lina
From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE Sent: Friday, February 28, 2020 8:45 AM To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Thank you for your additions and edits.
The document to be submitted to the EC will reach you shortly after noon.
Best regards,
Lina
From: nagy.renata@naih.hu <nagy.renata@naih.hu> Sent: Thursday, February 27, 2020 4:31 PM To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear Lina!
Dear All!
Thank you for sharing the restructured version of the guidance for DPAs. We only added minor additions/corrections. We confirm that the yellow parts are accurate.
We are looking forward to the handbook (the submission deadline is 29.02.2020)
Best regards,
Renáta
From: Lina JASMONTAITE <Lina.Jasmontaite@vub.be> Sent: Thursday, February 20, 2020 10:32 AM To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Once again, thank you for preparing a revised version of the guidance for DPAs. We reviewed it and now enclose an improved version of it.
It includes nearly all of your report (see the document you shared; we marked in yellow parts that were used). However, the current version is restructured, rephrased and embedded in a wider context of DPAs’ awareness raising duties. We also extracted recommendations from your report and developed a graph presenting these recommendations.
There are two parts marked in yellow that need to be checked for accuracy. Perhaps, you will want to add some other clarifications in the text. In particular, further additions could be made to the concluding remarks part.
As we provided contributions to the initial text, we would like to be considered co-authors of this guidance. What do you think about this?
The part B – the handbook for SMEs – is on its way.
Best regards,
Lina
From: nagy.renata@naih.hu <nagy.renata@naih.hu> Sent: Tuesday, January 28, 2020 4:16 PM To: 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>; Leanne Cochrane <leanne.cochrane@trilateralresearch.com> Cc: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.com>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' <sziklay.julia@naih.hu> Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear All!
Please, find enclosed the updated version of the guidance.
Best,
Renáta
From: Kulitsán Gábor <kulitsan.gabor@naih.hu> Sent: Tuesday, January 28, 2020 10:09 AM To: 'Leanne Cochrane' <leanne.cochrane@trilateralresearch.com> Cc: 'David Barnard-Wills' <David.Barnard-Wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.hu>; 'Lina JASMONTAITE' <Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' <sziklay.julia@naih.hu> Subject: RE: STAR II - Update on EDPB and validation workshop?
Hi Leanne,
Thanks for the update on the newsletter.
Regarding the upcoming events:
- The plan is to present the drafts of the guidance and the handbook at the EDPB plenary in February. However, as this is scheduled for 18-19 February, we can only do this if the drafts are ready by then. Renáta will circulate the updated version of the guidance soon. As for the other document (handbook), Lina can provide further information.
- I have no further information on the validation workshop planned for March-April 2020.
Best,
Gábor
From: Leanne Cochrane <leanne.cochrane@trilateralresearch.com> Sent: Monday, January 27, 2020 6:25 PM To: Kulitsán Gábor <kulitsan.gabor@naih.hu> Cc: David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com>; Corinna Pannofino <Corinna.Pannofino@trilateralresearch.com>; Angelo Napolano <Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.hu>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; Sziklay Júlia <sziklay.julia@naih.hu> Subject: STAR II - Update on EDPB and validation workshop?
Hi Gabor,
I hope you are keeping well.
Our dissemination team is preparing to send out the STAR II newsletter we mentioned on our previous calls. It will be sent out this Thursday with links to the approved deliverables and some blogs. We are also including a section on upcoming events and I wanted to check with NAIH if we had any further information on the following two events:
* A presentation by NAIH to the EDPB on the STAR II project planned for the February EDPB plenary (18th-19th) in Brussels.
* A Validation workshop for the STAR II outputs, namely 'A Risk Focused Handbook for SMEs' and a 'Guidance for DPAs', planned for March-April 2020 in Brussels.
Can I just check this information is still current and there is nothing more specific we can add at this stage?
I would be grateful if you can cc all in the reply as I am off tomorrow and the dissemination team are in need of the confirmation.
Thanks and best wishes,
Leanne
Leanne Cochrane
Senior Research Analyst | Policy, Ethics and Emerging Technologies Team
leanne.cochrane@trilateralresearch.com
www.trilateralresearch.com
Mobile: +44 (0) 7545 955 242
Skype: @ljcochrane
Hi Gabor, Yes, I can make Monday or Tuesday.
Regarding D3.3 – It would be super helpful to understand what data we can use for this analysis. I see that you have been collecting and reporting things through the various presentations you’ve given during the project. And I think you already have a sense of what are the most common queries? But I think for this deliverable, we have to try and go a bit deeper.
A key question would be, can we (TRI) have access to the emails and the responses? (presumably anonymised would help, but keeping dates and times would be useful). Otherwise, we’re going to have to ask you some questions and you’ll have to find the answers yourselves! I’m scoping with one of my colleagues if we can apply some natural language processing techniques to see if we can get any additional insight out of the data. What sort of volume of emails/responses are we looking at? If we want to try and relate public appearances/awareness raising efforts to hotline inquiries, then we’d probably need a list of dates of such events/activities.
Regarding the trade press article, I’ve reached out to Privacy, Law and Business, and they’d be interested in publishing an article based on the project research. Deadline for submission would be 6th April, but we could have something with them and accepted by 31st March.
Best wishes, DBW
Dr David Barnard-Wills, Senior Research Manager (Policy, Ethics and Emerging Technologies), Trilateral Research Ltd.
1 Knightsbridge Green, London SW1X 7QA
www.trilateralresearch.com | www.twitter.com/dbarnardwills | https://twitter.com/TRIResearch_
I’m part time – Working hours: 9.30 to 17.00 Mon & Tues, 9.30 to 14.40 Weds, Thurs & Fri
From: Kulitsán Gábor <kulitsan.gabor@naih.hu> Sent: 11 March 2020 08:58 To: David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com>; 'Lina JASMONTAITE' <Lina.Jasmontaite@vub.be>; Leanne Cochrane <leanne.cochrane@trilateralresearch.com>; nagy.renata@naih.hu Cc: 'STAR' <star@listserv.vub.ac.be> Subject: RE: feedback on STAR II 4.1
Dear David, Dear All,
Thanks for this feedback. Yes, Deliverable D4.1 has been submitted, but as you wrote, the feedback can be included in the finalised version (Deliverable D4.3). Deliverable D4.2 has been re-submitted as well.
Next deliverables are:
D3.2 Report on the hotline. Description: Summary of the establishment and running of the hotline, including the infrastructure, policies, internal guidelines, difficulties and lessons learned during the operation. Lead beneficiary: NAIH. Deadline: 31 March.
D3.3 Report on the statistics and efficiency of the hotline. Description: Report based on a statistical analysis of the most frequently asked questions including the number and nature of issues, frequency of contacts, response time, effects of awareness-raising campaigns and public appearances, etc. Lead beneficiary: TRI. Deadline: 31 March.
D5.4 Trade Press Articles. Description: Two trade press articles (at least one in English, one in Hungarian) will be prepared. The first trade press article will be prepared at launch of the project and the second one in the dissemination phase. Lead beneficiary: NAIH. Deadline: 31 March.
I suggest having a Skype call next week, preferably on Monday or Tuesday, starting at 2 pm CET, but of course I’m open to other suggestions.
Best, Gábor
P.35 6.3.10(c) An information security policy foreseeing the role of each user and the required permission levels (access control) appropriate to the role which minimises access to only that data necessary for that role. This includies the system administrator accounts is as an example of an appropriate organisational measure.
P.35 6.3.10(d) What technical security measures can a SME take? Technical measures must therefore include both physical and computer or IT security.
When considering cybersecurity, you should look at factors such as: • system security – the security of your network and information systems, including especially those which process personal data; • data security – the security of the data you hold within your systems, e.g., ensuring appropriate access controls are in place and that data is held securely through the use of suitable levels of encryption;
P.36 6.3.10(e) Would add: Where Special Category Data is processed (such as health data) or personal data relating to minors, higher levels of security will be expected to be implemented and documented.
P.36 6.3.11 This section should start with the definition of what is meant by a breach and explain the difference between an incident and a breach. It is confusing otherwise.
P.37 6.3.11(b) Consequently, this means that the controller must have an internal procedures defined, tested and documented allowing to confirm to appropriately identify and handle any breach of security concerning personal data.
In an ideal scenario, an information incident response policy should precede be in place before processing of personal data begins so that any the occurrence of an incident so that it could be used should a data breach take place.
P.37 6.3.11(d) Would add a final paragraph. As GDPR is maturing, different DPAs are expressing different thresholds for the reporting of breaches. Where originally there was a fear of over reporting, the DPC in Ireland has requested a breach be reported when there is any risk identified to the data subject. This allows the Commission to identify trends and to have confidence that controllers are identifying the minor breaches and thus are able to identify the more serious beaches should they arise.
I hope you find this useful.
Alan
From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE Sent: 28 February 2020 13:09 To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Here comes D4.1 with both parts now included. We made further minor edits to Part A. We believe that the pdf version can be submitted. We look forward to your comments on Part B, which unfortunately comes a bit later than planned.
Best regards, Lina
From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE Sent: Friday, February 28, 2020 8:45 AM To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Thank you for your additions and edits. The document to be submitted to the EC will reach you shortly after noon.
Best regards, Lina
From: nagy.renata@naih.hu <nagy.renata@naih.hu> Sent: Thursday, February 27, 2020 4:31 PM To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear Lina! Dear All!
Thank you for sharing the restructured version of the guidance for DPAs. We only added minor additions/corrections. We confirm that the yellow parts are accurate.
We are looking forward to the handbook (the submission deadline is 29.02.2020)
Best regards,
Renáta
From: Lina JASMONTAITE <Lina.Jasmontaite@vub.be> Sent: Thursday, February 20, 2020 10:32 AM To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Once again, thank you for preparing a revised version of the guidance for DPAs. We reviewed it and now enclose an improved version of it. It includes nearly all of your report (see the document you shared; we marked in yellow the parts that were used). However, the current version is restructured, rephrased and embedded in a wider context of DPAs’ awareness raising duties. We also extracted recommendations from your report and developed a graph presenting these recommendations. There are two parts marked in yellow that need to be checked for accuracy. Perhaps you will want to add some other clarifications in the text. In particular, further additions could be made to the concluding remarks part. As we provided contributions to the initial text, we would like to be considered co-authors of this guidance. What do you think about this?
Part B – the handbook for SMEs – is on its way.
Best regards, Lina
From: nagy.renata@naih.hu <nagy.renata@naih.hu> Sent: Tuesday, January 28, 2020 4:16 PM To: 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>; Leanne Cochrane <leanne.cochrane@trilateralresearch.com> Cc: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.com>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' <sziklay.julia@naih.hu> Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear All!
Please find enclosed the updated version of the guidance.
Best,
Renáta
From: Kulitsán Gábor <kulitsan.gabor@naih.hu> Sent: Tuesday, January 28, 2020 10:09 AM To: 'Leanne Cochrane' <leanne.cochrane@trilateralresearch.com> Cc: 'David Barnard-Wills' <David.Barnard-Wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.hu>; 'Lina JASMONTAITE' <Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' <sziklay.julia@naih.hu> Subject: RE: STAR II - Update on EDPB and validation workshop?
Hi Leanne,
Thanks for the update on the newsletter.
Regarding the upcoming events:
* The plan is to present the drafts of the guidance and the handbook at the EDPB plenary in February. However, as this is scheduled for 18-19 February, we can only do this if the drafts are ready by then. Renáta will circulate the updated version of the guidance soon. As for the other document (handbook), Lina can provide further information.
* I have no further information on the validation workshop planned for March-April 2020.
Best, Gábor
From: Leanne Cochrane <leanne.cochrane@trilateralresearch.com> Sent: Monday, January 27, 2020 6:25 PM To: Kulitsán Gábor <kulitsan.gabor@naih.hu> Cc: David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com>; Corinna Pannofino <Corinna.Pannofino@trilateralresearch.com>; Angelo Napolano <Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.hu>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; Sziklay Júlia <sziklay.julia@naih.hu> Subject: STAR II - Update on EDPB and validation workshop?
Hi Gabor,
I hope you are keeping well.
Our dissemination team is preparing to send out the STAR II newsletter we mentioned on our previous calls. It will be sent out this Thursday with links to the approved deliverables and some blogs. We are also including a section on upcoming events and I wanted to check with NAIH if we had any further information on the following two events:
* A presentation by NAIH to the EDPB on the STAR II project planned for the February EDPB plenary (18th-19th) in Brussels.
* A validation workshop for the STAR II outputs, namely 'A Risk Focused Handbook for SMEs' and a 'Guidance for DPAs', planned for March-April 2020 in Brussels.
Can I just check this information is still current and there is nothing more specific we can add at this stage?
I would be grateful if you can cc all in the reply as I am off tomorrow and the dissemination team are in need of the confirmation.
Thanks and best wishes, Leanne
Leanne Cochrane
Senior Research Analyst | Policy, Ethics and Emerging Technologies Team
leanne.cochrane@trilateralresearch.com
www.trilateralresearch.com
Mobile: +44 (0) 7545 955 242
Skype: @ljcochrane
Dear David, Dear All,
Please find enclosed the recent version of the Excel sheet for the statistical analysis of the SME hotline.
The personal data can be removed from the emails and responses sent, and these can be sent to you early next week. If you identify the factors that are still missing but are needed for the analysis and should be added to the Excel file, I will gladly add the required, more detailed, information.
The final version of the Excel file will be provided as soon as the last email has been registered and responded to.
Best,
Renáta
On 2020-03-12 at 10:39, David Barnard-Wills wrote:
Hi Gabor,
Yes, I can make Monday or Tuesday.
Regarding D3.3 – It would be super helpful to understand what data we can use for this analysis. I see that you have been collecting and reporting things through the various presentations you’ve given during the project. And I think you already have a sense of what the most common queries are? But I think for this deliverable, we have to try and go a bit deeper.
A key question would be, can we (TRI) have access to the emails and the responses? (presumably anonymised would help, but keeping dates and times would be useful).
Otherwise, we’re going to have to ask you some questions and you’ll have to find the answers yourselves!
I’m scoping with one of my colleagues if we can apply some natural language processing techniques to see if we can get any additional insight out of the data.
What sort of volume of emails/responses are we looking at?
If we want to try and relate public appearances/awareness raising efforts to hotline inquiries, then we’d probably need a list of dates of such events/activities.
Regarding the trade press article, I’ve reached out to Privacy, Law and Business, and they’d be interested in publishing an article based on the project research. Deadline for submission would be 6th April, but we could have something with them and accepted by 31st March.
Best wishes,
DBW
Dr David Barnard-Wills
Senior Research Manager (Policy, Ethics and Emerging Technologies)
Trilateral Research Ltd.
1 Knightsbridge Green
London SW1X 7QA
www.trilateralresearch.com
www.twitter.com/dbarnardwills
https://twitter.com/TRIResearch_
I’m part time – Working hours: 9.30 to 17.00 Mon & Tues, 9.30 to 14.40 Weds, Thurs & Fri
FROM: Kulitsán Gábor kulitsan.gabor@naih.hu SENT: 11 March 2020 08:58 TO: David Barnard-Wills David.Barnard-Wills@trilateralresearch.com; 'Lina JASMONTAITE' Lina.Jasmontaite@vub.be; Leanne Cochrane leanne.cochrane@trilateralresearch.com; nagy.renata@naih.hu CC: 'STAR' star@listserv.vub.ac.be SUBJECT: RE: feedback on STAR II 4.1
Dear David,
Dear All,
Thanks for this feedback. Yes, Deliverable D4.1 has been submitted, but as you wrote, the feedback can be included in the finalised version (Deliverable D4.3).
Deliverable D4.2 has been re-submitted as well.
Next deliverables are:
D3.2 Report on the hotline
Description: Summary of the establishment and running of the hotline, including the infrastructure, policies, internal guidelines, difficulties and lessons learned during the operation.
Lead beneficiary: NAIH
Deadline: 31 March
D3.3 Report on the statistics and efficiency of the hotline
Description: Report based on a statistical analysis of the most frequently asked questions including the number and nature of issues, frequency of contacts, response time, effects of awareness-raising campaigns and public appearances, etc.
Lead beneficiary: TRI
Deadline: 31 March
D5.4 Trade Press Articles
Description: Two trade press articles (at least one in English, one in Hungarian) will be prepared. The first trade press article will be prepared at launch of the project and the second one in the dissemination phase.
Lead beneficiary: NAIH
Deadline: 31 March
I suggest having a Skype call next week, preferably on Monday or Tuesday, starting at 2 pm CET, but of course I’m open to other suggestions.
Best,
Gábor
FROM: David Barnard-Wills [mailto:David.Barnard-Wills@trilateralresearch.com] SENT: Tuesday, March 10, 2020 4:22 PM TO: Lina JASMONTAITE Lina.Jasmontaite@vub.be; nagy.renata@naih.hu; 'Kulitsán Gábor' kulitsan.gabor@naih.hu CC: 'STAR' star@listserv.vub.ac.be SUBJECT: feedback on STAR II 4.1
Dear all,
First, I sincerely apologise for not getting this feedback to you earlier. I assume that D4.1 was submitted?
On the positive side, this feedback can presumably be included in the final version of these deliverables.
We got Alan Moore, one of our DPO team, with good practical expertise with various commercial clients to review the guidance document (You met him at the Brussels workshop). His feedback is below.
Best wishes,
DBW
I have gone through the document and have a few suggestions:
P7 SECTION 3.2 It can be suggested that to compensate for being awarded with limited enforcement powers…..
I would hold they have significant powers beyond the ability to fine. Their powers to instruct controllers / processors to cease processing data, among others, can ultimately shut down a business without a fine being levied. To ignore these instructions can land a director in jail for up to 5 years!
P8. DPAs The focus on standardisation and EDPB. Art 60 was an afterthought and the general view is that it cannot operate within the prescribed timelines. The ECJ will be the ultimate arbiter for standardisation of approaches / laws / requirements, but each National Authority must be free to interpret facts presented in its own way. Their independence is anchored in the EU treaties. A complication that will eventually need to be addressed.
P8. 3.3 Should be aware that translation into romance languages can carry a different connotation than was intended by the Directive, and DPAs have a key role to explain the true intent / meaning.
P9. 3.4 Typo in second paragraph.
It also could be considered e the most
P10. It appeared that most DPAs do not use internal guidance to direct….
What has been the result of this? A key concern in the Irish DPC has been delivering a consistent message and not providing a different answer to the same or similar callers on different occasions.
P11. 4 Unclear use of language - first paragraph
This initiative allowed to be confirmed that
It allowed to be obtained
P11.4. Would stress the importance of standardisation of response
& P12 4 Add ‘c’? Implement a control process to ensure standardisation of responses to similar questions / scenarios
P13. 4.2 Might mention the concern that callers may have that showing their hand may trigger an investigation. Callers need to be reassured and encouraged to participate. Approaches do differ between different DPAs.
P13. 4.2.1
It was decided to create a dedicated part
Following up on from this decision
P15. 4.2.3
I would stress the value of face to face more as context can be complicated and the caller is subject to information and power asymmetry.
P16 4.5 last paragraph
We are included inclined to
P21 6.2 last paragraph
DPAs across the EU have reported to engage that they have engaged in
P22 6.3 4.5 last paragraph
Slovic suggests that the following elements play a role when evaluating risk:
- The degree to which an individual feels in control
- The nature of consequences and the distribution of the impact
P23 6.3 2nd paragraph
Which is perceived ‘as the coordinated activities to direct and control an organisation with regard to risk’ (footnote 47). This is most practically evidenced by the development and maintenance of a formal risk register.
(This risk section is very cerebral, I fear, and won't help with the ‘how’.)
P23 6.3.1
Typically, the risk based approach formula approach in the GDPR includes the following elements to be taken into account:
- The state of the art in terms of technology for of the means of processing (state of the art needs to be explained – it does not mean the best there is but rather the minimum expectable / expected)
P24 6.3.2
I would add a sentence or two on the benefits of undertaking a voluntary DPIA, which include:
- Documented understanding of how the system works
- Known points of integration with other systems
- Assigning accountability
- Ensuring organisational standards (security / access etc.) are being complied with
- Demonstrated commitment to GDPR
- General peace of mind / greater organisational resilience
P24 6.3.5
I would add a piece on keeping a formal risk register of risks to data subjects, separate from any organisation risk register of risks to the organisation, in which all risks are assigned an owner and a review date.
P25 6.3.5 (B) What does SMEs need to do to be accountable?
Second paragraph
…that the principle of accountability as an elements of good
P.26 first line
… that the demonstration of compliance
P.26 6.3.6 (B)
- Implement data protection principles (see Article 5) and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects (see Chapter III) in an effective manner;
- This should done at the time of the determination of the means for processing and implemented before the time of the processing itself.
(not that clear in the text.)
P.27 6.3.6 (C)
It should be noted that some DPAs, while not defining any technical or organisational measures, will nonetheless express an expectation, such as the Irish DPC in terms of the use of encryption whenever possible where personal data is at rest or in transit.
P.28 6.3.7 (B) 2nd paragraph
It is assumed that organisations will, however, benefit more from maintaining their documentation electronically, as such documentation can easily be added to, have entries removed when obsolete, and have entries amended as necessary. However, paper documentation is regarded as being appropriate for SMEs and micro enterprises. It should be added that SMEs (entities having less than 250 employees) are technically exempt from this obligation provided they are undertaking:
• processing that is not likely to result in a risk to the rights and freedoms of data subjects;
• processing that is not occasional (meaning that it is not regularly / frequently undertaken); or
• processing that does not include special categories of data or personal data relating to criminal convictions and offences.
In reality, very few SMEs can avail of this exemption unless they process very little data. Most SMEs will usually have some special category data as part of their HR files.
They can be are available on the websites….
P.29 6.3.8 (A) 2
Large scale is not defined by the legislation though different DPAs have given some guidance relevant to different activities.
For SMEs who provide services into other organisations, the voluntary appointment of an internal or outsourced DPO can provide commercial and strategic advantage by communicating a commitment to data protection and promoting higher levels of trust.
P.29 6.3.8 (B)
A DPO may either be an employee of the SME or an external expert, but in both cases, it is fundamental that he or she is independent, in the sense that:
• the DPO shall be provided with all the necessary resources to carry on his/her tasks, in terms of money, time, workforce, time to devote to professional development etc.;
• the DPO shall not receive instructions for the exercise of his/her tasks;
• the DPO shall not be dismissed or penalized for the performance of his/her tasks;
• the DPO shall report to the highest level of management; and
• the DPO should not have any conflict of interest in respect to other tasks and duties (e.g. determining objects and purposes of the processing, representing the SME in legal proceedings).
P.30 6.3.8 (C)
Task of DPOs:
• Inform and advise the SME on the obligations arising from the GDPR and the national data protection provisions
• Monitor the compliance of the SME with the GDPR, the national data protection provisions and (eventual) its internal data policies
• Carry on awareness raising activities and training for the staff of the SME dealing with data processing
• Provide advice to the SME and monitor the performance in relation to the DPIA (when a DPIA is required)
• Act as contact point for the supervisory authority in case of prior consultation
• Cooperate with the supervisory authority
• Be contacted by data subjects wishing to exercise their rights
DPOs cannot:
• Be held accountable for the information and advice given to the SME (I do not agree with this. They are not accountable for whether their advice is implemented or not, but they can be held accountable for being negligent.)
• Be considered personally responsible for non-compliance with data protection requirements
• Perform the DPIA. (Not true. There is no reason why a DPO cannot take the lead in undertaking a DPIA, especially where the skills do not exist elsewhere in the organization, but the responsibility to ensure one is done remains with the Controller.)
• Represent the SME in front of the DPA or in a court in case of proceedings. (Not quite so. The DPO remains the first point of contact for data subjects and the DPAs and may be called to account for advice / provide an explanation as to how data was processed based on their monitoring of processing activities.)
• Be considered responsible for the maintenance of the register (True, but they are responsible for providing oversight as to whether it is maintained.)
• Simultaneously hold another position in the organization that helps define the means and purposes of processing of any personal data.
• Create and maintain the register of processing (in the exceptional situations where SMEs are required to have one) (Not true; under Art 30 it is the responsibility of the Controller.)
P.31 6.3.9(A) Data Protection Impact Assessment
(a) Background
The DPIA is a new addition to the EU data protection framework. It builds on the rich experience of conducting impact assessments in other fields, in particular on environmental impact assessments. To be effective, impact assessments are carried out at the early stage of a project (proactive initiative), at the phase of planning or designing, and are aimed to identify and help mitigate any potential beneficial and adverse (i.e. negative) impacts arising from the intended processing of personal data within the project. Impact assessments are risk based exercises that help decision-makers find the best and most beneficial solutions for the development and deployment of initiatives while protecting the rights and freedoms of data subjects. To be practical, impact assessments must be scalable, flexible and applicable inter alia for large organisations, consortia or for small and medium-sized enterprises. Any risks identified will be entered into the Data Protection Risk Register.
P.32 6.3.9(c)
(c) What are the elements and characteristics of the processing that may generate the high risks to rights and freedoms of individuals?
The following elements that contribute to the high risks to data subjects from this provision were extracted by the
(d) What situations could require a DPIA?
Examples of processing operations that could trigger a DPIA:
• If the SME is implementing a new tool to monitor access to the office combining use of fingerprints and facial recognition technology;
• If the SME is a biotechnology company offering genetic tests directly to consumers in order to assess and predict the disease/health risks
• If the SME is providing CCTV surveillance for a shopping centre or using a large number of cameras in their own premises
(e) Who and when should perform a DPIA?
Albeit the data processor and the data protection officer shall assist the data controller (i.e., the SME), the final responsibility for the DPIA process rests with the data controller.
(f) When is a DPIA not required?
• When the data processing operations are included in any list of data processing operations compiled by the DPA which do not require a DPIA
P.33 6.3.9(g)
Involve data subjects and/or their representatives, the data protection officer and any other expert (e.g. information security officer) and the data processor in the process, ideally in each phase of the assessment process. This consultation must be meaningful.
P.33 6.3.9(h)
(h) When is a new (revised) DPIA required?
A new (i.e. revised version of the) DPIA could be required if the risks resulting from the processing operations are to change, for example because a new technology is to be introduced, a new processor is to be engaged under contract, or because personal data is to be used for a different purpose.
In that case, the review of the risk analysis made can show that the performance of a DPIA is no longer required.
P.34 6.3.10(b)
(b) How is the security obligation related to other provisions?
This obligation also requires the controller wishing to engage a processor under contract to undertake due diligence and assess whether the guarantees offered by the data processor, in this case the cloud service provider, are sufficient. A controller must only engage such a processor where they have faith in their ability to comply with the obligations under GDPR. During this process, the controller may take into account whether the processor provides adequate documentation proving compliance with data protection principles, which could be found in privacy policies, records management policies, information security policies, external audit reports, certifications and similar documentation. The controller in particular should take into account the processor’s expert knowledge (e.g. technical expertise when dealing with data breaches and security measures), reliability and its resources. A site visit may also be necessary. After carrying out the due diligence process, the controller should be able to take a decision with sufficient evidence demonstrating that the processor is suitable; it can then enter into a binding arrangement. It should be added that this due diligence process is not a one-time effort. The controller will have an ongoing obligation to check whether the processor is compliant and meeting their obligations, either by auditing using their own staff or a trusted third party. When outsourcing the processing of personal data (e.g. for the provision of technical assistance or cloud services), the controller must conclude a contract, another legal act or binding arrangement with the other entity, setting out clear and precise data protection obligations and the nature of processing in a detailed data processing agreement.
P.35 6.3.10(c)
An information security policy foreseeing the role of each user and the required permission levels (access control) appropriate to the role, which minimises access to only that data necessary for that role, including the system administrator accounts, is an example of an appropriate organisational measure.
P.35 6.3.10(d) What technical security measures can a SME take?
Technical measures must therefore include both physical and computer or IT security.
When considering cybersecurity, you should look at factors such as:
• system security – the security of your network and information systems, including especially those which process personal data;
• data security – the security of the data you hold within your systems, e.g., ensuring appropriate access controls are in place and that data is held securely through the use of suitable levels of encryption;
P.36 6.3.10(e)
Would add:
Where Special Category Data is processed (such as health data) or personal data relating to minors, higher levels of security will be expected to be implemented and documented.
P.36 6.3.11
This section should start with the definition of what is meant by a breach and explain the difference between an incident and a breach. It is confusing otherwise.
P.37 6.3.11(b)
Consequently, this means that the controller must have internal procedures defined, tested and documented, allowing it to appropriately identify and handle any breach of security concerning personal data.
In an ideal scenario, an information incident response policy should be in place before the processing of personal data begins, so that it could be used should a data breach take place.
P.37 6.3.11(D)
Would add a final paragraph.
As the GDPR is maturing, different DPAs are expressing different thresholds for the reporting of breaches. Where originally there was a fear of over-reporting, the DPC in Ireland has requested that a breach be reported when there is any risk identified to the data subject. This allows the Commission to identify trends and to have confidence that controllers are identifying the minor breaches and thus are able to identify the more serious breaches should they arise.
I hope you find this useful.
Alan
FROM: star-bounces@listserv.vub.ac.be ON BEHALF OF Lina JASMONTAITE SENT: 28 February 2020 13:09 TO: nagy.renata@naih.hu; 'Kulitsán Gábor' kulitsan.gabor@naih.hu CC: 'STAR' star@listserv.vub.ac.be SUBJECT: Re: [star] STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Here comes D4.1 with both parts now included. We made further minor edits to Part A.
We believe that the pdf version can be submitted.
We look forward to your comments on Part B, which unfortunately comes a bit later than planned.
Best regards,
Lina
FROM: star-bounces@listserv.vub.ac.be ON BEHALF OF Lina JASMONTAITE SENT: Friday, February 28, 2020 8:45 AM TO: nagy.renata@naih.hu; 'Kulitsán Gábor' kulitsan.gabor@naih.hu CC: 'STAR' star@listserv.vub.ac.be SUBJECT: Re: [star] STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Thank you for your additions and edits.
The document to be submitted to the EC will reach you shortly after noon.
Best regards,
Lina
FROM: nagy.renata@naih.hu SENT: Thursday, February 27, 2020 4:31 PM TO: Lina JASMONTAITE Lina.Jasmontaite@vub.be; 'Kulitsán Gábor' kulitsan.gabor@naih.hu CC: 'STAR' star@listserv.vub.ac.be SUBJECT: RE: STAR II - Update on EDPB and validation workshop?
Dear Lina!
Dear All!
Thank you for sharing the restructured version of the guidance for DPAs. We only added minor additions/corrections. We confirm that the yellow parts are accurate.
We are looking forward to the handbook (the submission deadline is 29.02.2020)
Best regards,
Renáta
FROM: Lina JASMONTAITE Lina.Jasmontaite@vub.be SENT: Thursday, February 20, 2020 10:32 AM TO: nagy.renata@naih.hu; 'Kulitsán Gábor' kulitsan.gabor@naih.hu CC: 'STAR' star@listserv.vub.ac.be SUBJECT: RE: STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Once again, thank you for preparing a revised version of the guidance for DPAs. We reviewed it and now enclose an improved version of it.
It includes nearly all of your report (see the document you shared; we marked in yellow parts that were used). However, the current version is restructured, rephrased and embedded in a wider context of DPAs’ awareness raising duties. We also extracted recommendations from your report and developed a graph presenting these recommendations.
There are two parts marked in yellow that need to be checked for accuracy. Perhaps, you will want to add some other clarifications in the text. In particular, further additions could be made to the concluding remarks part.
As we provided contributions to the initial text, we would like to be considered co-authors of this guidance. What do you think about this?
Part B – the handbook for SMEs – is on its way.
Best regards,
Lina
FROM: nagy.renata@naih.hu SENT: Tuesday, January 28, 2020 4:16 PM TO: 'Kulitsán Gábor' kulitsan.gabor@naih.hu; Leanne Cochrane leanne.cochrane@trilateralresearch.com CC: David Barnard-Wills david.barnard-wills@trilateralresearch.com; 'Corinna Pannofino' Corinna.Pannofino@trilateralresearch.com; 'Angelo Napolano' Angelo.Napolano@trilateralresearch.com; Lina JASMONTAITE Lina.Jasmontaite@vub.be; 'Sziklay Júlia' sziklay.julia@naih.hu SUBJECT: RE: STAR II - Update on EDPB and validation workshop?
Dear All!
Please, find enclosed the updated version of the guidance.
Best,
Renáta
FROM: Kulitsán Gábor kulitsan.gabor@naih.hu SENT: Tuesday, January 28, 2020 10:09 AM TO: 'Leanne Cochrane' leanne.cochrane@trilateralresearch.com CC: 'David Barnard-Wills' David.Barnard-Wills@trilateralresearch.com; 'Corinna Pannofino' Corinna.Pannofino@trilateralresearch.com; 'Angelo Napolano' Angelo.Napolano@trilateralresearch.com; 'Nagy Renáta' nagy.renata@naih.hu; 'Lina JASMONTAITE' Lina.Jasmontaite@vub.be; 'Sziklay Júlia' sziklay.julia@naih.hu SUBJECT: RE: STAR II - Update on EDPB and validation workshop?
Hi Leanne,
Thanks for the update on the newsletter.
Regarding the upcoming events:
- The plan is to present the drafts of the guidance and the handbook
at the EDPB plenary in February. However, as this is scheduled for 18-19 February, we can only do this if the drafts are ready by then. Renáta will circulate the updated version of the guidance soon. As for the other document (handbook), Lina can provide further information.
- I have no further information on the validation workshop planned
for March-April 2020.
Best,
Gábor
FROM: Leanne Cochrane [mailto:leanne.cochrane@trilateralresearch.com] SENT: Monday, January 27, 2020 6:25 PM TO: Kulitsán Gábor kulitsan.gabor@naih.hu CC: David Barnard-Wills David.Barnard-Wills@trilateralresearch.com; Corinna Pannofino Corinna.Pannofino@trilateralresearch.com; Angelo Napolano Angelo.Napolano@trilateralresearch.com; 'Nagy Renáta' nagy.renata@naih.hu; Lina JASMONTAITE Lina.Jasmontaite@vub.be; Sziklay Júlia sziklay.julia@naih.hu SUBJECT: STAR II - Update on EDPB and validation workshop?
Hi Gabor,
I hope you are keeping well.
Our dissemination team is preparing to send out the STAR II newsletter we mentioned on our previous calls. It will be sent out this Thursday with links to the approved deliverables and some blogs. We are also including a section on upcoming events and I wanted to check with NAIH if we had any further information on the following two events:
- A presentation by NAIH to the EDPB on the STAR II project planned
for the February EDPB plenary (18th-19th) in Brussels.
- A Validation workshop for the STAR II outputs, namely a 'A Risk
Focused Handbook for SMEs' and a 'Guidance for DPAs' planned for March-April 2020 in Brussels.
Can I just check this information is still current and there is nothing more specific we can add at this stage?
I would be grateful if you can cc all in the reply as I am off tomorrow and the dissemination team are in need of the confirmation.
Thanks and best wishes,
Leanne
LEANNE COCHRANE
SENIOR RESEARCH ANALYST | POLICY, ETHICS AND EMERGING TECHNOLOGIES TEAM
leanne.cochrane@trilateralresearch.com
www.trilateralresearch.com
Mobile: +44 (0) 7545 955 242
Skype: @ljcochrane
@David Barnard-Wills many thanks for sharing the extensive feedback. It’s much appreciated and we’ll implement it as soon as possible.
@Kulitsán Gábor at the university we have been receiving daily updates on the situation concerning the virus. For now all external events are cancelled until the end of April. In view of this, we can suggest rescheduling the event for a later date (probably mid or late June) in the hope that by then the situation improves and we can host the event. This would consequently require more time to finalise the handbook for the final event, and then July wouldn’t be a realistic date. My understanding is that we cannot ask for an extension of the project to the end of October/November because it is funded by the grant action. Could we, however, ask the PO for the cost of the final workshop, as well as travel, to be eligible for a later date that would go beyond the lifetime of the project? Perhaps, before proceeding with the official communication, it would be possible to get in touch with the PO via a phone call, so we are aware of the position taken by the EC considering the current situation?
Having a call on Tuesday works well for our team.
Best regards, Lina
From: David Barnard-Wills David.Barnard-Wills@trilateralresearch.com Sent: Tuesday, March 10, 2020 4:22 PM To: Lina JASMONTAITE Lina.Jasmontaite@vub.be; nagy.renata@naih.hu; 'Kulitsán Gábor' kulitsan.gabor@naih.hu Cc: 'STAR' star@listserv.vub.ac.be Subject: feedback on STAR II 4.1
Dear all,
First, I sincerely apologise for not getting this feedback to you earlier. I assume that D4.1 was submitted? On the positive side, this feedback can presumably be included in the final version of these deliverables.
We got Alan Moore, one of our DPO team, with good practical expertise with various commercial clients to review the guidance document (You met him at the Brussels workshop). His feedback is below.
Best wishes,
DBW
I have gone through the document and have a few suggestions:
P7 Section 3.2 It can be suggested that to compensate for being awarded with limited enforcement powers…..
I would hold they have significant powers beyond the ability to fine. Their powers to instruct controllers / processor top cease processing data, among others, can ultimately shut down a business without a fine being levied. To ignore these instructions can land a director in jail for up to 5 years!
P8. DPAs The focus on standardisation and EDPB. Art 60 was an after thought and the general view is the it cannot operate within the prescribed timelines. The ECJ will be the ultimate arbiter for standardisation of approaches / laws / requirements but each National Authority must be free to interpret facts presented in its own way. Their independence is anchored in the EU treaties. A complication that will eventually need to be addressed.
P8. 3.3 Should be aware that translation into romance languages can carry a different commutation the was intended by the Directive and DPA have a key role to explain the true intent / meaning.
P9. 3.4 Typo in second paragraph. It also could be considered e the most
P10. It appeared that most DPAs do not use internal guidance to direct…. What has been the result of this? A key concern in the Irish DPC has been delivering a consistent message and not providing a different answer to the same or similar callers on different occasions.
P11. 4 Unclear use of language - first paragraph This initiative allowed to be confirmed that It allowed to be obtained
P11.4. Would stress the importance of standardisation of response & P12 4 Add ‘c’? Implement a control process to ensure standardisation of responses to similar questions / scenarios
P13. 4.2 Might mention the concern that callers may have that showing their hand may trigger an investigation. Callers need to be reassured and encouraged to participate. Approaches do differ between different DPAs.
P13. 4.2.1 It was decided to create a dedicated part Following up on from this decision
P15. 4.2.3 I would stress the value of face to face more as context can be complicated and the caller is subject to information and power asymmetry.
P16 4.5 last paragraph We are included inclined to
P21 6.2 last paragraph DPAs across the EU have reported to engage that they have engaged in
P22 6.3 4.5 last paragraph Slovic suggests that the following elements play a role when evaluating risk:
1. The degree to which an individual feels in control 2. The nature of consequences and the distribution of the impact
P23 6.3 2nd paragraph Which is perceived ‘as the coordinated activities to direct and control an organisation with regard to risk’ 47 This is most practically evidenced by the development and maintaining of a formal risk register.
(This risk section is very cerebral I fear and wont help with the ‘how’)
P23 6.3.1 Typically, the risk based approach formula approach in the GDPR includes the following elements to be taken into account:
* The state of the art in terms of technology for of the means of processing (state of the art needs to be explained – does not mean the best there is but rather the minimum expectable / expected)
P24 6.3.2 I would add a sentence or two on the benefits undertaking a voluntary DPIA which include:
* Documented understanding of the how the system works * Known points of integration with other systems * Assigning accountability * Ensuring organisational standards (security / access etc) are being complied with * Demonstrated commitment to GDPR * General piece of mind / greater organisational resilience
P24 6.3.5 I would add a piece on keeping a formal risk register of risks to data subjects, separate from ant organisation risk register of risks to the organisation in which all risks are assigned an owner and a review date.
P25 6.3.5 (b) What does SMEs need to do to be accountable?
Second paragraph …that the principle of accountability as an elements of good
P.26 first line … that the demonstration of compliance
P.26 6.3.6 (b)
* Implement data protection principles (see Article 5) and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects (see Chapter III) in an effective manner; * This should done at the time of the determination of the means for processing and implemented before the time of the processing itself. (not that clear in the text.)
P.27 6.3.6 (c) It should be noted that some DPAs while note defining and technical or organisation measures will nonetheless express an expectation such as the Irish DPC in terms of the use of encryption whenever possible where personal data is at rest or in transit.
P.28 6.3.7 (b) 2nd paragraph It is assumed that organisations will, however, benefit more from maintaining their documentation electronically as such documentation can they can easily added to, have entries removed when obsolete, and amend entries it as necessary. However paper documentation is regarded as being appropriate for SMEs and micro enterprises. It should be added that SMEs (entities having less than 250 employees) are technically exempt from this obligation if provided they are undertaking: • processing that is not likely to result in a risk to the rights and freedoms of data subjects; • processing that is not occasional (meaning that it is not regularly / frequently undertaken); or • processing that does not include special categories of data or personal data relating to criminal convictions and offences.
In reality, very few SMEs can avail of this exemption unless the process very little data. Most SMEs will usually have some special category data as part of their HR files.
They can be are available on the websites….
P.29 6.3.8 (a) 2 Large scale is not defined by the legislation though different DPAs have given some guidance relevant to different activities.
For SMEs who provide services into other organisations, the voluntary appointment of an internal or outsourced DPO can provide commercial and strategic advantage by communicating a commitment to data protection and promoting higher levels of trust.
P.29 6.3.8 (b)
A DPO may either be an employee of the SME or an external expert, but in both cases, it is fundamental that he or she is independent, in the sense that: • the DPO shall be provided of with all the necessary resources to carry on his/her tasks, in terms of money, time, workforce, time to devote to professional development etc.; • the DPO shall not receive instructions for the exercise of his/her tasks; • the DPO shall not be dismissed or penalized for the performance of his/her tasks; • the DPO shall report to the highest level of management; and • the DPO should not be in have any conflict of interest in respect to other tasks and duties (e.g. determining objects and purposes of the processing, representing the SME in legal proceeding).
P.30 6.3.8 (c) Task of DPOs DPOs cannot Inform and advice the SME on the obligations arising from the GDPR and the national data protection provisions Be held accountable for the information and advice given to the SME (I do not agree with this. They are not accountable for whether their advice is implemented or not but they can be held accountable for being negligent) Monitor the compliance of the SME with the GDPR, the national data protection provisions and (eventual) its internal data policies Be considered personally responsible for non-compliance with data protection requirements Carry on awareness raising activities and training for the staff of the SME dealing with data processing Perform the DPIA. Not true. There is no reason why a DPO cannot take the lead in undertaking a DPIA especially where the skills do not exist elsewhere in the organization. but the responsibility to ensure one is done remains with the Controller. Provide advice to the SME and monitor the performance in relation to the DPIA (when a DPIA is required) Represent the SME in front of the DPA or in a court in case of proceedings. Not quite so. The DPO remains the first point of contact for data subjects and the DPAs and may be called to account for advice / provide an explanation as to how data was processed based on their monitoring of processing activities. I Act as contact point for the supervisory authority in case of prior consultation Be considered responsible for the maintenance of the register True but they are responsible for providing oversight as to whether it is maintained. Cooperate with the supervisory authority Simultaneously hold another position in the organization that helps define the means and purposes of processing of any personal data. Be contacted by data subjects willing wishing to exercise their rights
Create and maintain the register of processing (in the exceptional situations where SME are required to have it one) Not True, under Art 30 it is the responsibility of the Controller
P.31 6.3.9(a) Data Protection Impact Assessment (a) Background The DPIA is a new addition to the EU data protection framework. It builds on the rich experience of conducting impact assessments in other fields, in particular, on the environmental impact assessments. To be effective, impact assessments are carried out at the early stage of a project (proactive initiative), at the phase of planning or designing, and are aimed to identify and help mitigate anticipate the any potential beneficial and adverse (i.e. negative) impacts arising from the intended processing of personal data of such within the project. Impact assessments are risk based exercises that help decision-makers find the best and most beneficial solutions for the development and deployment of initiatives while protecting the rights and freedoms of data subjects. To be practical, impact assessments must be scalable, flexible and applicable inter alia for large organisations, consortia or for small and medium-sized enterprises. Any risks identified will be entered into the Data Protection Risk Register.
P.32 6.3.9(c) (c) What are the elements and characteristics of the processing that may generate the high risks to rights and freedoms of individuals? The following elements that contribute to the high risks to data subjects from this provision were extracted by the
(d) What situations could require a DPIA? Examples of processing operations that could trigger a DPIA: • If the SME is implementing a new tool to monitor access to office combining use of fingerprints and face facial recognition technology; • If the SME is a biotechnology company offering genetic tests directly to consumers in order to assess and predict the disease/health risks • If the SME is providing CCTV surveillance for a shopping centre or using a large number of cameras in their own premises
(e) Who and when should perform a DPIA? Albeit the data processor and the data protection officer shall assist the data controller (i.e., SME), the final responsibility on for the DPIA process relies on rests with the data controller.
(f) When is a DPIA is not required? • When the data processing operations are included in any list of data processing operations compiled by the DPA non which do not requiring a DPIA
P.33 6.3.9(g) 4) Involve data subjects and/or their representatives, the data protection officer and any other expert (e.g. information security officer) and the data processor in the process, ideally in each phase of the assessment process. This consultation must be meaningful.
P.33 6.3.9(h) (h) When a new (revised) DPIA is required? A new (i.e. revised version of) DPIA could be required if the risks resulting from the processing operations are to change, for example because a new technology is to be has been introduced, a new processor is to be engaged under contract, or because personal data is being to be used for a different purpose
In that case, the review of the risk analysis made can show that the performance of a DPIA is no longer required.
P.34 6.3.10(b) (b) How the security obligation is related to other provisions? This obligation also requires the controller wishing to engage a processor under contract to undertake due diligence and assess whether the guarantees offered by the data processor, in this case the cloud service provider, are sufficient. A controller must only engage such a processor where they have faith in their ability to comply with the obligations under GDPR. During this process, the controller may take into account whether the processor provides adequate documentation proving compliance with data protection principles that could be found in privacy policies, records management policies, information security policies, external audit reports, certifications and similar documentation. The controller in particular should take into account the processor’s expert knowledge (e.g. technical expertise when dealing with data breaches and security measures), reliability and its resources. A site visit may also be necessary. After carrying out the due diligence process, the controller should be able to take a decision with sufficient evidence demonstrating that the processor is suitable, it can then enter into a binding arrangement. It should be added that this due diligence process is not a one-time effort. and it needs to be regularly repeated in order The controller will have an ongoing obligation to check whether the processor is compliant and meeting their obligations either by auditing using their own staff or a trusted third party. When outsourcing the processing of personal data (e.g. for the provision of technical assistance or cloud services), the controller should must conclude a contract, another legal act or binding arrangement with the other entity already setting out clear and precise data protection obligations and the nature of processing in a detailed data processing agreement.
P.35 6.3.10(c) An information security policy foreseeing the role of each user and the required permission levels (access control) appropriate to the role which minimises access to only that data necessary for that role. This includies the system administrator accounts is as an example of an appropriate organisational measure.
P.35 6.3.10(d) What technical security measures can a SME take? Technical measures must therefore include both physical and computer or IT security.
When considering cybersecurity, you should look at factors such as: • system security – the security of your network and information systems, including especially those which process personal data; • data security – the security of the data you hold within your systems, e.g., ensuring appropriate access controls are in place and that data is held securely through the use of suitable levels of encryption;
P.36 6.3.10(e) Would add: Where Special Category Data is processed (such as health data) or personal data relating to minors, higher levels of security will be expected to be implemented and documented.
P.36 6.3.11 This section should start with the definition of what is meant by a breach and explain the difference between an incident and a breach. It is confusing otherwise.
P.37 6.3.11(b) Consequently, this means that the controller must have an internal procedures defined, tested and documented allowing to confirm to appropriately identify and handle any breach of security concerning personal data.
In an ideal scenario, an information incident response policy should precede be in place before processing of personal data begins so that any the occurrence of an incident so that it could be used should a data breach take place.
P.37 6.3.11(d) Would add a final paragraph. As GDPR is maturing, different DPAs are expressing different thresholds for the reporting of breaches. Where originally there was a fear of over reporting, the DPC in Ireland has requested a breach be reported when there is any risk identified to the data subject. This allows the Commission to identify trends and to have confidence that controllers are identifying the minor breaches and thus are able to identify the more serious beaches should they arise.
I hope you find this useful.
Alan
From: star-bounces@listserv.vub.ac.bemailto:star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.bemailto:star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE Sent: 28 February 2020 13:09 To: nagy.renata@naih.humailto:nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.humailto:kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.bemailto:star@listserv.vub.ac.be> Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Here comes D4.1 with both parts now included. We made further minor edits to Part A. We believe that the pfd version can be submitted. We look forward to your comments on Part B, which unfortunately comes a bit later than planned.
Best regards, Lina
From: star-bounces@listserv.vub.ac.bemailto:star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.bemailto:star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE Sent: Friday, February 28, 2020 8:45 AM To: nagy.renata@naih.humailto:nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.humailto:kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.bemailto:star@listserv.vub.ac.be> Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Thank you for your additions and edits. The document to be submitted to the EC will reach you shortly after noon.
Best regards, Lina
From: nagy.renata@naih.humailto:nagy.renata@naih.hu <nagy.renata@naih.humailto:nagy.renata@naih.hu> Sent: Thursday, February 27, 2020 4:31 PM To: Lina JASMONTAITE <Lina.Jasmontaite@vub.bemailto:Lina.Jasmontaite@vub.be>; 'Kulitsán Gábor' <kulitsan.gabor@naih.humailto:kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.bemailto:star@listserv.vub.ac.be> Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear Lina! Dear All!
Thank you for sharing the restructured version of the guidance for DPAs. We only added minor additions/corrections. We confirm that the yellow parts are accurate.
We are looking forward to the handbook (the submission deadline is 29.02.2020)
Best regards,
Renáta
From: Lina JASMONTAITE <Lina.Jasmontaite@vub.bemailto:Lina.Jasmontaite@vub.be> Sent: Thursday, February 20, 2020 10:32 AM To: nagy.renata@naih.humailto:nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.humailto:kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.bemailto:star@listserv.vub.ac.be> Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Once again, thank you for preparing a revised version of the guidance for DPAs. We reviewed it now enclose an improved version of it. It includes nearly all of your report (see the document you shared; we marked in yellow parts that were used). However, the current version is restructured, rephrased and embedded in a wider context of DPAs’ awareness raising duties. We also extracted recommendations from your report and developed a graph presenting these recommendations. There are two parts marked in yellow that need to be checked for accuracy. Perhaps, you will want to add some other clarifications in the text. In particular, further additions could be made to the concluding remarks part. As we provided contributions to the initial text, we would like to be considered co-authors of this guidance. What do you think about this?
The part B – the handbook for SMEs – is on a way.
Best regards, Lina
From: nagy.renata@naih.humailto:nagy.renata@naih.hu <nagy.renata@naih.humailto:nagy.renata@naih.hu> Sent: Tuesday, January 28, 2020 4:16 PM To: 'Kulitsán Gábor' <kulitsan.gabor@naih.humailto:kulitsan.gabor@naih.hu>; Leanne Cochrane <leanne.cochrane@trilateralresearch.commailto:leanne.cochrane@trilateralresearch.com> Cc: David Barnard-Wills <david.barnard-wills@trilateralresearch.commailto:david.barnard-wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.commailto:Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.commailto:Angelo.Napolano@trilateralresearch.com>; Lina JASMONTAITE <Lina.Jasmontaite@vub.bemailto:Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' <sziklay.julia@naih.humailto:sziklay.julia@naih.hu> Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear All!
Please, find enclosed the updated version of the guidance.
Best,
Renáta
From: Kulitsán Gábor <kulitsan.gabor@naih.humailto:kulitsan.gabor@naih.hu> Sent: Tuesday, January 28, 2020 10:09 AM To: 'Leanne Cochrane' <leanne.cochrane@trilateralresearch.commailto:leanne.cochrane@trilateralresearch.com> Cc: 'David Barnard-Wills' <David.Barnard-Wills@trilateralresearch.commailto:David.Barnard-Wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.commailto:Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.commailto:Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.humailto:nagy.renata@naih.hu>; 'Lina JASMONTAITE' <Lina.Jasmontaite@vub.bemailto:Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' <sziklay.julia@naih.humailto:sziklay.julia@naih.hu> Subject: RE: STAR II - Update on EDPB and validation workshop?
Hi Leanne,
Thanks for the update on the newsletter.
Regarding the upcoming events:
* The plan is to present the drafts of the guidance and the handbook at the EDPB plenary in February. However, as this is scheduled for 18-19 February, we can only do this, if the drafts are ready by then. Renáta will circulate the updated version of the guidance soon. As for the other document (handbook), Lina can provide further information. * I have no further information on the validation workshop planned for March-April 2020.
Best, Gábor
From: Leanne Cochrane <leanne.cochrane@trilateralresearch.com>
Sent: Monday, January 27, 2020 6:25 PM
To: Kulitsán Gábor <kulitsan.gabor@naih.hu>
Cc: David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com>; Corinna Pannofino <Corinna.Pannofino@trilateralresearch.com>; Angelo Napolano <Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.hu>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; Sziklay Júlia <sziklay.julia@naih.hu>
Subject: STAR II - Update on EDPB and validation workshop?
Hi Gabor,
I hope you are keeping well.
Our dissemination team is preparing to send out the STAR II newsletter we mentioned on our previous calls. It will be sent out this Thursday with links to the approved deliverables and some blogs. We are also including a section on upcoming events and I wanted to check with NAIH if we had any further information on the following two events:
* A presentation by NAIH to the EDPB on the STAR II project planned for the February EDPB plenary (18th-19th) in Brussels.
* A Validation workshop for the STAR II outputs, namely a 'A Risk Focused Handbook for SMEs' and a 'Guidance for DPAs' planned for March-April 2020 in Brussels.
Can I just check this information is still current and there is nothing more specific we can add at this stage?
I would be grateful if you can cc all in the reply as I am off tomorrow and the dissemination team are in need of the confirmation.
Thanks and best wishes, Leanne
http://www.trilateralresearch.com/
Leanne Cochrane
Senior Research Analyst | Policy, Ethics and Emerging Technologies Team
leanne.cochrane@trilateralresearch.com
www.trilateralresearch.com
Mobile: +44 (0) 7545 955 242
Skype: @ljcochrane
From: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>
Sent: Friday, March 13, 2020 10:54 AM
To: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>; nagy.renata@naih.hu
Subject: RE: feedback on STAR II 4.1
@David Barnard-Wills many thanks for sharing the extensive feedback. It’s much appreciated and we’ll implement it as soon as possible.
@'Kulitsán Gábor' at the university we were receiving daily updates on the situation concerning the virus. For now all external events are cancelled until the end of April. In view of this, we can suggest to reschedule the event for a later date (probably to mid or late June) in the hope that by then the situation improves and we can host the event. This would consequently require more time to finalise the handbook for the final event, and then July wouldn’t be a realistic date. My understanding is that we cannot ask for the extension of the project to the end of October/November because it is funded by the grant action. Could we ask however the PO for the cost of the final workshop as well as travelling to be eligible for the later date that would go beyond the lifetime of the project?
Perhaps, before proceeding with the official communication, it would be possible to get in touch with the PO via a phone call, so we are aware about the position taken by the EC considering the current situation?
Having a call on Tuesday works well for our team.
Best regards,
Lina
From: David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com>
Sent: Tuesday, March 10, 2020 4:22 PM
To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: feedback on STAR II 4.1
Dear all,
First, I sincerely apologise for not getting this feedback to you earlier. I assume that D4.1 was submitted?
On the positive side, this feedback can presumably be included in the final version of these deliverables.
We got Alan Moore, one of our DPO team, with good practical expertise with various commercial clients to review the guidance document (You met him at the Brussels workshop). His feedback is below.
Best wishes,
DBW
I have gone through the document and have a few suggestions:
P7 Section 3.2 It can be suggested that to compensate for being awarded with limited enforcement powers…..
I would hold they have significant powers beyond the ability to fine. Their powers to instruct controllers / processors to cease processing data, among others, can ultimately shut down a business without a fine being levied. To ignore these instructions can land a director in jail for up to 5 years!
P8. DPAs The focus on standardisation and EDPB. Art 60 was an afterthought and the general view is that it cannot operate within the prescribed timelines. The ECJ will be the ultimate arbiter for standardisation of approaches / laws / requirements but each National Authority must be free to interpret facts presented in its own way. Their independence is anchored in the EU treaties. A complication that will eventually need to be addressed.
P8. 3.3 Should be aware that translation into romance languages can carry a different connotation than was intended by the Directive, and DPAs have a key role to explain the true intent / meaning.
P9. 3.4 Typo in second paragraph.
It also could be considered e the most
P10. It appeared that most DPAs do not use internal guidance to direct….
What has been the result of this? A key concern in the Irish DPC has been delivering a consistent message and not providing a different answer to the same or similar callers on different occasions.
P11. 4 Unclear use of language - first paragraph
This initiative allowed to be confirmed that
It allowed to be obtained
P11.4. Would stress the importance of standardisation of response
& P12 4 Add ‘c’? Implement a control process to ensure standardisation of responses to similar questions / scenarios
P13. 4.2 Might mention the concern that callers may have that showing their hand may trigger an investigation. Callers need to be reassured and encouraged to participate. Approaches do differ between different DPAs.
P13. 4.2.1
It was decided to create a dedicated part
Following up on from this decision
P15. 4.2.3
I would stress the value of face to face more as context can be complicated and the caller is subject to information and power asymmetry.
P16 4.5 last paragraph
We are included inclined to
P21 6.2 last paragraph
DPAs across the EU have reported to engage that they have engaged in
P22 6.3 4.5 last paragraph
Slovic suggests that the following elements play a role when evaluating risk:
1. The degree to which an individual feels in control
2. The nature of consequences and the distribution of the impact
P23 6.3 2nd paragraph
Which is perceived ‘as the coordinated activities to direct and control an organisation with regard to risk’ [47] This is most practically evidenced by the development and maintaining of a formal risk register.
(This risk section is very cerebral I fear and won't help with the ‘how’)
P23 6.3.1
Typically, the risk based approach formula approach in the GDPR includes the following elements to be taken into account:
* The state of the art in terms of technology for of the means of processing (state of the art needs to be explained – does not mean the best there is but rather the minimum expectable / expected)
P24 6.3.2
I would add a sentence or two on the benefits undertaking a voluntary DPIA which include:
* Documented understanding of how the system works
* Known points of integration with other systems
* Assigning accountability
* Ensuring organisational standards (security / access etc) are being complied with
* Demonstrated commitment to GDPR
* General peace of mind / greater organisational resilience
P24 6.3.5
I would add a piece on keeping a formal risk register of risks to data subjects, separate from any organisation risk register of risks to the organisation, in which all risks are assigned an owner and a review date.
P25 6.3.5 (b) What does SMEs need to do to be accountable?
Second paragraph
…that the principle of accountability as an elements of good
P.26 first line
… that the demonstration of compliance
P.26 6.3.6 (b)
* Implement data protection principles (see Article 5) and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects (see Chapter III) in an effective manner;
* This should done at the time of the determination of the means for processing and implemented before the time of the processing itself.
(not that clear in the text.)
P.27 6.3.6 (c)
It should be noted that some DPAs, while not defining any technical or organisational measures, will nonetheless express an expectation, such as the Irish DPC in terms of the use of encryption whenever possible where personal data is at rest or in transit.
P.28 6.3.7 (b) 2nd paragraph
It is assumed that organisations will, however, benefit more from maintaining their documentation electronically as such documentation can they can easily added to, have entries removed when obsolete, and amend entries it as necessary. However paper documentation is regarded as being appropriate for SMEs and micro enterprises. It should be added that SMEs (entities having less than 250 employees) are technically exempt from this obligation if provided they are undertaking:
• processing that is not likely to result in a risk to the rights and freedoms of data subjects;
• processing that is not occasional (meaning that it is not regularly / frequently undertaken); or
• processing that does not include special categories of data or personal data relating to criminal convictions and offences.
In reality, very few SMEs can avail of this exemption unless they process very little data. Most SMEs will usually have some special category data as part of their HR files.
They can be are available on the websites….
P.29 6.3.8 (a) 2
Large scale is not defined by the legislation though different DPAs have given some guidance relevant to different activities.
For SMEs who provide services into other organisations, the voluntary appointment of an internal or outsourced DPO can provide commercial and strategic advantage by communicating a commitment to data protection and promoting higher levels of trust.
P.29 6.3.8 (b)
A DPO may either be an employee of the SME or an external expert, but in both cases, it is fundamental that he or she is independent, in the sense that:
• the DPO shall be provided of with all the necessary resources to carry on his/her tasks, in terms of money, time, workforce, time to devote to professional development etc.;
• the DPO shall not receive instructions for the exercise of his/her tasks;
• the DPO shall not be dismissed or penalized for the performance of his/her tasks;
• the DPO shall report to the highest level of management; and
• the DPO should not be in have any conflict of interest in respect to other tasks and duties (e.g. determining objects and purposes of the processing, representing the SME in legal proceeding).
P.30 6.3.8 (c)
Task of DPOs:
• Inform and advise the SME on the obligations arising from the GDPR and the national data protection provisions
• Monitor the compliance of the SME with the GDPR, the national data protection provisions and (eventual) its internal data policies
• Carry on awareness raising activities and training for the staff of the SME dealing with data processing
• Provide advice to the SME and monitor the performance in relation to the DPIA (when a DPIA is required)
• Act as contact point for the supervisory authority in case of prior consultation
• Cooperate with the supervisory authority
• Be contacted by data subjects willing wishing to exercise their rights
DPOs cannot:
• Be held accountable for the information and advice given to the SME (I do not agree with this. They are not accountable for whether their advice is implemented or not, but they can be held accountable for being negligent.)
• Be considered personally responsible for non-compliance with data protection requirements
• Perform the DPIA. (Not true. There is no reason why a DPO cannot take the lead in undertaking a DPIA, especially where the skills do not exist elsewhere in the organization, but the responsibility to ensure one is done remains with the Controller.)
• Represent the SME in front of the DPA or in a court in case of proceedings. (Not quite so. The DPO remains the first point of contact for data subjects and the DPAs and may be called to account for advice / provide an explanation as to how data was processed based on their monitoring of processing activities.)
• Be considered responsible for the maintenance of the register (True, but they are responsible for providing oversight as to whether it is maintained.)
• Simultaneously hold another position in the organization that helps define the means and purposes of processing of any personal data.
• Create and maintain the register of processing (in the exceptional situations where SME are required to have it one) (Not true, under Art 30 it is the responsibility of the Controller.)
P.31 6.3.9(a) Data Protection Impact Assessment
(a) Background
The DPIA is a new addition to the EU data protection framework. It builds on the rich experience of conducting impact assessments in other fields, in particular, on the environmental impact assessments. To be effective, impact assessments are carried out at the early stage of a project (proactive initiative), at the phase of planning or designing, and are aimed to identify and help mitigate anticipate the any potential beneficial and adverse (i.e. negative) impacts arising from the intended processing of personal data of such within the project. Impact assessments are risk based exercises that help decision-makers find the best and most beneficial solutions for the development and deployment of initiatives while protecting the rights and freedoms of data subjects. To be practical, impact assessments must be scalable, flexible and applicable inter alia for large organisations, consortia or for small and medium-sized enterprises. Any risks identified will be entered into the Data Protection Risk Register.
P.32 6.3.9(c)
(c) What are the elements and characteristics of the processing that may generate the high risks to rights and freedoms of individuals?
The following elements that contribute to the high risks to data subjects from this provision were extracted by the
(d) What situations could require a DPIA?
Examples of processing operations that could trigger a DPIA:
• If the SME is implementing a new tool to monitor access to office combining use of fingerprints and face facial recognition technology;
• If the SME is a biotechnology company offering genetic tests directly to consumers in order to assess and predict the disease/health risks
• If the SME is providing CCTV surveillance for a shopping centre or using a large number of cameras in their own premises
(e) Who and when should perform a DPIA?
Albeit the data processor and the data protection officer shall assist the data controller (i.e., SME), the final responsibility on for the DPIA process relies on rests with the data controller.
(f) When is a DPIA is not required?
• When the data processing operations are included in any list of data processing operations compiled by the DPA non which do not requiring a DPIA
P.33 6.3.9(g)
4) Involve data subjects and/or their representatives, the data protection officer and any other expert (e.g. information security officer) and the data processor in the process, ideally in each phase of the assessment process. This consultation must be meaningful.
P.33 6.3.9(h)
(h) When a new (revised) DPIA is required?
A new (i.e. revised version of) DPIA could be required if the risks resulting from the processing operations are to change, for example because a new technology is to be has been introduced, a new processor is to be engaged under contract, or because personal data is being to be used for a different purpose
In that case, the review of the risk analysis made can show that the performance of a DPIA is no longer required.
P.34 6.3.10(b)
(b) How the security obligation is related to other provisions?
This obligation also requires the controller wishing to engage a processor under contract to undertake due diligence and assess whether the guarantees offered by the data processor, in this case the cloud service provider, are sufficient. A controller must only engage such a processor where they have faith in their ability to comply with the obligations under GDPR. During this process, the controller may take into account whether the processor provides adequate documentation proving compliance with data protection principles that could be found in privacy policies, records management policies, information security policies, external audit reports, certifications and similar documentation. The controller in particular should take into account the processor’s expert knowledge (e.g. technical expertise when dealing with data breaches and security measures), reliability and its resources. A site visit may also be necessary. After carrying out the due diligence process, the controller should be able to take a decision with sufficient evidence demonstrating that the processor is suitable, it can then enter into a binding arrangement. It should be added that this due diligence process is not a one-time effort. and it needs to be regularly repeated in order The controller will have an ongoing obligation to check whether the processor is compliant and meeting their obligations either by auditing using their own staff or a trusted third party. When outsourcing the processing of personal data (e.g. for the provision of technical assistance or cloud services), the controller should must conclude a contract, another legal act or binding arrangement with the other entity already setting out clear and precise data protection obligations and the nature of processing in a detailed data processing agreement.
P.35 6.3.10(c)
An information security policy foreseeing the role of each user and the required permission levels (access control) appropriate to the role which minimises access to only that data necessary for that role. This includes the system administrator accounts is as an example of an appropriate organisational measure.
P.35 6.3.10(d) What technical security measures can a SME take?
Technical measures must therefore include both physical and computer or IT security.
When considering cybersecurity, you should look at factors such as:
• system security – the security of your network and information systems, including especially those which process personal data;
• data security – the security of the data you hold within your systems, e.g., ensuring appropriate access controls are in place and that data is held securely through the use of suitable levels of encryption;
P.36 6.3.10(e)
Would add:
Where Special Category Data is processed (such as health data) or personal data relating to minors, higher levels of security will be expected to be implemented and documented.
P.36 6.3.11
This section should start with the definition of what is meant by a breach and explain the difference between an incident and a breach. It is confusing otherwise.
P.37 6.3.11(b)
Consequently, this means that the controller must have an internal procedures defined, tested and documented allowing to confirm to appropriately identify and handle any breach of security concerning personal data.
In an ideal scenario, an information incident response policy should precede be in place before processing of personal data begins so that any the occurrence of an incident so that it could be used should a data breach take place.
P.37 6.3.11(d)
Would add a final paragraph.
As GDPR is maturing, different DPAs are expressing different thresholds for the reporting of breaches. Where originally there was a fear of over-reporting, the DPC in Ireland has requested a breach be reported when there is any risk identified to the data subject. This allows the Commission to identify trends and to have confidence that controllers are identifying the minor breaches and thus are able to identify the more serious breaches should they arise.
I hope you find this useful.
Alan
From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE
Sent: 28 February 2020 13:09
To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Here comes D4.1 with both parts now included. We made further minor edits to Part A.
We believe that the pdf version can be submitted.
We look forward to your comments on Part B, which unfortunately comes a bit later than planned.
Best regards,
Lina
From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE
Sent: Friday, February 28, 2020 8:45 AM
To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Thank you for your additions and edits.
The document to be submitted to the EC will reach you shortly after noon.
Best regards,
Lina
From: nagy.renata@naih.hu <nagy.renata@naih.hu>
Sent: Thursday, February 27, 2020 4:31 PM
To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear Lina!
Dear All!
Thank you for sharing the restructured version of the guidance for DPAs. We only added minor additions/corrections. We confirm that the yellow parts are accurate.
We are looking forward to the handbook (the submission deadline is 29.02.2020)
Best regards,
Renáta
From: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>
Sent: Thursday, February 20, 2020 10:32 AM
To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Once again, thank you for preparing a revised version of the guidance for DPAs. We reviewed it and now enclose an improved version of it.
It includes nearly all of your report (see the document you shared; we marked in yellow parts that were used). However, the current version is restructured, rephrased and embedded in a wider context of DPAs’ awareness raising duties. We also extracted recommendations from your report and developed a graph presenting these recommendations.
There are two parts marked in yellow that need to be checked for accuracy. Perhaps, you will want to add some other clarifications in the text. In particular, further additions could be made to the concluding remarks part.
As we provided contributions to the initial text, we would like to be considered co-authors of this guidance. What do you think about this?
The part B – the handbook for SMEs – is on its way.
Best regards,
Lina
Dear Gabor,
Thanks for your email. I am not sure what a suspension would mean in terms of financial implications for VUB, so at this point I think we should request an extension in these unforeseen circumstances rather than a suspension.
While the situation is full of uncertainty and many of us need to adapt to it, we can still proceed further and work on deliverables for the project, apart from the workshop. We need to discuss a scenario with the PO what to do if the situation does not improve in upcoming weeks. If that is the case, perhaps, we should ask for the adjustment in the DOW and instead of a workshop to obtain feedback we could propose having an online consultation. This would of course affect our funding.
I think we should still have a call if not this week, then a week after.
Best regards, Lina
From: Kulitsán Gábor <kulitsan.gabor@naih.hu>
Sent: Monday, March 16, 2020 10:39 AM
To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: RE: feedback on STAR II 4.1
Importance: High
Dear Lina & All
Due to the current situation I will ask the PO to temporarily suspend the project including all deadlines by reason of unforeseeable circumstances of force majeure. I’ll keep you updated.
Secondly, I can’t make tomorrow’s call, but I don’t think that’s the most important thing now anyway.
Best wishes, stay safe and take care of yourselves!
Gábor
From: Lina JASMONTAITE [mailto:Lina.Jasmontaite@vub.be] Sent: Friday, March 13, 2020 10:54 AM To: David Barnard-Wills <david.barnard-wills@trilateralresearch.commailto:david.barnard-wills@trilateralresearch.com>; 'Kulitsán Gábor' <kulitsan.gabor@naih.humailto:kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.bemailto:star@listserv.vub.ac.be>; nagy.renata@naih.humailto:nagy.renata@naih.hu Subject: RE: feedback on STAR II 4.1
@David Barnard-Willsmailto:David.Barnard-Wills@trilateralresearch.com many thanks for sharing the extensive feedback. It’s much appreciated and we’ll implement it as soon as possible.
@'Kulitsán Gábor'mailto:kulitsan.gabor@naih.hu at the university we were receiving daily updates on the situation concerning the virus. For now all external events are cancelled until the end of April. In view of this, we can suggest to reschedule the event for the later date (probably to mid or late June) in a hope that by then the situation improves and we can host the event. This would consequently require more time to finalise the handbook for the final event and then July wouldn’t be a realistic date. My understanding is that we cannot ask for the extension of the project to the end of October/November because it is funded by the grant action. Could we ask however the PO for the cost of the final workshop as well as travelling to be eligible for the later date that would go beyond the lifetime of the project? Perhaps, before proceeding with the official communication, it would be possible to get in touch with the PO via a phone call, so we are aware about the position taken by the EC considering the current situation?
Having a call on Tuesday works well for our team.
Best regards, Lina
From: David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com> Sent: Tuesday, March 10, 2020 4:22 PM To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: feedback on STAR II 4.1
Dear all,
First, I sincerely apologise for not getting this feedback to you earlier. I assume that D4.1 was submitted? On the positive side, this feedback can presumably be included in the final version of these deliverables.
We got Alan Moore, one of our DPO team, with good practical expertise with various commercial clients to review the guidance document (You met him at the Brussels workshop). His feedback is below.
Best wishes,
DBW
I have gone through the document and have a few suggestions:
P7 Section 3.2 It can be suggested that to compensate for being awarded with limited enforcement powers…..
I would hold they have significant powers beyond the ability to fine. Their powers to instruct controllers / processors to cease processing data, among others, can ultimately shut down a business without a fine being levied. To ignore these instructions can land a director in jail for up to 5 years!
P8. DPAs The focus on standardisation and EDPB. Art 60 was an afterthought and the general view is that it cannot operate within the prescribed timelines. The ECJ will be the ultimate arbiter for standardisation of approaches / laws / requirements but each National Authority must be free to interpret facts presented in its own way. Their independence is anchored in the EU treaties. A complication that will eventually need to be addressed.
P8. 3.3 Should be aware that translation into Romance languages can carry a different connotation than was intended by the Directive and DPAs have a key role to explain the true intent / meaning.
P9. 3.4 Typo in second paragraph. It also could be considered e the most
P10. It appeared that most DPAs do not use internal guidance to direct…. What has been the result of this? A key concern in the Irish DPC has been delivering a consistent message and not providing a different answer to the same or similar callers on different occasions.
P11. 4 Unclear use of language - first paragraph This initiative allowed to be confirmed that It allowed to be obtained
P11.4. Would stress the importance of standardisation of response & P12 4 Add ‘c’? Implement a control process to ensure standardisation of responses to similar questions / scenarios
P13. 4.2 Might mention the concern that callers may have that showing their hand may trigger an investigation. Callers need to be reassured and encouraged to participate. Approaches do differ between different DPAs.
P13. 4.2.1 It was decided to create a dedicated part Following up on from this decision
P15. 4.2.3 I would stress the value of face-to-face more as context can be complicated and the caller is subject to information and power asymmetry.
P16 4.5 last paragraph We are included inclined to
P21 6.2 last paragraph DPAs across the EU have reported to engage that they have engaged in
P22 6.3 4.5 last paragraph Slovic suggests that the following elements play a role when evaluating risk:
1. The degree to which an individual feels in control
2. The nature of consequences and the distribution of the impact
P23 6.3 2nd paragraph Which is perceived ‘as the coordinated activities to direct and control an organisation with regard to risk’ 47 This is most practically evidenced by the development and maintaining of a formal risk register.
(This risk section is very cerebral I fear and won’t help with the ‘how’)
P23 6.3.1 Typically, the risk based approach formula approach in the GDPR includes the following elements to be taken into account:
* The state of the art in terms of technology for of the means of processing (state of the art needs to be explained – does not mean the best there is but rather the minimum expectable / expected)
P24 6.3.2 I would add a sentence or two on the benefits undertaking a voluntary DPIA which include:
* Documented understanding of the how the system works
* Known points of integration with other systems
* Assigning accountability
* Ensuring organisational standards (security / access etc) are being complied with
* Demonstrated commitment to GDPR
* General peace of mind / greater organisational resilience
P24 6.3.5 I would add a piece on keeping a formal risk register of risks to data subjects, separate from any organisational risk register of risks to the organisation, in which all risks are assigned an owner and a review date.
P25 6.3.5 (b) What does SMEs need to do to be accountable?
Second paragraph …that the principle of accountability as an elements of good
P.26 first line … that the demonstration of compliance
P.26 6.3.6 (b)
* Implement data protection principles (see Article 5) and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects (see Chapter III) in an effective manner;
* This should done at the time of the determination of the means for processing and implemented before the time of the processing itself. (not that clear in the text.)
P.27 6.3.6 (c) It should be noted that some DPAs, while not defining any technical or organisational measures, will nonetheless express an expectation, such as the Irish DPC in terms of the use of encryption whenever possible where personal data is at rest or in transit.
P.28 6.3.7 (b) 2nd paragraph It is assumed that organisations will, however, benefit more from maintaining their documentation electronically as such documentation can they can easily added to, have entries removed when obsolete, and amend entries it as necessary. However paper documentation is regarded as being appropriate for SMEs and micro enterprises. It should be added that SMEs (entities having less than 250 employees) are technically exempt from this obligation if provided they are undertaking:
• processing that is not likely to result in a risk to the rights and freedoms of data subjects;
• processing that is not occasional (meaning that it is not regularly / frequently undertaken); or
• processing that does not include special categories of data or personal data relating to criminal convictions and offences.
In reality, very few SMEs can avail of this exemption unless they process very little data. Most SMEs will usually have some special category data as part of their HR files.
They can be are available on the websites….
P.29 6.3.8 (a) 2 Large scale is not defined by the legislation though different DPAs have given some guidance relevant to different activities.
For SMEs who provide services into other organisations, the voluntary appointment of an internal or outsourced DPO can provide commercial and strategic advantage by communicating a commitment to data protection and promoting higher levels of trust.
P.29 6.3.8 (b)
A DPO may either be an employee of the SME or an external expert, but in both cases, it is fundamental that he or she is independent, in the sense that:
• the DPO shall be provided of with all the necessary resources to carry on his/her tasks, in terms of money, time, workforce, time to devote to professional development etc.;
• the DPO shall not receive instructions for the exercise of his/her tasks;
• the DPO shall not be dismissed or penalized for the performance of his/her tasks;
• the DPO shall report to the highest level of management; and
• the DPO should not be in have any conflict of interest in respect to other tasks and duties (e.g. determining objects and purposes of the processing, representing the SME in legal proceeding).
P.30 6.3.8 (c) (table; my comments in brackets after the row)
Task of DPOs | DPOs cannot
Inform and advice the SME on the obligations arising from the GDPR and the national data protection provisions | Be held accountable for the information and advice given to the SME (I do not agree with this. They are not accountable for whether their advice is implemented or not but they can be held accountable for being negligent)
Monitor the compliance of the SME with the GDPR, the national data protection provisions and (eventual) its internal data policies | Be considered personally responsible for non-compliance with data protection requirements
Carry on awareness raising activities and training for the staff of the SME dealing with data processing | Perform the DPIA. (Not true. There is no reason why a DPO cannot take the lead in undertaking a DPIA, especially where the skills do not exist elsewhere in the organization, but the responsibility to ensure one is done remains with the Controller.)
Provide advice to the SME and monitor the performance in relation to the DPIA (when a DPIA is required) | Represent the SME in front of the DPA or in a court in case of proceedings. (Not quite so. The DPO remains the first point of contact for data subjects and the DPAs and may be called to account for advice / provide an explanation as to how data was processed based on their monitoring of processing activities.)
Act as contact point for the supervisory authority in case of prior consultation | Be considered responsible for the maintenance of the register (True but they are responsible for providing oversight as to whether it is maintained.)
Cooperate with the supervisory authority | Simultaneously hold another position in the organization that helps define the means and purposes of processing of any personal data.
Be contacted by data subjects willing wishing to exercise their rights | Create and maintain the register of processing (in the exceptional situations where SME are required to have it one) (Not True, under Art 30 it is the responsibility of the Controller)
P.31 6.3.9(a) Data Protection Impact Assessment (a) Background The DPIA is a new addition to the EU data protection framework. It builds on the rich experience of conducting impact assessments in other fields, in particular, on the environmental impact assessments. To be effective, impact assessments are carried out at the early stage of a project (proactive initiative), at the phase of planning or designing, and are aimed to identify and help mitigate anticipate the any potential beneficial and adverse (i.e. negative) impacts arising from the intended processing of personal data of such within the project. Impact assessments are risk based exercises that help decision-makers find the best and most beneficial solutions for the development and deployment of initiatives while protecting the rights and freedoms of data subjects. To be practical, impact assessments must be scalable, flexible and applicable inter alia for large organisations, consortia or for small and medium-sized enterprises. Any risks identified will be entered into the Data Protection Risk Register.
P.32 6.3.9(c) (c) What are the elements and characteristics of the processing that may generate the high risks to rights and freedoms of individuals? The following elements that contribute to the high risks to data subjects from this provision were extracted by the
(d) What situations could require a DPIA? Examples of processing operations that could trigger a DPIA:
• If the SME is implementing a new tool to monitor access to office combining use of fingerprints and face facial recognition technology;
• If the SME is a biotechnology company offering genetic tests directly to consumers in order to assess and predict the disease/health risks
• If the SME is providing CCTV surveillance for a shopping centre or using a large number of cameras in their own premises
(e) Who and when should perform a DPIA? Albeit the data processor and the data protection officer shall assist the data controller (i.e., SME), the final responsibility on for the DPIA process relies on rests with the data controller.
(f) When is a DPIA is not required?
• When the data processing operations are included in any list of data processing operations compiled by the DPA non which do not requiring a DPIA
P.33 6.3.9(g) 4) Involve data subjects and/or their representatives, the data protection officer and any other expert (e.g. information security officer) and the data processor in the process, ideally in each phase of the assessment process. This consultation must be meaningful.
P.33 6.3.9(h) (h) When a new (revised) DPIA is required? A new (i.e. revised version of) DPIA could be required if the risks resulting from the processing operations are to change, for example because a new technology is to be has been introduced, a new processor is to be engaged under contract, or because personal data is being to be used for a different purpose
In that case, the review of the risk analysis made can show that the performance of a DPIA is no longer required.
P.34 6.3.10(b) (b) How the security obligation is related to other provisions? This obligation also requires the controller wishing to engage a processor under contract to undertake due diligence and assess whether the guarantees offered by the data processor, in this case the cloud service provider, are sufficient. A controller must only engage such a processor where they have faith in their ability to comply with the obligations under GDPR. During this process, the controller may take into account whether the processor provides adequate documentation proving compliance with data protection principles that could be found in privacy policies, records management policies, information security policies, external audit reports, certifications and similar documentation. The controller in particular should take into account the processor’s expert knowledge (e.g. technical expertise when dealing with data breaches and security measures), reliability and its resources. A site visit may also be necessary. After carrying out the due diligence process, the controller should be able to take a decision with sufficient evidence demonstrating that the processor is suitable, it can then enter into a binding arrangement. It should be added that this due diligence process is not a one-time effort. and it needs to be regularly repeated in order The controller will have an ongoing obligation to check whether the processor is compliant and meeting their obligations either by auditing using their own staff or a trusted third party. When outsourcing the processing of personal data (e.g. for the provision of technical assistance or cloud services), the controller should must conclude a contract, another legal act or binding arrangement with the other entity already setting out clear and precise data protection obligations and the nature of processing in a detailed data processing agreement.
P.35 6.3.10(c) An information security policy foreseeing the role of each user and the required permission levels (access control) appropriate to the role which minimises access to only that data necessary for that role. This includes the system administrator accounts is as an example of an appropriate organisational measure.
P.35 6.3.10(d) What technical security measures can a SME take? Technical measures must therefore include both physical and computer or IT security.
When considering cybersecurity, you should look at factors such as:
• system security – the security of your network and information systems, including especially those which process personal data;
• data security – the security of the data you hold within your systems, e.g., ensuring appropriate access controls are in place and that data is held securely through the use of suitable levels of encryption;
P.36 6.3.10(e) Would add: Where Special Category Data is processed (such as health data) or personal data relating to minors, higher levels of security will be expected to be implemented and documented.
P.36 6.3.11 This section should start with the definition of what is meant by a breach and explain the difference between an incident and a breach. It is confusing otherwise.
P.37 6.3.11(b) Consequently, this means that the controller must have an internal procedures defined, tested and documented allowing to confirm to appropriately identify and handle any breach of security concerning personal data.
In an ideal scenario, an information incident response policy should precede be in place before processing of personal data begins so that any the occurrence of an incident so that it could be used should a data breach take place.
P.37 6.3.11(d) Would add a final paragraph. As GDPR is maturing, different DPAs are expressing different thresholds for the reporting of breaches. Where originally there was a fear of over-reporting, the DPC in Ireland has requested a breach be reported when there is any risk identified to the data subject. This allows the Commission to identify trends and to have confidence that controllers are identifying the minor breaches and thus are able to identify the more serious breaches should they arise.
I hope you find this useful.
Alan
From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE Sent: 28 February 2020 13:09 To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Here comes D4.1 with both parts now included. We made further minor edits to Part A. We believe that the pdf version can be submitted. We look forward to your comments on Part B, which unfortunately comes a bit later than planned.
Best regards, Lina
From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE Sent: Friday, February 28, 2020 8:45 AM To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Thank you for your additions and edits. The document to be submitted to the EC will reach you shortly after noon.
Best regards, Lina
From: nagy.renata@naih.hu <nagy.renata@naih.hu> Sent: Thursday, February 27, 2020 4:31 PM To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear Lina! Dear All!
Thank you for sharing the restructured version of the guidance for DPAs. We only added minor additions/corrections. We confirm that the yellow parts are accurate.
We are looking forward to the handbook (the submission deadline is 29.02.2020)
Best regards,
Renáta
From: Lina JASMONTAITE <Lina.Jasmontaite@vub.be> Sent: Thursday, February 20, 2020 10:32 AM To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Once again, thank you for preparing a revised version of the guidance for DPAs. We reviewed it and now enclose an improved version of it. It includes nearly all of your report (see the document you shared; we marked in yellow the parts that were used). However, the current version is restructured, rephrased and embedded in a wider context of DPAs’ awareness raising duties. We also extracted recommendations from your report and developed a graph presenting these recommendations. There are two parts marked in yellow that need to be checked for accuracy. Perhaps, you will want to add some other clarifications in the text. In particular, further additions could be made to the concluding remarks part. As we provided contributions to the initial text, we would like to be considered co-authors of this guidance. What do you think about this?
The part B – the handbook for SMEs – is on its way.
Best regards, Lina
From: nagy.renata@naih.hu <nagy.renata@naih.hu> Sent: Tuesday, January 28, 2020 4:16 PM To: 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>; Leanne Cochrane <leanne.cochrane@trilateralresearch.com> Cc: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.com>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' <sziklay.julia@naih.hu> Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear All!
Please, find enclosed the updated version of the guidance.
Best,
Renáta
From: Kulitsán Gábor <kulitsan.gabor@naih.hu> Sent: Tuesday, January 28, 2020 10:09 AM To: 'Leanne Cochrane' <leanne.cochrane@trilateralresearch.com> Cc: 'David Barnard-Wills' <David.Barnard-Wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.hu>; 'Lina JASMONTAITE' <Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' <sziklay.julia@naih.hu> Subject: RE: STAR II - Update on EDPB and validation workshop?
Hi Leanne,
Thanks for the update on the newsletter.
Regarding the upcoming events:
* The plan is to present the drafts of the guidance and the handbook at the EDPB plenary in February. However, as this is scheduled for 18-19 February, we can only do this if the drafts are ready by then. Renáta will circulate the updated version of the guidance soon. As for the other document (handbook), Lina can provide further information.
* I have no further information on the validation workshop planned for March-April 2020.
Best, Gábor
From: Leanne Cochrane [mailto:leanne.cochrane@trilateralresearch.com] Sent: Monday, January 27, 2020 6:25 PM To: Kulitsán Gábor <kulitsan.gabor@naih.hu> Cc: David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com>; Corinna Pannofino <Corinna.Pannofino@trilateralresearch.com>; Angelo Napolano <Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.hu>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; Sziklay Júlia <sziklay.julia@naih.hu> Subject: STAR II - Update on EDPB and validation workshop?
Hi Gabor,
I hope you are keeping well.
Our dissemination team is preparing to send out the STAR II newsletter we mentioned on our previous calls. It will be sent out this Thursday with links to the approved deliverables and some blogs. We are also including a section on upcoming events and I wanted to check with NAIH if we had any further information on the following two events:
* A presentation by NAIH to the EDPB on the STAR II project planned for the February EDPB plenary (18th-19th) in Brussels.
* A Validation workshop for the STAR II outputs, namely 'A Risk Focused Handbook for SMEs' and a 'Guidance for DPAs', planned for March-April 2020 in Brussels.
Can I just check this information is still current and there is nothing more specific we can add at this stage?
I would be grateful if you can cc all in the reply as I am off tomorrow and the dissemination team are in need of the confirmation.
Thanks and best wishes, Leanne
Leanne Cochrane
Senior Research Analyst | Policy, Ethics and Emerging Technologies Team
leanne.cochrane@trilateralresearch.com
www.trilateralresearch.com
Mobile: +44 (0) 7545 955 242
Skype:@ljcochrane
Dear Lina,
And how should I ask for any extension if I don’t know any exact dates or anything for sure? I think the suspension is better, indicating that the project would resume where it left off once the situation returns to normal or at least to less serious. I already sent the message to the PO, but if you have any other idea, feel free to share it with her via the portal, adding the term “on behalf of the coordinator”. I’m really sorry, but now I have neither time nor energy to act as a contact person. If you want, you can have the call as well, but I probably won’t be available. And no offense, but to be honest, currently the project is of least interest to me.
Best,
Gábor
From: Lina JASMONTAITE [mailto:Lina.Jasmontaite@vub.be] Sent: Monday, March 16, 2020 10:58 AM To: Kulitsán Gábor <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu Subject: RE: feedback on STAR II 4.1
Dear Gabor,
Thanks for your email. I am not sure what a suspension would mean in terms of financial implications for VUB, so at this point I think we should request an extension in these unforeseen circumstances rather than a suspension.
While the situation is full of uncertainty and many of us need to adapt to it, we can still proceed further and work on deliverables for the project, apart from the workshop. We need to discuss with the PO a scenario for what to do if the situation does not improve in the upcoming weeks. If that is the case, perhaps, we should ask for an adjustment in the DOW and, instead of a workshop to obtain feedback, we could propose having an online consultation. This would of course affect our funding.
I think we should still have a call if not this week, then a week after.
Best regards,
Lina
From: Kulitsán Gábor <kulitsan.gabor@naih.hu mailto:kulitsan.gabor@naih.hu > Sent: Monday, March 16, 2020 10:39 AM To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be mailto:Lina.Jasmontaite@vub.be >; David Barnard-Wills <david.barnard-wills@trilateralresearch.com mailto:david.barnard-wills@trilateralresearch.com >; nagy.renata@naih.hu mailto:nagy.renata@naih.hu Cc: 'STAR' <star@listserv.vub.ac.be mailto:star@listserv.vub.ac.be > Subject: RE: feedback on STAR II 4.1 Importance: High
Dear Lina & All
Due to the current situation I will ask the PO to temporarily suspend the project including all deadlines by reason of unforeseeable circumstances of force majeure. I’ll keep you updated.
Secondly, I can’t make tomorrow’s call, but I don’t think that’s the most important thing now anyway.
Best wishes, stay safe and take care of yourselves!
Gábor
From: Lina JASMONTAITE [mailto:Lina.Jasmontaite@vub.be] Sent: Friday, March 13, 2020 10:54 AM To: David Barnard-Wills <david.barnard-wills@trilateralresearch.com mailto:david.barnard-wills@trilateralresearch.com >; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu mailto:kulitsan.gabor@naih.hu > Cc: 'STAR' <star@listserv.vub.ac.be mailto:star@listserv.vub.ac.be >; nagy.renata@naih.hu mailto:nagy.renata@naih.hu Subject: RE: feedback on STAR II 4.1
mailto:David.Barnard-Wills@trilateralresearch.com @David Barnard-Wills many thanks for sharing the extensive feedback. It’s much appreciated and we’ll implement it as soon as possible.
mailto:kulitsan.gabor@naih.hu @'Kulitsán Gábor' at the university we were receiving daily updates on the situation concerning the virus. For now all external events are cancelled until the end of April. In view of this, we can suggest to reschedule the event for the later date (probably to mid or late June) in a hope that by then the situation improves and we can host the event. This would consequently require more time to finalise the handbook for the final event and then July wouldn’t be a realistic date. My understanding is that we cannot ask for the extension of the project to the end of October/November because it is funded by the grant action. Could we ask however the PO for the cost of the final workshop as well as travelling to be eligible for the later date that would go beyond the lifetime of the project?
Perhaps, before proceeding with the official communication, it would be possible to get in touch with the PO via a phone call, so we are aware about the position taken by the EC considering the current situation?
Having a call on Tuesday works well for our team.
Best regards,
Lina
From: David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com mailto:David.Barnard-Wills@trilateralresearch.com > Sent: Tuesday, March 10, 2020 4:22 PM To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be mailto:Lina.Jasmontaite@vub.be >; nagy.renata@naih.hu mailto:nagy.renata@naih.hu ; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu mailto:kulitsan.gabor@naih.hu > Cc: 'STAR' <star@listserv.vub.ac.be mailto:star@listserv.vub.ac.be > Subject: feedback on STAR II 4.1
Dear all,
First, I sincerely apologise for not getting this feedback to you earlier. I assume that D4.1 was submitted?
On the positive side, this feedback can presumably be included in the final version of these deliverables.
We got Alan Moore, one of our DPO team, with good practical expertise with various commercial clients to review the guidance document (You met him at the Brussels workshop). His feedback is below.
Best wishes,
DBW
I have gone through the document and have a few suggestions:
P7 Section 3.2 It can be suggested that to compensate for being awarded with limited enforcement powers…..
I would hold they have significant powers beyond the ability to fine. Their powers to instruct controllers / processor top cease processing data, among others, can ultimately shut down a business without a fine being levied. To ignore these instructions can land a director in jail for up to 5 years!
P8. DPAs The focus on standardisation and EDPB. Art 60 was an after thought and the general view is the it cannot operate within the prescribed timelines. The ECJ will be the ultimate arbiter for standardisation of approaches / laws / requirements but each National Authority must be free to interpret facts presented in its own way. Their independence is anchored in the EU treaties. A complication that will eventually need to be addressed.
P8. 3.3 Should be aware that translation into romance languages can carry a different commutation the was intended by the Directive and DPA have a key role to explain the true intent / meaning.
P9. 3.4 Typo in second paragraph.
It also could be considered e the most
P10. It appeared that most DPAs do not use internal guidance to direct….
What has been the result of this? A key concern in the Irish DPC has been delivering a consistent message and not providing a different answer to the same or similar callers on different occasions.
P11. 4 Unclear use of language - first paragraph
This initiative allowed to be confirmed that
It allowed to be obtained
P11.4. Would stress the importance of standardisation of response
& P12 4 Add ‘c’? Implement a control process to ensure standardisation of responses to similar questions / scenarios
P13. 4.2 Might mention the concern that callers may have that showing their hand may trigger an investigation. Callers need to be reassured and encouraged to participate. Approaches do differ between different DPAs.
P13. 4.2.1
It was decided to create a dedicated part
Following up on from this decision
P15. 4.2.3
I would stress the value of face to face more as context can be complicated and the caller is subject to information and power asymmetry.
P16 4.5 last paragraph
We are included inclined to
P21 6.2 last paragraph
DPAs across the EU have reported to engage that they have engaged in
P22 6.3 4.5 last paragraph
Slovic suggests that the following elements play a role when evaluating risk:
1. The degree to which an individual feels in control
2. The nature of consequences and the distribution of the impact
P23 6.3 2nd paragraph
Which is perceived ‘as the coordinated activities to direct and control an organisation with regard to risk’ 47 This is most practically evidenced by the development and maintaining of a formal risk register.
(This risk section is very cerebral I fear and won't help with the ‘how’)
P23 6.3.1
Typically, the risk based approach formula approach in the GDPR includes the following elements to be taken into account:
* The state of the art in terms of technology for of the means of processing (state of the art needs to be explained – does not mean the best there is but rather the minimum expectable / expected)
P24 6.3.2
I would add a sentence or two on the benefits of undertaking a voluntary DPIA which include:
* Documented understanding of how the system works
* Known points of integration with other systems
* Assigning accountability
* Ensuring organisational standards (security / access etc) are being complied with
* Demonstrated commitment to GDPR
* General peace of mind / greater organisational resilience
P24 6.3.5
I would add a piece on keeping a formal risk register of risks to data subjects, separate from any organisational risk register of risks to the organisation, in which all risks are assigned an owner and a review date.
P25 6.3.5 (b) What does SMEs need to do to be accountable?
Second paragraph
…that the principle of accountability as an elements of good
P.26 first line
… that the demonstration of compliance
P.26 6.3.6 (b)
* Implement data protection principles (see Article 5) and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects (see Chapter III) in an effective manner;
* This should be done at the time of the determination of the means for processing and implemented before the time of the processing itself.
(not that clear in the text.)
P.27 6.3.6 (c)
It should be noted that some DPAs, while not defining any technical or organisational measures, will nonetheless express an expectation, such as the Irish DPC in terms of the use of encryption whenever possible where personal data is at rest or in transit.
P.28 6.3.7 (b) 2nd paragraph
It is assumed that organisations will, however, benefit more from maintaining their documentation electronically as such documentation can they can easily added to, have entries removed when obsolete, and amend entries it as necessary. However paper documentation is regarded as being appropriate for SMEs and micro enterprises. It should be added that SMEs (entities having less than 250 employees) are technically exempt from this obligation if provided they are undertaking:
• processing that is not likely to result in a risk to the rights and freedoms of data subjects;
• processing that is not occasional (meaning that it is not regularly / frequently undertaken); or
• processing that does not include special categories of data or personal data relating to criminal convictions and offences.
In reality, very few SMEs can avail of this exemption unless they process very little data. Most SMEs will usually have some special category data as part of their HR files.
They can be are available on the websites….
P.29 6.3.8 (a) 2
Large scale is not defined by the legislation though different DPAs have given some guidance relevant to different activities.
For SMEs who provide services into other organisations, the voluntary appointment of an internal or outsourced DPO can provide commercial and strategic advantage by communicating a commitment to data protection and promoting higher levels of trust.
P.29 6.3.8 (b)
A DPO may either be an employee of the SME or an external expert, but in both cases, it is fundamental that he or she is independent, in the sense that:
• the DPO shall be provided of with all the necessary resources to carry on his/her tasks, in terms of money, time, workforce, time to devote to professional development etc.;
• the DPO shall not receive instructions for the exercise of his/her tasks;
• the DPO shall not be dismissed or penalized for the performance of his/her tasks;
• the DPO shall report to the highest level of management; and
• the DPO should not be in have any conflict of interest in respect to other tasks and duties (e.g. determining objects and purposes of the processing, representing the SME in legal proceeding).
P.30 6.3.8 (c)
Task of DPOs:
• Inform and advice the SME on the obligations arising from the GDPR and the national data protection provisions
• Monitor the compliance of the SME with the GDPR, the national data protection provisions and (eventual) its internal data policies
• Carry on awareness raising activities and training for the staff of the SME dealing with data processing
• Provide advice to the SME and monitor the performance in relation to the DPIA (when a DPIA is required)
• Act as contact point for the supervisory authority in case of prior consultation
• Cooperate with the supervisory authority
• Be contacted by data subjects willing wishing to exercise their rights
DPOs cannot:
• Be held accountable for the information and advice given to the SME (I do not agree with this. They are not accountable for whether their advice is implemented or not but they can be held accountable for being negligent)
• Be considered personally responsible for non-compliance with data protection requirements
• Perform the DPIA. Not true. There is no reason why a DPO cannot take the lead in undertaking a DPIA, especially where the skills do not exist elsewhere in the organisation, but the responsibility to ensure one is done remains with the Controller.
• Represent the SME in front of the DPA or in a court in case of proceedings. Not quite so. The DPO remains the first point of contact for data subjects and the DPAs and may be called to account for advice / provide an explanation as to how data was processed based on their monitoring of processing activities. I
• Be considered responsible for the maintenance of the register. True, but they are responsible for providing oversight as to whether it is maintained.
• Simultaneously hold another position in the organization that helps define the means and purposes of processing of any personal data.
• Create and maintain the register of processing (in the exceptional situations where SME are required to have it one). Not true, under Art 30 it is the responsibility of the Controller.
P.31 6.3.9(a) Data Protection Impact Assessment
(a) Background
The DPIA is a new addition to the EU data protection framework. It builds on the rich experience of conducting impact assessments in other fields, in particular, on the environmental impact assessments. To be effective, impact assessments are carried out at the early stage of a project (proactive initiative), at the phase of planning or designing, and are aimed to identify and help mitigate anticipate the any potential beneficial and adverse (i.e. negative) impacts arising from the intended processing of personal data of such within the project. Impact assessments are risk based exercises that help decision-makers find the best and most beneficial solutions for the development and deployment of initiatives while protecting the rights and freedoms of data subjects. To be practical, impact assessments must be scalable, flexible and applicable inter alia for large organisations, consortia or for small and medium-sized enterprises. Any risks identified will be entered into the Data Protection Risk Register.
P.32 6.3.9(c)
(c) What are the elements and characteristics of the processing that may generate the high risks to rights and freedoms of individuals?
The following elements that contribute to the high risks to data subjects from this provision were extracted by the
(d) What situations could require a DPIA?
Examples of processing operations that could trigger a DPIA:
• If the SME is implementing a new tool to monitor access to office combining use of fingerprints and face facial recognition technology;
• If the SME is a biotechnology company offering genetic tests directly to consumers in order to assess and predict the disease/health risks
• If the SME is providing CCTV surveillance for a shopping centre or using a large number of cameras in their own premises
(e) Who and when should perform a DPIA?
Albeit the data processor and the data protection officer shall assist the data controller (i.e., SME), the final responsibility on for the DPIA process relies on rests with the data controller.
(f) When is a DPIA is not required?
• When the data processing operations are included in any list of data processing operations compiled by the DPA non which do not requiring a DPIA
P.33 6.3.9(g)
4) Involve data subjects and/or their representatives, the data protection officer and any other expert (e.g. information security officer) and the data processor in the process, ideally in each phase of the assessment process. This consultation must be meaningful.
P.33 6.3.9(h)
(h) When a new (revised) DPIA is required?
A new (i.e. revised version of) DPIA could be required if the risks resulting from the processing operations are to change, for example because a new technology is to be has been introduced, a new processor is to be engaged under contract, or because personal data is being to be used for a different purpose
In that case, the review of the risk analysis made can show that the performance of a DPIA is no longer required.
P.34 6.3.10(b)
(b) How the security obligation is related to other provisions?
This obligation also requires the controller wishing to engage a processor under contract to undertake due diligence and assess whether the guarantees offered by the data processor, in this case the cloud service provider, are sufficient. A controller must only engage such a processor where they have faith in their ability to comply with the obligations under GDPR. During this process, the controller may take into account whether the processor provides adequate documentation proving compliance with data protection principles that could be found in privacy policies, records management policies, information security policies, external audit reports, certifications and similar documentation. The controller in particular should take into account the processor’s expert knowledge (e.g. technical expertise when dealing with data breaches and security measures), reliability and its resources. A site visit may also be necessary. After carrying out the due diligence process, the controller should be able to take a decision with sufficient evidence demonstrating that the processor is suitable, it can then enter into a binding arrangement. It should be added that this due diligence process is not a one-time effort. and it needs to be regularly repeated in order The controller will have an ongoing obligation to check whether the processor is compliant and meeting their obligations either by auditing using their own staff or a trusted third party. When outsourcing the processing of personal data (e.g. for the provision of technical assistance or cloud services), the controller should must conclude a contract, another legal act or binding arrangement with the other entity already setting out clear and precise data protection obligations and the nature of processing in a detailed data processing agreement.
P.35 6.3.10(c)
An information security policy foreseeing the role of each user and the required permission levels (access control) appropriate to the role which minimises access to only that data necessary for that role. This includes the system administrator accounts is as an example of an appropriate organisational measure.
P.35 6.3.10(d) What technical security measures can a SME take?
Technical measures must therefore include both physical and computer or IT security.
When considering cybersecurity, you should look at factors such as:
• system security – the security of your network and information systems, including especially those which process personal data;
• data security – the security of the data you hold within your systems, e.g., ensuring appropriate access controls are in place and that data is held securely through the use of suitable levels of encryption;
P.36 6.3.10(e)
Would add:
Where Special Category Data is processed (such as health data) or personal data relating to minors, higher levels of security will be expected to be implemented and documented.
P.36 6.3.11
This section should start with the definition of what is meant by a breach and explain the difference between an incident and a breach. It is confusing otherwise.
P.37 6.3.11(b)
Consequently, this means that the controller must have an internal procedures defined, tested and documented allowing to confirm to appropriately identify and handle any breach of security concerning personal data.
In an ideal scenario, an information incident response policy should precede be in place before processing of personal data begins so that any the occurrence of an incident so that it could be used should a data breach take place.
P.37 6.3.11(d)
Would add a final paragraph.
As GDPR is maturing, different DPAs are expressing different thresholds for the reporting of breaches. Where originally there was a fear of over-reporting, the DPC in Ireland has requested a breach be reported when there is any risk identified to the data subject. This allows the Commission to identify trends and to have confidence that controllers are identifying the minor breaches and thus are able to identify the more serious breaches should they arise.
I hope you find this useful.
Alan
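The review asks in several places (P23 6.3, P24 6.3.5 and P.31 6.3.9) for the handbook to describe a formal register of risks to data subjects, kept separate from the organisation's own risk register, with every entry assigned an owner and a review date, and for identified high risks to feed into the DPIA decision. The Python below is an added sketch of such a register; it is not part of the email thread or of the STAR II deliverable. The field names, the 1..3 likelihood/severity scale, the threshold of 6 for "high risk" and the three sample entries are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List

# Assumed scoring model: likelihood and severity each run from 1 (low) to 3 (high);
# residual score = likelihood * severity, and a score of 6 or more is treated as
# "high risk" when deciding whether a DPIA is indicated. Constructed, not from the page.
HIGH_RISK_THRESHOLD = 6


@dataclass
class Risk:
    ident: str
    description: str
    owner: str            # the person accountable for the risk; must not be blank
    review_date: date     # when the entry must next be reviewed
    likelihood: int       # 1 remote .. 3 likely
    severity: int         # 1 minor .. 3 severe impact on the data subjects
    mitigations: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return self.likelihood * self.severity


class RiskRegister:
    """A register scoped to one class of stakeholder. Keep one instance for risks
    to data subjects and a separate one for risks to the organisation itself, so
    the two are never mixed in a single list."""

    def __init__(self, scope: str) -> None:
        self.scope = scope
        self.risks: List[Risk] = []

    def add(self, risk: Risk) -> None:
        # Every entry needs an owner, a review date and a sane score before it is accepted.
        if not risk.owner.strip():
            raise ValueError(f"{risk.ident}: no owner assigned")
        if not isinstance(risk.review_date, date):
            raise ValueError(f"{risk.ident}: no review date set")
        if not (1 <= risk.likelihood <= 3 and 1 <= risk.severity <= 3):
            raise ValueError(f"{risk.ident}: likelihood and severity must be 1..3")
        if any(r.ident == risk.ident for r in self.risks):
            raise ValueError(f"{risk.ident}: duplicate identifier")
        self.risks.append(risk)

    def overdue(self, today: date) -> List[str]:
        """Identifiers of entries whose review date has already passed."""
        return [r.ident for r in self.risks if r.review_date < today]

    def high_risks(self) -> List[str]:
        return [r.ident for r in self.risks if r.score >= HIGH_RISK_THRESHOLD]

    def dpia_indicated(self) -> bool:
        """Any high residual risk to data subjects means a DPIA should be considered."""
        return bool(self.high_risks())


def build_sample_register() -> RiskRegister:
    """Constructed sample entries for a small company; not real data."""
    reg = RiskRegister(scope="data subjects")
    reg.add(Risk("DS-1", "CCTV footage of staff and visitors retained longer than needed",
                 owner="Facilities manager", review_date=date(2020, 6, 30),
                 likelihood=2, severity=3,
                 mitigations=["30-day retention", "restricted viewer group"]))
    reg.add(Risk("DS-2", "HR files containing health data readable by all staff",
                 owner="HR lead", review_date=date(2020, 1, 31),
                 likelihood=3, severity=3, mitigations=["move to HR-only share"]))
    reg.add(Risk("DS-3", "Newsletter subscriber list copied to a contractor laptop",
                 owner="Marketing lead", review_date=date(2020, 9, 30),
                 likelihood=1, severity=2,
                 mitigations=["encrypted laptop", "delete after campaign"]))
    return reg


def status_report(register: RiskRegister, today_iso: str) -> Dict[str, object]:
    """Summary a DPO could review at a fixed point in time (date given as ISO string)."""
    today = date.fromisoformat(today_iso)
    return {
        "scope": register.scope,
        "overdue": register.overdue(today),
        "high_risks": register.high_risks(),
        "dpia_indicated": register.dpia_indicated(),
    }


if __name__ == "__main__":
    print(status_report(build_sample_register(), "2020-03-10"))
```

Running the module prints the report for 10 March 2020: DS-2 is overdue for review, DS-1 and DS-2 score as high risks, and a DPIA is therefore indicated. Adding an entry without an owner is rejected at the point of entry rather than being discovered later.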
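The P.35 6.3.10(c) and (d) comments describe an access-control policy that ties each role, system administrator accounts included, to the minimum data it needs. As an added illustration that is not from the thread or the handbook, the Python below audits a constructed account listing against an assumed role policy and reports every grant that exceeds the role's need; the roles, data categories and accounts are all assumptions.

```python
from typing import Dict, List, Set, Tuple

# Assumed policy: the data categories each role needs for its job. System
# administrators manage the platform, not the personal data held on it, so
# their role carries no entitlement to HR or customer records.
ROLE_POLICY: Dict[str, Set[str]] = {
    "hr_officer": {"hr_records", "health_records"},
    "sales": {"customer_contacts"},
    "marketing": {"customer_contacts", "newsletter_list"},
    "sysadmin": {"system_config", "audit_logs"},
}

# Constructed account listing: (role, categories the account can actually read).
ACCOUNTS: Dict[str, Tuple[str, Set[str]]] = {
    "anna": ("hr_officer", {"hr_records", "health_records"}),
    "ben": ("sales", {"customer_contacts", "hr_records"}),
    "chloe": ("marketing", {"newsletter_list"}),
    "root-admin": ("sysadmin", {"system_config", "audit_logs", "hr_records", "health_records"}),
    "dave": ("intern", {"customer_contacts"}),
}


def excess_grants(role: str, granted: Set[str]) -> Set[str]:
    """Categories the account can read that its role does not need.
    A role missing from the policy has no entitlement at all, so everything
    such an account holds counts as excess."""
    return granted - ROLE_POLICY.get(role, set())


def audit(accounts: Dict[str, Tuple[str, Set[str]]]) -> List[Tuple[str, str, List[str]]]:
    """One finding per account whose access goes beyond its role, sorted by account name."""
    findings = []
    for name, (role, granted) in sorted(accounts.items()):
        extra = excess_grants(role, granted)
        if extra:
            findings.append((name, role, sorted(extra)))
    return findings


def special_category_exposure(accounts: Dict[str, Tuple[str, Set[str]]],
                              sensitive: Set[str] = frozenset({"health_records"})) -> List[str]:
    """Accounts that can read special-category data outside their role's need;
    these are the findings to fix first."""
    return [name for name, _role, extra in audit(accounts) if sensitive & set(extra)]


if __name__ == "__main__":
    for name, role, extra in audit(ACCOUNTS):
        print(f"{name} ({role}): excess access to {', '.join(extra)}")
```

On the constructed listing the audit flags ben (a sales account that can read HR records), dave (an "intern" role the policy does not define, so any access is excess) and root-admin, whose platform role does not justify reading HR or health records; only root-admin reaches special-category data.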
From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE Sent: 28 February 2020 13:09 To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Here comes D4.1 with both parts now included. We made further minor edits to Part A.
We believe that the pdf version can be submitted.
We look forward to your comments on Part B, which unfortunately comes a bit later than planned.
Best regards,
Lina
From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE Sent: Friday, February 28, 2020 8:45 AM To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Thank you for your additions and edits.
The document to be submitted to the EC will reach you shortly after noon.
Best regards,
Lina
From: nagy.renata@naih.hu <nagy.renata@naih.hu> Sent: Thursday, February 27, 2020 4:31 PM To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear Lina!
Dear All!
Thank you for sharing the restructured version of the guidance for DPAs. We only added minor additions/corrections. We confirm that the yellow parts are accurate.
We are looking forward to the handbook (the submission deadline is 29.02.2020)
Best regards,
Renáta
From: Lina JASMONTAITE <Lina.Jasmontaite@vub.be> Sent: Thursday, February 20, 2020 10:32 AM To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Once again, thank you for preparing a revised version of the guidance for DPAs. We reviewed it and now enclose an improved version of it.
It includes nearly all of your report (see the document you shared; we marked in yellow parts that were used). However, the current version is restructured, rephrased and embedded in a wider context of DPAs’ awareness raising duties. We also extracted recommendations from your report and developed a graph presenting these recommendations.
There are two parts marked in yellow that need to be checked for accuracy. Perhaps, you will want to add some other clarifications in the text. In particular, further additions could be made to the concluding remarks part.
As we provided contributions to the initial text, we would like to be considered co-authors of this guidance. What do you think about this?
The part B – the handbook for SMEs – is on its way.
Best regards,
Lina
From: nagy.renata@naih.hu <nagy.renata@naih.hu> Sent: Tuesday, January 28, 2020 4:16 PM To: 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>; Leanne Cochrane <leanne.cochrane@trilateralresearch.com> Cc: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.com>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' <sziklay.julia@naih.hu> Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear All!
Please, find enclosed the updated version of the guidance.
Best,
Renáta
From: Kulitsán Gábor <kulitsan.gabor@naih.hu> Sent: Tuesday, January 28, 2020 10:09 AM To: 'Leanne Cochrane' <leanne.cochrane@trilateralresearch.com> Cc: 'David Barnard-Wills' <David.Barnard-Wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.hu>; 'Lina JASMONTAITE' <Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' <sziklay.julia@naih.hu> Subject: RE: STAR II - Update on EDPB and validation workshop?
Hi Leanne,
Thanks for the update on the newsletter.
Regarding the upcoming events:
- The plan is to present the drafts of the guidance and the handbook at the EDPB plenary in February. However, as this is scheduled for 18-19 February, we can only do this, if the drafts are ready by then. Renáta will circulate the updated version of the guidance soon. As for the other document (handbook), Lina can provide further information.
- I have no further information on the validation workshop planned for March-April 2020.
Best,
Gábor
From: Leanne Cochrane <leanne.cochrane@trilateralresearch.com> Sent: Monday, January 27, 2020 6:25 PM To: Kulitsán Gábor <kulitsan.gabor@naih.hu> Cc: David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com>; Corinna Pannofino <Corinna.Pannofino@trilateralresearch.com>; Angelo Napolano <Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.hu>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; Sziklay Júlia <sziklay.julia@naih.hu> Subject: STAR II - Update on EDPB and validation workshop?
Hi Gabor,
I hope you are keeping well.
Our dissemination team is preparing to send out the STAR II newsletter we mentioned on our previous calls. It will be sent out this Thursday with links to the approved deliverables and some blogs. We are also including a section on upcoming events and I wanted to check with NAIH if we had any further information on the following two events:
* A presentation by NAIH to the EDPB on the STAR II project planned for the February EDPB plenary (18th-19th) in Brussels.
* A Validation workshop for the STAR II outputs, namely 'A Risk Focused Handbook for SMEs' and a 'Guidance for DPAs', planned for March-April 2020 in Brussels.
Can I just check this information is still current and there is nothing more specific we can add at this stage?
I would be grateful if you can cc all in the reply as I am off tomorrow and the dissemination team are in need of the confirmation.
Thanks and best wishes,
Leanne
http://www.trilateralresearch.com/
Leanne Cochrane
Senior Research Analyst | Policy, Ethics and Emerging Technologies Team
leanne.cochrane@trilateralresearch.com
www.trilateralresearch.com
Mobile: +44 (0) 7545 955 242
Skype: @ljcochrane
Dear Gabor,
I understand your point of view but I believe that all three partners should have agreed to the suspension before sending a request to the PO. Following my supervisor’s advice, VUB couldn’t accept this proposal. I am ok to discuss alternative solutions with the PO. I will keep you and TRI team posted via the mailing list.
Best regards and stay safe, Lina
From: Kulitsán Gábor kulitsan.gabor@naih.hu Sent: Monday, March 16, 2020 11:14 AM To: Lina JASMONTAITE Lina.Jasmontaite@vub.be Cc: 'STAR' star@listserv.vub.ac.be; David Barnard-Wills david.barnard-wills@trilateralresearch.com; nagy.renata@naih.hu Subject: RE: feedback on STAR II 4.1
Dear Lina,
And how should I ask any extension if I don’t know any exact dates or anything for sure? I think the suspension is better, indicating that the project would resume where it left off once the situation returns to normal or at least to less serious. I already sent the message to the PO, but if you have any other idea, feel free to share with her via the portal adding the turn “on behalf of the coordinator”. I’m really sorry, but now I have neither time nor energy to act as a contact person. If you want, you can have the call as well, but I probably won’t be available. And no offense, but to be honest, currently the project is of least interest to me.
Best, Gábor
From: Lina JASMONTAITE <Lina.Jasmontaite@vub.be> Sent: Monday, March 16, 2020 10:58 AM To: Kulitsán Gábor <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu Subject: RE: feedback on STAR II 4.1
Dear Gabor,
Thanks for your email. I am not sure what a suspension would mean in terms of financial implications for VUB, so at this point I think we should request an extension in these unforeseen circumstances rather than a suspension.
While the situation is full of uncertainty and many of us need to adapt to it, we can still proceed further and work on deliverables for the project, apart from the workshop. We need to discuss a scenario with the PO what to do if the situation does not improve in upcoming weeks. If that is the case, perhaps, we should ask for the adjustment in the DOW and instead of a workshop to obtain feedback we could propose having an online consultation. This would of course affect our funding.
I think we should still have a call if not this week, then a week after.
Best regards, Lina
From: Kulitsán Gábor <kulitsan.gabor@naih.hu> Sent: Monday, March 16, 2020 10:39 AM To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu Cc: 'STAR' <star@listserv.vub.ac.be> Subject: RE: feedback on STAR II 4.1 Importance: High
Dear Lina & All
Due to the current situation I will ask the PO to temporarily suspend the project including all deadlines by reason of unforeseeable circumstances of force majeure. I’ll keep you updated.
Secondly, I can’t make tomorrow’s call, but I don’t think that’s the most important thing now anyway.
Best wishes, stay safe and take care of yourselves!
Gábor
From: Lina JASMONTAITE <Lina.Jasmontaite@vub.be> Sent: Friday, March 13, 2020 10:54 AM To: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be>; nagy.renata@naih.hu Subject: RE: feedback on STAR II 4.1
@David Barnard-Wills many thanks for sharing the extensive feedback. It’s much appreciated and we’ll implement it as soon as possible.
@Kulitsán Gábor at the university we were receiving daily updates on the situation concerning the virus. For now all external events are cancelled until the end of April. In view of this, we can suggest to reschedule the event for a later date (probably to mid or late June) in the hope that by then the situation improves and we can host the event. This would consequently require more time to finalise the handbook for the final event and then July wouldn’t be a realistic date. My understanding is that we cannot ask for the extension of the project to the end of October/November because it is funded by the grant action. Could we ask however the PO for the cost of the final workshop as well as travelling to be eligible for the later date that would go beyond the lifetime of the project? Perhaps, before proceeding with the official communication, it would be possible to get in touch with the PO via a phone call, so we are aware of the position taken by the EC considering the current situation?
Having a call on Tuesday works well for our team.
Best regards, Lina
From: David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com> Sent: Tuesday, March 10, 2020 4:22 PM To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: feedback on STAR II 4.1
Dear all,
First, I sincerely apologise for not getting this feedback to you earlier. I assume that D4.1 was submitted? On the positive side, this feedback can presumably be included in the final version of these deliverables.
We got Alan Moore, one of our DPO team, with good practical expertise with various commercial clients to review the guidance document (You met him at the Brussels workshop). His feedback is below.
Best wishes,
DBW
I have gone through the document and have a few suggestions:
P7 Section 3.2 It can be suggested that to compensate for being awarded with limited enforcement powers…..
I would hold they have significant powers beyond the ability to fine. Their powers to instruct controllers / processor top cease processing data, among others, can ultimately shut down a business without a fine being levied. To ignore these instructions can land a director in jail for up to 5 years!
P8. DPAs The focus on standardisation and EDPB. Art 60 was an after thought and the general view is the it cannot operate within the prescribed timelines. The ECJ will be the ultimate arbiter for standardisation of approaches / laws / requirements but each National Authority must be free to interpret facts presented in its own way. Their independence is anchored in the EU treaties. A complication that will eventually need to be addressed.
P8. 3.3 Should be aware that translation into romance languages can carry a different commutation the was intended by the Directive and DPA have a key role to explain the true intent / meaning.
P9. 3.4 Typo in second paragraph. It also could be considered e the most
P10. It appeared that most DPAs do not use internal guidance to direct…. What has been the result of this? A key concern in the Irish DPC has been delivering a consistent message and not providing a different answer to the same or similar callers on different occasions.
P11. 4 Unclear use of language - first paragraph This initiative allowed to be confirmed that It allowed to be obtained
P11.4. Would stress the importance of standardisation of response & P12 4 Add ‘c’? Implement a control process to ensure standardisation of responses to similar questions / scenarios
P13. 4.2 Might mention the concern that callers may have that showing their hand may trigger an investigation. Callers need to be reassured and encouraged to participate. Approaches do differ between different DPAs.
P13. 4.2.1 It was decided to create a dedicated part Following up on from this decision
P15. 4.2.3 I would stress the value of face to face more as context can be complicated and the caller is subject to information and power asymmetry.
P16 4.5 last paragraph We are included inclined to
P21 6.2 last paragraph DPAs across the EU have reported to engage that they have engaged in
P22 6.3 4.5 last paragraph Slovic suggests that the following elements play a role when evaluating risk:
1. The degree to which an individual feels in control 2. The nature of consequences and the distribution of the impact
P23 6.3 2nd paragraph Which is perceived ‘as the coordinated activities to direct and control an organisation with regard to risk’ 47 This is most practically evidenced by the development and maintaining of a formal risk register.
(This risk section is very cerebral I fear and wont help with the ‘how’)
P23 6.3.1 Typically, the risk based approach formula approach in the GDPR includes the following elements to be taken into account:
* The state of the art in terms of technology for of the means of processing (state of the art needs to be explained – does not mean the best there is but rather the minimum expectable / expected)
P24 6.3.2 I would add a sentence or two on the benefits undertaking a voluntary DPIA which include:
* Documented understanding of the how the system works * Known points of integration with other systems * Assigning accountability * Ensuring organisational standards (security / access etc) are being complied with * Demonstrated commitment to GDPR * General piece of mind / greater organisational resilience
P24 6.3.5 I would add a piece on keeping a formal risk register of risks to data subjects, separate from ant organisation risk register of risks to the organisation in which all risks are assigned an owner and a review date.
P25 6.3.5 (b) What does SMEs need to do to be accountable?
Second paragraph …that the principle of accountability as an elements of good
P.26 first line … that the demonstration of compliance
P.26 6.3.6 (b)
* Implement data protection principles (see Article 5) and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects (see Chapter III) in an effective manner;
* This should be done at the time of the determination of the means for processing and implemented before the time of the processing itself. (Not that clear in the text.)
P.27 6.3.6 (c) It should be noted that some DPAs, while not defining any technical or organisational measures, will nonetheless express an expectation, such as the Irish DPC in terms of the use of encryption whenever possible where personal data is at rest or in transit.
P.28 6.3.7 (b) 2nd paragraph It is assumed that organisations will, however, benefit more from maintaining their documentation electronically as [they can → such documentation can] easily be added to, have entries removed when obsolete, and [amend it → amend entries] as necessary. However, paper documentation is regarded as being appropriate for SMEs and micro enterprises. It should be added that SMEs (entities having less than 250 employees) are technically exempt from this obligation [if → provided] they are undertaking:
• processing that is not likely to result in a risk to the rights and freedoms of data subjects;
• processing that is not occasional (meaning that it is not regularly / frequently undertaken); or
• processing that does not include special categories of data or personal data relating to criminal convictions and offences.
In reality, very few SMEs can avail of this exemption unless they process very little data. Most SMEs will usually have some special category data as part of their HR files.
They [can be → are] available on the websites….
P.29 6.3.8 (a) 2 Large scale is not defined by the legislation though different DPAs have given some guidance relevant to different activities.
For SMEs who provide services into other organisations, the voluntary appointment of an internal or outsourced DPO can provide commercial and strategic advantage by communicating a commitment to data protection and promoting higher levels of trust.
P.29 6.3.8 (b)
A DPO may either be an employee of the SME or an external expert, but in both cases it is fundamental that he or she is independent, in the sense that:
• the DPO shall be provided [of → with] all the necessary resources to carry on his/her tasks, in terms of money, time, workforce, time to devote to professional development etc.;
• the DPO shall not receive instructions for the exercise of his/her tasks;
• the DPO shall not be dismissed or penalized for the performance of his/her tasks;
• the DPO shall report to the highest level of management; and
• the DPO should not [be in → have] any conflict of interest in respect to other tasks and duties (e.g. determining objects and purposes of the processing, representing the SME in legal proceedings).
P.30 6.3.8 (c) Tasks of DPOs
DPOs can:
• Inform and advise the SME on the obligations arising from the GDPR and the national data protection provisions
• Monitor the compliance of the SME with the GDPR, the national data protection provisions and (eventual) its internal data policies
• Carry on awareness raising activities and training for the staff of the SME dealing with data processing
• Provide advice to the SME and monitor the performance in relation to the DPIA (when a DPIA is required)
• Act as contact point for the supervisory authority in case of prior consultation
• Cooperate with the supervisory authority
• Be contacted by data subjects [willing → wishing] to exercise their rights
DPOs cannot:
• Be held accountable for the information and advice given to the SME (I do not agree with this. They are not accountable for whether their advice is implemented or not, but they can be held accountable for being negligent.)
• Be considered personally responsible for non-compliance with data protection requirements
• Perform the DPIA (Not true. There is no reason why a DPO cannot take the lead in undertaking a DPIA, especially where the skills do not exist elsewhere in the organization, but the responsibility to ensure one is done remains with the Controller.)
• Represent the SME in front of the DPA or in a court in case of proceedings (Not quite so. The DPO remains the first point of contact for data subjects and the DPAs and may be called to account for advice / provide an explanation as to how data was processed based on their monitoring of processing activities.)
• Be considered responsible for the maintenance of the register (True, but they are responsible for providing oversight as to whether it is maintained.)
• Simultaneously hold another position in the organization that helps define the means and purposes of processing of any personal data
• Create and maintain the register of processing (in the exceptional situations where SMEs are required to have one) (Not true: under Art 30 it is the responsibility of the Controller.)
P.31 6.3.9(a) Data Protection Impact Assessment (a) Background The DPIA is a new addition to the EU data protection framework. It builds on the rich experience of conducting impact assessments in other fields, in particular on environmental impact assessments. To be effective, impact assessments are carried out at the early stage of a project (proactive initiative), at the phase of planning or designing, and are aimed to [anticipate the → identify and help mitigate any] potential beneficial and adverse (i.e. negative) impacts [of such → arising from the intended processing of personal data within the] project. Impact assessments are risk based exercises that help decision-makers find the best and most beneficial solutions for the development and deployment of initiatives while protecting the rights and freedoms of data subjects. To be practical, impact assessments must be scalable, flexible and applicable inter alia for large organisations, consortia or for small and medium-sized enterprises. Any risks identified will be entered into the Data Protection Risk Register.
P.32 6.3.9(c) (c) What are the elements and characteristics of the processing that may generate the high risks to rights and freedoms of individuals? The following elements that contribute to the high risks to data subjects from this provision were extracted by the
(d) What situations could require a DPIA? Examples of processing operations that could trigger a DPIA:
• If the SME is implementing a new tool to monitor access to the office combining use of fingerprints and [face → facial] recognition technology;
• If the SME is a biotechnology company offering genetic tests directly to consumers in order to assess and predict disease/health risks;
• If the SME is providing CCTV surveillance for a shopping centre or using a large number of cameras in its own premises.
(e) Who and when should perform a DPIA? Albeit the data processor and the data protection officer shall assist the data controller (i.e., SME), the final responsibility [on → for] the DPIA process [relies on → rests with] the data controller.
(f) When is a DPIA not required?
• When the data processing operations are included in any list of data processing operations compiled by the DPA [non requiring → which do not require] a DPIA
P.33 6.3.9(g) 4) Involve data subjects and/or their representatives, the data protection officer and any other expert (e.g. information security officer) and the data processor in the process, ideally in each phase of the assessment process. This consultation must be meaningful.
P.33 6.3.9(h) (h) When is a new (revised) DPIA required? A new (i.e. revised version of) DPIA could be required if the risks resulting from the processing operations are to change, for example because a new technology [has been → is to be] introduced, a new processor is to be engaged under contract, or because personal data is [being → to be] used for a different purpose.
In that case, the review of the risk analysis made can show that the performance of a DPIA is no longer required.
P.34 6.3.10(b) (b) How is the security obligation related to other provisions? This obligation also requires the controller wishing to engage a processor under contract to undertake due diligence and assess whether the guarantees offered by the data processor, in this case the cloud service provider, are sufficient. A controller must only engage such a processor where they have faith in their ability to comply with the obligations under GDPR. During this process, the controller may take into account whether the processor provides adequate documentation proving compliance with data protection principles, which could be found in privacy policies, records management policies, information security policies, external audit reports, certifications and similar documentation. The controller in particular should take into account the processor’s expert knowledge (e.g. technical expertise when dealing with data breaches and security measures), reliability and its resources. A site visit may also be necessary. After carrying out the due diligence process, the controller should be able to take a decision with sufficient evidence demonstrating that the processor is suitable; it can then enter into a binding arrangement. It should be added that this due diligence process is not a one-time effort[ and it needs to be regularly repeated in order → . The controller will have an ongoing obligation] to check whether the processor is compliant and meeting their obligations, either by auditing using their own staff or a trusted third party. When outsourcing the processing of personal data (e.g. for the provision of technical assistance or cloud services), the controller [should → must] conclude a contract, another legal act or binding arrangement with the other entity already setting out clear and precise data protection obligations and the nature of processing in a detailed data processing agreement.
P.35 6.3.10(c) An information security policy foreseeing the role of each user and the required permission levels (access control) appropriate to the role, which minimises access to only that data necessary for that role (this includes the system administrator accounts), is an example of an appropriate organisational measure.
P.35 6.3.10(d) What technical security measures can a SME take? Technical measures must therefore include both physical and computer or IT security.
When considering cybersecurity, you should look at factors such as:
• system security – the security of your network and information systems, [including → especially] those which process personal data;
• data security – the security of the data you hold within your systems, e.g., ensuring appropriate access controls are in place and that data is held securely through the use of suitable levels of encryption;
P.36 6.3.10(e) Would add: Where Special Category Data is processed (such as health data) or personal data relating to minors, higher levels of security will be expected to be implemented and documented.
P.36 6.3.11 This section should start with the definition of what is meant by a breach and explain the difference between an incident and a breach. It is confusing otherwise.
P.37 6.3.11(b) Consequently, this means that the controller must have internal procedures defined, tested and documented [allowing to confirm → to appropriately identify and handle] any breach of security concerning personal data.
In an ideal scenario, an information incident response policy should [precede the occurrence of an incident → be in place before processing of personal data begins] so that it could be used should a data breach take place.
P.37 6.3.11(d) Would add a final paragraph. As GDPR is maturing, different DPAs are expressing different thresholds for the reporting of breaches. Where originally there was a fear of over-reporting, the DPC in Ireland has requested that a breach be reported when there is any risk identified to the data subject. This allows the Commission to identify trends and to have confidence that controllers are identifying the minor breaches and thus are able to identify the more serious breaches should they arise.
I hope you find this useful.
Alan
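The comments above on P.27 (encryption at rest), P.35 (role-based access limited to the data each role needs, system administrator accounts included) and P.36 (higher expectations for special category data) describe an access policy without showing what one looks like. The model below is an added example, not text or code from the STAR II handbook or the project: a deny-by-default, role-scoped permission check for a hypothetical SME, with an audit that flags personal data stored unencrypted, special category data readable by roles not approved for it, and roles that combine system administration with access to the records themselves. The datasets, roles and the `SPECIAL_CATEGORY_APPROVED` set are constructed for the example; the point it makes beyond the text is that an "admin" grant is kept distinct from reading the data, so a sysadmin account is denied row access unless it is granted explicitly.

```python
"""Least-privilege access policy for personal data (added example, constructed data)."""
from __future__ import annotations
from dataclasses import dataclass, field

READ, WRITE, EXPORT, ADMIN = "read", "write", "export", "admin"
DATA_ACTIONS = {READ, WRITE, EXPORT}   # actions that touch the records themselves


@dataclass(frozen=True)
class Dataset:
    name: str
    personal_data: bool
    special_category: bool      # Art. 9 data, e.g. health data in HR files
    encrypted_at_rest: bool


@dataclass
class Role:
    name: str
    grants: set = field(default_factory=set)   # set of (dataset, action) pairs


@dataclass
class User:
    login: str
    roles: set


# Constructed sample registry for a hypothetical SME (not from the handbook).
DATASETS = {
    "crm":      Dataset("crm", personal_data=True, special_category=False, encrypted_at_rest=True),
    "hr_files": Dataset("hr_files", personal_data=True, special_category=True, encrypted_at_rest=True),
    "cctv":     Dataset("cctv", personal_data=True, special_category=False, encrypted_at_rest=False),
    "catalog":  Dataset("catalog", personal_data=False, special_category=False, encrypted_at_rest=False),
}
ROLES = {
    "sales":     Role("sales", {("crm", READ), ("crm", WRITE), ("catalog", READ)}),
    "hr":        Role("hr", {("hr_files", READ), ("hr_files", WRITE)}),
    # sysadmin manages the systems but holds no grant to read the rows
    "sysadmin":  Role("sysadmin", {("crm", ADMIN), ("hr_files", ADMIN), ("cctv", ADMIN), ("catalog", ADMIN)}),
    # deliberately over-broad: marketing can read HR files
    "marketing": Role("marketing", {("crm", READ), ("crm", EXPORT), ("hr_files", READ)}),
    # deliberately mixes administration with data access on the same system
    "cctv_ops":  Role("cctv_ops", {("cctv", ADMIN), ("cctv", READ)}),
}
# Roles approved to handle special category data (assumed value for the example).
SPECIAL_CATEGORY_APPROVED = {"hr"}


def is_allowed(user: User, dataset: str, action: str, roles=ROLES, datasets=DATASETS) -> bool:
    """Deny by default: the (dataset, action) pair must be granted to one of the
    user's roles. ADMIN is its own action, so an admin grant never implies READ."""
    if dataset not in datasets:
        return False
    for role_name in user.roles:
        role = roles.get(role_name)
        if role is not None and (dataset, action) in role.grants:
            return True
    return False


def audit_policy(roles=ROLES, datasets=DATASETS, approved=SPECIAL_CATEGORY_APPROVED) -> list:
    """Return (subject, issue) findings a DPO or security officer would review."""
    findings = []
    for ds in datasets.values():
        if ds.personal_data and not ds.encrypted_at_rest:
            findings.append((ds.name, "unencrypted_at_rest"))
    for role in roles.values():
        admin_on = {d for d, a in role.grants if a == ADMIN}
        data_on = {d for d, a in role.grants if a in DATA_ACTIONS}
        for ds_name in sorted(data_on):
            if datasets[ds_name].special_category and role.name not in approved:
                findings.append((role.name, f"special_category_access:{ds_name}"))
        for ds_name in sorted(admin_on & data_on):
            findings.append((role.name, f"admin_and_data_access:{ds_name}"))
    return findings


if __name__ == "__main__":
    for subject, issue in audit_policy():
        print(f"{subject}: {issue}")
```

Run against the sample registry, the audit reports the unencrypted CCTV store, marketing's read access to HR files, and the cctv_ops role that both administers and reads the same system; the hr role, which is on the approved list, produces no finding. Each finding is a candidate entry for the data subject risk register suggested under P24 6.3.5.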
From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE Sent: 28 February 2020 13:09 To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Here comes D4.1 with both parts now included. We made further minor edits to Part A. We believe that the pdf version can be submitted. We look forward to your comments on Part B, which unfortunately comes a bit later than planned.
Best regards, Lina
From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE Sent: Friday, February 28, 2020 8:45 AM To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Thank you for your additions and edits. The document to be submitted to the EC will reach you shortly after noon.
Best regards, Lina
From: nagy.renata@naih.hu <nagy.renata@naih.hu> Sent: Thursday, February 27, 2020 4:31 PM To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear Lina! Dear All!
Thank you for sharing the restructured version of the guidance for DPAs. We only added minor additions/corrections. We confirm that the yellow parts are accurate.
We are looking forward to the handbook (the submission deadline is 29.02.2020)
Best regards,
Renáta
From: Lina JASMONTAITE <Lina.Jasmontaite@vub.be> Sent: Thursday, February 20, 2020 10:32 AM To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Once again, thank you for preparing a revised version of the guidance for DPAs. We reviewed it and now enclose an improved version of it. It includes nearly all of your report (see the document you shared; we marked in yellow the parts that were used). However, the current version is restructured, rephrased and embedded in a wider context of DPAs’ awareness raising duties. We also extracted recommendations from your report and developed a graph presenting these recommendations. There are two parts marked in yellow that need to be checked for accuracy. Perhaps you will want to add some other clarifications in the text. In particular, further additions could be made to the concluding remarks part. As we provided contributions to the initial text, we would like to be considered co-authors of this guidance. What do you think about this?
Part B – the handbook for SMEs – is on its way.
Best regards, Lina
From: nagy.renata@naih.hu <nagy.renata@naih.hu> Sent: Tuesday, January 28, 2020 4:16 PM To: 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>; Leanne Cochrane <leanne.cochrane@trilateralresearch.com> Cc: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.com>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' <sziklay.julia@naih.hu> Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear All!
Please, find enclosed the updated version of the guidance.
Best,
Renáta
From: Kulitsán Gábor <kulitsan.gabor@naih.hu> Sent: Tuesday, January 28, 2020 10:09 AM To: 'Leanne Cochrane' <leanne.cochrane@trilateralresearch.com> Cc: 'David Barnard-Wills' <David.Barnard-Wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.hu>; 'Lina JASMONTAITE' <Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' <sziklay.julia@naih.hu> Subject: RE: STAR II - Update on EDPB and validation workshop?
Hi Leanne,
Thanks for the update on the newsletter.
Regarding the upcoming events:
* The plan is to present the drafts of the guidance and the handbook at the EDPB plenary in February. However, as this is scheduled for 18-19 February, we can only do this if the drafts are ready by then. Renáta will circulate the updated version of the guidance soon. As for the other document (handbook), Lina can provide further information.
* I have no further information on the validation workshop planned for March-April 2020.
Best, Gábor
From: Leanne Cochrane <leanne.cochrane@trilateralresearch.com> Sent: Monday, January 27, 2020 6:25 PM To: Kulitsán Gábor <kulitsan.gabor@naih.hu> Cc: David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com>; Corinna Pannofino <Corinna.Pannofino@trilateralresearch.com>; Angelo Napolano <Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.hu>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; Sziklay Júlia <sziklay.julia@naih.hu> Subject: STAR II - Update on EDPB and validation workshop?
Hi Gabor,
I hope you are keeping well.
Our dissemination team is preparing to send out the STAR II newsletter we mentioned on our previous calls. It will be sent out this Thursday with links to the approved deliverables and some blogs. We are also including a section on upcoming events and I wanted to check with NAIH if we had any further information on the following two events:
* A presentation by NAIH to the EDPB on the STAR II project planned for the February EDPB plenary (18th-19th) in Brussels.
* A validation workshop for the STAR II outputs, namely 'A Risk Focused Handbook for SMEs' and a 'Guidance for DPAs', planned for March-April 2020 in Brussels.
Can I just check this information is still current and there is nothing more specific we can add at this stage?
I would be grateful if you can cc all in the reply as I am off tomorrow and the dissemination team are in need of the confirmation.
Thanks and best wishes, Leanne
Leanne Cochrane
Senior Research Analyst | Policy, Ethics and Emerging Technologies Team
leanne.cochrane@trilateralresearch.com
www.trilateralresearch.com
Mobile: +44 (0) 7545 955 242
Skype: @ljcochrane
Dear David and Leanne,
Could you please let us know your position on this situation?
Best regards, Lina
On 16 Mar 2020, at 11:39, Lina JASMONTAITE Lina.Jasmontaite@vub.be wrote:
Dear Gabor,
I understand your point of view, but I believe that all three partners should have agreed to the suspension before sending a request to the PO. Following my supervisor’s advice, VUB couldn’t accept this proposal. I am OK to discuss alternative solutions with the PO. I will keep you and the TRI team posted via the mailing list.
Best regards and stay safe, Lina
From: Kulitsán Gábor kulitsan.gabor@naih.hu Sent: Monday, March 16, 2020 11:14 AM To: Lina JASMONTAITE Lina.Jasmontaite@vub.be Cc: 'STAR' star@listserv.vub.ac.be; David Barnard-Wills david.barnard-wills@trilateralresearch.com; nagy.renata@naih.hu Subject: RE: feedback on STAR II 4.1
Dear Lina,
And how should I ask for any extension if I don’t know any exact dates or anything for sure? I think the suspension is better, indicating that the project would resume where it left off once the situation returns to normal or at least to less serious. I already sent the message to the PO, but if you have any other idea, feel free to share it with her via the portal, adding the term “on behalf of the coordinator”. I’m really sorry, but now I have neither time nor energy to act as a contact person. If you want, you can have the call as well, but I probably won’t be available. And no offense, but to be honest, currently the project is of least interest to me.
Best, Gábor
From: Lina JASMONTAITE <Lina.Jasmontaite@vub.be> Sent: Monday, March 16, 2020 10:58 AM To: Kulitsán Gábor <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu Subject: RE: feedback on STAR II 4.1
Dear Gabor,
Thanks for your email. I am not sure what a suspension would mean in terms of financial implications for VUB, so at this point I think we should request an extension in these unforeseen circumstances rather than a suspension.
While the situation is full of uncertainty and many of us need to adapt to it, we can still proceed further and work on deliverables for the project, apart from the workshop. We need to discuss with the PO a scenario for what to do if the situation does not improve in the upcoming weeks. If that is the case, perhaps we should ask for an adjustment in the DOW and, instead of a workshop to obtain feedback, we could propose having an online consultation. This would of course affect our funding.
I think we should still have a call if not this week, then a week after.
Best regards, Lina
From: Kulitsán Gábor <kulitsan.gabor@naih.hu> Sent: Monday, March 16, 2020 10:39 AM To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu Cc: 'STAR' <star@listserv.vub.ac.be> Subject: RE: feedback on STAR II 4.1 Importance: High
Dear Lina & All
Due to the current situation I will ask the PO to temporarily suspend the project including all deadlines by reason of unforeseeable circumstances of force majeure. I’ll keep you updated.
Secondly, I can’t make tomorrow’s call, but I don’t think that’s the most important thing now anyway.
Best wishes, stay safe and take care of yourselves!
Gábor
From: Lina JASMONTAITE <Lina.Jasmontaite@vub.be> Sent: Friday, March 13, 2020 10:54 AM To: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be>; nagy.renata@naih.hu Subject: RE: feedback on STAR II 4.1
@David Barnard-Wills many thanks for sharing the extensive feedback. It’s much appreciated and we’ll implement it as soon as possible.
@Kulitsán Gábor at the university we have been receiving daily updates on the situation concerning the virus. For now all external events are cancelled until the end of April. In view of this, we can suggest rescheduling the event to a later date (probably mid or late June) in the hope that by then the situation improves and we can host the event. This would consequently require more time to finalise the handbook for the final event, and then July wouldn’t be a realistic date. My understanding is that we cannot ask for an extension of the project to the end of October/November because it is funded by the grant action. Could we however ask the PO for the cost of the final workshop as well as travel to be eligible for a later date that would go beyond the lifetime of the project? Perhaps, before proceeding with the official communication, it would be possible to get in touch with the PO via a phone call, so we are aware of the position taken by the EC considering the current situation?
Having a call on Tuesday works well for our team.
Best regards, Lina
From: David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com> Sent: Tuesday, March 10, 2020 4:22 PM To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: feedback on STAR II 4.1
P11.4. Would stress the importance of standardisation of response & P12 4 Add ‘c’? Implement a control process to ensure standardisation of responses to similar questions / scenarios
P13. 4.2 Might mention the concern that callers may have that showing their hand may trigger an investigation. Callers need to be reassured and encouraged to participate. Approaches do differ between different DPAs.
P13. 4.2.1 It was decided to create a dedicated part Following up on from this decision
P15. 4.2.3 I would stress the value of face to face more as context can be complicated and the caller is subject to information and power asymmetry.
P16 4.5 last paragraph We are included inclined to
P21 6.2 last paragraph DPAs across the EU have reported to engage that they have engaged in
P22 6.3 4.5 last paragraph Slovic suggests that the following elements play a role when evaluating risk:
1. The degree to which an individual feels in control 2. The nature of consequences and the distribution of the impact
P23 6.3 2nd paragraph Which is perceived ‘as the coordinated activities to direct and control an organisation with regard to risk’ 47 This is most practically evidenced by the development and maintaining of a formal risk register.
(This risk section is very cerebral I fear and wont help with the ‘how’)
P23 6.3.1 Typically, the risk based approach formula approach in the GDPR includes the following elements to be taken into account:
* The state of the art in terms of technology for of the means of processing (state of the art needs to be explained – does not mean the best there is but rather the minimum expectable / expected)
P24 6.3.2 I would add a sentence or two on the benefits undertaking a voluntary DPIA which include:
* Documented understanding of the how the system works * Known points of integration with other systems * Assigning accountability * Ensuring organisational standards (security / access etc) are being complied with * Demonstrated commitment to GDPR * General piece of mind / greater organisational resilience
P24 6.3.5 I would add a piece on keeping a formal risk register of risks to data subjects, separate from ant organisation risk register of risks to the organisation in which all risks are assigned an owner and a review date.
P25 6.3.5 (b) What does SMEs need to do to be accountable?
Second paragraph …that the principle of accountability as an elements of good
P.26 first line … that the demonstration of compliance
P.26 6.3.6 (b)
* Implement data protection principles (see Article 5) and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects (see Chapter III) in an effective manner; * This should done at the time of the determination of the means for processing and implemented before the time of the processing itself. (not that clear in the text.)
P.27 6.3.6 (c) It should be noted that some DPAs while note defining and technical or organisation measures will nonetheless express an expectation such as the Irish DPC in terms of the use of encryption whenever possible where personal data is at rest or in transit.
P.28 6.3.7 (b) 2nd paragraph It is assumed that organisations will, however, benefit more from maintaining their documentation electronically as such documentation can they can easily added to, have entries removed when obsolete, and amend entries it as necessary. However paper documentation is regarded as being appropriate for SMEs and micro enterprises. It should be added that SMEs (entities having less than 250 employees) are technically exempt from this obligation if provided they are undertaking: • processing that is not likely to result in a risk to the rights and freedoms of data subjects; • processing that is not occasional (meaning that it is not regularly / frequently undertaken); or • processing that does not include special categories of data or personal data relating to criminal convictions and offences.
In reality, very few SMEs can avail of this exemption unless the process very little data. Most SMEs will usually have some special category data as part of their HR files.
They can be are available on the websites….
P.29 6.3.8 (a) 2 Large scale is not defined by the legislation though different DPAs have given some guidance relevant to different activities.
For SMEs who provide services into other organisations, the voluntary appointment of an internal or outsourced DPO can provide commercial and strategic advantage by communicating a commitment to data protection and promoting higher levels of trust.
P.29 6.3.8 (b)
A DPO may either be an employee of the SME or an external expert, but in both cases it is fundamental that he or she is independent, in the sense that:
• the DPO shall be provided with all the necessary resources to carry on his/her tasks, in terms of money, time, workforce, time to devote to professional development etc.;
• the DPO shall not receive instructions for the exercise of his/her tasks;
• the DPO shall not be dismissed or penalized for the performance of his/her tasks;
• the DPO shall report to the highest level of management; and
• the DPO should not have any conflict of interest in respect of other tasks and duties (e.g. determining objects and purposes of the processing, representing the SME in legal proceedings).
P.30 6.3.8 (c)
Task of DPOs | DPOs cannot
Inform and advise the SME on the obligations arising from the GDPR and the national data protection provisions | Be held accountable for the information and advice given to the SME (I do not agree with this. They are not accountable for whether their advice is implemented or not but they can be held accountable for being negligent)
Monitor the compliance of the SME with the GDPR, the national data protection provisions and (eventual) its internal data policies | Be considered personally responsible for non-compliance with data protection requirements
Carry on awareness raising activities and training for the staff of the SME dealing with data processing | Perform the DPIA. Not true. There is no reason why a DPO cannot take the lead in undertaking a DPIA, especially where the skills do not exist elsewhere in the organization, but the responsibility to ensure one is done remains with the Controller.
Provide advice to the SME and monitor the performance in relation to the DPIA (when a DPIA is required) | Represent the SME in front of the DPA or in a court in case of proceedings. Not quite so. The DPO remains the first point of contact for data subjects and the DPAs and may be called to account for advice / provide an explanation as to how data was processed based on their monitoring of processing activities.
Act as contact point for the supervisory authority in case of prior consultation | Be considered responsible for the maintenance of the register. True, but they are responsible for providing oversight as to whether it is maintained.
Cooperate with the supervisory authority | Simultaneously hold another position in the organization that helps define the means and purposes of processing of any personal data.
Be contacted by data subjects wishing to exercise their rights | Create and maintain the register of processing (in the exceptional situations where SMEs are required to have one). Not true: under Art 30 it is the responsibility of the Controller.
P.31 6.3.9(a) Data Protection Impact Assessment
(a) Background
The DPIA is a new addition to the EU data protection framework. It builds on the rich experience of conducting impact assessments in other fields, in particular on environmental impact assessments. To be effective, impact assessments are carried out at the early stage of a project (proactive initiative), at the phase of planning or designing, and are aimed to identify, anticipate and help mitigate any potential beneficial and adverse (i.e. negative) impacts arising from the intended processing of personal data within the project. Impact assessments are risk-based exercises that help decision-makers find the best and most beneficial solutions for the development and deployment of initiatives while protecting the rights and freedoms of data subjects. To be practical, impact assessments must be scalable, flexible and applicable inter alia for large organisations, consortia or for small and medium-sized enterprises. Any risks identified will be entered into the Data Protection Risk Register.
P.32 6.3.9(c)
(c) What are the elements and characteristics of the processing that may generate the high risks to rights and freedoms of individuals? The following elements that contribute to the high risks to data subjects from this provision were extracted by the
(d) What situations could require a DPIA? Examples of processing operations that could trigger a DPIA:
• If the SME is implementing a new tool to monitor access to the office combining use of fingerprints and facial recognition technology;
• If the SME is a biotechnology company offering genetic tests directly to consumers in order to assess and predict disease/health risks;
• If the SME is providing CCTV surveillance for a shopping centre or using a large number of cameras in their own premises.
(e) Who should perform a DPIA, and when? Albeit the data processor and the data protection officer shall assist the data controller (i.e., the SME), the final responsibility for the DPIA process rests with the data controller.
(f) When is a DPIA not required?
• When the data processing operations are included in any list of data processing operations compiled by the DPA which do not require a DPIA
P.33 6.3.9(g) 4) Involve data subjects and/or their representatives, the data protection officer and any other expert (e.g. information security officer) and the data processor in the process, ideally in each phase of the assessment process. This consultation must be meaningful.
P.33 6.3.9(h)
(h) When is a new (revised) DPIA required? A new (i.e. revised version of a) DPIA could be required if the risks resulting from the processing operations are to change, for example because a new technology has been introduced, a new processor is to be engaged under contract, or because personal data is to be used for a different purpose.
In that case, the review of the risk analysis made can show that the performance of a DPIA is no longer required.
P.34 6.3.10(b)
(b) How is the security obligation related to other provisions? This obligation also requires the controller wishing to engage a processor under contract to undertake due diligence and assess whether the guarantees offered by the data processor, in this case the cloud service provider, are sufficient. A controller must only engage such a processor where they have faith in their ability to comply with the obligations under the GDPR. During this process, the controller may take into account whether the processor provides adequate documentation proving compliance with data protection principles, which could be found in privacy policies, records management policies, information security policies, external audit reports, certifications and similar documentation. The controller in particular should take into account the processor’s expert knowledge (e.g. technical expertise when dealing with data breaches and security measures), reliability and resources. A site visit may also be necessary. After carrying out the due diligence process, the controller should be able to take a decision with sufficient evidence demonstrating that the processor is suitable; it can then enter into a binding arrangement. It should be added that this due diligence process is not a one-time effort. The controller will have an ongoing obligation to check whether the processor is compliant and meeting their obligations, either by auditing using their own staff or a trusted third party. When outsourcing the processing of personal data (e.g. for the provision of technical assistance or cloud services), the controller must conclude a contract, another legal act or binding arrangement with the other entity, setting out clear and precise data protection obligations and the nature of processing in a detailed data processing agreement.
P.35 6.3.10(c)
An information security policy foreseeing the role of each user and the required permission levels (access control) appropriate to the role, which minimises access to only that data necessary for that role and includes the system administrator accounts, is an example of an appropriate organisational measure.
P.35 6.3.10(d)
What technical security measures can an SME take? Technical measures must therefore include both physical and computer or IT security.
When considering cybersecurity, you should look at factors such as:
• system security – the security of your network and information systems, including especially those which process personal data;
• data security – the security of the data you hold within your systems, e.g., ensuring appropriate access controls are in place and that data is held securely through the use of suitable levels of encryption;
P.36 6.3.10(e) Would add: Where Special Category Data is processed (such as health data) or personal data relating to minors, higher levels of security will be expected to be implemented and documented.
P.36 6.3.11 This section should start with the definition of what is meant by a breach and explain the difference between an incident and a breach. It is confusing otherwise.
P.37 6.3.11(b)
Consequently, this means that the controller must have internal procedures defined, tested and documented, allowing it to appropriately identify and handle any breach of security concerning personal data.
In an ideal scenario, an information incident response policy should be in place before processing of personal data begins, so that it could be used should a data breach take place.
P.37 6.3.11(d)
Would add a final paragraph. As the GDPR is maturing, different DPAs are expressing different thresholds for the reporting of breaches. Where originally there was a fear of over-reporting, the DPC in Ireland has requested a breach be reported when there is any risk identified to the data subject. This allows the Commission to identify trends and to have confidence that controllers are identifying the minor breaches and thus are able to identify the more serious breaches should they arise.
I hope you find this useful.
Alan
From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE
Sent: 28 February 2020 13:09
To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Here comes D4.1 with both parts now included. We made further minor edits to Part A. We believe that the pdf version can be submitted. We look forward to your comments on Part B, which unfortunately comes a bit later than planned.
Best regards, Lina
From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE
Sent: Friday, February 28, 2020 8:45 AM
To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Thank you for your additions and edits. The document to be submitted to the EC will reach you shortly after noon.
Best regards, Lina
From: nagy.renata@naih.hu <nagy.renata@naih.hu>
Sent: Thursday, February 27, 2020 4:31 PM
To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear Lina! Dear All!
Thank you for sharing the restructured version of the guidance for DPAs. We only added minor additions/corrections. We confirm that the yellow parts are accurate.
We are looking forward to the handbook (the submission deadline is 29.02.2020)
Best regards,
Renáta
From: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>
Sent: Thursday, February 20, 2020 10:32 AM
To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Once again, thank you for preparing a revised version of the guidance for DPAs. We reviewed it and now enclose an improved version of it. It includes nearly all of your report (see the document you shared; we marked in yellow the parts that were used). However, the current version is restructured, rephrased and embedded in a wider context of DPAs’ awareness raising duties. We also extracted recommendations from your report and developed a graph presenting these recommendations. There are two parts marked in yellow that need to be checked for accuracy. Perhaps you will want to add some other clarifications in the text. In particular, further additions could be made to the concluding remarks part. As we provided contributions to the initial text, we would like to be considered co-authors of this guidance. What do you think about this?
Part B – the handbook for SMEs – is on its way.
Best regards, Lina
From: nagy.renata@naih.hu <nagy.renata@naih.hu>
Sent: Tuesday, January 28, 2020 4:16 PM
To: 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>; Leanne Cochrane <leanne.cochrane@trilateralresearch.com>
Cc: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.com>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' <sziklay.julia@naih.hu>
Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear All!
Please, find enclosed the updated version of the guidance.
Best,
Renáta
From: Kulitsán Gábor <kulitsan.gabor@naih.hu>
Sent: Tuesday, January 28, 2020 10:09 AM
To: 'Leanne Cochrane' <leanne.cochrane@trilateralresearch.com>
Cc: 'David Barnard-Wills' <David.Barnard-Wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.hu>; 'Lina JASMONTAITE' <Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' <sziklay.julia@naih.hu>
Subject: RE: STAR II - Update on EDPB and validation workshop?
Hi Leanne,
Thanks for the update on the newsletter.
Regarding the upcoming events:
* The plan is to present the drafts of the guidance and the handbook at the EDPB plenary in February. However, as this is scheduled for 18-19 February, we can only do this if the drafts are ready by then. Renáta will circulate the updated version of the guidance soon. As for the other document (handbook), Lina can provide further information.
* I have no further information on the validation workshop planned for March-April 2020.
Best, Gábor
From: Leanne Cochrane <leanne.cochrane@trilateralresearch.com>
Sent: Monday, January 27, 2020 6:25 PM
To: Kulitsán Gábor <kulitsan.gabor@naih.hu>
Cc: David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com>; Corinna Pannofino <Corinna.Pannofino@trilateralresearch.com>; Angelo Napolano <Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.hu>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; Sziklay Júlia <sziklay.julia@naih.hu>
Subject: STAR II - Update on EDPB and validation workshop?
Hi Gabor,
I hope you are keeping well.
Our dissemination team is preparing to send out the STAR II newsletter we mentioned on our previous calls. It will be sent out this Thursday with links to the approved deliverables and some blogs. We are also including a section on upcoming events and I wanted to check with NAIH if we had any further information on the following two events:
* A presentation by NAIH to the EDPB on the STAR II project planned for the February EDPB plenary (18th-19th) in Brussels.
* A Validation workshop for the STAR II outputs, namely 'A Risk Focused Handbook for SMEs' and a 'Guidance for DPAs', planned for March-April 2020 in Brussels.
Can I just check this information is still current and there is nothing more specific we can add at this stage?
I would be grateful if you can cc all in the reply as I am off tomorrow and the dissemination team are in need of the confirmation.
Thanks and best wishes, Leanne
Leanne Cochrane
Senior Research Analyst | Policy, Ethics and Emerging Technologies Team
leanne.cochrane@trilateralresearch.com
http://www.trilateralresearch.com
Mobile: +44 (0) 7545 955 242
Skype: @ljcochrane
Dear Colleagues,
I think both proposals can be reasonable but nevertheless with quite the same effect: we will be stuck in the project till the end of a prolonged deadline (presumably till autumn 2020 instead of July). I am sure the Commission is working on the issue (the world epidemic situation affects all the ongoing projects in general) so we shall keep our dialogue going on.
Julia
From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE
Sent: Monday, March 16, 2020 1:38 PM
To: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; Leanne Cochrane <leanne.cochrane@trilateralresearch.com>
Cc: STAR <star@listserv.vub.ac.be>
Subject: Re: [star] feedback on STAR II 4.1
Dear David and Leanne,
Could you please let us know your position on this situation?
Best regards,
Lina
On 16 Mar 2020, at 11:39, Lina JASMONTAITE <Lina.Jasmontaite@vub.be> wrote:
Dear Gabor,
I understand your point of view but I believe that all three partners should have agreed to the suspension before sending a request to the PO. Following my supervisor’s advice, VUB couldn’t accept this proposal.
I am ok to discuss alternative solutions with the PO.
I will keep you and TRI team posted via the mailing list.
Best regards and stay safe,
Lina
From: Kulitsán Gábor <kulitsan.gabor@naih.hu>
Sent: Monday, March 16, 2020 11:14 AM
To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>
Cc: 'STAR' <star@listserv.vub.ac.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu
Subject: RE: feedback on STAR II 4.1
Dear Lina,
And how should I ask for any extension if I don’t know any exact dates or anything for sure? I think the suspension is better, indicating that the project would resume where it left off once the situation returns to normal or at least to less serious. I already sent the message to the PO, but if you have any other idea, feel free to share it with her via the portal, adding the turn “on behalf of the coordinator”. I’m really sorry, but now I have neither time nor energy to act as a contact person. If you want, you can have the call as well, but I probably won’t be available. And no offense, but to be honest, currently the project is of least interest to me.
Best,
Gábor
From: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>
Sent: Monday, March 16, 2020 10:58 AM
To: Kulitsán Gábor <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu
Subject: RE: feedback on STAR II 4.1
Dear Gabor,
Thanks for your email. I am not sure what a suspension would mean in terms of financial implications for VUB, so at this point I think we should request an extension in these unforeseen circumstances rather than a suspension.
While the situation is full of uncertainty and many of us need to adapt to it, we can still proceed further and work on deliverables for the project, apart from the workshop. We need to discuss a scenario with the PO what to do if the situation does not improve in upcoming weeks. If that is the case, perhaps, we should ask for the adjustment in the DOW and instead of a workshop to obtain feedback we could propose having an online consultation. This would of course affect our funding.
I think we should still have a call if not this week, then a week after.
Best regards,
Lina
From: Kulitsán Gábor <kulitsan.gabor@naih.hu>
Sent: Monday, March 16, 2020 10:39 AM
To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: RE: feedback on STAR II 4.1
Importance: High
Dear Lina & All
Due to the current situation I will ask the PO to temporarily suspend the project including all deadlines by reason of unforeseeable circumstances of force majeure. I’ll keep you updated.
Secondly, I can’t make tomorrow’s call, but I don’t think that’s the most important thing now anyway.
Best wishes, stay safe and take care of yourselves!
Gábor
From: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>
Sent: Friday, March 13, 2020 10:54 AM
To: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>; nagy.renata@naih.hu
Subject: RE: feedback on STAR II 4.1
@David Barnard-Wills many thanks for sharing the extensive feedback. It’s much appreciated and we’ll implement it as soon as possible.
@'Kulitsán Gábor' at the university we were receiving daily updates on the situation concerning the virus. For now all external events are cancelled until the end of April. In view of this, we can suggest rescheduling the event for a later date (probably mid or late June) in the hope that by then the situation improves and we can host the event. This would consequently require more time to finalise the handbook for the final event and then July wouldn’t be a realistic date. My understanding is that we cannot ask for the extension of the project to the end of October/November because it is funded by the grant action. Could we however ask the PO for the cost of the final workshop as well as travelling to be eligible for a later date that would go beyond the lifetime of the project?
Perhaps, before proceeding with the official communication, it would be possible to get in touch with the PO via a phone call, so that we are aware of the position taken by the EC considering the current situation?
Having a call on Tuesday works well for our team.
Best regards,
Lina
From: David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com>
Sent: Tuesday, March 10, 2020 4:22 PM
To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: feedback on STAR II 4.1
Dear all,
First, I sincerely apologise for not getting this feedback to you earlier. I assume that D4.1 was submitted?
On the positive side, this feedback can presumably be included in the final version of these deliverables.
We got Alan Moore, one of our DPO team, with good practical expertise with various commercial clients to review the guidance document (You met him at the Brussels workshop). His feedback is below.
Best wishes,
DBW
I have gone through the document and have a few suggestions:
P7 Section 3.2 It can be suggested that to compensate for being awarded with limited enforcement powers…..
I would hold they have significant powers beyond the ability to fine. Their powers to instruct controllers / processor top cease processing data, among others, can ultimately shut down a business without a fine being levied. To ignore these instructions can land a director in jail for up to 5 years!
P8. DPAs The focus on standardisation and EDPB. Art 60 was an after thought and the general view is the it cannot operate within the prescribed timelines. The ECJ will be the ultimate arbiter for standardisation of approaches / laws / requirements but each National Authority must be free to interpret facts presented in its own way. Their independence is anchored in the EU treaties. A complication that will eventually need to be addressed.
P8. 3.3 Should be aware that translation into romance languages can carry a different commutation the was intended by the Directive and DPA have a key role to explain the true intent / meaning.
P9. 3.4 Typo in second paragraph.
It also could be considered e the most
P10. It appeared that most DPAs do not use internal guidance to direct….
What has been the result of this? A key concern in the Irish DPC has been delivering a consistent message and not providing a different answer to the same or similar callers on different occasions.
P11. 4 Unclear use of language - first paragraph
This initiative allowed to be confirmed that
It allowed to be obtained
P11.4. Would stress the importance of standardisation of response
& P12 4 Add ‘c’? Implement a control process to ensure standardisation of responses to similar questions / scenarios
P13. 4.2 Might mention the concern that callers may have that showing their hand may trigger an investigation. Callers need to be reassured and encouraged to participate. Approaches do differ between different DPAs.
P13. 4.2.1
It was decided to create a dedicated part
Following up on from this decision
P15. 4.2.3
I would stress the value of face to face more as context can be complicated and the caller is subject to information and power asymmetry.
P16 4.5 last paragraph
We are included inclined to
P21 6.2 last paragraph
DPAs across the EU have reported to engage that they have engaged in
P22 6.3 4.5 last paragraph
Slovic suggests that the following elements play a role when evaluating risk:
1. The degree to which an individual feels in control 2. The nature of consequences and the distribution of the impact
P23 6.3 2nd paragraph
Which is perceived ‘as the coordinated activities to direct and control an organisation with regard to risk’ 47 This is most practically evidenced by the development and maintaining of a formal risk register.
(This risk section is very cerebral I fear and wont help with the ‘how’)
P23 6.3.1
Typically, the risk based approach formula approach in the GDPR includes the following elements to be taken into account:
* The state of the art in terms of technology for of the means of processing (state of the art needs to be explained – does not mean the best there is but rather the minimum expectable / expected)
P24 6.3.2
I would add a sentence or two on the benefits undertaking a voluntary DPIA which include:
* Documented understanding of the how the system works * Known points of integration with other systems * Assigning accountability * Ensuring organisational standards (security / access etc) are being complied with * Demonstrated commitment to GDPR * General piece of mind / greater organisational resilience
P24 6.3.5
I would add a piece on keeping a formal risk register of risks to data subjects, separate from ant organisation risk register of risks to the organisation in which all risks are assigned an owner and a review date.
P25 6.3.5 (b) What does SMEs need to do to be accountable?
Second paragraph
…that the principle of accountability as an elements of good
P.26 first line
… that the demonstration of compliance
P.26 6.3.6 (b)
* Implement data protection principles (see Article 5) and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects (see Chapter III) in an effective manner; * This should done at the time of the determination of the means for processing and implemented before the time of the processing itself.
(not that clear in the text.)
P.27 6.3.6 (c)
It should be noted that some DPAs while note defining and technical or organisation measures will nonetheless express an expectation such as the Irish DPC in terms of the use of encryption whenever possible where personal data is at rest or in transit.
P.28 6.3.7 (b) 2nd paragraph
It is assumed that organisations will, however, benefit more from maintaining their documentation electronically as such documentation can they can easily added to, have entries removed when obsolete, and amend entries it as necessary. However paper documentation is regarded as being appropriate for SMEs and micro enterprises. It should be added that SMEs (entities having less than 250 employees) are technically exempt from this obligation if provided they are undertaking:
• processing that is not likely to result in a risk to the rights and freedoms of data subjects;
• processing that is not occasional (meaning that it is not regularly / frequently undertaken); or
• processing that does not include special categories of data or personal data relating to criminal convictions and offences.
In reality, very few SMEs can avail of this exemption unless the process very little data. Most SMEs will usually have some special category data as part of their HR files.
They can be are available on the websites….
P.29 6.3.8 (a) 2
Large scale is not defined by the legislation though different DPAs have given some guidance relevant to different activities.
For SMEs who provide services into other organisations, the voluntary appointment of an internal or outsourced DPO can provide commercial and strategic advantage by communicating a commitment to data protection and promoting higher levels of trust.
P.29 6.3.8 (b)
A DPO may either be an employee of the SME or an external expert, but in both cases, it is fundamental that he or she is independent, in the sense that:
• the DPO shall be provided of with all the necessary resources to carry on his/her tasks, in terms of money, time, workforce, time to devote to professional development etc.;
• the DPO shall not receive instructions for the exercise of his/her tasks;
• the DPO shall not be dismissed or penalized for the performance of his/her tasks;
• the DPO shall report to the highest level of management; and
• the DPO should not be in have any conflict of interest in respect to other tasks and duties (e.g. determining objects and purposes of the processing, representing the SME in legal proceeding).
P.30 6.3.8 (c)
Tasks of DPOs:
• Inform and advise the SME on the obligations arising from the GDPR and the national data protection provisions
• Monitor the compliance of the SME with the GDPR, the national data protection provisions and (if any) its internal data policies
• Carry on awareness raising activities and training for the staff of the SME dealing with data processing
• Provide advice to the SME and monitor the performance in relation to the DPIA (when a DPIA is required)
• Act as contact point for the supervisory authority in case of prior consultation
• Cooperate with the supervisory authority
• Be contacted by data subjects wishing to exercise their rights
DPOs cannot:
• Be held accountable for the information and advice given to the SME (I do not agree with this. They are not accountable for whether their advice is implemented or not, but they can be held accountable for being negligent.)
• Be considered personally responsible for non-compliance with data protection requirements
• Perform the DPIA (Not true. There is no reason why a DPO cannot take the lead in undertaking a DPIA, especially where the skills do not exist elsewhere in the organization, but the responsibility to ensure one is done remains with the Controller.)
• Represent the SME in front of the DPA or in a court in case of proceedings (Not quite so. The DPO remains the first point of contact for data subjects and the DPAs and may be called to account for advice / provide an explanation as to how data was processed based on their monitoring of processing activities.)
• Be considered responsible for the maintenance of the register (True, but they are responsible for providing oversight as to whether it is maintained.)
• Simultaneously hold another position in the organization that helps define the means and purposes of processing of any personal data
• Create and maintain the register of processing (in the exceptional situations where SMEs are required to have one) (Not true: under Art 30 it is the responsibility of the Controller.)
P.31 6.3.9(a) Data Protection Impact Assessment
(a) Background
The DPIA is a new addition to the EU data protection framework. It builds on the rich experience of conducting impact assessments in other fields, in particular on environmental impact assessments. To be effective, impact assessments are carried out at the early stage of a project (proactive initiative), at the phase of planning or designing, and are aimed to identify and help mitigate any potential beneficial and adverse (i.e. negative) impacts arising from the intended processing of personal data within the project. Impact assessments are risk based exercises that help decision-makers find the best and most beneficial solutions for the development and deployment of initiatives while protecting the rights and freedoms of data subjects. To be practical, impact assessments must be scalable, flexible and applicable inter alia for large organisations, consortia or for small and medium-sized enterprises. Any risks identified will be entered into the Data Protection Risk Register.
P.32 6.3.9(c)
(c) What are the elements and characteristics of the processing that may generate high risks to the rights and freedoms of individuals?
The following elements that contribute to the high risks to data subjects from this provision were extracted by the
(d) What situations could require a DPIA?
Examples of processing operations that could trigger a DPIA:
• If the SME is implementing a new tool to monitor access to the office combining use of fingerprints and facial recognition technology;
• If the SME is a biotechnology company offering genetic tests directly to consumers in order to assess and predict the disease/health risks
• If the SME is providing CCTV surveillance for a shopping centre or using a large number of cameras in their own premises
(e) Who and when should perform a DPIA?
Although the data processor and the data protection officer shall assist the data controller (i.e., the SME), the final responsibility for the DPIA process rests with the data controller.
(f) When is a DPIA not required?
• When the data processing operations are included in any list compiled by the DPA of data processing operations which do not require a DPIA
P.33 6.3.9(g)
4) Involve data subjects and/or their representatives, the data protection officer and any other expert (e.g. information security officer) and the data processor in the process, ideally in each phase of the assessment process. This consultation must be meaningful.
P.33 6.3.9(h)
(h) When is a new (revised) DPIA required?
A new (i.e. revised version of the) DPIA could be required if the risks resulting from the processing operations are to change, for example because a new technology has been introduced, a new processor is to be engaged under contract, or because personal data is to be used for a different purpose.
In that case, the review of the risk analysis made can show that the performance of a DPIA is no longer required.
P.34 6.3.10(b)
(b) How is the security obligation related to other provisions?
This obligation also requires the controller wishing to engage a processor under contract to undertake due diligence and assess whether the guarantees offered by the data processor, in this case the cloud service provider, are sufficient. A controller must only engage such a processor where they have faith in their ability to comply with the obligations under GDPR. During this process, the controller may take into account whether the processor provides adequate documentation proving compliance with data protection principles, which could be found in privacy policies, records management policies, information security policies, external audit reports, certifications and similar documentation. The controller in particular should take into account the processor’s expert knowledge (e.g. technical expertise when dealing with data breaches and security measures), reliability and its resources. A site visit may also be necessary. After carrying out the due diligence process, the controller should be able to take a decision with sufficient evidence demonstrating that the processor is suitable; it can then enter into a binding arrangement. It should be added that this due diligence process is not a one-time effort. The controller will have an ongoing obligation to check whether the processor is compliant and meeting their obligations, either by auditing using their own staff or a trusted third party. When outsourcing the processing of personal data (e.g. for the provision of technical assistance or cloud services), the controller must conclude a contract, another legal act or binding arrangement with the other entity, setting out clear and precise data protection obligations and the nature of processing in a detailed data processing agreement.
P.35 6.3.10(c)
An information security policy foreseeing the role of each user and the permission levels (access control) appropriate to that role, which minimises access to only the data necessary for that role and includes the system administrator accounts, is an example of an appropriate organisational measure.
P.35 6.3.10(d) What technical security measures can a SME take?
Technical measures must therefore include both physical and computer or IT security.
When considering cybersecurity, you should look at factors such as:
• system security – the security of your network and information systems, especially those which process personal data;
• data security – the security of the data you hold within your systems, e.g., ensuring appropriate access controls are in place and that data is held securely through the use of suitable levels of encryption;
P.36 6.3.10(e)
Would add:
Where Special Category Data is processed (such as health data) or personal data relating to minors, higher levels of security will be expected to be implemented and documented.
P.36 6.3.11
This section should start with the definition of what is meant by a breach and explain the difference between an incident and a breach. It is confusing otherwise.
P.37 6.3.11(b)
Consequently, this means that the controller must have internal procedures defined, tested and documented to appropriately identify and handle any breach of security concerning personal data.
In an ideal scenario, an information incident response policy should be in place before processing of personal data begins, so that it can be used should a data breach take place.
P.37 6.3.11(d)
Would add a final paragraph.
As GDPR is maturing, different DPAs are expressing different thresholds for the reporting of breaches. Where originally there was a fear of over-reporting, the DPC in Ireland has requested that a breach be reported when there is any risk identified to the data subject. This allows the Commission to identify trends and to have confidence that controllers are identifying the minor breaches and thus are able to identify the more serious breaches should they arise.
I hope you find this useful.
Alan
From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE Sent: 28 February 2020 13:09 To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Here comes D4.1 with both parts now included. We made further minor edits to Part A.
We believe that the pdf version can be submitted.
We look forward to your comments on Part B, which unfortunately comes a bit later than planned.
Best regards,
Lina
From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE Sent: Friday, February 28, 2020 8:45 AM To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Thank you for your additions and edits.
The document to be submitted to the EC will reach you shortly after noon.
Best regards,
Lina
From: nagy.renata@naih.hu <nagy.renata@naih.hu> Sent: Thursday, February 27, 2020 4:31 PM To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear Lina!
Dear All!
Thank you for sharing the restructured version of the guidance for DPAs. We only added minor additions/corrections. We confirm that the yellow parts are accurate.
We are looking forward to the handbook (the submission deadline is 29.02.2020)
Best regards,
Renáta
From: Lina JASMONTAITE <Lina.Jasmontaite@vub.be> Sent: Thursday, February 20, 2020 10:32 AM To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Once again, thank you for preparing a revised version of the guidance for DPAs. We reviewed it and now enclose an improved version of it.
It includes nearly all of your report (see the document you shared; we marked in yellow parts that were used). However, the current version is restructured, rephrased and embedded in a wider context of DPAs’ awareness raising duties. We also extracted recommendations from your report and developed a graph presenting these recommendations.
There are two parts marked in yellow that need to be checked for accuracy. Perhaps, you will want to add some other clarifications in the text. In particular, further additions could be made to the concluding remarks part.
As we provided contributions to the initial text, we would like to be considered co-authors of this guidance. What do you think about this?
The part B – the handbook for SMEs – is on its way.
Best regards,
Lina
From: nagy.renata@naih.hu <nagy.renata@naih.hu> Sent: Tuesday, January 28, 2020 4:16 PM To: 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>; Leanne Cochrane <leanne.cochrane@trilateralresearch.com> Cc: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.com>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' <sziklay.julia@naih.hu> Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear All!
Please, find enclosed the updated version of the guidance.
Best,
Renáta
From: Kulitsán Gábor <kulitsan.gabor@naih.hu> Sent: Tuesday, January 28, 2020 10:09 AM To: 'Leanne Cochrane' <leanne.cochrane@trilateralresearch.com> Cc: 'David Barnard-Wills' <David.Barnard-Wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.hu>; 'Lina JASMONTAITE' <Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' <sziklay.julia@naih.hu> Subject: RE: STAR II - Update on EDPB and validation workshop?
Hi Leanne,
Thanks for the update on the newsletter.
Regarding the upcoming events:
- The plan is to present the drafts of the guidance and the handbook at the EDPB plenary in February. However, as this is scheduled for 18-19 February, we can only do this, if the drafts are ready by then. Renáta will circulate the updated version of the guidance soon. As for the other document (handbook), Lina can provide further information.
- I have no further information on the validation workshop planned for March-April 2020.
Best,
Gábor
From: Leanne Cochrane <leanne.cochrane@trilateralresearch.com> Sent: Monday, January 27, 2020 6:25 PM To: Kulitsán Gábor <kulitsan.gabor@naih.hu> Cc: David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com>; Corinna Pannofino <Corinna.Pannofino@trilateralresearch.com>; Angelo Napolano <Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.hu>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; Sziklay Júlia <sziklay.julia@naih.hu> Subject: STAR II - Update on EDPB and validation workshop?
Hi Gabor,
I hope you are keeping well.
Our dissemination team is preparing to send out the STAR II newsletter we mentioned on our previous calls. It will be sent out this Thursday with links to the approved deliverables and some blogs. We are also including a section on upcoming events and I wanted to check with NAIH if we had any further information on the following two events:
* A presentation by NAIH to the EDPB on the STAR II project planned for the February EDPB plenary (18th-19th) in Brussels.
* A Validation workshop for the STAR II outputs, namely a 'A Risk Focused Handbook for SMEs' and a 'Guidance for DPAs' planned for March-April 2020 in Brussels.
Can I just check this information is still current and there is nothing more specific we can add at this stage?
I would be grateful if you can cc all in the reply as I am off tomorrow and the dissemination team are in need of the confirmation.
Thanks and best wishes,
Leanne
Leanne Cochrane
Senior Research Analyst | Policy, Ethics and Emerging Technologies Team
leanne.cochrane@trilateralresearch.com
www.trilateralresearch.com
Mobile: +44 (0) 7545 955 242
Skype: @ljcochrane
Dear Julia and David,
Thank you for your replies. Indeed, the end result of the extension of the timeline or a temporary suspension would be rather similar – the project would run longer. After consulting internally our finance and legal departments, however, we are of the opinion that less restrictive measures (i.e., extension of the timeline) would be more appropriate. This is also the message that we sent to the PO.
Best regards, Lina
From: Sziklay Júlia sziklay.julia@naih.hu Sent: Monday, March 16, 2020 3:26 PM To: Lina JASMONTAITE Lina.Jasmontaite@vub.be; David Barnard-Wills david.barnard-wills@trilateralresearch.com; Leanne Cochrane leanne.cochrane@trilateralresearch.com Cc: 'STAR' star@listserv.vub.ac.be Subject: RE: [star] feedback on STAR II 4.1
Dear Colleagues, I think both proposals can be reasonable but nevertheless with quite the same effect: we will be stuck in the project till the end of a prolonged deadline (presumably till autumn 2020 instead of July). I am sure the Commission is working on the issue (the world epidemic situation affects all the ongoing projects in general) so we shall keep our dialogue going on. Julia
From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE Sent: Monday, March 16, 2020 1:38 PM To: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; Leanne Cochrane <leanne.cochrane@trilateralresearch.com> Cc: STAR <star@listserv.vub.ac.be> Subject: Re: [star] feedback on STAR II 4.1
Dear David and Leanne,
Could you please let us know your position on this situation? Best regards, Lina
On 16 Mar 2020, at 11:39, Lina JASMONTAITE <Lina.Jasmontaite@vub.be> wrote:
Dear Gabor,
I understand your point of view but I believe that all three partners should have agreed to the suspension before sending a request to the PO. Following my supervisor’s advice, VUB couldn’t accept this proposal. I am ok to discuss alternative solutions with the PO. I will keep you and TRI team posted via the mailing list.
Best regards and stay safe, Lina
From: Kulitsán Gábor <kulitsan.gabor@naih.hu> Sent: Monday, March 16, 2020 11:14 AM To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be> Cc: 'STAR' <star@listserv.vub.ac.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu Subject: RE: feedback on STAR II 4.1
Dear Lina,
And how should I ask for any extension if I don’t know any exact dates or anything for sure? I think the suspension is better, indicating that the project would resume where it left off once the situation returns to normal or at least to less serious. I already sent the message to the PO, but if you have any other idea, feel free to share it with her via the portal, adding the term “on behalf of the coordinator”. I’m really sorry, but now I have neither time nor energy to act as a contact person. If you want, you can have the call as well, but I probably won’t be available. And no offense, but to be honest, currently the project is of least interest to me.
Best, Gábor
From: Lina JASMONTAITE <Lina.Jasmontaite@vub.be> Sent: Monday, March 16, 2020 10:58 AM To: Kulitsán Gábor <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu Subject: RE: feedback on STAR II 4.1
Dear Gabor,
Thanks for your email. I am not sure what a suspension would mean in terms of financial implications for VUB, so at this point I think we should request an extension in these unforeseen circumstances rather than a suspension.
While the situation is full of uncertainty and many of us need to adapt to it, we can still proceed further and work on deliverables for the project, apart from the workshop. We need to discuss a scenario with the PO what to do if the situation does not improve in upcoming weeks. If that is the case, perhaps, we should ask for the adjustment in the DOW and instead of a workshop to obtain feedback we could propose having an online consultation. This would of course affect our funding.
I think we should still have a call if not this week, then a week after.
Best regards, Lina
From: Kulitsán Gábor <kulitsan.gabor@naih.hu> Sent: Monday, March 16, 2020 10:39 AM To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu Cc: 'STAR' <star@listserv.vub.ac.be> Subject: RE: feedback on STAR II 4.1 Importance: High
Dear Lina & All
Due to the current situation I will ask the PO to temporarily suspend the project including all deadlines by reason of unforeseeable circumstances of force majeure. I’ll keep you updated.
Secondly, I can’t make tomorrow’s call, but I don’t think that’s the most important thing now anyway.
Best wishes, stay safe and take care of yourselves!
Gábor
From: Lina JASMONTAITE <Lina.Jasmontaite@vub.be> Sent: Friday, March 13, 2020 10:54 AM To: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be>; nagy.renata@naih.hu Subject: RE: feedback on STAR II 4.1
@David Barnard-Wills many thanks for sharing the extensive feedback. It’s much appreciated and we’ll implement it as soon as possible.
@Kulitsán Gábor at the university we were receiving daily updates on the situation concerning the virus. For now all external events are cancelled until the end of April. In view of this, we can suggest rescheduling the event for a later date (probably to mid or late June) in the hope that by then the situation improves and we can host the event. This would consequently require more time to finalise the handbook for the final event, and then July wouldn’t be a realistic date. My understanding is that we cannot ask for the extension of the project to the end of October/November because it is funded by the grant action. Could we however ask the PO for the cost of the final workshop as well as travelling to be eligible for the later date that would go beyond the lifetime of the project? Perhaps, before proceeding with the official communication, it would be possible to get in touch with the PO via a phone call, so we are aware of the position taken by the EC considering the current situation?
Having a call on Tuesday works well for our team.
Best regards, Lina
From: David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com> Sent: Tuesday, March 10, 2020 4:22 PM To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: feedback on STAR II 4.1
Dear all,
First, I sincerely apologise for not getting this feedback to you earlier. I assume that D4.1 was submitted? On the positive side, this feedback can presumably be included in the final version of these deliverables.
We got Alan Moore, one of our DPO team, with good practical expertise with various commercial clients to review the guidance document (You met him at the Brussels workshop). His feedback is below.
Best wishes,
DBW
I have gone through the document and have a few suggestions:
P7 Section 3.2 It can be suggested that to compensate for being awarded with limited enforcement powers…..
I would hold they have significant powers beyond the ability to fine. Their powers to instruct controllers / processor top cease processing data, among others, can ultimately shut down a business without a fine being levied. To ignore these instructions can land a director in jail for up to 5 years!
P8. DPAs The focus on standardisation and EDPB. Art 60 was an after thought and the general view is the it cannot operate within the prescribed timelines. The ECJ will be the ultimate arbiter for standardisation of approaches / laws / requirements but each National Authority must be free to interpret facts presented in its own way. Their independence is anchored in the EU treaties. A complication that will eventually need to be addressed.
P8. 3.3 Should be aware that translation into romance languages can carry a different commutation the was intended by the Directive and DPA have a key role to explain the true intent / meaning.
P9. 3.4 Typo in second paragraph. It also could be considered e the most
P10. It appeared that most DPAs do not use internal guidance to direct…. What has been the result of this? A key concern in the Irish DPC has been delivering a consistent message and not providing a different answer to the same or similar callers on different occasions.
P11. 4 Unclear use of language - first paragraph This initiative allowed to be confirmed that It allowed to be obtained
P11.4. Would stress the importance of standardisation of response & P12 4 Add ‘c’? Implement a control process to ensure standardisation of responses to similar questions / scenarios
P13. 4.2 Might mention the concern that callers may have that showing their hand may trigger an investigation. Callers need to be reassured and encouraged to participate. Approaches do differ between different DPAs.
P13. 4.2.1 It was decided to create a dedicated part Following up on from this decision
P15. 4.2.3 I would stress the value of face to face more as context can be complicated and the caller is subject to information and power asymmetry.
P16 4.5 last paragraph We are included inclined to
P21 6.2 last paragraph DPAs across the EU have reported to engage that they have engaged in
P22 6.3 4.5 last paragraph Slovic suggests that the following elements play a role when evaluating risk:
1. The degree to which an individual feels in control 2. The nature of consequences and the distribution of the impact
P23 6.3 2nd paragraph Which is perceived ‘as the coordinated activities to direct and control an organisation with regard to risk’ 47 This is most practically evidenced by the development and maintaining of a formal risk register.
(This risk section is very cerebral I fear and wont help with the ‘how’)
P23 6.3.1 Typically, the risk based approach formula approach in the GDPR includes the following elements to be taken into account:
* The state of the art in terms of technology for of the means of processing (state of the art needs to be explained – does not mean the best there is but rather the minimum expectable / expected)
P24 6.3.2 I would add a sentence or two on the benefits undertaking a voluntary DPIA which include:
* Documented understanding of the how the system works * Known points of integration with other systems * Assigning accountability * Ensuring organisational standards (security / access etc) are being complied with * Demonstrated commitment to GDPR * General piece of mind / greater organisational resilience
P24 6.3.5 I would add a piece on keeping a formal risk register of risks to data subjects, separate from ant organisation risk register of risks to the organisation in which all risks are assigned an owner and a review date.
P25 6.3.5 (b) What does SMEs need to do to be accountable?
Second paragraph …that the principle of accountability as an elements of good
P.26 first line … that the demonstration of compliance
P.26 6.3.6 (b)
* Implement data protection principles (see Article 5) and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects (see Chapter III) in an effective manner; * This should done at the time of the determination of the means for processing and implemented before the time of the processing itself. (not that clear in the text.)
P.27 6.3.6 (c) It should be noted that some DPAs while note defining and technical or organisation measures will nonetheless express an expectation such as the Irish DPC in terms of the use of encryption whenever possible where personal data is at rest or in transit.
P.28 6.3.7 (b) 2nd paragraph It is assumed that organisations will, however, benefit more from maintaining their documentation electronically as such documentation can they can easily added to, have entries removed when obsolete, and amend entries it as necessary. However paper documentation is regarded as being appropriate for SMEs and micro enterprises. It should be added that SMEs (entities having less than 250 employees) are technically exempt from this obligation if provided they are undertaking: • processing that is not likely to result in a risk to the rights and freedoms of data subjects; • processing that is not occasional (meaning that it is not regularly / frequently undertaken); or • processing that does not include special categories of data or personal data relating to criminal convictions and offences.
In reality, very few SMEs can avail of this exemption unless the process very little data. Most SMEs will usually have some special category data as part of their HR files.
They can be are available on the websites….
P.29 6.3.8 (a) 2 Large scale is not defined by the legislation though different DPAs have given some guidance relevant to different activities.
For SMEs who provide services into other organisations, the voluntary appointment of an internal or outsourced DPO can provide commercial and strategic advantage by communicating a commitment to data protection and promoting higher levels of trust.
P.29 6.3.8 (b)
A DPO may either be an employee of the SME or an external expert, but in both cases, it is fundamental that he or she is independent, in the sense that: • the DPO shall be provided of with all the necessary resources to carry on his/her tasks, in terms of money, time, workforce, time to devote to professional development etc.; • the DPO shall not receive instructions for the exercise of his/her tasks; • the DPO shall not be dismissed or penalized for the performance of his/her tasks; • the DPO shall report to the highest level of management; and • the DPO should not be in have any conflict of interest in respect to other tasks and duties (e.g. determining objects and purposes of the processing, representing the SME in legal proceeding).
P.30 6.3.8 (c) Tasks of DPOs
DPOs can:
• Inform and advise the SME on the obligations arising from the GDPR and the national data protection provisions
• Monitor the compliance of the SME with the GDPR, the national data protection provisions and (eventual) its internal data policies
• Carry on awareness raising activities and training for the staff of the SME dealing with data processing
• Provide advice to the SME and monitor the performance in relation to the DPIA (when a DPIA is required)
• Act as contact point for the supervisory authority in case of prior consultation
• Cooperate with the supervisory authority
• Be contacted by data subjects wishing to exercise their rights
DPOs cannot:
• Be held accountable for the information and advice given to the SME (I do not agree with this. They are not accountable for whether their advice is implemented or not, but they can be held accountable for being negligent.)
• Be considered personally responsible for non-compliance with data protection requirements
• Perform the DPIA (Not true. There is no reason why a DPO cannot take the lead in undertaking a DPIA, especially where the skills do not exist elsewhere in the organisation, but the responsibility to ensure one is done remains with the controller.)
• Represent the SME in front of the DPA or in a court in case of proceedings (Not quite so. The DPO remains the first point of contact for data subjects and the DPAs and may be called to account for advice / provide an explanation as to how data was processed based on their monitoring of processing activities.)
• Be considered responsible for the maintenance of the register (True, but they are responsible for providing oversight as to whether it is maintained.)
• Simultaneously hold another position in the organisation that helps define the means and purposes of processing of any personal data
• Create and maintain the register of processing (in the exceptional situations where SMEs are required to have one) (Not true: under Art 30 it is the responsibility of the controller.)
P.31 6.3.9(a) Data Protection Impact Assessment (a) Background The DPIA is a new addition to the EU data protection framework. It builds on the rich experience of conducting impact assessments in other fields, in particular on environmental impact assessments. To be effective, impact assessments are carried out at the early stage of a project (proactive initiative), at the phase of planning or designing, and are aimed to identify and help mitigate any potential beneficial and adverse (i.e. negative) impacts arising from the intended processing of personal data within the project. Impact assessments are risk-based exercises that help decision-makers find the best and most beneficial solutions for the development and deployment of initiatives while protecting the rights and freedoms of data subjects. To be practical, impact assessments must be scalable, flexible and applicable inter alia for large organisations, consortia or small and medium-sized enterprises. Any risks identified will be entered into the Data Protection Risk Register.
P.32 6.3.9(c) (c) What are the elements and characteristics of the processing that may generate the high risks to rights and freedoms of individuals? The following elements that contribute to the high risks to data subjects from this provision were extracted by the
(d) What situations could require a DPIA? Examples of processing operations that could trigger a DPIA:
• If the SME is implementing a new tool to monitor access to the office combining the use of fingerprints and facial recognition technology;
• If the SME is a biotechnology company offering genetic tests directly to consumers in order to assess and predict disease/health risks;
• If the SME is providing CCTV surveillance for a shopping centre or using a large number of cameras in its own premises.
(e) Who should perform a DPIA, and when? Although the data processor and the data protection officer shall assist the data controller (i.e., the SME), the final responsibility for the DPIA process rests with the data controller.
(f) When is a DPIA not required?
• When the data processing operations are included in a list, compiled by the DPA, of data processing operations which do not require a DPIA
P.33 6.3.9(g) 4) Involve data subjects and/or their representatives, the data protection officer and any other expert (e.g. information security officer) and the data processor in the process, ideally in each phase of the assessment process. This consultation must be meaningful.
P.33 6.3.9(h) (h) When is a new (revised) DPIA required? A new (i.e. revised) DPIA could be required if the risks resulting from the processing operations are to change, for example because a new technology is to be introduced, a new processor is to be engaged under contract, or because personal data is to be used for a different purpose.
In that case, a review of the risk analysis can also show that the performance of a DPIA is no longer required.
P.34 6.3.10(b) (b) How is the security obligation related to other provisions? This obligation also requires the controller wishing to engage a processor under contract to undertake due diligence and assess whether the guarantees offered by the data processor, in this case the cloud service provider, are sufficient. A controller must only engage such a processor where it has faith in the processor's ability to comply with the obligations under the GDPR. During this process, the controller may take into account whether the processor provides adequate documentation proving compliance with data protection principles, such as can be found in privacy policies, records management policies, information security policies, external audit reports, certifications and similar documentation. The controller in particular should take into account the processor's expert knowledge (e.g. technical expertise when dealing with data breaches and security measures), reliability and resources. A site visit may also be necessary. After carrying out the due diligence process, the controller should be able to take a decision with sufficient evidence demonstrating that the processor is suitable; it can then enter into a binding arrangement. It should be added that this due diligence process is not a one-time effort. The controller will have an ongoing obligation to check whether the processor is compliant and meeting its obligations, either by auditing using its own staff or a trusted third party. When outsourcing the processing of personal data (e.g. for the provision of technical assistance or cloud services), the controller must conclude a contract, another legal act or a binding arrangement with the other entity, setting out clear and precise data protection obligations and the nature of the processing in a detailed data processing agreement.
P.35 6.3.10(c) An information security policy foreseeing the role of each user and the required permission levels (access control) appropriate to the role, which minimises access to only that data necessary for that role, including the system administrator accounts, is an example of an appropriate organisational measure.
P.35 6.3.10(d) What technical security measures can an SME take? Technical measures must therefore include both physical and computer or IT security.
When considering cybersecurity, you should look at factors such as:
• system security – the security of your network and information systems, especially those which process personal data;
• data security – the security of the data you hold within your systems, e.g., ensuring appropriate access controls are in place and that data is held securely through the use of suitable levels of encryption;
P.36 6.3.10(e) Would add: Where Special Category Data is processed (such as health data) or personal data relating to minors, higher levels of security will be expected to be implemented and documented.
P.36 6.3.11 This section should start with the definition of what is meant by a breach and explain the difference between an incident and a breach. It is confusing otherwise.
P.37 6.3.11(b) Consequently, this means that the controller must have internal procedures defined, tested and documented to appropriately identify and handle any breach of security concerning personal data.
In an ideal scenario, an incident response policy should be in place before the processing of personal data begins, so that it can be used should a data breach take place.
P.37 6.3.11(d) Would add a final paragraph. As the GDPR is maturing, different DPAs are expressing different thresholds for the reporting of breaches. Where originally there was a fear of over-reporting, the DPC in Ireland has requested that a breach be reported when there is any risk identified to the data subject. This allows the Commission to identify trends and to have confidence that controllers are identifying the minor breaches and thus are able to identify the more serious breaches should they arise.
I hope you find this useful.
Alan
From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE Sent: 28 February 2020 13:09 To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Here comes D4.1 with both parts now included. We made further minor edits to Part A. We believe that the pdf version can be submitted. We look forward to your comments on Part B, which unfortunately comes a bit later than planned.
Best regards, Lina
From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE Sent: Friday, February 28, 2020 8:45 AM To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Thank you for your additions and edits. The document to be submitted to the EC will reach you shortly after noon.
Best regards, Lina
From: nagy.renata@naih.hu <nagy.renata@naih.hu> Sent: Thursday, February 27, 2020 4:31 PM To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear Lina! Dear All!
Thank you for sharing the restructured version of the guidance for DPAs. We only added minor additions/corrections. We confirm that the yellow parts are accurate.
We are looking forward to the handbook (the submission deadline is 29.02.2020)
Best regards,
Renáta
From: Lina JASMONTAITE <Lina.Jasmontaite@vub.be> Sent: Thursday, February 20, 2020 10:32 AM To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Once again, thank you for preparing a revised version of the guidance for DPAs. We reviewed it and now enclose an improved version of it. It includes nearly all of your report (see the document you shared; we marked in yellow the parts that were used). However, the current version is restructured, rephrased and embedded in the wider context of DPAs' awareness raising duties. We also extracted recommendations from your report and developed a graph presenting these recommendations. There are two parts marked in yellow that need to be checked for accuracy. Perhaps you will want to add some other clarifications in the text. In particular, further additions could be made to the concluding remarks part. As we provided contributions to the initial text, we would like to be considered co-authors of this guidance. What do you think about this?
Part B – the handbook for SMEs – is on its way.
Best regards, Lina
From: nagy.renata@naih.hu <nagy.renata@naih.hu> Sent: Tuesday, January 28, 2020 4:16 PM To: 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>; Leanne Cochrane <leanne.cochrane@trilateralresearch.com> Cc: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.com>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' <sziklay.julia@naih.hu> Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear All!
Please, find enclosed the updated version of the guidance.
Best,
Renáta
From: Kulitsán Gábor <kulitsan.gabor@naih.hu> Sent: Tuesday, January 28, 2020 10:09 AM To: 'Leanne Cochrane' <leanne.cochrane@trilateralresearch.com> Cc: 'David Barnard-Wills' <David.Barnard-Wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.hu>; 'Lina JASMONTAITE' <Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' <sziklay.julia@naih.hu> Subject: RE: STAR II - Update on EDPB and validation workshop?
Hi Leanne,
Thanks for the update on the newsletter.
Regarding the upcoming events:
* The plan is to present the drafts of the guidance and the handbook at the EDPB plenary in February. However, as this is scheduled for 18-19 February, we can only do this if the drafts are ready by then. Renáta will circulate the updated version of the guidance soon. As for the other document (handbook), Lina can provide further information.
* I have no further information on the validation workshop planned for March-April 2020.
Best, Gábor
From: Leanne Cochrane <leanne.cochrane@trilateralresearch.com> Sent: Monday, January 27, 2020 6:25 PM To: Kulitsán Gábor <kulitsan.gabor@naih.hu> Cc: David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com>; Corinna Pannofino <Corinna.Pannofino@trilateralresearch.com>; Angelo Napolano <Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.hu>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; Sziklay Júlia <sziklay.julia@naih.hu> Subject: STAR II - Update on EDPB and validation workshop?
Hi Gabor,
I hope you are keeping well.
Our dissemination team is preparing to send out the STAR II newsletter we mentioned on our previous calls. It will be sent out this Thursday with links to the approved deliverables and some blogs. We are also including a section on upcoming events and I wanted to check with NAIH if we had any further information on the following two events:
* A presentation by NAIH to the EDPB on the STAR II project, planned for the February EDPB plenary (18th-19th) in Brussels.
* A validation workshop for the STAR II outputs, namely 'A Risk Focused Handbook for SMEs' and a 'Guidance for DPAs', planned for March-April 2020 in Brussels.
Can I just check this information is still current and that there is nothing more specific we can add at this stage?
I would be grateful if you can cc all in the reply as I am off tomorrow and the dissemination team are in need of the confirmation.
Thanks and best wishes, Leanne
Leanne Cochrane
Senior Research Analyst | Policy, Ethics and Emerging Technologies Team
leanne.cochrane@trilateralresearch.com
www.trilateralresearch.com
Mobile: +44 (0) 7545 955 242
Skype: @ljcochrane
Dear All,
Response of the PO (see research portal - process communications)
"Dear coordinator,
Thank you for contacting us.
In relation to your request, we are aware of the heavy circumstances our projects are facing due to the current Coronavirus pandemic. Therefore, we are offering our projects the possibility to apply for project prolongation, e.g. for up to 6 months (depending on the justifications provided), and postponement of activities. There is also, in principle, the option of total suspension but, given that the suspension procedure is much heavier, we do recommend our projects to apply for prolongation instead. Please let me know which way you would like to proceed - amendment for prolongation, or still total suspension?
Kind regards,
Angeelika"
If we accept the PO's recommendation and apply for project prolongation and postponement of activities, we still have to agree on the period of time. If we take this solution, I think we should ask for at least 3 months, since we have to organise two international workshops, and travelling in Europe is currently quite problematic and it's rather uncertain when the situation will change.
Best, Gábor
Quote (Lina JASMONTAITE Lina.Jasmontaite@vub.be):
Dear Julia and David,
Thank you for your replies. Indeed, the end result of the extension of the timeline or a temporary suspension would be rather similar – the project would run longer. After consulting internally with our finance and legal departments, however, we are of the opinion that less restrictive measures (i.e., extension of the timeline) would be more appropriate. This is also the message that we sent to the PO.
Best regards, Lina
From: Sziklay Júlia <sziklay.julia@naih.hu> Sent: Monday, March 16, 2020 3:26 PM To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; Leanne Cochrane <leanne.cochrane@trilateralresearch.com> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: RE: [star] feedback on STAR II 4.1
Dear Colleagues, I think both proposals can be reasonable, but nevertheless with quite the same effect: we will be stuck in the project till the end of a prolonged deadline (presumably till autumn 2020 instead of July). I am sure the Commission is working on the issue (the world epidemic situation affects all the ongoing projects in general), so we shall keep our dialogue going. Julia
From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE Sent: Monday, March 16, 2020 1:38 PM To: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; Leanne Cochrane <leanne.cochrane@trilateralresearch.com> Cc: STAR <star@listserv.vub.ac.be> Subject: Re: [star] feedback on STAR II 4.1
Dear David and Leanne,
Could you please let us know your position on this situation? Best regards, Lina
On 16 Mar 2020, at 11:39, Lina JASMONTAITE <Lina.Jasmontaite@vub.be> wrote:
Dear Gabor,
I understand your point of view but I believe that all three partners should have agreed to the suspension before sending a request to the PO. Following my supervisor’s advice, VUB couldn’t accept this proposal. I am ok to discuss alternative solutions with the PO. I will keep you and TRI team posted via the mailing list.
Best regards and stay safe, Lina
From: Kulitsán Gábor <kulitsan.gabor@naih.hu> Sent: Monday, March 16, 2020 11:14 AM To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be> Cc: 'STAR' <star@listserv.vub.ac.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu Subject: RE: feedback on STAR II 4.1
Dear Lina,
And how should I ask for any extension if I don't know any exact dates or anything for sure? I think the suspension is better, indicating that the project would resume where it left off once the situation returns to normal, or at least becomes less serious. I already sent the message to the PO, but if you have any other idea, feel free to share it with her via the portal, adding the phrase "on behalf of the coordinator". I'm really sorry, but now I have neither the time nor the energy to act as a contact person. If you want, you can have the call as well, but I probably won't be available. And no offence, but to be honest, currently the project is of least interest to me.
Best, Gábor
From: Lina JASMONTAITE <Lina.Jasmontaite@vub.be> Sent: Monday, March 16, 2020 10:58 AM To: Kulitsán Gábor <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu Subject: RE: feedback on STAR II 4.1
Dear Gabor,
Thanks for your email. I am not sure what a suspension would mean in terms of financial implications for VUB, so at this point I think we should request an extension in these unforeseen circumstances rather than a suspension.
While the situation is full of uncertainty and many of us need to adapt to it, we can still proceed further and work on deliverables for the project, apart from the workshop. We need to discuss a scenario with the PO for what to do if the situation does not improve in the upcoming weeks. If that is the case, perhaps we should ask for an adjustment in the DOW and, instead of a workshop to obtain feedback, we could propose having an online consultation. This would of course affect our funding.
I think we should still have a call if not this week, then a week after.
Best regards, Lina
From: Kulitsán Gábor <kulitsan.gabor@naih.hu> Sent: Monday, March 16, 2020 10:39 AM To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu Cc: 'STAR' <star@listserv.vub.ac.be> Subject: RE: feedback on STAR II 4.1 Importance: High
Dear Lina & All
Due to the current situation I will ask the PO to temporarily suspend the project, including all deadlines, by reason of unforeseeable circumstances of force majeure. I'll keep you updated.
Secondly, I can’t make tomorrow’s call, but I don’t think that’s the most important thing now anyway.
Best wishes, stay safe and take care of yourselves!
Gábor
From: Lina JASMONTAITE <Lina.Jasmontaite@vub.be> Sent: Friday, March 13, 2020 10:54 AM To: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be>; nagy.renata@naih.hu Subject: RE: feedback on STAR II 4.1
@David Barnard-Wills many thanks for sharing the extensive feedback. It's much appreciated and we'll implement it as soon as possible.
@Kulitsán Gábor at the university we have been receiving daily updates on the situation concerning the virus. For now all external events are cancelled until the end of April. In view of this, we can suggest rescheduling the event for a later date (probably mid or late June) in the hope that by then the situation improves and we can host the event. This would consequently require more time to finalise the handbook for the final event, and then July wouldn't be a realistic date. My understanding is that we cannot ask for the extension of the project to the end of October/November because it is funded by the grant action. Could we, however, ask the PO for the cost of the final workshop as well as travel to be eligible for a later date that would go beyond the lifetime of the project? Perhaps, before proceeding with the official communication, it would be possible to get in touch with the PO via a phone call, so we are aware of the position taken by the EC considering the current situation?
Having a call on Tuesday works well for our team.
Best regards, Lina
From: David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com> Sent: Tuesday, March 10, 2020 4:22 PM To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: feedback on STAR II 4.1
Dear all,
First, I sincerely apologise for not getting this feedback to you earlier. I assume that D4.1 was submitted? On the positive side, this feedback can presumably be included in the final version of these deliverables.
We got Alan Moore, one of our DPO team, with good practical expertise with various commercial clients to review the guidance document (You met him at the Brussels workshop). His feedback is below.
Best wishes,
DBW
I have gone through the document and have a few suggestions:
P7 Section 3.2 It can be suggested that to compensate for being awarded with limited enforcement powers…..
I would hold they have significant powers beyond the ability to fine. Their powers to instruct controllers / processor top cease processing data, among others, can ultimately shut down a business without a fine being levied. To ignore these instructions can land a director in jail for up to 5 years!
P8. DPAs The focus on standardisation and EDPB. Art 60 was an after thought and the general view is the it cannot operate within the prescribed timelines. The ECJ will be the ultimate arbiter for standardisation of approaches / laws / requirements but each National Authority must be free to interpret facts presented in its own way. Their independence is anchored in the EU treaties. A complication that will eventually need to be addressed.
P8. 3.3 Should be aware that translation into romance languages can carry a different commutation the was intended by the Directive and DPA have a key role to explain the true intent / meaning.
P9. 3.4 Typo in second paragraph. It also could be considered e the most
P10. It appeared that most DPAs do not use internal guidance to direct…. What has been the result of this? A key concern in the Irish DPC has been delivering a consistent message and not providing a different answer to the same or similar callers on different occasions.
P11. 4 Unclear use of language - first paragraph This initiative allowed to be confirmed that It allowed to be obtained
P11.4. Would stress the importance of standardisation of response & P12 4 Add ‘c’? Implement a control process to ensure standardisation of responses to similar questions / scenarios
P13. 4.2 Might mention the concern that callers may have that showing their hand may trigger an investigation. Callers need to be reassured and encouraged to participate. Approaches do differ between different DPAs.
P13. 4.2.1 It was decided to create a dedicated part Following up on from this decision
P15. 4.2.3 I would stress the value of face to face more as context can be complicated and the caller is subject to information and power asymmetry.
P16 4.5 last paragraph We are included inclined to
P21 6.2 last paragraph DPAs across the EU have reported to engage that they have engaged in
P22 6.3 4.5 last paragraph Slovic suggests that the following elements play a role when evaluating risk:
- The degree to which an individual feels in control
- The nature of consequences and the distribution of the impact
P23 6.3 2nd paragraph Which is perceived ‘as the coordinated activities to direct and control an organisation with regard to risk’ 47 This is most practically evidenced by the development and maintaining of a formal risk register.
(This risk section is very cerebral I fear and wont help with the ‘how’)
P23 6.3.1 Typically, the risk based approach formula approach in the GDPR includes the following elements to be taken into account:
- The state of the art in terms of technology for of the means
of processing (state of the art needs to be explained – does not mean the best there is but rather the minimum expectable / expected)
P24 6.3.2 I would add a sentence or two on the benefits undertaking a voluntary DPIA which include:
- Documented understanding of the how the system works
- Known points of integration with other systems
- Assigning accountability
- Ensuring organisational standards (security / access etc) are
being complied with
- Demonstrated commitment to GDPR
- General piece of mind / greater organisational resilience
P24 6.3.5 I would add a piece on keeping a formal risk register of risks to data subjects, separate from ant organisation risk register of risks to the organisation in which all risks are assigned an owner and a review date.
P25 6.3.5 (b) What does SMEs need to do to be accountable?
Second paragraph …that the principle of accountability as an elements of good
P.26 first line … that the demonstration of compliance
P.26 6.3.6 (b)
- Implement data protection principles (see Article 5) and to
integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects (see Chapter III) in an effective manner;
- This should done at the time of the determination of the means
for processing and implemented before the time of the processing itself. (not that clear in the text.)
P.27 6.3.6 (c) It should be noted that some DPAs while note defining and technical or organisation measures will nonetheless express an expectation such as the Irish DPC in terms of the use of encryption whenever possible where personal data is at rest or in transit.
P.28 6.3.7 (b) 2nd paragraph It is assumed that organisations will, however, benefit more from maintaining their documentation electronically as such documentation can they can easily added to, have entries removed when obsolete, and amend entries it as necessary. However paper documentation is regarded as being appropriate for SMEs and micro enterprises. It should be added that SMEs (entities having less than 250 employees) are technically exempt from this obligation if provided they are undertaking: • processing that is not likely to result in a risk to the rights and freedoms of data subjects; • processing that is not occasional (meaning that it is not regularly / frequently undertaken); or • processing that does not include special categories of data or personal data relating to criminal convictions and offences.
In reality, very few SMEs can avail of this exemption unless the process very little data. Most SMEs will usually have some special category data as part of their HR files.
They can be are available on the websites….
P.29 6.3.8 (a) 2 Large scale is not defined by the legislation though different DPAs have given some guidance relevant to different activities.
For SMEs who provide services into other organisations, the voluntary appointment of an internal or outsourced DPO can provide commercial and strategic advantage by communicating a commitment to data protection and promoting higher levels of trust.
P.29 6.3.8 (b)
A DPO may either be an employee of the SME or an external expert, but in both cases, it is fundamental that he or she is independent, in the sense that:
• the DPO shall be provided of with all the necessary resources to carry on his/her tasks, in terms of money, time, workforce, time to devote to professional development etc.;
• the DPO shall not receive instructions for the exercise of his/her tasks;
• the DPO shall not be dismissed or penalized for the performance of his/her tasks;
• the DPO shall report to the highest level of management; and
• the DPO should not be in have any conflict of interest in respect to other tasks and duties (e.g. determining objects and purposes of the processing, representing the SME in legal proceeding).
P.30 6.3.8 (c) Task of DPOs
DPOs cannot
- Inform and advice the SME on the obligations arising from the GDPR and the national data protection provisions
- Be held accountable for the information and advice given to the SME (I do not agree with this. They are not accountable for whether their advice is implemented or not but they can be held accountable for being negligent)
- Monitor the compliance of the SME with the GDPR, the national data protection provisions and (eventual) its internal data policies
- Be considered personally responsible for non-compliance with data protection requirements
- Carry on awareness raising activities and training for the staff of the SME dealing with data processing
- Perform the DPIA. Not true. There is no reason why a DPO cannot take the lead in undertaking a DPIA, especially where the skills do not exist elsewhere in the organization, but the responsibility to ensure one is done remains with the Controller.
- Provide advice to the SME and monitor the performance in relation to the DPIA (when a DPIA is required)
- Represent the SME in front of the DPA or in a court in case of proceedings. Not quite so. The DPO remains the first point of contact for data subjects and the DPAs and may be called to account for advice / provide an explanation as to how data was processed based on their monitoring of processing activities.
- Act as contact point for the supervisory authority in case of prior consultation
- Be considered responsible for the maintenance of the register. True, but they are responsible for providing oversight as to whether it is maintained.
- Cooperate with the supervisory authority
- Simultaneously hold another position in the organization that helps define the means and purposes of processing of any personal data.
- Be contacted by data subjects willing wishing to exercise their rights
- Create and maintain the register of processing (in the exceptional situations where SME are required to have it one). Not true, under Art 30 it is the responsibility of the Controller.
P.31 6.3.9(a) Data Protection Impact Assessment (a) Background The DPIA is a new addition to the EU data protection framework. It builds on the rich experience of conducting impact assessments in other fields, in particular, on the environmental impact assessments. To be effective, impact assessments are carried out at the early stage of a project (proactive initiative), at the phase of planning or designing, and are aimed to identify and help mitigate anticipate the any potential beneficial and adverse (i.e. negative) impacts arising from the intended processing of personal data of such within the project. Impact assessments are risk based exercises that help decision-makers find the best and most beneficial solutions for the development and deployment of initiatives while protecting the rights and freedoms of data subjects. To be practical, impact assessments must be scalable, flexible and applicable inter alia for large organisations, consortia or for small and medium-sized enterprises. Any risks identified will be entered into the Data Protection Risk Register.
P.32 6.3.9(c) (c) What are the elements and characteristics of the processing that may generate the high risks to rights and freedoms of individuals? The following elements that contribute to the high risks to data subjects from this provision were extracted by the
(d) What situations could require a DPIA? Examples of processing operations that could trigger a DPIA:
• If the SME is implementing a new tool to monitor access to office combining use of fingerprints and face facial recognition technology;
• If the SME is a biotechnology company offering genetic tests directly to consumers in order to assess and predict the disease/health risks;
• If the SME is providing CCTV surveillance for a shopping centre or using a large number of cameras in their own premises.
(e) Who and when should perform a DPIA? Albeit the data processor and the data protection officer shall assist the data controller (i.e., SME), the final responsibility on for the DPIA process relies on rests with the data controller.
(f) When is a DPIA is not required?
• When the data processing operations are included in any list of data processing operations compiled by the DPA non which do not requiring a DPIA
P.33 6.3.9(g) 4) Involve data subjects and/or their representatives, the data protection officer and any other expert (e.g. information security officer) and the data processor in the process, ideally in each phase of the assessment process. This consultation must be meaningful.
P.33 6.3.9(h) (h) When a new (revised) DPIA is required? A new (i.e. revised version of) DPIA could be required if the risks resulting from the processing operations are to change, for example because a new technology is to be has been introduced, a new processor is to be engaged under contract, or because personal data is being to be used for a different purpose
In that case, the review of the risk analysis made can show that the performance of a DPIA is no longer required.
P.34 6.3.10(b) (b) How the security obligation is related to other provisions? This obligation also requires the controller wishing to engage a processor under contract to undertake due diligence and assess whether the guarantees offered by the data processor, in this case the cloud service provider, are sufficient. A controller must only engage such a processor where they have faith in their ability to comply with the obligations under GDPR. During this process, the controller may take into account whether the processor provides adequate documentation proving compliance with data protection principles that could be found in privacy policies, records management policies, information security policies, external audit reports, certifications and similar documentation. The controller in particular should take into account the processor’s expert knowledge (e.g. technical expertise when dealing with data breaches and security measures), reliability and its resources. A site visit may also be necessary. After carrying out the due diligence process, the controller should be able to take a decision with sufficient evidence demonstrating that the processor is suitable, it can then enter into a binding arrangement. It should be added that this due diligence process is not a one-time effort. and it needs to be regularly repeated in order The controller will have an ongoing obligation to check whether the processor is compliant and meeting their obligations either by auditing using their own staff or a trusted third party. When outsourcing the processing of personal data (e.g. for the provision of technical assistance or cloud services), the controller should must conclude a contract, another legal act or binding arrangement with the other entity already setting out clear and precise data protection obligations and the nature of processing in a detailed data processing agreement.
P.35 6.3.10(c) An information security policy foreseeing the role of each user and the required permission levels (access control) appropriate to the role which minimises access to only that data necessary for that role. This includes the system administrator accounts is as an example of an appropriate organisational measure.
P.35 6.3.10(d) What technical security measures can a SME take? Technical measures must therefore include both physical and computer or IT security.
When considering cybersecurity, you should look at factors such as:
• system security – the security of your network and information systems, including especially those which process personal data;
• data security – the security of the data you hold within your systems, e.g., ensuring appropriate access controls are in place and that data is held securely through the use of suitable levels of encryption;
P.36 6.3.10(e) Would add: Where Special Category Data is processed (such as health data) or personal data relating to minors, higher levels of security will be expected to be implemented and documented.
P.36 6.3.11 This section should start with the definition of what is meant by a breach and explain the difference between an incident and a breach. It is confusing otherwise.
P.37 6.3.11(b) Consequently, this means that the controller must have an internal procedures defined, tested and documented allowing to confirm to appropriately identify and handle any breach of security concerning personal data.
In an ideal scenario, an information incident response policy should precede be in place before processing of personal data begins so that any the occurrence of an incident so that it could be used should a data breach take place.
P.37 6.3.11(d) Would add a final paragraph. As GDPR is maturing, different DPAs are expressing different thresholds for the reporting of breaches. Where originally there was a fear of over reporting, the DPC in Ireland has requested a breach be reported when there is any risk identified to the data subject. This allows the Commission to identify trends and to have confidence that controllers are identifying the minor breaches and thus are able to identify the more serious breaches should they arise.
I hope you find this useful.
Alan
From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE Sent: 28 February 2020 13:09 To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Here comes D4.1 with both parts now included. We made further minor edits to Part A. We believe that the pdf version can be submitted. We look forward to your comments on Part B, which unfortunately comes a bit later than planned.
Best regards, Lina
From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE Sent: Friday, February 28, 2020 8:45 AM To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Thank you for your additions and edits. The document to be submitted to the EC will reach you shortly after noon.
Best regards, Lina
From: nagy.renata@naih.hu <nagy.renata@naih.hu> Sent: Thursday, February 27, 2020 4:31 PM To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear Lina! Dear All!
Thank you for sharing the restructured version of the guidance for DPAs. We only added minor additions/corrections. We confirm that the yellow parts are accurate.
We are looking forward to the handbook (the submission deadline is 29.02.2020)
Best regards,
Renáta
From: Lina JASMONTAITE <Lina.Jasmontaite@vub.be> Sent: Thursday, February 20, 2020 10:32 AM To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Once again, thank you for preparing a revised version of the guidance for DPAs. We reviewed it now enclose an improved version of it. It includes nearly all of your report (see the document you shared; we marked in yellow parts that were used). However, the current version is restructured, rephrased and embedded in a wider context of DPAs’ awareness raising duties. We also extracted recommendations from your report and developed a graph presenting these recommendations. There are two parts marked in yellow that need to be checked for accuracy. Perhaps, you will want to add some other clarifications in the text. In particular, further additions could be made to the concluding remarks part. As we provided contributions to the initial text, we would like to be considered co-authors of this guidance. What do you think about this?
The part B – the handbook for SMEs – is on a way.
Best regards, Lina
From: nagy.renata@naih.hu <nagy.renata@naih.hu> Sent: Tuesday, January 28, 2020 4:16 PM To: 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>; Leanne Cochrane <leanne.cochrane@trilateralresearch.com> Cc: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.com>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' <sziklay.julia@naih.hu> Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear All!
Please, find enclosed the updated version of the guidance.
Best,
Renáta
From: Kulitsán Gábor <kulitsan.gabor@naih.hu> Sent: Tuesday, January 28, 2020 10:09 AM To: 'Leanne Cochrane' <leanne.cochrane@trilateralresearch.com> Cc: 'David Barnard-Wills' <David.Barnard-Wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.hu>; 'Lina JASMONTAITE' <Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' <sziklay.julia@naih.hu> Subject: RE: STAR II - Update on EDPB and validation workshop?
Hi Leanne,
Thanks for the update on the newsletter.
Regarding the upcoming events:
- The plan is to present the drafts of the guidance and the handbook at the EDPB plenary in February. However, as this is scheduled for 18-19 February, we can only do this, if the drafts are ready by then. Renáta will circulate the updated version of the guidance soon. As for the other document (handbook), Lina can provide further information.
- I have no further information on the validation workshop planned for March-April 2020.
Best, Gábor
From: Leanne Cochrane [mailto:leanne.cochrane@trilateralresearch.com] Sent: Monday, January 27, 2020 6:25 PM To: Kulitsán Gábor <kulitsan.gabor@naih.hu> Cc: David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com>; Corinna Pannofino <Corinna.Pannofino@trilateralresearch.com>; Angelo Napolano <Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.hu>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; Sziklay Júlia <sziklay.julia@naih.hu> Subject: STAR II - Update on EDPB and validation workshop?
Hi Gabor,
I hope you are keeping well.
Our dissemination team is preparing to send out the STAR II newsletter we mentioned on our previous calls. It will be sent out this Thursday with links to the approved deliverables and some blogs. We are also including a section on upcoming events and I wanted to check with NAIH if we had any further information on the following two events:
- A presentation by NAIH to the EDPB on the STAR II project planned for the February EDPB plenary (18th-19th) in Brussels.
- A Validation workshop for the STAR II outputs, namely 'A Risk Focused Handbook for SMEs' and a 'Guidance for DPAs', planned for March-April 2020 in Brussels. Can I just check this information is still current and there is nothing more specific we can add at this stage?
I would be grateful if you can cc all in the reply as I am off tomorrow and the dissemination team are in need of the confirmation.
Thanks and best wishes, Leanne
Leanne Cochrane
Senior Research Analyst | Policy, Ethics and Emerging Technologies Team
leanne.cochrane@trilateralresearch.com
www.trilateralresearch.com
Mobile: +44 (0) 7545 955 242
Skype:@ljcochrane
This seems a very good solution.
On 17/03/2020, 10:21, "star-bounces@listserv.vub.ac.be on behalf of kulitsan.gabor@naih.hu" wrote:
Dear All,
Response of the PO (see research portal - process communications)
"Dear coordinator,
Thank you for contacting us.
In relation to your request, we are aware of the heavy circumstances our projects are facing due to current Coronavirus pandemic. Therefore, we are offering our projects to apply for project prolongation eg up until for 6 months (depending on justifications provided) and postponement of activities. There is also, in principle, the option of total suspension but, given that the suspension procedure is much heavier, we do recommend our projects to apply for prolongation instead. Please let me know which way would you like to proceed - amendment for prolongation, or still total suspension?
Kind regards,
Angeelika"
If we accept the PO's recommendation and apply for project prolongation and postponement of activities, we still have to agree on the period of time. If we take this solution I think we should ask for at least 3 months since we have to organize two international workshops, and travelling in Europe is currently quite problematic and it's rather uncertain when the situation will change.
Best, Gábor
Quote (Lina JASMONTAITE Lina.Jasmontaite@vub.be):
> Dear Julia and David,
>
> Thank you for your replies. Indeed, the end result of the extension of the timeline or a temporary suspension would be rather similar – the project would run longer.
> After consulting internally our finance and legal departments, however, we are of the opinion that less restrictive measures (i.e., extension of the timeline) would be more appropriate. This is also the message that we sent to PO.
>
> Best regards,
> Lina
>
> From: Sziklay Júlia sziklay.julia@naih.hu
> Sent: Monday, March 16, 2020 3:26 PM
> To: Lina JASMONTAITE Lina.Jasmontaite@vub.be; David Barnard-Wills david.barnard-wills@trilateralresearch.com; Leanne Cochrane leanne.cochrane@trilateralresearch.com
> Cc: 'STAR' star@listserv.vub.ac.be
> Subject: RE: [star] feedback on STAR II 4.1
>
> Dear Colleagues,
> I think both proposals can be reasonable but nevertheless with quite the same effect: we will be stuck in the project till the end of a prolonged deadline (presumably till autumn 2020 instead of July). I am sure the Commission is working on the issue (the world epidemic situation affects all the ongoing projects in general) so we shall keep our dialogue going on.
> Julia
>
> From: star-bounces@listserv.vub.ac.be [mailto:star-bounces@listserv.vub.ac.be] On Behalf Of Lina JASMONTAITE
> Sent: Monday, March 16, 2020 1:38 PM
> To: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; Leanne Cochrane <leanne.cochrane@trilateralresearch.com>
> Cc: STAR <star@listserv.vub.ac.be>
> Subject: Re: [star] feedback on STAR II 4.1
>
> Dear David and Leanne,
>
> Could you please let us know your position on this situation?
> Best regards,
> Lina
>
> On 16 Mar 2020, at 11:39, Lina JASMONTAITE <Lina.Jasmontaite@vub.be> wrote:
>
> Dear Gabor,
>
> I understand your point of view but I believe that all three partners should have agreed to the suspension before sending a request to the PO. Following my supervisor’s advice, VUB couldn’t accept this proposal.
> I am ok to discuss alternative solutions with the PO.
> I will keep you and the TRI team posted via the mailing list.
>
> Best regards and stay safe,
> Lina
>
> From: Kulitsán Gábor <kulitsan.gabor@naih.hu>
> Sent: Monday, March 16, 2020 11:14 AM
> To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>
> Cc: 'STAR' <star@listserv.vub.ac.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu
> Subject: RE: feedback on STAR II 4.1
>
> Dear Lina,
>
> And how should I ask any extension if I don’t know any exact dates or anything for sure? I think the suspension is better, indicating that the project would resume where it left off once the situation returns to normal or at least to less serious. I already sent the message to the PO, but if you have any other idea, feel free to share with her via the portal adding the turn “on behalf of the coordinator”. I’m really sorry, but now I have neither time nor energy to act as a contact person. If you want, you can have the call as well, but I probably won’t be available. And no offense, but to be honest, currently the project is of least interest to me.
> Best,
> Gábor
>
> From: Lina JASMONTAITE [mailto:Lina.Jasmontaite@vub.be]
> Sent: Monday, March 16, 2020 10:58 AM
> To: Kulitsán Gábor <kulitsan.gabor@naih.hu>
> Cc: 'STAR' <star@listserv.vub.ac.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu
> Subject: RE: feedback on STAR II 4.1
>
> Dear Gabor,
>
> Thanks for your email. I am not sure what a suspension would mean in terms of financial implications for VUB, so at this point I think we should request an extension in these unforeseen circumstances rather than a suspension.
>
> While the situation is full of uncertainty and many of us need to adapt to it, we can still proceed further and work on deliverables for the project, apart from the workshop. We need to discuss a scenario with the PO what to do if the situation does not improve in upcoming weeks. If that is the case, perhaps, we should ask for the adjustment in the DOW and instead of a workshop to obtain feedback we could propose having an online consultation. This would of course affect our funding.
>
> I think we should still have a call if not this week, then a week after.
> Best regards,
> Lina
>
> From: Kulitsán Gábor <kulitsan.gabor@naih.hu>
> Sent: Monday, March 16, 2020 10:39 AM
> To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu
> Cc: 'STAR' <star@listserv.vub.ac.be>
> Subject: RE: feedback on STAR II 4.1
> Importance: High
>
> Dear Lina & All
>
> Due to the current situation I will ask the PO to temporarily suspend the project including all deadlines by reason of unforeseeable circumstances of force majeure. I’ll keep you updated.
>
> Secondly, I can’t make tomorrow’s call, but I don’t think that’s the most important thing now anyway.
>
> Best wishes, stay safe and take care of yourselves!
>
> Gábor
>
> From: Lina JASMONTAITE [mailto:Lina.Jasmontaite@vub.be]
> Sent: Friday, March 13, 2020 10:54 AM
> To: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
> Cc: 'STAR' <star@listserv.vub.ac.be>; nagy.renata@naih.hu
> Subject: RE: feedback on STAR II 4.1
>
> @David Barnard-Wills many thanks for sharing the extensive feedback. It’s much appreciated and we’ll implement it as soon as possible.
>
> @'Kulitsán Gábor' at the university we were receiving daily updates on the situation concerning the virus. For now all external events are cancelled until the end of April. In view of this, we can suggest to reschedule the event for the later date (probably to mid or late June) in a hope that by then the situation improves and we can host the event.
This would > consequently require more time to finalise the handbook for the > final event and then July wouldn’t be a realistic date. My > understanding is that we cannot ask for the extension of the project > to the end of October/November because it is funded by the grant > action. Could we ask however the PO for the cost of the final > workshop as well as travelling to be eligible for the later date > that would go beyond the lifetime of the project? > Perhaps, before proceeding with the official communication, it would > be possible to get in touch with the PO via a phone call, so we are > aware about the position taken by the EC considering the current > situation? > > Having a call on Tuesday works well for our team. > > > Best regards, > Lina > > > > > > From: David Barnard-Wills > <David.Barnard-Wills@trilateralresearch.commailto:David.Barnard-Wills@trilateralresearch.com> > Sent: Tuesday, March 10, 2020 4:22 PM > To: Lina JASMONTAITE > <Lina.Jasmontaite@vub.bemailto:Lina.Jasmontaite@vub.be>; > nagy.renata@naih.humailto:nagy.renata@naih.hu; 'Kulitsán Gábor' > <kulitsan.gabor@naih.humailto:kulitsan.gabor@naih.hu> > Cc: 'STAR' <star@listserv.vub.ac.bemailto:star@listserv.vub.ac.be> > Subject: feedback on STAR II 4.1 > > Dear all, > > First, I sincerely apologise for not getting this feedback to you > earlier. I assume that D4.1 was submitted? > On the positive side, this feedback can presumably be included in > the final version of these deliverables. > > We got Alan Moore, one of our DPO team, with good practical > expertise with various commercial clients to review the guidance > document (You met him at the Brussels workshop). His feedback is > below. > > Best wishes, > > DBW > > I have gone through the document and have a few suggestions: > > P7 Section 3.2 It can be suggested that to compensate for being > awarded with limited enforcement powers….. > > I would hold they have significant powers beyond the ability to > fine. 
Their powers to instruct controllers / processor top cease > processing data, among others, can ultimately shut down a business > without a fine being levied. To ignore these instructions can land a > director in jail for up to 5 years! > > P8. DPAs The focus on standardisation and EDPB. Art 60 was an after > thought and the general view is the it cannot operate within the > prescribed timelines. The ECJ will be the ultimate arbiter for > standardisation of approaches / laws / requirements but each > National Authority must be free to interpret facts presented in its > own way. Their independence is anchored in the EU treaties. A > complication that will eventually need to be addressed. > > P8. 3.3 Should be aware that translation into romance languages can > carry a different commutation the was intended by the Directive and > DPA have a key role to explain the true intent / meaning. > > P9. 3.4 Typo in second paragraph. > It also could be considered e the most > > P10. It appeared that most DPAs do not use internal guidance to direct…. > What has been the result of this? A key concern in the Irish DPC has > been delivering a consistent message and not providing a different > answer to the same or similar callers on different occasions. > > P11. 4 Unclear use of language - first paragraph > This initiative allowed to be confirmed that > It allowed to be obtained > > P11.4. Would stress the importance of standardisation of response > & P12 4 Add ‘c’? Implement a control process to ensure > standardisation of responses to similar questions / scenarios > > P13. 4.2 Might mention the concern that callers may have that > showing their hand may trigger an investigation. Callers need to be > reassured and encouraged to participate. Approaches do differ > between different DPAs. > > P13. 4.2.1 > It was decided to create a dedicated part > Following up on from this decision > > P15. 
4.2.3 > I would stress the value of face to face more as context can be > complicated and the caller is subject to information and power > asymmetry. > > P16 4.5 last paragraph > We are included inclined to > > P21 6.2 last paragraph > DPAs across the EU have reported to engage that they have engaged in > > P22 6.3 4.5 last paragraph > Slovic suggests that the following elements play a role when evaluating risk: > > 1. The degree to which an individual feels in control > 2. The nature of consequences and the distribution of the impact > > P23 6.3 2nd paragraph > Which is perceived ‘as the coordinated activities to direct and > control an organisation with regard to risk’ 47 This is most > practically evidenced by the development and maintaining of a formal > risk register. > > (This risk section is very cerebral I fear and wont help with the ‘how’) > > P23 6.3.1 > Typically, the risk based approach formula approach in the GDPR > includes the following elements to be taken into account: > > * The state of the art in terms of technology for of the means > of processing (state of the art needs to be explained – does not > mean the best there is but rather the minimum expectable / expected) > > P24 6.3.2 > I would add a sentence or two on the benefits undertaking a > voluntary DPIA which include: > > * Documented understanding of the how the system works > * Known points of integration with other systems > * Assigning accountability > * Ensuring organisational standards (security / access etc) are > being complied with > * Demonstrated commitment to GDPR > * General piece of mind / greater organisational resilience > > P24 6.3.5 > I would add a piece on keeping a formal risk register of risks to > data subjects, separate from ant organisation risk register of risks > to the organisation in which all risks are assigned an owner and a > review date. > > P25 6.3.5 (b) What does SMEs need to do to be accountable? 
> > Second paragraph > …that the principle of accountability as an elements of good > > P.26 first line > … that the demonstration of compliance > > P.26 6.3.6 (b) > > * Implement data protection principles (see Article 5) and to > integrate the necessary safeguards into the processing in order to > meet the requirements of this Regulation and protect the rights of > data subjects (see Chapter III) in an effective manner; > * This should done at the time of the determination of the means > for processing and implemented before the time of the processing > itself. > (not that clear in the text.) > > P.27 6.3.6 (c) > It should be noted that some DPAs while note defining and technical > or organisation measures will nonetheless express an expectation > such as the Irish DPC in terms of the use of encryption whenever > possible where personal data is at rest or in transit. > > P.28 6.3.7 (b) 2nd paragraph > It is assumed that organisations will, however, benefit more from > maintaining their documentation electronically as such documentation > can they can easily added to, have entries removed when obsolete, > and amend entries it as necessary. However paper documentation is > regarded as being appropriate for SMEs and micro enterprises. It > should be added that SMEs (entities having less than 250 employees) > are technically exempt from this obligation if provided they are > undertaking: > • processing that is not likely to > result in a risk to the rights and freedoms of > data subjects; > • processing that is not occasional > (meaning that it is not regularly / > frequently undertaken); or > • processing that does not include > special categories of data or personal data > relating to criminal convictions and offences. > > In reality, very few SMEs can avail of this exemption unless the > process very little data. Most SMEs will usually have some special > category data as part of their HR files. > > They can be are available on the websites…. 
>
> P.29 6.3.8 (a) 2
> Large scale is not defined by the legislation though different DPAs have given some guidance relevant to different activities.
>
> For SMEs who provide services into other organisations, the voluntary appointment of an internal or outsourced DPO can provide commercial and strategic advantage by communicating a commitment to data protection and promoting higher levels of trust.
>
> P.29 6.3.8 (b)
>
> A DPO may either be an employee of the SME or an external expert, but in both cases, it is fundamental that he or she is independent, in the sense that:
> • the DPO shall be provided of with all the necessary resources to carry on his/her tasks, in terms of money, time, workforce, time to devote to professional development etc.;
> • the DPO shall not receive instructions for the exercise of his/her tasks;
> • the DPO shall not be dismissed or penalized for the performance of his/her tasks;
> • the DPO shall report to the highest level of management; and
> • the DPO should not be in have any conflict of interest in respect to other tasks and duties (e.g. determining objects and purposes of the processing, representing the SME in legal proceedings).
>
> P.30 6.3.8 (c)
> Task of DPOs (DPOs can / DPOs cannot)
> Can: Inform and advise the SME on the obligations arising from the GDPR and the national data protection provisions
> Cannot: Be held accountable for the information and advice given to the SME (I do not agree with this. They are not accountable for whether their advice is implemented or not but they can be held accountable for being negligent)
> Can: Monitor the compliance of the SME with the GDPR, the national data protection provisions and (eventual) its internal data policies
> Cannot: Be considered personally responsible for non-compliance with data protection requirements
> Can: Carry on awareness raising activities and training for the staff of the SME dealing with data processing
> Cannot: Perform the DPIA. Not true. There is no reason why a DPO cannot take the lead in undertaking a DPIA, especially where the skills do not exist elsewhere in the organization, but the responsibility to ensure one is done remains with the Controller.
> Can: Provide advice to the SME and monitor the performance in relation to the DPIA (when a DPIA is required)
> Cannot: Represent the SME in front of the DPA or in a court in case of proceedings. Not quite so. The DPO remains the first point of contact for data subjects and the DPAs and may be called to account for advice / provide an explanation as to how data was processed based on their monitoring of processing activities.
> Can: Act as contact point for the supervisory authority in case of prior consultation
> Cannot: Be considered responsible for the maintenance of the register. True, but they are responsible for providing oversight as to whether it is maintained.
> Can: Cooperate with the supervisory authority
> Cannot: Simultaneously hold another position in the organization that helps define the means and purposes of processing of any personal data.
> Can: Be contacted by data subjects willing wishing to exercise their rights
> Cannot: Create and maintain the register of processing (in the exceptional situations where SME are required to have it one). Not True, under Art 30 it is the responsibility of the Controller
>
> P.31 6.3.9(a) Data Protection Impact Assessment
> (a) Background
> The DPIA is a new addition to the EU data protection framework. It builds on the rich experience of conducting impact assessments in other fields, in particular, on the environmental impact assessments. To be effective, impact assessments are carried out at the early stage of a project (proactive initiative), at the phase of planning or designing, and are aimed to identify and help mitigate anticipate the any potential beneficial and adverse (i.e. negative) impacts arising from the intended processing of personal data of such within the project.
> Impact assessments are risk based exercises that help decision-makers find the best and most beneficial solutions for the development and deployment of initiatives while protecting the rights and freedoms of data subjects. To be practical, impact assessments must be scalable, flexible and applicable inter alia for large organisations, consortia or for small and medium-sized enterprises. Any risks identified will be entered into the Data Protection Risk Register.
>
> P.32 6.3.9(c)
> (c) What are the elements and characteristics of the processing that may generate the high risks to rights and freedoms of individuals?
> The following elements that contribute to the high risks to data subjects from this provision were extracted by the
>
> (d) What situations could require a DPIA?
> Examples of processing operations that could trigger a DPIA:
> • If the SME is implementing a new tool to monitor access to office combining use of fingerprints and face facial recognition technology;
> • If the SME is a biotechnology company offering genetic tests directly to consumers in order to assess and predict the disease/health risks
> • If the SME is providing CCTV surveillance for a shopping centre or using a large number of cameras in their own premises
>
> (e) Who and when should perform a DPIA?
> Albeit the data processor and the data protection officer shall assist the data controller (i.e., SME), the final responsibility on for the DPIA process relies on rests with the data controller.
>
> (f) When is a DPIA is not required?
> • When the data processing operations are included in any list of data processing operations compiled by the DPA non which do not requiring a DPIA
>
> P.33 6.3.9(g)
> 4) Involve data subjects and/or their representatives, the data protection officer and any other expert (e.g. information security officer) and the data processor in the process, ideally in each phase of the assessment process.
> This consultation must be meaningful.
>
> P.33 6.3.9(h)
> (h) When a new (revised) DPIA is required?
> A new (i.e. revised version of) DPIA could be required if the risks resulting from the processing operations are to change, for example because a new technology is to be has been introduced, a new processor is to be engaged under contract, or because personal data is being to be used for a different purpose
>
> In that case, the review of the risk analysis made can show that the performance of a DPIA is no longer required.
>
> P.34 6.3.10(b)
> (b) How the security obligation is related to other provisions?
> This obligation also requires the controller wishing to engage a processor under contract to undertake due diligence and assess whether the guarantees offered by the data processor, in this case the cloud service provider, are sufficient. A controller must only engage such a processor where they have faith in their ability to comply with the obligations under GDPR. During this process, the controller may take into account whether the processor provides adequate documentation proving compliance with data protection principles that could be found in privacy policies, records management policies, information security policies, external audit reports, certifications and similar documentation. The controller in particular should take into account the processor’s expert knowledge (e.g. technical expertise when dealing with data breaches and security measures), reliability and its resources. A site visit may also be necessary. After carrying out the due diligence process, the controller should be able to take a decision with sufficient evidence demonstrating that the processor is suitable, it can then enter into a binding arrangement. It should be added that this due diligence process is not a one-time effort.
> and it needs to be regularly repeated in order The controller will have an ongoing obligation to check whether the processor is compliant and meeting their obligations either by auditing using their own staff or a trusted third party. When outsourcing the processing of personal data (e.g. for the provision of technical assistance or cloud services), the controller should must conclude a contract, another legal act or binding arrangement with the other entity already setting out clear and precise data protection obligations and the nature of processing in a detailed data processing agreement.
>
>
> P.35 6.3.10(c)
> An information security policy foreseeing the role of each user and the required permission levels (access control) appropriate to the role which minimises access to only that data necessary for that role. This includes the system administrator accounts is as an example of an appropriate organisational measure.
>
> P.35 6.3.10(d) What technical security measures can a SME take?
> Technical measures must therefore include both physical and computer or IT security.
>
> When considering cybersecurity, you should look at factors such as:
> • system security – the security of your network and information systems, including especially those which process personal data;
> • data security – the security of the data you hold within your systems, e.g., ensuring appropriate access controls are in place and that data is held securely through the use of suitable levels of encryption;
>
> P.36 6.3.10(e)
> Would add:
> Where Special Category Data is processed (such as health data) or personal data relating to minors, higher levels of security will be expected to be implemented and documented.
>
> P.36 6.3.11
> This section should start with the definition of what is meant by a breach and explain the difference between an incident and a breach. It is confusing otherwise.
>
> P.37 6.3.11(b)
> Consequently, this means that the controller must have an internal procedures defined, tested and documented allowing to confirm to appropriately identify and handle any breach of security concerning personal data.
>
> In an ideal scenario, an information incident response policy should precede be in place before processing of personal data begins so that any the occurrence of an incident so that it could be used should a data breach take place.
>
> P.37 6.3.11(d)
> Would add a final paragraph.
> As GDPR is maturing, different DPAs are expressing different thresholds for the reporting of breaches. Where originally there was a fear of over reporting, the DPC in Ireland has requested a breach be reported when there is any risk identified to the data subject. This allows the Commission to identify trends and to have confidence that controllers are identifying the minor breaches and thus are able to identify the more serious breaches should they arise.
>
> I hope you find this useful.
>
> Alan
>
>
> From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE
> Sent: 28 February 2020 13:09
> To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
> Cc: 'STAR' <star@listserv.vub.ac.be>
> Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
>
> Dear Renata and Gabor,
>
> Here comes D4.1 with both parts now included. We made further minor edits to Part A.
> We believe that the pdf version can be submitted.
> We look forward to your comments on Part B, which unfortunately comes a bit later than planned.
>
> Best regards,
> Lina
>
> From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE
> Sent: Friday, February 28, 2020 8:45 AM
> To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
> Cc: 'STAR' <star@listserv.vub.ac.be>
> Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
>
> Dear Renata and Gabor,
>
> Thank you for your additions and edits.
> The document to be submitted to the EC will reach you shortly after noon.
>
> Best regards,
> Lina
>
> From: nagy.renata@naih.hu <nagy.renata@naih.hu>
> Sent: Thursday, February 27, 2020 4:31 PM
> To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
> Cc: 'STAR' <star@listserv.vub.ac.be>
> Subject: RE: STAR II - Update on EDPB and validation workshop?
>
> Dear Lina!
> Dear All!
>
> Thank you for sharing the restructured version of the guidance for DPAs. We only added minor additions/corrections. We confirm that the yellow parts are accurate.
>
> We are looking forward to the handbook (the submission deadline is 29.02.2020)
>
>
> Best regards,
>
> Renáta
>
>
> From: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>
> Sent: Thursday, February 20, 2020 10:32 AM
> To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
> Cc: 'STAR' <star@listserv.vub.ac.be>
> Subject: RE: STAR II - Update on EDPB and validation workshop?
>
> Dear Renata and Gabor,
>
> Once again, thank you for preparing a revised version of the guidance for DPAs.
> We reviewed it and now enclose an improved version of it.
> It includes nearly all of your report (see the document you shared; we marked in yellow parts that were used). However, the current version is restructured, rephrased and embedded in a wider context of DPAs’ awareness raising duties. We also extracted recommendations from your report and developed a graph presenting these recommendations.
> There are two parts marked in yellow that need to be checked for accuracy. Perhaps, you will want to add some other clarifications in the text. In particular, further additions could be made to the concluding remarks part.
> As we provided contributions to the initial text, we would like to be considered co-authors of this guidance. What do you think about this?
>
> The part B – the handbook for SMEs – is on its way.
>
> Best regards,
> Lina
>
> From: nagy.renata@naih.hu <nagy.renata@naih.hu>
> Sent: Tuesday, January 28, 2020 4:16 PM
> To: 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>; Leanne Cochrane <leanne.cochrane@trilateralresearch.com>
> Cc: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.com>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' <sziklay.julia@naih.hu>
> Subject: RE: STAR II - Update on EDPB and validation workshop?
>
> Dear All!
>
> Please, find enclosed the updated version of the guidance.
>
> Best,
>
> Renáta
>
> From: Kulitsán Gábor <kulitsan.gabor@naih.hu>
> Sent: Tuesday, January 28, 2020 10:09 AM
> To: 'Leanne Cochrane' <leanne.cochrane@trilateralresearch.com>
> Cc: 'David Barnard-Wills' <David.Barnard-Wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.hu>; 'Lina JASMONTAITE' <Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' <sziklay.julia@naih.hu>
> Subject: RE: STAR II - Update on EDPB and validation workshop?
>
> Hi Leanne,
>
> Thanks for the update on the newsletter.
>
> Regarding the upcoming events:
>
> * The plan is to present the drafts of the guidance and the handbook at the EDPB plenary in February. However, as this is scheduled for 18-19 February, we can only do this if the drafts are ready by then. Renáta will circulate the updated version of the guidance soon. As for the other document (handbook), Lina can provide further information.
> * I have no further information on the validation workshop planned for March-April 2020.
>
> Best,
> Gábor
>
>
> From: Leanne Cochrane [mailto:leanne.cochrane@trilateralresearch.com]
> Sent: Monday, January 27, 2020 6:25 PM
> To: Kulitsán Gábor <kulitsan.gabor@naih.hu>
> Cc: David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com>; Corinna Pannofino <Corinna.Pannofino@trilateralresearch.com>; Angelo Napolano <Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.hu>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; Sziklay Júlia <sziklay.julia@naih.hu>
> Subject: STAR II - Update on EDPB and validation workshop?
>
> Hi Gabor,
>
> I hope you are keeping well.
>
> Our dissemination team is preparing to send out the STAR II newsletter we mentioned on our previous calls. It will be sent out this Thursday with links to the approved deliverables and some blogs. We are also including a section on upcoming events and I wanted to check with NAIH if we had any further information on the following two events:
>
>
> * A presentation by NAIH to the EDPB on the STAR II project planned for the February EDPB plenary (18th-19th) in Brussels.
> * A Validation workshop for the STAR II outputs, namely 'A Risk Focused Handbook for SMEs' and a 'Guidance for DPAs', planned for March-April 2020 in Brussels.
> Can I just check this information is still current and there is nothing more specific we can add at this stage?
>
> I would be grateful if you can cc all in the reply as I am off tomorrow and the dissemination team are in need of the confirmation.
>
> Thanks and best wishes,
> Leanne
>
>
> http://www.trilateralresearch.com/
>
> Leanne Cochrane
>
> Senior Research Analyst | Policy, Ethics and Emerging Technologies Team
>
> leanne.cochrane@trilateralresearch.com
>
> www.trilateralresearch.com
>
> Mobile: +44 (0) 7545 955 242
>
> Skype: @ljcochrane
_______________________________________________ STAR mailing list STAR@listserv.vub.ac.be https://listserv.vub.ac.be/mailman/listinfo/star
Dear Gabor,
Thank you for sharing the reply from the PO. That's great news. I suggest that we accept the offer of 6 months as the situation remains uncertain and in case we don't need all of this time, we can finalise the project earlier.
Best regards, Lina
-----Original Message----- From: David Wright David.wright@trilateralresearch.com Sent: Tuesday, March 17, 2020 11:30 AM To: kulitsan.gabor@naih.hu; Lina JASMONTAITE Lina.Jasmontaite@vub.be Cc: 'STAR' star@listserv.vub.ac.be Subject: Re: [star] feedback on STAR II 4.1
This seems a very good solution.
On 17/03/2020, 10:21, "star-bounces@listserv.vub.ac.be on behalf of kulitsan.gabor@naih.hu" <star-bounces@listserv.vub.ac.be on behalf of kulitsan.gabor@naih.hu> wrote:
Dear All,
Response of the PO (see research portal - process communications)
"Dear coordinator,
Thank you for contacting us.
In relation to your request, we are aware of the heavy circumstances our projects are facing due to the current Coronavirus pandemic. Therefore, we are offering our projects to apply for project prolongation, e.g. for up to 6 months (depending on justifications provided), and postponement of activities. There is also, in principle, the option of total suspension but, given that the suspension procedure is much heavier, we do recommend our projects to apply for prolongation instead. Please let me know which way you would like to proceed - amendment for prolongation, or still total suspension?
Kind regards,
Angeelika"
If we accept the PO's recommendation and apply for project prolongation and postponement of activities, we still have to agree on the period of time. If we take this solution I think we should ask for at least 3 months since we have to organize two international workshops, and travelling in Europe is currently quite problematic and it's rather uncertain when the situation will change.
Best, Gábor
Quote (Lina JASMONTAITE Lina.Jasmontaite@vub.be):
> Dear Julia and David,
>
> Thank you for your replies. Indeed, the end result of the extension of the timeline or a temporary suspension would be rather similar – the project would run longer.
> After consulting internally our finance and legal departments, however, we are of the opinion that less restrictive measures (i.e., extension of the timeline) would be more appropriate. This is also the message that we sent to the PO.
>
> Best regards,
> Lina
>
> From: Sziklay Júlia sziklay.julia@naih.hu
> Sent: Monday, March 16, 2020 3:26 PM
> To: Lina JASMONTAITE Lina.Jasmontaite@vub.be; David Barnard-Wills david.barnard-wills@trilateralresearch.com; Leanne Cochrane leanne.cochrane@trilateralresearch.com
> Cc: 'STAR' star@listserv.vub.ac.be
> Subject: RE: [star] feedback on STAR II 4.1
>
> Dear Colleagues,
> I think both proposals can be reasonable but nevertheless with quite the same effect: we will be stuck in the project till the end of a prolonged deadline (presumably till autumn 2020 instead of July). I am sure the Commission is working on the issue (the world epidemic situation affects all the ongoing projects in general) so we shall keep our dialogue going on.
> Julia
>
> From: star-bounces@listserv.vub.ac.be [mailto:star-bounces@listserv.vub.ac.be] On Behalf Of Lina JASMONTAITE
> Sent: Monday, March 16, 2020 1:38 PM
> To: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; Leanne Cochrane <leanne.cochrane@trilateralresearch.com>
> Cc: STAR <star@listserv.vub.ac.be>
> Subject: Re: [star] feedback on STAR II 4.1
>
> Dear David and Leanne,
>
> Could you please let us know your position on this situation?
> Best regards,
> Lina
>
> On 16 Mar 2020, at 11:39, Lina JASMONTAITE <Lina.Jasmontaite@vub.be> wrote:
>
> Dear Gabor,
>
> I understand your point of view but I believe that all three partners should have agreed to the suspension before sending a request to the PO. Following my supervisor’s advice, VUB couldn’t accept this proposal.
> I am ok to discuss alternative solutions with the PO.
> I will keep you and the TRI team posted via the mailing list.
>
> Best regards and stay safe,
> Lina
>
> From: Kulitsán Gábor <kulitsan.gabor@naih.hu>
> Sent: Monday, March 16, 2020 11:14 AM
> To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>
> Cc: 'STAR' <star@listserv.vub.ac.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu
> Subject: RE: feedback on STAR II 4.1
>
> Dear Lina,
>
> And how should I ask for any extension if I don’t know any exact dates or anything for sure? I think the suspension is better, indicating that the project would resume where it left off once the situation returns to normal or at least to a less serious state. I already sent the message to the PO, but if you have any other idea, feel free to share it with her via the portal adding the term “on behalf of the coordinator”. I’m really sorry, but now I have neither time nor energy to act as a contact person. If you want, you can have the call as well, but I probably won’t be available. And no offense, but to be honest, currently the project is of least interest to me.
>
> Best,
> Gábor
>
>
> From: Lina JASMONTAITE [mailto:Lina.Jasmontaite@vub.be]
> Sent: Monday, March 16, 2020 10:58 AM
> To: Kulitsán Gábor <kulitsan.gabor@naih.hu>
> Cc: 'STAR' <star@listserv.vub.ac.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu
> Subject: RE: feedback on STAR II 4.1
>
> Dear Gabor,
>
> Thanks for your email. I am not sure what a suspension would mean in terms of financial implications for VUB, so at this point I think we should request an extension in these unforeseen circumstances rather than a suspension.
>
> While the situation is full of uncertainty and many of us need to adapt to it, we can still proceed further and work on deliverables for the project, apart from the workshop. We need to discuss a scenario with the PO of what to do if the situation does not improve in the upcoming weeks. If that is the case, perhaps we should ask for an adjustment in the DOW and, instead of a workshop to obtain feedback, we could propose having an online consultation. This would of course affect our funding.
>
> I think we should still have a call, if not this week, then a week after.
>
> Best regards,
> Lina
>
> From: Kulitsán Gábor <kulitsan.gabor@naih.hu>
> Sent: Monday, March 16, 2020 10:39 AM
> To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu
> Cc: 'STAR' <star@listserv.vub.ac.be>
> Subject: RE: feedback on STAR II 4.1
> Importance: High
>
> Dear Lina & All
>
> Due to the current situation I will ask the PO to temporarily suspend the project including all deadlines by reason of unforeseeable circumstances of force majeure. I’ll keep you updated.
>
> Secondly, I can’t make tomorrow’s call, but I don’t think that’s the most important thing now anyway.
>
> Best wishes, stay safe and take care of yourselves!
>
> Gábor
>
>
> From: Lina JASMONTAITE [mailto:Lina.Jasmontaite@vub.be]
> Sent: Friday, March 13, 2020 10:54 AM
> To: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
> Cc: 'STAR' <star@listserv.vub.ac.be>; nagy.renata@naih.hu
> Subject: RE: feedback on STAR II 4.1
>
>
> @David Barnard-Wills many thanks for sharing the extensive feedback. It’s much appreciated and we’ll implement it as soon as possible.
>
> @'Kulitsán Gábor' at the university we were receiving daily updates on the situation concerning the virus. For now all external events are cancelled until the end of April. In view of this, we can suggest to reschedule the event for a later date (probably to mid or late June) in the hope that by then the situation improves and we can host the event.
> This would consequently require more time to finalise the handbook for the final event and then July wouldn’t be a realistic date. My understanding is that we cannot ask for the extension of the project to the end of October/November because it is funded by the grant action. Could we however ask the PO for the cost of the final workshop as well as travelling to be eligible for the later date that would go beyond the lifetime of the project?
> Perhaps, before proceeding with the official communication, it would be possible to get in touch with the PO via a phone call, so we are aware of the position taken by the EC considering the current situation?
>
> Having a call on Tuesday works well for our team.
>
>
> Best regards,
> Lina
>
>
>
>
>
> From: David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com>
> Sent: Tuesday, March 10, 2020 4:22 PM
> To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
> Cc: 'STAR' <star@listserv.vub.ac.be>
> Subject: feedback on STAR II 4.1
>
> Dear all,
>
> First, I sincerely apologise for not getting this feedback to you earlier. I assume that D4.1 was submitted?
> On the positive side, this feedback can presumably be included in the final version of these deliverables.
>
> We got Alan Moore, one of our DPO team, with good practical expertise with various commercial clients, to review the guidance document (you met him at the Brussels workshop). His feedback is below.
>
> Best wishes,
>
> DBW
>
> I have gone through the document and have a few suggestions:
>
> P7 Section 3.2 It can be suggested that to compensate for being awarded with limited enforcement powers…..
>
> I would hold they have significant powers beyond the ability to fine.
> Their powers to instruct controllers / processors to cease processing data, among others, can ultimately shut down a business without a fine being levied. To ignore these instructions can land a director in jail for up to 5 years!
>
> P8. DPAs The focus on standardisation and EDPB. Art 60 was an afterthought and the general view is that it cannot operate within the prescribed timelines. The ECJ will be the ultimate arbiter for standardisation of approaches / laws / requirements but each National Authority must be free to interpret facts presented in its own way. Their independence is anchored in the EU treaties. A complication that will eventually need to be addressed.
>
> P8. 3.3 Should be aware that translation into romance languages can carry a different connotation than was intended by the Directive and DPAs have a key role to explain the true intent / meaning.
>
> P9. 3.4 Typo in second paragraph.
> It also could be considered e the most
>
> P10. It appeared that most DPAs do not use internal guidance to direct….
> What has been the result of this? A key concern in the Irish DPC has been delivering a consistent message and not providing a different answer to the same or similar callers on different occasions.
>
> P11. 4 Unclear use of language - first paragraph
> This initiative allowed to be confirmed that
> It allowed to be obtained
>
> P11.4. Would stress the importance of standardisation of response
> & P12 4 Add ‘c’? Implement a control process to ensure standardisation of responses to similar questions / scenarios
>
> P13. 4.2 Might mention the concern that callers may have that showing their hand may trigger an investigation. Callers need to be reassured and encouraged to participate. Approaches do differ between different DPAs.
>
> P13. 4.2.1
> It was decided to create a dedicated part
> Following up on from this decision
>
> P15.
> 4.2.3
> I would stress the value of face to face more as context can be complicated and the caller is subject to information and power asymmetry.
>
> P16 4.5 last paragraph
> We are included inclined to
>
> P21 6.2 last paragraph
> DPAs across the EU have reported to engage that they have engaged in
>
> P22 6.3 4.5 last paragraph
> Slovic suggests that the following elements play a role when evaluating risk:
>
> 1. The degree to which an individual feels in control
> 2. The nature of consequences and the distribution of the impact
>
> P23 6.3 2nd paragraph
> Which is perceived ‘as the coordinated activities to direct and control an organisation with regard to risk’ 47 This is most practically evidenced by the development and maintaining of a formal risk register.
>
> (This risk section is very cerebral I fear and won't help with the ‘how’)
>
> P23 6.3.1
> Typically, the risk based approach formula approach in the GDPR includes the following elements to be taken into account:
>
> * The state of the art in terms of technology for of the means of processing (state of the art needs to be explained – does not mean the best there is but rather the minimum expectable / expected)
>
> P24 6.3.2
> I would add a sentence or two on the benefits of undertaking a voluntary DPIA which include:
>
> * Documented understanding of how the system works
> * Known points of integration with other systems
> * Assigning accountability
> * Ensuring organisational standards (security / access etc) are being complied with
> * Demonstrated commitment to GDPR
> * General peace of mind / greater organisational resilience
>
> P24 6.3.5
> I would add a piece on keeping a formal risk register of risks to data subjects, separate from any organisation risk register of risks to the organisation, in which all risks are assigned an owner and a review date.
>
> P25 6.3.5 (b) What does SMEs need to do to be accountable?
> > Second paragraph > …that the principle of accountability as an elements of good > > P.26 first line > … that the demonstration of compliance > > P.26 6.3.6 (b) > > * Implement data protection principles (see Article 5) and to > integrate the necessary safeguards into the processing in order to > meet the requirements of this Regulation and protect the rights of > data subjects (see Chapter III) in an effective manner; > * This should done at the time of the determination of the means > for processing and implemented before the time of the processing > itself. > (not that clear in the text.) > > P.27 6.3.6 (c) > It should be noted that some DPAs while note defining and technical > or organisation measures will nonetheless express an expectation > such as the Irish DPC in terms of the use of encryption whenever > possible where personal data is at rest or in transit. > > P.28 6.3.7 (b) 2nd paragraph > It is assumed that organisations will, however, benefit more from > maintaining their documentation electronically as such documentation > can they can easily added to, have entries removed when obsolete, > and amend entries it as necessary. However paper documentation is > regarded as being appropriate for SMEs and micro enterprises. It > should be added that SMEs (entities having less than 250 employees) > are technically exempt from this obligation if provided they are > undertaking: > • processing that is not likely to > result in a risk to the rights and freedoms of > data subjects; > • processing that is not occasional > (meaning that it is not regularly / > frequently undertaken); or > • processing that does not include > special categories of data or personal data > relating to criminal convictions and offences. > > In reality, very few SMEs can avail of this exemption unless the > process very little data. Most SMEs will usually have some special > category data as part of their HR files. > > They can be are available on the websites…. 
>
> P.29 6.3.8 (a) 2
> Large scale is not defined by the legislation though different DPAs have given some guidance relevant to different activities.
>
> For SMEs who provide services into other organisations, the voluntary appointment of an internal or outsourced DPO can provide commercial and strategic advantage by communicating a commitment to data protection and promoting higher levels of trust.
>
> P.29 6.3.8 (b)
>
> A DPO may either be an employee of the SME or an external expert, but in both cases, it is fundamental that he or she is independent, in the sense that:
> • the DPO shall be provided of with all the necessary resources to carry on his/her tasks, in terms of money, time, workforce, time to devote to professional development etc.;
> • the DPO shall not receive instructions for the exercise of his/her tasks;
> • the DPO shall not be dismissed or penalized for the performance of his/her tasks;
> • the DPO shall report to the highest level of management; and
> • the DPO should not be in have any conflict of interest in respect to other tasks and duties (e.g. determining objects and purposes of the processing, representing the SME in legal proceeding).
>
> P.30 6.3.8 (c)
> Tasks of DPOs
> • Inform and advise the SME on the obligations arising from the GDPR and the national data protection provisions
> • Monitor the compliance of the SME with the GDPR, the national data protection provisions and (eventual) its internal data policies
> • Carry on awareness raising activities and training for the staff of the SME dealing with data processing
> • Provide advice to the SME and monitor the performance in relation to the DPIA (when a DPIA is required)
> • Act as contact point for the supervisory authority in case of prior consultation
> • Cooperate with the supervisory authority
> • Be contacted by data subjects willing wishing to exercise their rights
>
> DPOs cannot
> • Be held accountable for the information and advice given to the SME (I do not agree with this. They are not accountable for whether their advice is implemented or not but they can be held accountable for being negligent)
> • Be considered personally responsible for non-compliance with data protection requirements
> • Perform the DPIA. Not true. There is no reason why a DPO cannot take the lead in undertaking a DPIA especially where the skills do not exist elsewhere in the organization, but the responsibility to ensure one is done remains with the Controller.
> • Represent the SME in front of the DPA or in a court in case of proceedings. Not quite so. The DPO remains the first point of contact for data subjects and the DPAs and may be called to account for advice / provide an explanation as to how data was processed based on their monitoring of processing activities.
> • Be considered responsible for the maintenance of the register True but they are responsible for providing oversight as to whether it is maintained.
> • Simultaneously hold another position in the organization that helps define the means and purposes of processing of any personal data.
> • Create and maintain the register of processing (in the exceptional situations where SME are required to have it one) Not True, under Art 30 it is the responsibility of the Controller
>
> P.31 6.3.9(a) Data Protection Impact Assessment
> (a) Background
> The DPIA is a new addition to the EU data protection framework. It builds on the rich experience of conducting impact assessments in other fields, in particular, on the environmental impact assessments. To be effective, impact assessments are carried out at the early stage of a project (proactive initiative), at the phase of planning or designing, and are aimed to identify and help mitigate anticipate the any potential beneficial and adverse (i.e. negative) impacts arising from the intended processing of personal data of such within the project. Impact assessments are risk based exercises that help decision-makers find the best and most beneficial solutions for the development and deployment of initiatives while protecting the rights and freedoms of data subjects. To be practical, impact assessments must be scalable, flexible and applicable inter alia for large organisations, consortia or for small and medium-sized enterprises. Any risks identified will be entered into the Data Protection Risk Register.
>
> P.32 6.3.9(c)
> (c) What are the elements and characteristics of the processing that may generate the high risks to rights and freedoms of individuals?
> The following elements that contribute to the high risks to data subjects from this provision were extracted by the
>
> (d) What situations could require a DPIA?
> Examples of processing operations that could trigger a DPIA:
> • If the SME is implementing a new tool to monitor access to office combining use of fingerprints and face facial recognition technology;
> • If the SME is a biotechnology company offering genetic tests directly to consumers in order to assess and predict the disease/health risks
> • If the SME is providing CCTV surveillance for a shopping centre or using a large number of cameras in their own premises
>
> (e) Who and when should perform a DPIA?
> Albeit the data processor and the data protection officer shall assist the data controller (i.e., SME), the final responsibility on for the DPIA process relies on rests with the data controller.
>
> (f) When is a DPIA is not required?
> • When the data processing operations are included in any list of data processing operations compiled by the DPA non which do not requiring a DPIA
>
> P.33 6.3.9(g)
> 4) Involve data subjects and/or their representatives, the data protection officer and any other expert (e.g. information security officer) and the data processor in the process, ideally in each phase of the assessment process.
> This consultation must be meaningful.
>
> P.33 6.3.9(h)
> (h) When a new (revised) DPIA is required?
> A new (i.e. revised version of) DPIA could be required if the risks resulting from the processing operations are to change, for example because a new technology is to be has been introduced, a new processor is to be engaged under contract, or because personal data is being to be used for a different purpose
>
> In that case, the review of the risk analysis made can show that the performance of a DPIA is no longer required.
>
> P.34 6.3.10(b)
> (b) How the security obligation is related to other provisions?
> This obligation also requires the controller wishing to engage a processor under contract to undertake due diligence and assess whether the guarantees offered by the data processor, in this case the cloud service provider, are sufficient. A controller must only engage such a processor where they have faith in their ability to comply with the obligations under GDPR. During this process, the controller may take into account whether the processor provides adequate documentation proving compliance with data protection principles that could be found in privacy policies, records management policies, information security policies, external audit reports, certifications and similar documentation. The controller in particular should take into account the processor’s expert knowledge (e.g. technical expertise when dealing with data breaches and security measures), reliability and its resources. A site visit may also be necessary. After carrying out the due diligence process, the controller should be able to take a decision with sufficient evidence demonstrating that the processor is suitable, it can then enter into a binding arrangement. It should be added that this due diligence process is not a one-time effort. and it needs to be regularly repeated in order The controller will have an ongoing obligation to check whether the processor is compliant and meeting their obligations either by auditing using their own staff or a trusted third party. When outsourcing the processing of personal data (e.g. for the provision of technical assistance or cloud services), the controller should must conclude a contract, another legal act or binding arrangement with the other entity already setting out clear and precise data protection obligations and the nature of processing in a detailed data processing agreement.
>
> P.35 6.3.10(c)
> An information security policy foreseeing the role of each user and the required permission levels (access control) appropriate to the role which minimises access to only that data necessary for that role. This includes the system administrator accounts is as an example of an appropriate organisational measure.
>
> P.35 6.3.10(d) What technical security measures can a SME take?
> Technical measures must therefore include both physical and computer or IT security.
>
> When considering cybersecurity, you should look at factors such as:
> • system security – the security of your network and information systems, including especially those which process personal data;
> • data security – the security of the data you hold within your systems, e.g., ensuring appropriate access controls are in place and that data is held securely through the use of suitable levels of encryption;
>
> P.36 6.3.10(e)
> Would add:
> Where Special Category Data is processed (such as health data) or personal data relating to minors, higher levels of security will be expected to be implemented and documented.
>
> P.36 6.3.11
> This section should start with the definition of what is meant by a breach and explain the difference between an incident and a breach. It is confusing otherwise.
>
> P.37 6.3.11(b)
> Consequently, this means that the controller must have an internal procedures defined, tested and documented allowing to confirm to appropriately identify and handle any breach of security concerning personal data.
>
> In an ideal scenario, an information incident response policy should precede be in place before processing of personal data begins so that any the occurrence of an incident so that it could be used should a data breach take place.
>
> P.37 6.3.11(d)
> Would add a final paragraph.
> As GDPR is maturing, different DPAs are expressing different thresholds for the reporting of breaches. Where originally there was a fear of over reporting, the DPC in Ireland has requested a breach be reported when there is any risk identified to the data subject. This allows the Commission to identify trends and to have confidence that controllers are identifying the minor breaches and thus are able to identify the more serious breaches should they arise.
>
> I hope you find this useful.
>
> Alan
>
>
> From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE
> Sent: 28 February 2020 13:09
> To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
> Cc: 'STAR' <star@listserv.vub.ac.be>
> Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
>
> Dear Renata and Gabor,
>
> Here comes D4.1 with both parts now included. We made further minor edits to Part A.
> We believe that the pdf version can be submitted.
> We look forward to your comments on Part B, which unfortunately comes a bit later than planned.
>
> Best regards,
> Lina
>
> From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE
> Sent: Friday, February 28, 2020 8:45 AM
> To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
> Cc: 'STAR' <star@listserv.vub.ac.be>
> Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
>
> Dear Renata and Gabor,
>
> Thank you for your additions and edits.
> The document to be submitted to the EC will reach you shortly after noon.
>
> Best regards,
> Lina
>
> From: nagy.renata@naih.hu <nagy.renata@naih.hu>
> Sent: Thursday, February 27, 2020 4:31 PM
> To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
> Cc: 'STAR' <star@listserv.vub.ac.be>
> Subject: RE: STAR II - Update on EDPB and validation workshop?
>
> Dear Lina!
> Dear All!
>
> Thank you for sharing the restructured version of the guidance for DPAs. We only added minor additions/corrections. We confirm that the yellow parts are accurate.
>
> We are looking forward to the handbook (the submission deadline is 29.02.2020)
>
> Best regards,
>
> Renáta
>
> From: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>
> Sent: Thursday, February 20, 2020 10:32 AM
> To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
> Cc: 'STAR' <star@listserv.vub.ac.be>
> Subject: RE: STAR II - Update on EDPB and validation workshop?
>
> Dear Renata and Gabor,
>
> Once again, thank you for preparing a revised version of the guidance for DPAs. We reviewed it and now enclose an improved version of it.
> It includes nearly all of your report (see the document you shared; we marked in yellow parts that were used). However, the current version is restructured, rephrased and embedded in a wider context of DPAs’ awareness raising duties. We also extracted recommendations from your report and developed a graph presenting these recommendations.
> There are two parts marked in yellow that need to be checked for accuracy. Perhaps, you will want to add some other clarifications in the text. In particular, further additions could be made to the concluding remarks part.
> As we provided contributions to the initial text, we would like to be considered co-authors of this guidance. What do you think about this?
>
> The part B – the handbook for SMEs – is on its way.
>
> Best regards,
> Lina
>
> From: nagy.renata@naih.hu <nagy.renata@naih.hu>
> Sent: Tuesday, January 28, 2020 4:16 PM
> To: 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>; Leanne Cochrane <leanne.cochrane@trilateralresearch.com>
> Cc: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.com>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' <sziklay.julia@naih.hu>
> Subject: RE: STAR II - Update on EDPB and validation workshop?
>
> Dear All!
>
> Please, find enclosed the updated version of the guidance.
>
> Best,
>
> Renáta
>
> From: Kulitsán Gábor <kulitsan.gabor@naih.hu>
> Sent: Tuesday, January 28, 2020 10:09 AM
> To: 'Leanne Cochrane' <leanne.cochrane@trilateralresearch.com>
> Cc: 'David Barnard-Wills' <David.Barnard-Wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.hu>; 'Lina JASMONTAITE' <Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' <sziklay.julia@naih.hu>
> Subject: RE: STAR II - Update on EDPB and validation workshop?
>
> Hi Leanne,
>
> Thanks for the update on the newsletter.
>
> Regarding the upcoming events:
>
> * The plan is to present the drafts of the guidance and the handbook at the EDPB plenary in February. However, as this is scheduled for 18-19 February, we can only do this if the drafts are ready by then. Renáta will circulate the updated version of the guidance soon. As for the other document (handbook), Lina can provide further information.
> * I have no further information on the validation workshop planned for March-April 2020.
>
> Best,
> Gábor
>
> From: Leanne Cochrane [mailto:leanne.cochrane@trilateralresearch.com]
> Sent: Monday, January 27, 2020 6:25 PM
> To: Kulitsán Gábor <kulitsan.gabor@naih.hu>
> Cc: David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com>; Corinna Pannofino <Corinna.Pannofino@trilateralresearch.com>; Angelo Napolano <Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.hu>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; Sziklay Júlia <sziklay.julia@naih.hu>
> Subject: STAR II - Update on EDPB and validation workshop?
>
> Hi Gabor,
>
> I hope you are keeping well.
>
> Our dissemination team is preparing to send out the STAR II newsletter we mentioned on our previous calls. It will be sent out this Thursday with links to the approved deliverables and some blogs. We are also including a section on upcoming events and I wanted to check with NAIH if we had any further information on the following two events:
>
> * A presentation by NAIH to the EDPB on the STAR II project planned for the February EDPB plenary (18th-19th) in Brussels.
> * A Validation workshop for the STAR II outputs, namely 'A Risk Focused Handbook for SMEs' and a 'Guidance for DPAs', planned for March-April 2020 in Brussels.
>
> Can I just check this information is still current and there is nothing more specific we can add at this stage?
>
> I would be grateful if you can cc all in the reply as I am off tomorrow and the dissemination team are in need of the confirmation.
>
> Thanks and best wishes,
> Leanne
>
> Leanne Cochrane
> Senior Research Analyst | Policy, Ethics and Emerging Technologies Team
> leanne.cochrane@trilateralresearch.com
> www.trilateralresearch.com
> Mobile: +44 (0) 7545 955 242
> Skype: @ljcochrane
_______________________________________________ STAR mailing list STAR@listserv.vub.ac.be https://listserv.vub.ac.be/mailman/listinfo/star
Dear All,

then all of us agree on requesting a 6 month prolongation. I kindly ask Gabor and Renata to proceed according to it.

Kind regards,
Julia

Quoting (Lina JASMONTAITE Lina.Jasmontaite@vub.be):
Dear Gabor,
Thank you for sharing the reply from the PO. That's great news. I suggest that we accept the offer of 6 months as the situation remains uncertain and in case we don't need all of this time, we can finalise the project earlier.
Best regards, Lina
-----Original Message-----
From: David Wright David.wright@trilateralresearch.com
Sent: Tuesday, March 17, 2020 11:30 AM
To: kulitsan.gabor@naih.hu; Lina JASMONTAITE Lina.Jasmontaite@vub.be
Cc: 'STAR' star@listserv.vub.ac.be
Subject: Re: [star] feedback on STAR II 4.1
This seems a very good solution.
On 17/03/2020, 10:21, "star-bounces@listserv.vub.ac.be on behalf of kulitsan.gabor@naih.hu" <star-bounces@listserv.vub.ac.be on behalf of kulitsan.gabor@naih.hu> wrote:
Dear All,

Response of the PO (see research portal - process communications):

"Dear coordinator,

Thank you for contacting us. In relation to your request, we are aware of the heavy circumstances our projects are facing due to current Coronavirus pandemic. Therefore, we are offering our projects to apply for project prolongation eg up until for 6 months (depending on justifications provided) and postponement of activities. There is also, in principle, the option of total suspension but, given that the suspension procedure is much heavier, we do recommend our projects to apply for prolongation instead.

Please let me know which way would you like to proceed - amendment for prolongation, or still total suspension?

Kind regards,
Angeelika"

If we accept the PO's recommendation and apply for project prolongation and postponement of activities, we still have to agree on the period of time. If we take this solution I think we should ask for at least 3 months since we have to organize two international workshops, and travelling in Europe is currently quite problematic and it's rather uncertain when the situation will change.

Best,
Gábor

Quoting (Lina JASMONTAITE <Lina.Jasmontaite@vub.be>):

> Dear Julia and David,
>
> Thank you for your replies. Indeed, the end result of the extension of the timeline or a temporary suspension would be rather similar – the project would run longer.
> After consulting internally our finance and legal departments, however, we are of opinion that less restrictive measures (i.e., extension of the timeline) would be more appropriate. This is also the message that we sent to PO.
>
> Best regards,
> Lina
>
> From: Sziklay Júlia <sziklay.julia@naih.hu>
> Sent: Monday, March 16, 2020 3:26 PM
> To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; Leanne Cochrane <leanne.cochrane@trilateralresearch.com>
> Cc: 'STAR' <star@listserv.vub.ac.be>
> Subject: RE: [star] feedback on STAR II 4.1
>
> Dear Colleagues,
> I think both proposals can be reasonable but nevertheless with quite the same effect: we will be stuck in the project till the end of a prolonged deadline (presumably till autumn 2020 instead of July). I am sure the Commission is working on the issue (the world epidemic situation affects all the ongoing projects in general) so we shall keep our dialogue going on.
> Julia
>
> From: star-bounces@listserv.vub.ac.be [mailto:star-bounces@listserv.vub.ac.be] On Behalf Of Lina JASMONTAITE
> Sent: Monday, March 16, 2020 1:38 PM
> To: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; Leanne Cochrane <leanne.cochrane@trilateralresearch.com>
> Cc: STAR <star@listserv.vub.ac.be>
> Subject: Re: [star] feedback on STAR II 4.1
>
> Dear David and Leanne,
>
> Could you please let us know your position on this situation?
> Best regards,
> Lina
>
> On 16 Mar 2020, at 11:39, Lina JASMONTAITE <Lina.Jasmontaite@vub.be> wrote:
>
> Dear Gabor,
>
> I understand your point of view but I believe that all three partners should have agreed to the suspension before sending a request to the PO. Following my supervisor’s advice, VUB couldn’t accept this proposal.
> I am ok to discuss alternative solutions with the PO.
> I will keep you and TRI team posted via the mailing list.
>
> Best regards and stay safe,
> Lina
>
> From: Kulitsán Gábor <kulitsan.gabor@naih.hu>
> Sent: Monday, March 16, 2020 11:14 AM
> To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>
> Cc: 'STAR' <star@listserv.vub.ac.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu
> Subject: RE: feedback on STAR II 4.1
>
> Dear Lina,
>
> And how should I ask any extension if I don’t know any exact dates or anything for sure? I think the suspension is better, indicating that the project would resume where it left off once the situation returns to normal or at least to less serious. I already sent the message to the PO, but if you have any other idea, feel free to share with her via the portal adding the turn “on behalf of the coordinator”. I’m really sorry, but now I have neither time nor energy to act as a contact person. If you want, you can have the call as well, but I probably won’t be available. And no offense, but to be honest, currently the project is of least interest to me.
>
> Best,
> Gábor
>
> From: Lina JASMONTAITE [mailto:Lina.Jasmontaite@vub.be]
> Sent: Monday, March 16, 2020 10:58 AM
> To: Kulitsán Gábor <kulitsan.gabor@naih.hu>
> Cc: 'STAR' <star@listserv.vub.ac.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu
> Subject: RE: feedback on STAR II 4.1
>
> Dear Gabor,
>
> Thanks for your email. I am not sure what a suspension would mean in terms of financial implications for VUB, so at this point I think we should request an extension in these unforeseen circumstances rather than a suspension.
>
> While the situation is full of uncertainty and many of us need to adapt to it, we can still proceed further and work on deliverables for the project, apart from the workshop. We need to discuss a scenario with the PO what to do if the situation does not improve in upcoming weeks. If that is the case, perhaps, we should ask for the adjustment in the DOW and instead of a workshop to obtain feedback we could propose having an online consultation. This would of course affect our funding.
>
> I think we should still have a call if not this week, then a week after.
>
> Best regards,
> Lina
>
> From: Kulitsán Gábor <kulitsan.gabor@naih.hu>
> Sent: Monday, March 16, 2020 10:39 AM
> To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu
> Cc: 'STAR' <star@listserv.vub.ac.be>
> Subject: RE: feedback on STAR II 4.1
> Importance: High
>
> Dear Lina & All
>
> Due to the current situation I will ask the PO to temporarily suspend the project including all deadlines by reason of unforeseeable circumstances of force majeure. I’ll keep you updated.
>
> Secondly, I can’t make tomorrow’s call, but I don’t think that’s the most important thing now anyway.
>
> Best wishes, stay safe and take care of yourselves!
>
> Gábor
>
> From: Lina JASMONTAITE [mailto:Lina.Jasmontaite@vub.be]
> Sent: Friday, March 13, 2020 10:54 AM
> To: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
> Cc: 'STAR' <star@listserv.vub.ac.be>; nagy.renata@naih.hu
> Subject: RE: feedback on STAR II 4.1
>
> @David Barnard-Wills many thanks for sharing the extensive feedback. It’s much appreciated and we’ll implement it as soon as possible.
>
> @Kulitsán Gábor at the university we were receiving daily updates on the situation concerning the virus. For now all external events are cancelled until the end of April. In view of this, we can suggest to reschedule the event for a later date (probably to mid or late June) in the hope that by then the situation improves and we can host the event. This would consequently require more time to finalise the handbook for the final event and then July wouldn’t be a realistic date. My understanding is that we cannot ask for the extension of the project to the end of October/November because it is funded by the grant action. Could we ask however the PO for the cost of the final workshop as well as travelling to be eligible for the later date that would go beyond the lifetime of the project?
> Perhaps, before proceeding with the official communication, it would be possible to get in touch with the PO via a phone call, so we are aware about the position taken by the EC considering the current situation?
>
> Having a call on Tuesday works well for our team.
>
> Best regards,
> Lina
>
> From: David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com>
> Sent: Tuesday, March 10, 2020 4:22 PM
> To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
> Cc: 'STAR' <star@listserv.vub.ac.be>
> Subject: feedback on STAR II 4.1
>
> Dear all,
>
> First, I sincerely apologise for not getting this feedback to you earlier. I assume that D4.1 was submitted?
> On the positive side, this feedback can presumably be included in the final version of these deliverables.
>
> We got Alan Moore, one of our DPO team, with good practical expertise with various commercial clients to review the guidance document (You met him at the Brussels workshop). His feedback is below.
>
> Best wishes,
>
> DBW
>
> I have gone through the document and have a few suggestions:
>
> P7 Section 3.2 It can be suggested that to compensate for being awarded with limited enforcement powers…..
>
> I would hold they have significant powers beyond the ability to fine.
> > P.29 6.3.8 (a) 2 > Large scale is not defined by the legislation though different DPAs > have given some guidance relevant to different activities. > > For SMEs who provide services into other organisations, the > voluntary appointment of an internal or outsourced DPO can provide > commercial and strategic advantage by communicating a commitment to > data protection and promoting higher levels of trust. > > P.29 6.3.8 (b) > > A DPO may either be an employee of the SME or an external expert, > but in both cases, it is fundamental that he or she is independent, > in the sense that: > • the DPO shall be provided of with all the necessary > resources to carry on his/her tasks, in terms of money, time, > workforce, time to devote to professional development > etc.; > • the DPO shall not receive instructions for the > exercise of his/her tasks; > • the DPO shall not be dismissed or penalized for the > performance of his/her tasks; > • the DPO shall report to the highest level of management; and > • the DPO should not be in have any conflict of > interest in respect to other tasks and duties (e.g. > determining objects and purposes of the processing, > representing the SME in legal proceeding). > > P.30 6.3.8 (c) > Task of DPOs > DPOs cannot > Inform and advice the SME on the obligations arising from the GDPR > and the national data protection provisions > Be held accountable for the information and advice given to the SME > (I do not agree with this. They are not accountable for whether > their advice is implemented or not but they can be held accountable > for being negligent) > Monitor the compliance of the SME with the GDPR, the national data > protection provisions and (eventual) its internal data policies > Be considered personally responsible for non-compliance with data > protection requirements > Carry on awareness raising activities and training for the staff of > the SME dealing with data processing > Perform the DPIA. Not true. 
There is no reason why a DPO cannot take > the lead in undertaking a DPIA especially where the skills do not > exist elsewhere in the organization. but the responsibility to > ensure one is done remains with the Controller. > Provide advice to the SME and monitor the performance in relation to > the DPIA (when a DPIA is required) > Represent the SME in front of the DPA or in a court in case of > proceedings. Not quite so. The DPO remains the first point of > contact for data subjects and the DPAs and may be called to account > for advice / provide an explanation as to how data was processed > based on their monitoring of processing activities. I > Act as contact point for the supervisory authority in case of prior > consultation > Be considered responsible for the maintenance of the register True > but they are responsible for providing oversight as to whether it is > maintained. > Cooperate with the supervisory authority > Simultaneously hold another position in the organization that helps > define the means and purposes of processing of any personal data. > Be contacted by data subjects willing wishing to exercise their rights > > Create and maintain the register of processing (in the exceptional > situations where SME are required to have it one) Not True, under > Art 30 it is the responsibility of the Controller > > P.31 6.3.9(a) Data Protection Impact Assessment > (a) Background > The DPIA is a new addition to the EU data protection framework. It > builds on the rich experience of conducting impact assessments in > other fields, in particular, on the environmental impact > assessments. To be effective, impact assessments are carried out at > the early stage of a project (proactive initiative), at the phase of > planning or designing, and are aimed to identify and help mitigate > anticipate the any potential beneficial and adverse (i.e. negative) > impacts arising from the intended processing of personal data of > such within the project. 
Impact assessments are risk based exercises > that help decision-makers find the best and most beneficial > solutions for the development and deployment of initiatives while > protecting the rights and freedoms of data subjects. To be > practical, impact assessments must be scalable, flexible and > applicable inter alia for large organisations, consortia or for > small and medium-sized enterprises. Any risks identified will be > entered into the Data Protection Risk Register. > > P.32 6.3.9(c) > (c) What are the elements and characteristics of the > processing that may generate the high risks to rights and freedoms > of individuals? > The following elements that contribute to the high risks to data > subjects from this provision were extracted by the > > (d) What situations could require a DPIA? > Examples of processing operations that could trigger a DPIA: > • If the SME is implementing a new tool to monitor > access to office combining use of fingerprints and face facial > recognition technology; > • If the SME is a biotechnology company offering > genetic tests directly to consumers in order to assess and predict > the disease/health risks > • If the SME is providing CCTV surveillance for a > shopping centre or using a large number of cameras in their own > premises > > (e) Who and when should perform a DPIA? > Albeit the data processor and the data protection officer shall > assist the data controller (i.e., SME), the final responsibility on > for the DPIA process relies on rests with the data controller. > > (f) When is a DPIA is not required? > • When the data processing operations are included in > any list of data processing operations compiled by the DPA non > which do not requiring a DPIA > > P.33 6.3.9(g) > 4) Involve data subjects and/or their representatives, > the data protection officer and any other expert (e.g. information > security officer) and the data processor in the process, ideally in > each phase of the assessment process. 
This consultation must be > meaningful. > > P.33 6.3.9(h) > (h) When a new (revised) DPIA is required? > A new (i.e. revised version of) DPIA could be required if the risks > resulting from the processing operations are to change, for example > because a new technology is to be has been introduced, a new > processor is to be engaged under contract, or because personal data > is being to be used for a different purpose > > In that case, the review of the risk analysis made can show that the > performance of a DPIA is no longer required. > > P.34 6.3.10(b) > (b) How the security obligation is related to other provisions? > This obligation also requires the controller wishing to engage a > processor under contract to undertake due diligence and assess > whether the guarantees offered by the data processor, in this case > the cloud service provider, are sufficient. A controller must only > engage such a processor where they have faith in their ability to > comply with the obligations under GDPR. During this process, the > controller may take into account whether the processor provides > adequate documentation proving compliance with data protection > principles that could be found in privacy policies, records > management policies, information security policies, external audit > reports, certifications and similar documentation. The controller in > particular should take into account the processor’s expert knowledge > (e.g. technical expertise when dealing with data breaches and > security measures), reliability and its resources. A site visit may > also be necessary. After carrying out the due diligence process, the > controller should be able to take a decision with sufficient > evidence demonstrating that the processor is suitable, it can then > enter into a binding arrangement. It should be added that this due > diligence process is not a one-time effort. 
and it needs to be > regularly repeated in order The controller will have an ongoing > obligation to check whether the processor is compliant and meeting > their obligations either by auditing using their own staff or a > trusted third party. When outsourcing the processing of personal > data (e.g. for the provision of technical assistance or cloud > services), the controller should must conclude a contract, another > legal act or binding arrangement with the other entity already > setting out clear and precise data protection obligations and the > nature of processing in a detailed data processing agreement. > > > P.35 6.3.10(c) > An information security policy foreseeing the role of each user and > the required permission levels (access control) appropriate to the > role which minimises access to only that data necessary for that > role. This includies the system administrator accounts is as an > example of an appropriate organisational measure. > > P.35 6.3.10(d) What technical security measures can a SME take? > Technical measures must therefore include both physical and computer > or IT security. > > When considering cybersecurity, you should look at factors such as: > • system security – the security of your network and > information systems, including especially those which process > personal data; > • data security – the security of the data you hold > within your systems, e.g., ensuring appropriate access controls are > in place and that data is held securely through the use of suitable > levels of encryption; > > P.36 6.3.10(e) > Would add: > Where Special Category Data is processed (such as health data) or > personal data relating to minors, higher levels of security will be > expected to be implemented and documented. > > P.36 6.3.11 > This section should start with the definition of what is meant by a > breach and explain the difference between an incident and a breach. > It is confusing otherwise. 
> > P.37 6.3.11(b) > Consequently, this means that the controller must have an internal > procedures defined, tested and documented allowing to confirm to > appropriately identify and handle any breach of security concerning > personal data. > > In an ideal scenario, an information incident response policy should > precede be in place before processing of personal data begins so > that any the occurrence of an incident so that it could be used > should a data breach take place. > > P.37 6.3.11(d) > Would add a final paragraph. > As GDPR is maturing, different DPAs are expressing different > thresholds for the reporting of breaches. Where originally there was > a fear of over reporting, the DPC in Ireland has requested a breach > be reported when there is any risk identified to the data subject. > This allows the Commission to identify trends and to have confidence > that controllers are identifying the minor breaches and thus are > able to identify the more serious beaches should they arise. > > I hope you find this useful. > > Alan > > > From: > star-bounces@listserv.vub.ac.bemailto:star-bounces@listserv.vub.ac.be > <star-bounces@listserv.vub.ac.bemailto:star-bounces@listserv.vub.ac.be> On > Behalf Of Lina JASMONTAITE > Sent: 28 February 2020 13:09 > To: nagy.renata@naih.humailto:nagy.renata@naih.hu; 'Kulitsán > Gábor' <kulitsan.gabor@naih.humailto:kulitsan.gabor@naih.hu> > Cc: 'STAR' <star@listserv.vub.ac.bemailto:star@listserv.vub.ac.be> > Subject: Re: [star] STAR II - Update on EDPB and validation workshop? > > Dear Renata and Gabor, > > Here comes D4.1 with both parts now included. We made further minor > edits to Part A. > We believe that the pfd version can be submitted. > We look forward to your comments on Part B, which unfortunately > comes a bit later than planned. 
> > Best regards, > Lina > > From: > star-bounces@listserv.vub.ac.bemailto:star-bounces@listserv.vub.ac.be > <star-bounces@listserv.vub.ac.bemailto:star-bounces@listserv.vub.ac.be> On > Behalf Of Lina JASMONTAITE > Sent: Friday, February 28, 2020 8:45 AM > To: nagy.renata@naih.humailto:nagy.renata@naih.hu; 'Kulitsán > Gábor' <kulitsan.gabor@naih.humailto:kulitsan.gabor@naih.hu> > Cc: 'STAR' <star@listserv.vub.ac.bemailto:star@listserv.vub.ac.be> > Subject: Re: [star] STAR II - Update on EDPB and validation workshop? > > Dear Renata and Gabor, > > Thank you for your additions and edits. > The document to be submitted to the EC will reach you shortly after noon. > > Best regards, > Lina > > From: nagy.renata@naih.humailto:nagy.renata@naih.hu > <nagy.renata@naih.humailto:nagy.renata@naih.hu> > Sent: Thursday, February 27, 2020 4:31 PM > To: Lina JASMONTAITE > <Lina.Jasmontaite@vub.bemailto:Lina.Jasmontaite@vub.be>; 'Kulitsán > Gábor' <kulitsan.gabor@naih.humailto:kulitsan.gabor@naih.hu> > Cc: 'STAR' <star@listserv.vub.ac.bemailto:star@listserv.vub.ac.be> > Subject: RE: STAR II - Update on EDPB and validation workshop? > > Dear Lina! > Dear All! > > Thank you for sharing the restructured version of the guidance for > DPAs. We only added minor additions/corrections. We confirm that the > yellow parts are accurate. > > We are looking forward to the handbook (the submission deadline is > 29.02.2020) > > > Best regards, > > Renáta > > > From: Lina JASMONTAITE > <Lina.Jasmontaite@vub.bemailto:Lina.Jasmontaite@vub.be> > Sent: Thursday, February 20, 2020 10:32 AM > To: nagy.renata@naih.humailto:nagy.renata@naih.hu; 'Kulitsán > Gábor' <kulitsan.gabor@naih.humailto:kulitsan.gabor@naih.hu> > Cc: 'STAR' <star@listserv.vub.ac.bemailto:star@listserv.vub.ac.be> > Subject: RE: STAR II - Update on EDPB and validation workshop? > > Dear Renata and Gabor, > > Once again, thank you for preparing a revised version of the > guidance for DPAs. 
We reviewed it now enclose an improved version of > it. > It includes nearly all of your report (see the document you shared; > we marked in yellow parts that were used). However, the current > version is restructured, rephrased and embedded in a wider context > of DPAs’ awareness raising duties. We also extracted recommendations > from your report and developed a graph presenting these > recommendations. > There are two parts marked in yellow that need to be checked for > accuracy. Perhaps, you will want to add some other clarifications in > the text. In particular, further additions could be made to the > concluding remarks part. > As we provided contributions to the initial text, we would like to > be considered co-authors of this guidance. What do you think about > this? > > The part B – the handbook for SMEs – is on a way. > > Best regards, > Lina > > From: nagy.renata@naih.humailto:nagy.renata@naih.hu > <nagy.renata@naih.humailto:nagy.renata@naih.hu> > Sent: Tuesday, January 28, 2020 4:16 PM > To: 'Kulitsán Gábor' > <kulitsan.gabor@naih.humailto:kulitsan.gabor@naih.hu>; Leanne > Cochrane > <leanne.cochrane@trilateralresearch.commailto:leanne.cochrane@trilateralresearch.com> > Cc: David Barnard-Wills > <david.barnard-wills@trilateralresearch.commailto:david.barnard-wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.commailto:Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.commailto:Angelo.Napolano@trilateralresearch.com>; Lina JASMONTAITE <Lina.Jasmontaite@vub.bemailto:Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' > <sziklay.julia@naih.humailto:sziklay.julia@naih.hu> > Subject: RE: STAR II - Update on EDPB and validation workshop? > > Dear All! > > Please, find enclosed the updated version of the guidance. 
> > Best, > > Renáta > > From: Kulitsán Gábor <kulitsan.gabor@naih.humailto:kulitsan.gabor@naih.hu> > Sent: Tuesday, January 28, 2020 10:09 AM > To: 'Leanne Cochrane' > <leanne.cochrane@trilateralresearch.commailto:leanne.cochrane@trilateralresearch.com> > Cc: 'David Barnard-Wills' > <David.Barnard-Wills@trilateralresearch.commailto:David.Barnard-Wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.commailto:Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.commailto:Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.humailto:nagy.renata@naih.hu>; 'Lina JASMONTAITE' <Lina.Jasmontaite@vub.bemailto:Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' > <sziklay.julia@naih.humailto:sziklay.julia@naih.hu> > Subject: RE: STAR II - Update on EDPB and validation workshop? > > Hi Leanne, > > Thanks for the update on the newsletter. > > Regarding the upcoming events: > > * The plan is to present the drafts of the guidance and the > handbook at the EDPB plenary in February. However, as this is > scheduled for 18-19 February, we can only do this, if the drafts are > ready by then. Renáta will circulate the updated version of the > guidance soon. As for the other document (handbook), Lina can > provide further information. > * I have no further information on the validation workshop > planned for March-April 2020. 
> > Best, > Gábor > > > From: Leanne Cochrane [mailto:leanne.cochrane@trilateralresearch.com] > Sent: Monday, January 27, 2020 6:25 PM > To: Kulitsán Gábor <kulitsan.gabor@naih.humailto:kulitsan.gabor@naih.hu> > Cc: David Barnard-Wills > <David.Barnard-Wills@trilateralresearch.commailto:David.Barnard-Wills@trilateralresearch.com>; Corinna Pannofino <Corinna.Pannofino@trilateralresearch.commailto:Corinna.Pannofino@trilateralresearch.com>; Angelo Napolano <Angelo.Napolano@trilateralresearch.commailto:Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.humailto:nagy.renata@naih.hu>; Lina JASMONTAITE <Lina.Jasmontaite@vub.bemailto:Lina.Jasmontaite@vub.be>; Sziklay Júlia > <sziklay.julia@naih.humailto:sziklay.julia@naih.hu> > Subject: STAR II - Update on EDPB and validation workshop? > > Hi Gabor, > > I hope you are keeping well. > > Our dissemination team is preparing to send out the STAR II > newsletter we mentioned on our previous calls. It will be sent out > this Thursday with links to the approved deliverables and some > blogs. We are also including a section on upcoming events and I > wanted to check with NAIH if we had any further information on the > following two events: > > > * A presentation by NAIH to the EDPB on the STAR II project > planned for the February EDPB plenary (18th-19th) in Brussels. > * A Validation workshop for the STAR II outputs, namely a 'A > Risk Focused Handbook for SMEs' and a 'Guidance for DPAs' planned > for March-April 2020 in Brussels. > Can I just check this information is still current and there is > nothing more specific we can add at this stage? > > I would be grateful if you can cc all in the reply as I am off > tomorrow and the dissemination team are in need of the confirmation. 
> > Thanks and best wishes, > Leanne > > > > <image001.jpg>http://www.trilateralresearch.com/ > > > Leanne Cochrane > > Senior Research Analyst | Policy, Ethics and Emerging Technologies Team > > leanne.cochrane@trilateralresearch.commailto:leanne.cochrane@trilateralresearch.com > > www.trilateralresearch.comhttp://www.trilateralresearch.com > > Mobile: +44 (0) 7545 955 242 > > Skype:@ljcochrane
_______________________________________________ STAR mailing list STAR@listserv.vub.ac.be https://listserv.vub.ac.be/mailman/listinfo/star
Hi Julia, Gabor, Renata,
In addition to the prolongation, can we request to postpone the report on the statistical efficiency of the hotline too? We would need to have an in-depth conversation/discussion(s) with you at NAIH about analysing the data we do have, and adding value to what is in the reporting on the hotline. If you have no capacity for STAR II at the moment, then I don't see us as being able to deliver that this month.
Best wishes,
DBW
-----Original Message-----
From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of sziklay.julia@naih.hu
Sent: 17 March 2020 12:37
To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: Re: [star] feedback on STAR II 4.1
Dear All,
then all of us agree on requesting a 6 month prolongation. I kindly ask Gabor and Renata to proceed according to it.
Kind regards,
Julia

Quote (Lina JASMONTAITE <Lina.Jasmontaite@vub.be>):
Dear Gabor,
Thank you for sharing the reply from the PO. That's great news. I suggest that we accept the offer of 6 months as the situation remains uncertain and in case we don't need all of this time, we can finalise the project earlier.
Best regards,
Lina
-----Original Message-----
From: David Wright <David.wright@trilateralresearch.com>
Sent: Tuesday, March 17, 2020 11:30 AM
To: kulitsan.gabor@naih.hu; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: Re: [star] feedback on STAR II 4.1
This seems a very good solution.
On 17/03/2020, 10:21, "star-bounces@listserv.vub.ac.be on behalf of kulitsan.gabor@naih.hu" <star-bounces@listserv.vub.ac.be on behalf of kulitsan.gabor@naih.hu> wrote:
Dear All,

Response of the PO (see research portal - process communications)

"Dear coordinator,
Thank you for contacting us. In relation to your request, we are aware of the heavy circumstances our projects are facing due to current Coronavirus pandemic. Therefore, we are offering our projects to apply for project prolongation eg up until for 6 months (depending on justifications provided) and postponement of activities. There is also, in principle, the option of total suspension but, given that the suspension procedure is much heavier, we do recommend our projects to apply for prolongation instead. Please let me know which way would you like to proceed - amendment for prolongation, or still total suspension?
Kind regards,
Angeelika"

If we accept the PO's recommendation and apply for project prolongation and postponement of activities, we still have to agree on the period of time. If we take this solution I think we should ask for at least 3 months since we have to organize two international workshops, and travelling in Europe is currently quite problematic and it's rather uncertain when the situation will change.

Best,
Gábor

Quote (Lina JASMONTAITE <Lina.Jasmontaite@vub.be>):

> Dear Julia and David,
>
> Thank you for your replies. Indeed, the end result of the extension of the timeline or a temporary suspension would be rather similar – the project would run longer.
> After consulting internally our finance and legal departments, however, we are of opinion that less restrictive measures (i.e., extension of the timeline) would be more appropriate. This is also message that we sent to PO.
>
> Best regards,
> Lina
>
> From: Sziklay Júlia <sziklay.julia@naih.hu>
> Sent: Monday, March 16, 2020 3:26 PM
> To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; Leanne Cochrane <leanne.cochrane@trilateralresearch.com>
> Cc: 'STAR' <star@listserv.vub.ac.be>
> Subject: RE: [star] feedback on STAR II 4.1
>
> Dear Colleagues,
> I think both proposals can be reasonable but nevertheless with quite the same effect: we will be stuck in the project till the end of a prolonged deadline (presumably till autumn 2020 instead of July). I am sure the Commission is working on the issue (the world epidemic situation affects all the ongoing projects in general) so we shall keep our dialogue going on.
> Julia
>
> From: star-bounces@listserv.vub.ac.be [mailto:star-bounces@listserv.vub.ac.be] On Behalf Of Lina JASMONTAITE
> Sent: Monday, March 16, 2020 1:38 PM
> To: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; Leanne Cochrane <leanne.cochrane@trilateralresearch.com>
> Cc: STAR <star@listserv.vub.ac.be>
> Subject: Re: [star] feedback on STAR II 4.1
>
> Dear David and Leanne,
>
> Could you please let us know your position on this situation?
> Best regards,
> Lina
>
> On 16 Mar 2020, at 11:39, Lina JASMONTAITE <Lina.Jasmontaite@vub.be> wrote:
>
> Dear Gabor,
>
> I understand your point of view but I believe that all three partners should have agreed to the suspension before sending a request to the PO. Following my supervisor’s advice, VUB couldn’t accept this proposal.
> I am ok to discuss alternative solutions with the PO.
> I will keep you and TRI team posted via the mailing list.
>
> Best regards and stay safe,
> Lina
>
> From: Kulitsán Gábor <kulitsan.gabor@naih.hu>
> Sent: Monday, March 16, 2020 11:14 AM
> To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>
> Cc: 'STAR' <star@listserv.vub.ac.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu
> Subject: RE: feedback on STAR II 4.1
>
> Dear Lina,
>
> And how should I ask any extension if I don’t know any exact dates or anything for sure? I think the suspension is better, indicating that the project would resume where it left off once the situation returns to normal or at least to less serious. I already sent the message to the PO, but If you have any other idea, feel free to share with her via the portal adding the turn “on behalf of the coordinator”. I’m really sorry, but now I have neither time nor energy to act as a contact person. If you want, you can have the call as well, but I probably won’t to be available. And no offense, but to be honest, currently the project is of least interest to me.
>
> Best,
> Gábor
>
> From: Lina JASMONTAITE [mailto:Lina.Jasmontaite@vub.be]
> Sent: Monday, March 16, 2020 10:58 AM
> To: Kulitsán Gábor <kulitsan.gabor@naih.hu>
> Cc: 'STAR' <star@listserv.vub.ac.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu
> Subject: RE: feedback on STAR II 4.1
>
> Dear Gabor,
>
> Thanks for your email. I am not sure what would a suspension mean in terms of financial implications for VUB, so at this point I think we should request for an extension in these unforeseen circumstances rather than a suspension.
>
> While the situation is full of uncertainty and many of us need to adapt to it, we can still proceed further and work on deliverables for the project, apart from the workshop. We need to discuss a scenario with the PO what to do if the situation does not improve in upcoming weeks. If that is the case, perhaps, we should ask for the adjustment in the DOW and instead of a workshop to obtain feedback we could propose having an online consultation. This would of course affect our funding.
>
> I think we should still have a call if not this week, then a week after.
>
> Best regards,
> Lina
>
> From: Kulitsán Gábor <kulitsan.gabor@naih.hu>
> Sent: Monday, March 16, 2020 10:39 AM
> To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu
> Cc: 'STAR' <star@listserv.vub.ac.be>
> Subject: RE: feedback on STAR II 4.1
> Importance: High
>
> Dear Lina & All
>
> Due to the current situation I will ask the PO to temporarily suspend the project including all deadlines by reason of unforeseeable circumstances of force majeure. I’ll keep you updated.
>
> Secondly, I can’t make tomorrow’s call, but I don’t think that’s the most important thing now anyway.
>
> Best wishes, stay safe and take care of yourselves!
>
> Gábor
>
> From: Lina JASMONTAITE [mailto:Lina.Jasmontaite@vub.be]
> Sent: Friday, March 13, 2020 10:54 AM
> To: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
> Cc: 'STAR' <star@listserv.vub.ac.be>; nagy.renata@naih.hu
> Subject: RE: feedback on STAR II 4.1
>
> @David Barnard-Wills many thanks for sharing the extensive feedback. It’s much appreciated and we’ll implement it as soon as possible.
>
> @'Kulitsán Gábor' at the university we were receiving daily updates on the situation concerning the virus. For now all external events are cancelled until the end of April. In view of this, we can suggest to reschedule the event for the later date (probably to mid or late June) in a hope that by then the situation improves and we can host the event.
> This would consequently require more time to finalise the handbook for the final event, and then July wouldn’t be a realistic date. My understanding is that we cannot ask for the extension of the project to the end of October/November because it is funded by the grant action. Could we however ask the PO for the cost of the final workshop, as well as travelling, to be eligible for a later date that would go beyond the lifetime of the project?
> Perhaps, before proceeding with the official communication, it would be possible to get in touch with the PO via a phone call, so we are aware of the position taken by the EC considering the current situation?
>
> Having a call on Tuesday works well for our team.
>
> Best regards,
> Lina
>
> From: David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com>
> Sent: Tuesday, March 10, 2020 4:22 PM
> To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
> Cc: 'STAR' <star@listserv.vub.ac.be>
> Subject: feedback on STAR II 4.1
>
> Dear all,
>
> First, I sincerely apologise for not getting this feedback to you earlier. I assume that D4.1 was submitted? On the positive side, this feedback can presumably be included in the final version of these deliverables.
>
> We got Alan Moore, one of our DPO team, with good practical expertise with various commercial clients, to review the guidance document (you met him at the Brussels workshop). His feedback is below.
>
> Best wishes,
>
> DBW
>
> I have gone through the document and have a few suggestions:
>
> P7 Section 3.2 It can be suggested that to compensate for being awarded with limited enforcement powers…..
>
> I would hold they have significant powers beyond the ability to fine.
> Their powers to instruct controllers / processors to cease processing data, among others, can ultimately shut down a business without a fine being levied. To ignore these instructions can land a director in jail for up to 5 years!
>
> P8. DPAs The focus on standardisation and EDPB. Art 60 was an afterthought and the general view is that it cannot operate within the prescribed timelines. The ECJ will be the ultimate arbiter for standardisation of approaches / laws / requirements but each National Authority must be free to interpret facts presented in its own way. Their independence is anchored in the EU treaties. A complication that will eventually need to be addressed.
>
> P8. 3.3 Should be aware that translation into romance languages can carry a different commutation than was intended by the Directive and DPAs have a key role to explain the true intent / meaning.
>
> P9. 3.4 Typo in second paragraph.
> It also could be considered e the most
>
> P10. It appeared that most DPAs do not use internal guidance to direct….
> What has been the result of this? A key concern in the Irish DPC has been delivering a consistent message and not providing a different answer to the same or similar callers on different occasions.
>
> P11. 4 Unclear use of language - first paragraph
> This initiative allowed to be confirmed that
> It allowed to be obtained
>
> P11.4. Would stress the importance of standardisation of response
> & P12 4 Add ‘c’? Implement a control process to ensure standardisation of responses to similar questions / scenarios
>
> P13. 4.2 Might mention the concern that callers may have that showing their hand may trigger an investigation. Callers need to be reassured and encouraged to participate. Approaches do differ between different DPAs.
>
> P13. 4.2.1
> It was decided to create a dedicated part
> Following up on from this decision
>
> P15.
> 4.2.3
> I would stress the value of face to face more, as context can be complicated and the caller is subject to information and power asymmetry.
>
> P16 4.5 last paragraph
> We are included inclined to
>
> P21 6.2 last paragraph
> DPAs across the EU have reported to engage that they have engaged in
>
> P22 6.3 4.5 last paragraph
> Slovic suggests that the following elements play a role when evaluating risk:
>
> 1. The degree to which an individual feels in control
> 2. The nature of consequences and the distribution of the impact
>
> P23 6.3 2nd paragraph
> Which is perceived ‘as the coordinated activities to direct and control an organisation with regard to risk’ 47 This is most practically evidenced by the development and maintaining of a formal risk register.
>
> (This risk section is very cerebral I fear and won’t help with the ‘how’)
>
> P23 6.3.1
> Typically, the risk based approach formula approach in the GDPR includes the following elements to be taken into account:
>
> * The state of the art in terms of technology for of the means of processing (state of the art needs to be explained – does not mean the best there is but rather the minimum expectable / expected)
>
> P24 6.3.2
> I would add a sentence or two on the benefits of undertaking a voluntary DPIA, which include:
>
> * Documented understanding of how the system works
> * Known points of integration with other systems
> * Assigning accountability
> * Ensuring organisational standards (security / access etc) are being complied with
> * Demonstrated commitment to GDPR
> * General peace of mind / greater organisational resilience
>
> P24 6.3.5
> I would add a piece on keeping a formal risk register of risks to data subjects, separate from any organisation risk register of risks to the organisation, in which all risks are assigned an owner and a review date.
>
> P25 6.3.5 (b) What do SMEs need to do to be accountable?
>
> Second paragraph
> …that the principle of accountability as an elements of good
>
> P.26 first line
> … that the demonstration of compliance
>
> P.26 6.3.6 (b)
>
> * Implement data protection principles (see Article 5) and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects (see Chapter III) in an effective manner;
> * This should be done at the time of the determination of the means for processing and implemented before the time of the processing itself.
> (not that clear in the text.)
>
> P.27 6.3.6 (c)
> It should be noted that some DPAs, while not defining any technical or organisational measures, will nonetheless express an expectation, such as the Irish DPC in terms of the use of encryption whenever possible where personal data is at rest or in transit.
>
> P.28 6.3.7 (b) 2nd paragraph
> It is assumed that organisations will, however, benefit more from maintaining their documentation electronically as such documentation can they can easily added to, have entries removed when obsolete, and amend entries it as necessary. However paper documentation is regarded as being appropriate for SMEs and micro enterprises. It should be added that SMEs (entities having less than 250 employees) are technically exempt from this obligation if provided they are undertaking:
> • processing that is not likely to result in a risk to the rights and freedoms of data subjects;
> • processing that is not occasional (meaning that it is not regularly / frequently undertaken); or
> • processing that does not include special categories of data or personal data relating to criminal convictions and offences.
>
> In reality, very few SMEs can avail of this exemption unless they process very little data. Most SMEs will usually have some special category data as part of their HR files.
>
> They can be are available on the websites….
>
> P.29 6.3.8 (a) 2
> Large scale is not defined by the legislation, though different DPAs have given some guidance relevant to different activities.
>
> For SMEs who provide services into other organisations, the voluntary appointment of an internal or outsourced DPO can provide commercial and strategic advantage by communicating a commitment to data protection and promoting higher levels of trust.
>
> P.29 6.3.8 (b)
>
> A DPO may either be an employee of the SME or an external expert, but in both cases it is fundamental that he or she is independent, in the sense that:
> • the DPO shall be provided of with all the necessary resources to carry on his/her tasks, in terms of money, time, workforce, time to devote to professional development etc.;
> • the DPO shall not receive instructions for the exercise of his/her tasks;
> • the DPO shall not be dismissed or penalized for the performance of his/her tasks;
> • the DPO shall report to the highest level of management; and
> • the DPO should not be in have any conflict of interest in respect to other tasks and duties (e.g. determining objects and purposes of the processing, representing the SME in legal proceedings).
>
> P.30 6.3.8 (c)
> (Two-column table in the document: "Tasks of DPOs" / "DPOs cannot"; rows given here as pairs)
> Tasks of DPOs: Inform and advise the SME on the obligations arising from the GDPR and the national data protection provisions
> DPOs cannot: Be held accountable for the information and advice given to the SME (I do not agree with this. They are not accountable for whether their advice is implemented or not, but they can be held accountable for being negligent)
> Tasks of DPOs: Monitor the compliance of the SME with the GDPR, the national data protection provisions and (eventual) its internal data policies
> DPOs cannot: Be considered personally responsible for non-compliance with data protection requirements
> Tasks of DPOs: Carry on awareness raising activities and training for the staff of the SME dealing with data processing
> DPOs cannot: Perform the DPIA. Not true. There is no reason why a DPO cannot take the lead in undertaking a DPIA, especially where the skills do not exist elsewhere in the organization, but the responsibility to ensure one is done remains with the Controller.
> Tasks of DPOs: Provide advice to the SME and monitor the performance in relation to the DPIA (when a DPIA is required)
> DPOs cannot: Represent the SME in front of the DPA or in a court in case of proceedings. Not quite so. The DPO remains the first point of contact for data subjects and the DPAs and may be called to account for advice / provide an explanation as to how data was processed based on their monitoring of processing activities.
> Tasks of DPOs: Act as contact point for the supervisory authority in case of prior consultation
> DPOs cannot: Be considered responsible for the maintenance of the register. True, but they are responsible for providing oversight as to whether it is maintained.
> Tasks of DPOs: Cooperate with the supervisory authority
> DPOs cannot: Simultaneously hold another position in the organization that helps define the means and purposes of processing of any personal data.
> Tasks of DPOs: Be contacted by data subjects willing wishing to exercise their rights
> DPOs cannot: Create and maintain the register of processing (in the exceptional situations where SMEs are required to have it one). Not true, under Art 30 it is the responsibility of the Controller.
>
> P.31 6.3.9(a) Data Protection Impact Assessment
> (a) Background
> The DPIA is a new addition to the EU data protection framework. It builds on the rich experience of conducting impact assessments in other fields, in particular on environmental impact assessments. To be effective, impact assessments are carried out at the early stage of a project (proactive initiative), at the phase of planning or designing, and are aimed to identify and help mitigate anticipate the any potential beneficial and adverse (i.e. negative) impacts arising from the intended processing of personal data of such within the project.
> Impact assessments are risk based exercises that help decision-makers find the best and most beneficial solutions for the development and deployment of initiatives while protecting the rights and freedoms of data subjects. To be practical, impact assessments must be scalable, flexible and applicable inter alia for large organisations, consortia or for small and medium-sized enterprises. Any risks identified will be entered into the Data Protection Risk Register.
>
> P.32 6.3.9(c)
> (c) What are the elements and characteristics of the processing that may generate the high risks to rights and freedoms of individuals?
> The following elements that contribute to the high risks to data subjects from this provision were extracted by the
>
> (d) What situations could require a DPIA?
> Examples of processing operations that could trigger a DPIA:
> • If the SME is implementing a new tool to monitor access to office combining use of fingerprints and face facial recognition technology;
> • If the SME is a biotechnology company offering genetic tests directly to consumers in order to assess and predict the disease/health risks
> • If the SME is providing CCTV surveillance for a shopping centre or using a large number of cameras in their own premises
>
> (e) Who and when should perform a DPIA?
> Albeit the data processor and the data protection officer shall assist the data controller (i.e., SME), the final responsibility on for the DPIA process relies on rests with the data controller.
>
> (f) When is a DPIA is not required?
> • When the data processing operations are included in any list of data processing operations compiled by the DPA non which do not requiring a DPIA
>
> P.33 6.3.9(g)
> 4) Involve data subjects and/or their representatives, the data protection officer and any other expert (e.g. information security officer) and the data processor in the process, ideally in each phase of the assessment process.
> This consultation must be meaningful.
>
> P.33 6.3.9(h)
> (h) When is a new (revised) DPIA required?
> A new (i.e. revised version of) DPIA could be required if the risks resulting from the processing operations are to change, for example because a new technology is to be has been introduced, a new processor is to be engaged under contract, or because personal data is being to be used for a different purpose.
>
> In that case, the review of the risk analysis made can show that the performance of a DPIA is no longer required.
>
> P.34 6.3.10(b)
> (b) How is the security obligation related to other provisions?
> This obligation also requires the controller wishing to engage a processor under contract to undertake due diligence and assess whether the guarantees offered by the data processor, in this case the cloud service provider, are sufficient. A controller must only engage such a processor where they have faith in their ability to comply with the obligations under GDPR. During this process, the controller may take into account whether the processor provides adequate documentation proving compliance with data protection principles that could be found in privacy policies, records management policies, information security policies, external audit reports, certifications and similar documentation. The controller in particular should take into account the processor’s expert knowledge (e.g. technical expertise when dealing with data breaches and security measures), reliability and its resources. A site visit may also be necessary. After carrying out the due diligence process, the controller should be able to take a decision with sufficient evidence demonstrating that the processor is suitable; it can then enter into a binding arrangement. It should be added that this due diligence process is not a one-time effort.
> and it needs to be regularly repeated in order The controller will have an ongoing obligation to check whether the processor is compliant and meeting their obligations, either by auditing using their own staff or a trusted third party. When outsourcing the processing of personal data (e.g. for the provision of technical assistance or cloud services), the controller should must conclude a contract, another legal act or binding arrangement with the other entity, already setting out clear and precise data protection obligations and the nature of processing in a detailed data processing agreement.
>
> P.35 6.3.10(c)
> An information security policy foreseeing the role of each user and the required permission levels (access control) appropriate to the role, which minimises access to only that data necessary for that role. This includes the system administrator accounts is as an example of an appropriate organisational measure.
>
> P.35 6.3.10(d) What technical security measures can an SME take?
> Technical measures must therefore include both physical and computer or IT security.
>
> When considering cybersecurity, you should look at factors such as:
> • system security – the security of your network and information systems, including especially those which process personal data;
> • data security – the security of the data you hold within your systems, e.g., ensuring appropriate access controls are in place and that data is held securely through the use of suitable levels of encryption;
>
> P.36 6.3.10(e)
> Would add:
> Where Special Category Data is processed (such as health data) or personal data relating to minors, higher levels of security will be expected to be implemented and documented.
>
> P.36 6.3.11
> This section should start with the definition of what is meant by a breach and explain the difference between an incident and a breach. It is confusing otherwise.
>
> P.37 6.3.11(b)
> Consequently, this means that the controller must have an internal procedures defined, tested and documented allowing to confirm to appropriately identify and handle any breach of security concerning personal data.
>
> In an ideal scenario, an information incident response policy should precede be in place before processing of personal data begins so that any the occurrence of an incident so that it could be used should a data breach take place.
>
> P.37 6.3.11(d)
> Would add a final paragraph.
> As GDPR is maturing, different DPAs are expressing different thresholds for the reporting of breaches. Where originally there was a fear of over reporting, the DPC in Ireland has requested a breach be reported when there is any risk identified to the data subject. This allows the Commission to identify trends and to have confidence that controllers are identifying the minor breaches and thus are able to identify the more serious breaches should they arise.
>
> I hope you find this useful.
>
> Alan
>
> From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE
> Sent: 28 February 2020 13:09
> To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
> Cc: 'STAR' <star@listserv.vub.ac.be>
> Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
>
> Dear Renata and Gabor,
>
> Here comes D4.1 with both parts now included. We made further minor edits to Part A.
> We believe that the pdf version can be submitted.
> We look forward to your comments on Part B, which unfortunately comes a bit later than planned.
>
> Best regards,
> Lina
>
> From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE
> Sent: Friday, February 28, 2020 8:45 AM
> To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
> Cc: 'STAR' <star@listserv.vub.ac.be>
> Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
>
> Dear Renata and Gabor,
>
> Thank you for your additions and edits.
> The document to be submitted to the EC will reach you shortly after noon.
>
> Best regards,
> Lina
>
> From: nagy.renata@naih.hu <nagy.renata@naih.hu>
> Sent: Thursday, February 27, 2020 4:31 PM
> To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
> Cc: 'STAR' <star@listserv.vub.ac.be>
> Subject: RE: STAR II - Update on EDPB and validation workshop?
>
> Dear Lina!
> Dear All!
>
> Thank you for sharing the restructured version of the guidance for DPAs. We only added minor additions/corrections. We confirm that the yellow parts are accurate.
>
> We are looking forward to the handbook (the submission deadline is 29.02.2020)
>
> Best regards,
>
> Renáta
>
> From: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>
> Sent: Thursday, February 20, 2020 10:32 AM
> To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
> Cc: 'STAR' <star@listserv.vub.ac.be>
> Subject: RE: STAR II - Update on EDPB and validation workshop?
>
> Dear Renata and Gabor,
>
> Once again, thank you for preparing a revised version of the guidance for DPAs.
> We reviewed it and now enclose an improved version of it.
> It includes nearly all of your report (see the document you shared; we marked in yellow the parts that were used). However, the current version is restructured, rephrased and embedded in a wider context of DPAs’ awareness raising duties. We also extracted recommendations from your report and developed a graph presenting these recommendations.
> There are two parts marked in yellow that need to be checked for accuracy. Perhaps you will want to add some other clarifications in the text. In particular, further additions could be made to the concluding remarks part.
> As we provided contributions to the initial text, we would like to be considered co-authors of this guidance. What do you think about this?
>
> Part B – the handbook for SMEs – is on its way.
>
> Best regards,
> Lina
>
> From: nagy.renata@naih.hu <nagy.renata@naih.hu>
> Sent: Tuesday, January 28, 2020 4:16 PM
> To: 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>; Leanne Cochrane <leanne.cochrane@trilateralresearch.com>
> Cc: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.com>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' <sziklay.julia@naih.hu>
> Subject: RE: STAR II - Update on EDPB and validation workshop?
>
> Dear All!
>
> Please find enclosed the updated version of the guidance.
>
> Best,
>
> Renáta
>
> From: Kulitsán Gábor <kulitsan.gabor@naih.hu>
> Sent: Tuesday, January 28, 2020 10:09 AM
> To: 'Leanne Cochrane' <leanne.cochrane@trilateralresearch.com>
> Cc: 'David Barnard-Wills' <David.Barnard-Wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.hu>; 'Lina JASMONTAITE' <Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' <sziklay.julia@naih.hu>
> Subject: RE: STAR II - Update on EDPB and validation workshop?
>
> Hi Leanne,
>
> Thanks for the update on the newsletter.
>
> Regarding the upcoming events:
>
> * The plan is to present the drafts of the guidance and the handbook at the EDPB plenary in February. However, as this is scheduled for 18-19 February, we can only do this if the drafts are ready by then. Renáta will circulate the updated version of the guidance soon. As for the other document (handbook), Lina can provide further information.
> * I have no further information on the validation workshop planned for March-April 2020.
>
> Best,
> Gábor
>
> From: Leanne Cochrane [mailto:leanne.cochrane@trilateralresearch.com]
> Sent: Monday, January 27, 2020 6:25 PM
> To: Kulitsán Gábor <kulitsan.gabor@naih.hu>
> Cc: David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com>; Corinna Pannofino <Corinna.Pannofino@trilateralresearch.com>; Angelo Napolano <Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.hu>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; Sziklay Júlia <sziklay.julia@naih.hu>
> Subject: STAR II - Update on EDPB and validation workshop?
>
> Hi Gabor,
>
> I hope you are keeping well.
>
> Our dissemination team is preparing to send out the STAR II newsletter we mentioned on our previous calls. It will be sent out this Thursday with links to the approved deliverables and some blogs. We are also including a section on upcoming events and I wanted to check with NAIH if we had any further information on the following two events:
>
> * A presentation by NAIH to the EDPB on the STAR II project planned for the February EDPB plenary (18th-19th) in Brussels.
> * A validation workshop for the STAR II outputs, namely 'A Risk Focused Handbook for SMEs' and a 'Guidance for DPAs', planned for March-April 2020 in Brussels.
>
> Can I just check this information is still current and there is nothing more specific we can add at this stage?
>
> I would be grateful if you can cc all in the reply as I am off tomorrow and the dissemination team are in need of the confirmation.
>
> Thanks and best wishes,
> Leanne
>
> Leanne Cochrane
> Senior Research Analyst | Policy, Ethics and Emerging Technologies Team
> leanne.cochrane@trilateralresearch.com
> www.trilateralresearch.com
> Mobile: +44 (0) 7545 955 242
> Skype: @ljcochrane
_______________________________________________ STAR mailing list STAR@listserv.vub.ac.be https://listserv.vub.ac.be/mailman/listinfo/star
Hi David,
Of course, I informed the PO that we would like apply for project prolongation, including postponement of all activities and submission of deliverables, for 6 months. Let's see what she answers.
Best, Gábor
Quoting (David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com>):
Hi Julia, Gabor, Renata,
In addition to the prolongation, can we request to postpone the report on the statistical efficiency of the hotline too? We would need to have an in-depth conversation/discussion(s) with you at NAIH about analysing the data we do have, and adding value to what is in the reporting on the hotline. If you have no capacity for STAR II at the moment, then I don't see us as being able to deliver that this month.
Best wishes,
DBW
-----Original Message-----
From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of sziklay.julia@naih.hu
Sent: 17 March 2020 12:37
To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: Re: [star] feedback on STAR II 4.1
Dear All,
Then all of us agree on requesting a 6 month prolongation. I kindly ask Gabor and Renata to proceed according to it.
Kind regards,
Julia

Quoting (Lina JASMONTAITE <Lina.Jasmontaite@vub.be>):
Dear Gabor,
Thank you for sharing the reply from the PO. That's great news. I suggest that we accept the offer of 6 months as the situation remains uncertain and in case we don't need all of this time, we can finalise the project earlier.
Best regards, Lina
-----Original Message-----
From: David Wright <David.wright@trilateralresearch.com>
Sent: Tuesday, March 17, 2020 11:30 AM
To: kulitsan.gabor@naih.hu; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: Re: [star] feedback on STAR II 4.1
This seems a very good solution.
On 17/03/2020, 10:21, "star-bounces@listserv.vub.ac.be on behalf of kulitsan.gabor@naih.hu" wrote:
Dear All,

Response of the PO (see research portal - process communications):

"Dear coordinator, Thank you for contacting us. In relation to your request, we are aware of the heavy circumstances our projects are facing due to current Coronavirus pandemic. Therefore, we are offering our projects to apply for project prolongation eg up until for 6 months (depending on justifications provided) and postponement of activities. There is also, in principle, the option of total suspension but, given that the suspension procedure is much heavier, we do recommend our projects to apply for prolongation instead. Please let me know which way would you like to proceed - amendment for prolongation, or still total suspension? Kind regards, Angeelika"

If we accept the PO's recommendation and apply for project prolongation and postponement of activities, we still have to agree on the period of time. If we take this solution I think we should ask for at least 3 months, since we have to organize two international workshops, and travelling in Europe is currently quite problematic and it's rather uncertain when the situation will change.

Best,
Gábor

Quoting (Lina JASMONTAITE <Lina.Jasmontaite@vub.be>):
> Dear Julia and David,
>
> Thank you for your replies. Indeed, the end result of the extension of the timeline or a temporary suspension would be rather similar – the project would run longer.
> After consulting internally our finance and legal departments, however, we are of the opinion that less restrictive measures (i.e., extension of the timeline) would be more appropriate. This is also the message that we sent to the PO.
>
> Best regards,
> Lina
>
> From: Sziklay Júlia <sziklay.julia@naih.hu>
> Sent: Monday, March 16, 2020 3:26 PM
> To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; Leanne Cochrane <leanne.cochrane@trilateralresearch.com>
> Cc: 'STAR' <star@listserv.vub.ac.be>
> Subject: RE: [star] feedback on STAR II 4.1
>
> Dear Colleagues,
> I think both proposals can be reasonable but nevertheless with quite the same effect: we will be stuck in the project till the end of a prolonged deadline (presumably till autumn 2020 instead of July). I am sure the Commission is working on the issue (the world epidemic situation affects all the ongoing projects in general) so we shall keep our dialogue going on.
> Julia
>
> From:
> star-bounces@listserv.vub.ac.be [mailto:star-bounces@listserv.vub.ac.be] On Behalf Of Lina JASMONTAITE
> Sent: Monday, March 16, 2020 1:38 PM
> To: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; Leanne Cochrane <leanne.cochrane@trilateralresearch.com>
> Cc: STAR <star@listserv.vub.ac.be>
> Subject: Re: [star] feedback on STAR II 4.1
>
> Dear David and Leanne,
>
> Could you please let us know your position on this situation?
> Best regards,
> Lina
>
> On 16 Mar 2020, at 11:39, Lina JASMONTAITE <Lina.Jasmontaite@vub.be> wrote:
>
> Dear Gabor,
>
> I understand your point of view but I believe that all three partners should have agreed to the suspension before sending a request to the PO. Following my supervisor’s advice, VUB couldn’t accept this proposal.
> I am ok to discuss alternative solutions with the PO.
> I will keep you and the TRI team posted via the mailing list.
>
> Best regards and stay safe,
> Lina
>
> From: Kulitsán Gábor <kulitsan.gabor@naih.hu>
> Sent: Monday, March 16, 2020 11:14 AM
> To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>
> Cc: 'STAR' <star@listserv.vub.ac.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu
> Subject: RE: feedback on STAR II 4.1
>
> Dear Lina,
>
> And how should I ask for any extension if I don’t know any exact dates or anything for sure? I think the suspension is better, indicating that the project would resume where it left off once the situation returns to normal or at least to less serious.
> I already sent the message to the PO, but if you have any other idea, feel free to share with her via the portal adding the turn “on behalf of the coordinator”. I’m really sorry, but now I have neither time nor energy to act as a contact person. If you want, you can have the call as well, but I probably won’t be available. And no offense, but to be honest, currently the project is of least interest to me.
>
> Best,
> Gábor
>
>
> From: Lina JASMONTAITE [mailto:Lina.Jasmontaite@vub.be]
> Sent: Monday, March 16, 2020 10:58 AM
> To: Kulitsán Gábor <kulitsan.gabor@naih.hu>
> Cc: 'STAR' <star@listserv.vub.ac.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu
> Subject: RE: feedback on STAR II 4.1
>
> Dear Gabor,
>
> Thanks for your email. I am not sure what a suspension would mean in terms of financial implications for VUB, so at this point I think we should request an extension in these unforeseen circumstances rather than a suspension.
>
> While the situation is full of uncertainty and many of us need to adapt to it, we can still proceed further and work on deliverables for the project, apart from the workshop. We need to discuss a scenario with the PO what to do if the situation does not improve in upcoming weeks. If that is the case, perhaps, we should ask for the adjustment in the DOW and instead of a workshop to obtain feedback we could propose having an online consultation. This would of course affect our funding.
>
> I think we should still have a call if not this week, then a week after.
>
> Best regards,
> Lina
>
> From: Kulitsán Gábor <kulitsan.gabor@naih.hu>
> Sent: Monday, March 16, 2020 10:39 AM
> To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu
> Cc: 'STAR' <star@listserv.vub.ac.be>
> Subject: RE: feedback on STAR II 4.1
> Importance: High
>
> Dear Lina & All
>
> Due to the current situation I will ask the PO to temporarily suspend the project including all deadlines by reason of unforeseeable circumstances of force majeure. I’ll keep you updated.
>
> Secondly, I can’t make tomorrow’s call, but I don’t think that’s the most important thing now anyway.
>
> Best wishes, stay safe and take care of yourselves!
>
> Gábor
>
>
> From: Lina JASMONTAITE [mailto:Lina.Jasmontaite@vub.be]
> Sent: Friday, March 13, 2020 10:54 AM
> To: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
> Cc: 'STAR' <star@listserv.vub.ac.be>; nagy.renata@naih.hu
> Subject: RE: feedback on STAR II 4.1
>
>
> @David Barnard-Wills many thanks for sharing the extensive feedback. It’s much appreciated and we’ll implement it as soon as possible.
>
> @'Kulitsán Gábor' at the university we were receiving daily updates on the situation concerning the virus. For now all external events are cancelled until the end of April. In view of this, we can suggest to reschedule the event for a later date (probably to mid or late June) in the hope that by then the situation improves and we can host the event.
> This would consequently require more time to finalise the handbook for the final event and then July wouldn’t be a realistic date. My understanding is that we cannot ask for the extension of the project to the end of October/November because it is funded by the grant action. Could we ask however the PO for the cost of the final workshop as well as travelling to be eligible for the later date that would go beyond the lifetime of the project?
> Perhaps, before proceeding with the official communication, it would be possible to get in touch with the PO via a phone call, so we are aware of the position taken by the EC considering the current situation?
>
> Having a call on Tuesday works well for our team.
>
>
> Best regards,
> Lina
>
>
> From: David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com>
> Sent: Tuesday, March 10, 2020 4:22 PM
> To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
> Cc: 'STAR' <star@listserv.vub.ac.be>
> Subject: feedback on STAR II 4.1
>
> Dear all,
>
> First, I sincerely apologise for not getting this feedback to you earlier. I assume that D4.1 was submitted?
> On the positive side, this feedback can presumably be included in the final version of these deliverables.
>
> We got Alan Moore, one of our DPO team, with good practical expertise with various commercial clients to review the guidance document (You met him at the Brussels workshop). His feedback is below.
>
> Best wishes,
>
> DBW
>
> I have gone through the document and have a few suggestions:
>
> P7 Section 3.2 It can be suggested that to compensate for being awarded with limited enforcement powers…..
>
> I would hold they have significant powers beyond the ability to fine.
> Their powers to instruct controllers / processors to cease processing data, among others, can ultimately shut down a business without a fine being levied. To ignore these instructions can land a director in jail for up to 5 years!
>
> P8. DPAs The focus on standardisation and EDPB. Art 60 was an afterthought and the general view is that it cannot operate within the prescribed timelines. The ECJ will be the ultimate arbiter for standardisation of approaches / laws / requirements but each National Authority must be free to interpret facts presented in its own way. Their independence is anchored in the EU treaties. A complication that will eventually need to be addressed.
>
> P8. 3.3 Should be aware that translation into romance languages can carry a different connotation than was intended by the Directive and DPAs have a key role to explain the true intent / meaning.
>
> P9. 3.4 Typo in second paragraph.
> It also could be considered e the most
>
> P10. It appeared that most DPAs do not use internal guidance to direct….
> What has been the result of this? A key concern in the Irish DPC has been delivering a consistent message and not providing a different answer to the same or similar callers on different occasions.
>
> P11. 4 Unclear use of language - first paragraph
> This initiative allowed to be confirmed that
> It allowed to be obtained
>
> P11.4. Would stress the importance of standardisation of response
> & P12 4 Add ‘c’? Implement a control process to ensure standardisation of responses to similar questions / scenarios
>
> P13. 4.2 Might mention the concern that callers may have that showing their hand may trigger an investigation. Callers need to be reassured and encouraged to participate. Approaches do differ between different DPAs.
>
> P13. 4.2.1
> It was decided to create a dedicated part
> Following up on from this decision
>
> P15.
> 4.2.3
> I would stress the value of face to face more as context can be complicated and the caller is subject to information and power asymmetry.
>
> P16 4.5 last paragraph
> We are included inclined to
>
> P21 6.2 last paragraph
> DPAs across the EU have reported to engage that they have engaged in
>
> P22 6.3 4.5 last paragraph
> Slovic suggests that the following elements play a role when evaluating risk:
>
> 1. The degree to which an individual feels in control
> 2. The nature of consequences and the distribution of the impact
>
> P23 6.3 2nd paragraph
> Which is perceived ‘as the coordinated activities to direct and control an organisation with regard to risk’ 47 This is most practically evidenced by the development and maintaining of a formal risk register.
>
> (This risk section is very cerebral I fear and won’t help with the ‘how’)
>
> P23 6.3.1
> Typically, the risk based approach formula approach in the GDPR includes the following elements to be taken into account:
>
> * The state of the art in terms of technology for of the means of processing (state of the art needs to be explained – does not mean the best there is but rather the minimum expectable / expected)
>
> P24 6.3.2
> I would add a sentence or two on the benefits of undertaking a voluntary DPIA which include:
>
> * Documented understanding of how the system works
> * Known points of integration with other systems
> * Assigning accountability
> * Ensuring organisational standards (security / access etc) are being complied with
> * Demonstrated commitment to GDPR
> * General peace of mind / greater organisational resilience
>
> P24 6.3.5
> I would add a piece on keeping a formal risk register of risks to data subjects, separate from any organisation risk register of risks to the organisation, in which all risks are assigned an owner and a review date.
>
> P25 6.3.5 (b) What does SMEs need to do to be accountable?
>
> Second paragraph
> …that the principle of accountability as an elements of good
>
> P.26 first line
> … that the demonstration of compliance
>
> P.26 6.3.6 (b)
>
> * Implement data protection principles (see Article 5) and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects (see Chapter III) in an effective manner;
> * This should be done at the time of the determination of the means for processing and implemented before the time of the processing itself.
> (not that clear in the text.)
>
> P.27 6.3.6 (c)
> It should be noted that some DPAs, while not defining any technical or organisational measures, will nonetheless express an expectation, such as the Irish DPC in terms of the use of encryption whenever possible where personal data is at rest or in transit.
>
> P.28 6.3.7 (b) 2nd paragraph
> It is assumed that organisations will, however, benefit more from maintaining their documentation electronically as such documentation can they can easily added to, have entries removed when obsolete, and amend entries it as necessary. However paper documentation is regarded as being appropriate for SMEs and micro enterprises. It should be added that SMEs (entities having less than 250 employees) are technically exempt from this obligation if provided they are undertaking:
> • processing that is not likely to result in a risk to the rights and freedoms of data subjects;
> • processing that is not occasional (meaning that it is not regularly / frequently undertaken); or
> • processing that does not include special categories of data or personal data relating to criminal convictions and offences.
>
> In reality, very few SMEs can avail of this exemption unless they process very little data. Most SMEs will usually have some special category data as part of their HR files.
>
> They can be are available on the websites….
>
> P.29 6.3.8 (a) 2
> Large scale is not defined by the legislation though different DPAs have given some guidance relevant to different activities.
>
> For SMEs who provide services into other organisations, the voluntary appointment of an internal or outsourced DPO can provide commercial and strategic advantage by communicating a commitment to data protection and promoting higher levels of trust.
>
> P.29 6.3.8 (b)
>
> A DPO may either be an employee of the SME or an external expert, but in both cases, it is fundamental that he or she is independent, in the sense that:
> • the DPO shall be provided of with all the necessary resources to carry on his/her tasks, in terms of money, time, workforce, time to devote to professional development etc.;
> • the DPO shall not receive instructions for the exercise of his/her tasks;
> • the DPO shall not be dismissed or penalized for the performance of his/her tasks;
> • the DPO shall report to the highest level of management; and
> • the DPO should not be in have any conflict of interest in respect to other tasks and duties (e.g. determining objects and purposes of the processing, representing the SME in legal proceeding).
>
> P.30 6.3.8 (c)
>
> Tasks of DPOs:
> • Inform and advise the SME on the obligations arising from the GDPR and the national data protection provisions
> • Monitor the compliance of the SME with the GDPR, the national data protection provisions and (eventual) its internal data policies
> • Carry on awareness raising activities and training for the staff of the SME dealing with data processing
> • Provide advice to the SME and monitor the performance in relation to the DPIA (when a DPIA is required)
> • Act as contact point for the supervisory authority in case of prior consultation
> • Cooperate with the supervisory authority
> • Be contacted by data subjects willing wishing to exercise their rights
>
> DPOs cannot:
> • Be held accountable for the information and advice given to the SME (I do not agree with this. They are not accountable for whether their advice is implemented or not but they can be held accountable for being negligent)
> • Be considered personally responsible for non-compliance with data protection requirements
> • Perform the DPIA. Not true. There is no reason why a DPO cannot take the lead in undertaking a DPIA especially where the skills do not exist elsewhere in the organization, but the responsibility to ensure one is done remains with the Controller.
> • Represent the SME in front of the DPA or in a court in case of proceedings. Not quite so. The DPO remains the first point of contact for data subjects and the DPAs and may be called to account for advice / provide an explanation as to how data was processed based on their monitoring of processing activities. I
> • Be considered responsible for the maintenance of the register. True, but they are responsible for providing oversight as to whether it is maintained.
> • Simultaneously hold another position in the organization that helps define the means and purposes of processing of any personal data.
> • Create and maintain the register of processing (in the exceptional situations where SME are required to have it one). Not true, under Art 30 it is the responsibility of the Controller
>
> P.31 6.3.9(a) Data Protection Impact Assessment
> (a) Background
> The DPIA is a new addition to the EU data protection framework. It builds on the rich experience of conducting impact assessments in other fields, in particular, on the environmental impact assessments. To be effective, impact assessments are carried out at the early stage of a project (proactive initiative), at the phase of planning or designing, and are aimed to identify and help mitigate anticipate the any potential beneficial and adverse (i.e. negative) impacts arising from the intended processing of personal data of such within the project.
> Impact assessments are risk based exercises that help decision-makers find the best and most beneficial solutions for the development and deployment of initiatives while protecting the rights and freedoms of data subjects. To be practical, impact assessments must be scalable, flexible and applicable inter alia for large organisations, consortia or for small and medium-sized enterprises. Any risks identified will be entered into the Data Protection Risk Register.
>
> P.32 6.3.9(c)
> (c) What are the elements and characteristics of the processing that may generate the high risks to rights and freedoms of individuals?
> The following elements that contribute to the high risks to data subjects from this provision were extracted by the
>
> (d) What situations could require a DPIA?
> Examples of processing operations that could trigger a DPIA:
> • If the SME is implementing a new tool to monitor access to office combining use of fingerprints and face facial recognition technology;
> • If the SME is a biotechnology company offering genetic tests directly to consumers in order to assess and predict the disease/health risks
> • If the SME is providing CCTV surveillance for a shopping centre or using a large number of cameras in their own premises
>
> (e) Who and when should perform a DPIA?
> Albeit the data processor and the data protection officer shall assist the data controller (i.e., SME), the final responsibility on for the DPIA process relies on rests with the data controller.
>
> (f) When is a DPIA is not required?
> • When the data processing operations are included in any list of data processing operations compiled by the DPA non which do not requiring a DPIA
>
> P.33 6.3.9(g)
> 4) Involve data subjects and/or their representatives, the data protection officer and any other expert (e.g. information security officer) and the data processor in the process, ideally in each phase of the assessment process.
> This consultation must be meaningful.
>
> P.33 6.3.9(h)
> (h) When a new (revised) DPIA is required?
> A new (i.e. revised version of) DPIA could be required if the risks resulting from the processing operations are to change, for example because a new technology is to be has been introduced, a new processor is to be engaged under contract, or because personal data is being to be used for a different purpose
>
> In that case, the review of the risk analysis made can show that the performance of a DPIA is no longer required.
>
> P.34 6.3.10(b)
> (b) How the security obligation is related to other provisions?
> This obligation also requires the controller wishing to engage a processor under contract to undertake due diligence and assess whether the guarantees offered by the data processor, in this case the cloud service provider, are sufficient. A controller must only engage such a processor where they have faith in their ability to comply with the obligations under GDPR. During this process, the controller may take into account whether the processor provides adequate documentation proving compliance with data protection principles that could be found in privacy policies, records management policies, information security policies, external audit reports, certifications and similar documentation. The controller in particular should take into account the processor’s expert knowledge (e.g. technical expertise when dealing with data breaches and security measures), reliability and its resources. A site visit may also be necessary. After carrying out the due diligence process, the controller should be able to take a decision with sufficient evidence demonstrating that the processor is suitable, it can then enter into a binding arrangement. It should be added that this due diligence process is not a one-time effort.
> and it needs to be regularly repeated in order The controller will have an ongoing obligation to check whether the processor is compliant and meeting their obligations either by auditing using their own staff or a trusted third party. When outsourcing the processing of personal data (e.g. for the provision of technical assistance or cloud services), the controller should must conclude a contract, another legal act or binding arrangement with the other entity already setting out clear and precise data protection obligations and the nature of processing in a detailed data processing agreement.
>
>
> P.35 6.3.10(c)
> An information security policy foreseeing the role of each user and the required permission levels (access control) appropriate to the role which minimises access to only that data necessary for that role. This includes the system administrator accounts is as an example of an appropriate organisational measure.
>
> P.35 6.3.10(d) What technical security measures can a SME take?
> Technical measures must therefore include both physical and computer or IT security.
>
> When considering cybersecurity, you should look at factors such as:
> • system security – the security of your network and information systems, including especially those which process personal data;
> • data security – the security of the data you hold within your systems, e.g., ensuring appropriate access controls are in place and that data is held securely through the use of suitable levels of encryption;
>
> P.36 6.3.10(e)
> Would add:
> Where Special Category Data is processed (such as health data) or personal data relating to minors, higher levels of security will be expected to be implemented and documented.
>
> P.36 6.3.11
> This section should start with the definition of what is meant by a breach and explain the difference between an incident and a breach. It is confusing otherwise.
>
> P.37 6.3.11(b)
> Consequently, this means that the controller must have an internal procedures defined, tested and documented allowing to confirm to appropriately identify and handle any breach of security concerning personal data.
>
> In an ideal scenario, an information incident response policy should precede be in place before processing of personal data begins so that any the occurrence of an incident so that it could be used should a data breach take place.
>
> P.37 6.3.11(d)
> Would add a final paragraph.
> As GDPR is maturing, different DPAs are expressing different thresholds for the reporting of breaches. Where originally there was a fear of over reporting, the DPC in Ireland has requested a breach be reported when there is any risk identified to the data subject. This allows the Commission to identify trends and to have confidence that controllers are identifying the minor breaches and thus are able to identify the more serious breaches should they arise.
>
> I hope you find this useful.
>
> Alan
>
>
> From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE
> Sent: 28 February 2020 13:09
> To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
> Cc: 'STAR' <star@listserv.vub.ac.be>
> Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
>
> Dear Renata and Gabor,
>
> Here comes D4.1 with both parts now included. We made further minor edits to Part A.
> We believe that the pdf version can be submitted.
> We look forward to your comments on Part B, which unfortunately comes a bit later than planned.
>
> Best regards,
> Lina
>
> From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE
> Sent: Friday, February 28, 2020 8:45 AM
> To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
> Cc: 'STAR' <star@listserv.vub.ac.be>
> Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
>
> Dear Renata and Gabor,
>
> Thank you for your additions and edits.
> The document to be submitted to the EC will reach you shortly after noon.
>
> Best regards,
> Lina
>
> From: nagy.renata@naih.hu <nagy.renata@naih.hu>
> Sent: Thursday, February 27, 2020 4:31 PM
> To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
> Cc: 'STAR' <star@listserv.vub.ac.be>
> Subject: RE: STAR II - Update on EDPB and validation workshop?
>
> Dear Lina!
> Dear All!
>
> Thank you for sharing the restructured version of the guidance for DPAs. We only added minor additions/corrections. We confirm that the yellow parts are accurate.
>
> We are looking forward to the handbook (the submission deadline is 29.02.2020)
>
>
> Best regards,
>
> Renáta
>
>
> From: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>
> Sent: Thursday, February 20, 2020 10:32 AM
> To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
> Cc: 'STAR' <star@listserv.vub.ac.be>
> Subject: RE: STAR II - Update on EDPB and validation workshop?
>
> Dear Renata and Gabor,
>
> Once again, thank you for preparing a revised version of the guidance for DPAs.
> We reviewed it and now enclose an improved version of it.
> It includes nearly all of your report (see the document you shared; we marked in yellow parts that were used). However, the current version is restructured, rephrased and embedded in a wider context of DPAs’ awareness raising duties. We also extracted recommendations from your report and developed a graph presenting these recommendations.
> There are two parts marked in yellow that need to be checked for accuracy. Perhaps, you will want to add some other clarifications in the text. In particular, further additions could be made to the concluding remarks part.
> As we provided contributions to the initial text, we would like to be considered co-authors of this guidance. What do you think about this?
>
> The part B – the handbook for SMEs – is on its way.
>
> Best regards,
> Lina
>
> From: nagy.renata@naih.hu <nagy.renata@naih.hu>
> Sent: Tuesday, January 28, 2020 4:16 PM
> To: 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>; Leanne Cochrane <leanne.cochrane@trilateralresearch.com>
> Cc: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.com>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' <sziklay.julia@naih.hu>
> Subject: RE: STAR II - Update on EDPB and validation workshop?
>
> Dear All!
>
> Please, find enclosed the updated version of the guidance.
>
> Best,
>
> Renáta
>
> From: Kulitsán Gábor <kulitsan.gabor@naih.hu>
> Sent: Tuesday, January 28, 2020 10:09 AM
> To: 'Leanne Cochrane' <leanne.cochrane@trilateralresearch.com>
> Cc: 'David Barnard-Wills' <David.Barnard-Wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.hu>; 'Lina JASMONTAITE' <Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' <sziklay.julia@naih.hu>
> Subject: RE: STAR II - Update on EDPB and validation workshop?
>
> Hi Leanne,
>
> Thanks for the update on the newsletter.
>
> Regarding the upcoming events:
>
> * The plan is to present the drafts of the guidance and the handbook at the EDPB plenary in February. However, as this is scheduled for 18-19 February, we can only do this if the drafts are ready by then. Renáta will circulate the updated version of the guidance soon. As for the other document (handbook), Lina can provide further information.
> * I have no further information on the validation workshop planned for March-April 2020.
>
> Best,
> Gábor
>
>
> From: Leanne Cochrane [mailto:leanne.cochrane@trilateralresearch.com]
> Sent: Monday, January 27, 2020 6:25 PM
> To: Kulitsán Gábor <kulitsan.gabor@naih.hu>
> Cc: David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com>; Corinna Pannofino <Corinna.Pannofino@trilateralresearch.com>; Angelo Napolano <Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.hu>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; Sziklay Júlia <sziklay.julia@naih.hu>
> Subject: STAR II - Update on EDPB and validation workshop?
>
> Hi Gabor,
>
> I hope you are keeping well.
>
> Our dissemination team is preparing to send out the STAR II newsletter we mentioned on our previous calls. It will be sent out this Thursday with links to the approved deliverables and some blogs. We are also including a section on upcoming events and I wanted to check with NAIH if we had any further information on the following two events:
>
> * A presentation by NAIH to the EDPB on the STAR II project planned for the February EDPB plenary (18th-19th) in Brussels.
> * A Validation workshop for the STAR II outputs, namely 'A Risk Focused Handbook for SMEs' and a 'Guidance for DPAs', planned for March-April 2020 in Brussels.
> Can I just check this information is still current and there is nothing more specific we can add at this stage?
>
> I would be grateful if you can cc all in the reply as I am off tomorrow and the dissemination team are in need of the confirmation.
>
> Thanks and best wishes,
> Leanne
>
>
> Leanne Cochrane
>
> Senior Research Analyst | Policy, Ethics and Emerging Technologies Team
>
> leanne.cochrane@trilateralresearch.com
>
> www.trilateralresearch.com
>
> Mobile: +44 (0) 7545 955 242
>
> Skype: @ljcochrane
_______________________________________________ STAR mailing list STAR@listserv.vub.ac.be https://listserv.vub.ac.be/mailman/listinfo/star
Dear David,

I kindly ask you to formulate and share with us your questions as soon as possible. Renata and I would stay at your disposal and for sure there would be no better time for discussion than now!

Julia

Quote (kulitsan.gabor@naih.hu):
Hi David,
Of course, I informed the PO that we would like to apply for project prolongation, including postponement of all activities and submission of deliverables, for 6 months. Let's see what she answers.
Best, Gábor
Quote (David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com>):
Hi Julia, Gabor, Renata,
In addition to the prolongation, can we request to postpone the report on the statistical efficiency of the hotline too? We would need to have an in-depth conversation/discussion(s) with you at NAIH about analysing the data we do have, and adding value to what is in the reporting on the hotline. If you have no capacity for STAR II at the moment, then I don't see us as being able to deliver that this month.
Best wishes,
DBW
-----Original Message-----
From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of sziklay.julia@naih.hu
Sent: 17 March 2020 12:37
To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: Re: [star] feedback on STAR II 4.1
Dear All,
Then all of us agree on requesting a 6 month prolongation. I kindly ask Gabor and Renata to proceed accordingly.
Kind regards,
Julia
Quote (Lina JASMONTAITE Lina.Jasmontaite@vub.be):
Dear Gabor,
Thank you for sharing the reply from the PO. That's great news. I suggest that we accept the offer of 6 months as the situation remains uncertain and in case we don't need all of this time, we can finalise the project earlier.
Best regards, Lina
-----Original Message----- From: David Wright David.wright@trilateralresearch.com Sent: Tuesday, March 17, 2020 11:30 AM To: kulitsan.gabor@naih.hu; Lina JASMONTAITE Lina.Jasmontaite@vub.be Cc: 'STAR' star@listserv.vub.ac.be Subject: Re: [star] feedback on STAR II 4.1
This seems a very good solution.
On 17/03/2020, 10:21, "star-bounces@listserv.vub.ac.be on behalf of kulitsan.gabor@naih.hu" <star-bounces@listserv.vub.ac.be on behalf of kulitsan.gabor@naih.hu> wrote:
Dear All,
Response of the PO (see research portal - process communications)
"Dear coordinator,
Thank you for contacting us.
In relation to your request, we are aware of the heavy circumstances our projects are facing due to the current Coronavirus pandemic. Therefore, we are offering our projects to apply for project prolongation, e.g. for up to 6 months (depending on justifications provided), and postponement of activities. There is also, in principle, the option of total suspension but, given that the suspension procedure is much heavier, we do recommend that our projects apply for prolongation instead. Please let me know which way you would like to proceed - amendment for prolongation, or still total suspension?
Kind regards,
Angeelika"
If we accept the PO's recommendation and apply for project prolongation and postponement of activities, we still have to agree on the period of time. If we take this solution, I think we should ask for at least 3 months, since we have to organize two international workshops, and travelling in Europe is currently quite problematic and it's rather uncertain when the situation will change.
Best, Gábor
Quote (Lina JASMONTAITE Lina.Jasmontaite@vub.be):
Dear Julia and David,
Thank you for your replies. Indeed, the end result of the extension of the timeline or a temporary suspension would be rather similar – the project would run longer. After consulting internally with our finance and legal departments, however, we are of the opinion that less restrictive measures (i.e., extension of the timeline) would be more appropriate. This is also the message that we sent to the PO.
Best regards, Lina
From: Sziklay Júlia sziklay.julia@naih.hu Sent: Monday, March 16, 2020 3:26 PM To: Lina JASMONTAITE Lina.Jasmontaite@vub.be; David Barnard-Wills david.barnard-wills@trilateralresearch.com; Leanne Cochrane leanne.cochrane@trilateralresearch.com Cc: 'STAR' star@listserv.vub.ac.be Subject: RE: [star] feedback on STAR II 4.1
Dear Colleagues,
I think both proposals can be reasonable, but nevertheless with quite the same effect: we will be stuck in the project till the end of a prolonged deadline (presumably till autumn 2020 instead of July). I am sure the Commission is working on the issue (the world epidemic situation affects all the ongoing projects in general), so we shall keep our dialogue going.
Julia
From: star-bounces@listserv.vub.ac.be [mailto:star-bounces@listserv.vub.ac.be] On Behalf Of Lina JASMONTAITE Sent: Monday, March 16, 2020 1:38 PM To: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; Leanne Cochrane <leanne.cochrane@trilateralresearch.com> Cc: STAR <star@listserv.vub.ac.be> Subject: Re: [star] feedback on STAR II 4.1
Dear David and Leanne,
Could you please let us know your position on this situation? Best regards, Lina
On 16 Mar 2020, at 11:39, Lina JASMONTAITE <Lina.Jasmontaite@vub.be> wrote:
Dear Gabor,
I understand your point of view but I believe that all three partners should have agreed to the suspension before sending a request to the PO. Following my supervisor’s advice, VUB couldn’t accept this proposal. I am ok to discuss alternative solutions with the PO. I will keep you and TRI team posted via the mailing list.
Best regards and stay safe, Lina
From: Kulitsán Gábor <kulitsan.gabor@naih.hu> Sent: Monday, March 16, 2020 11:14 AM To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be> Cc: 'STAR' <star@listserv.vub.ac.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu Subject: RE: feedback on STAR II 4.1
Dear Lina,
And how should I ask for any extension if I don’t know any exact dates or anything for sure? I think the suspension is better, indicating that the project would resume where it left off once the situation returns to normal or at least to less serious. I already sent the message to the PO, but if you have any other idea, feel free to share it with her via the portal, adding the turn “on behalf of the coordinator”. I’m really sorry, but now I have neither time nor energy to act as a contact person. If you want, you can have the call as well, but I probably won’t be available. And no offense, but to be honest, currently the project is of least interest to me.
Best, Gábor
From: Lina JASMONTAITE [mailto:Lina.Jasmontaite@vub.be] Sent: Monday, March 16, 2020 10:58 AM To: Kulitsán Gábor <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu Subject: RE: feedback on STAR II 4.1
Dear Gabor,
Thanks for your email. I am not sure what a suspension would mean in terms of financial implications for VUB, so at this point I think we should request an extension in these unforeseen circumstances rather than a suspension.
While the situation is full of uncertainty and many of us need to adapt to it, we can still proceed further and work on deliverables for the project, apart from the workshop. We need to discuss with the PO a scenario for what to do if the situation does not improve in the upcoming weeks. If that is the case, perhaps we should ask for an adjustment in the DOW and, instead of a workshop to obtain feedback, we could propose having an online consultation. This would of course affect our funding.
I think we should still have a call, if not this week, then a week after.
Best regards, Lina
From: Kulitsán Gábor <kulitsan.gabor@naih.hu> Sent: Monday, March 16, 2020 10:39 AM To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu Cc: 'STAR' <star@listserv.vub.ac.be> Subject: RE: feedback on STAR II 4.1 Importance: High
Dear Lina & All
Due to the current situation I will ask the PO to temporarily suspend the project including all deadlines by reason of unforeseeable circumstances of force majeure. I’ll keep you updated.
Secondly, I can’t make tomorrow’s call, but I don’t think that’s the most important thing now anyway.
Best wishes, stay safe and take care of yourselves!
Gábor
From: Lina JASMONTAITE [mailto:Lina.Jasmontaite@vub.be] Sent: Friday, March 13, 2020 10:54 AM To: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be>; nagy.renata@naih.hu Subject: RE: feedback on STAR II 4.1
@David Barnard-Wills many thanks for sharing the extensive feedback. It’s much appreciated and we’ll implement it as soon as possible.
@Kulitsán Gábor at the university we were receiving daily updates on the situation concerning the virus. For now all external events are cancelled until the end of April. In view of this, we can suggest rescheduling the event for a later date (probably mid or late June) in the hope that by then the situation improves and we can host the event. This would consequently require more time to finalise the handbook for the final event, and then July wouldn’t be a realistic date. My understanding is that we cannot ask for the extension of the project to the end of October/November because it is funded by the grant action. Could we however ask the PO for the cost of the final workshop as well as travelling to be eligible for a later date that would go beyond the lifetime of the project? Perhaps, before proceeding with the official communication, it would be possible to get in touch with the PO via a phone call, so we are aware of the position taken by the EC considering the current situation?
Having a call on Tuesday works well for our team.
Best regards, Lina
From: David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com> Sent: Tuesday, March 10, 2020 4:22 PM To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: feedback on STAR II 4.1
Dear all,
First, I sincerely apologise for not getting this feedback to you earlier. I assume that D4.1 was submitted? On the positive side, this feedback can presumably be included in the final version of these deliverables.
We got Alan Moore, one of our DPO team, with good practical expertise with various commercial clients to review the guidance document (You met him at the Brussels workshop). His feedback is below.
Best wishes,
DBW
I have gone through the document and have a few suggestions:
P7 Section 3.2 It can be suggested that to compensate for being awarded with limited enforcement powers…..
I would hold they have significant powers beyond the ability to fine. Their powers to instruct controllers / processors to cease processing data, among others, can ultimately shut down a business without a fine being levied. To ignore these instructions can land a director in jail for up to 5 years!
P8. DPAs The focus on standardisation and EDPB. Art 60 was an afterthought and the general view is that it cannot operate within the prescribed timelines. The ECJ will be the ultimate arbiter for standardisation of approaches / laws / requirements, but each National Authority must be free to interpret facts presented in its own way. Their independence is anchored in the EU treaties. A complication that will eventually need to be addressed.
P8. 3.3 Should be aware that translation into Romance languages can carry a different connotation than was intended by the Directive, and DPAs have a key role to explain the true intent / meaning.
P9. 3.4 Typo in second paragraph. It also could be considered e the most
P10. It appeared that most DPAs do not use internal guidance to direct….
What has been the result of this? A key concern in the Irish DPC has been delivering a consistent message and not providing a different answer to the same or similar callers on different occasions.
P11. 4 Unclear use of language - first paragraph This initiative allowed to be confirmed that It allowed to be obtained
P11.4. Would stress the importance of standardisation of response & P12 4 Add ‘c’? Implement a control process to ensure standardisation of responses to similar questions / scenarios
P13. 4.2 Might mention the concern that callers may have that showing their hand may trigger an investigation. Callers need to be reassured and encouraged to participate. Approaches do differ between different DPAs.
P13. 4.2.1 It was decided to create a dedicated part Following up on from this decision
P15. 4.2.3 I would stress the value of face to face more as context can be complicated and the caller is subject to information and power asymmetry.
P16 4.5 last paragraph We are included inclined to
P21 6.2 last paragraph DPAs across the EU have reported to engage that they have engaged in
P22 6.3 4.5 last paragraph Slovic suggests that the following elements play a role when evaluating risk:
- The degree to which an individual feels in control
- The nature of consequences and the distribution of the impact
P23 6.3 2nd paragraph Which is perceived ‘as the coordinated activities to direct and control an organisation with regard to risk’ 47 This is most practically evidenced by the development and maintaining of a formal risk register.
(This risk section is very cerebral I fear and won't help with the ‘how’)
P23 6.3.1 Typically, the risk based approach formula approach in the GDPR includes the following elements to be taken into account:
- The state of the art in terms of technology for of the means of processing (state of the art needs to be explained – does not mean the best there is but rather the minimum expectable / expected)
P24 6.3.2 I would add a sentence or two on the benefits of undertaking a voluntary DPIA which include:
- Documented understanding of how the system works
- Known points of integration with other systems
- Assigning accountability
- Ensuring organisational standards (security / access etc) are being complied with
- Demonstrated commitment to GDPR
- General peace of mind / greater organisational resilience
P24 6.3.5 I would add a piece on keeping a formal risk register of risks to data subjects, separate from any organisational risk register of risks to the organisation, in which all risks are assigned an owner and a review date.
P25 6.3.5 (b) What does SMEs need to do to be accountable?
Second paragraph …that the principle of accountability as an elements of good
P.26 first line … that the demonstration of compliance
P.26 6.3.6 (b)
- Implement data protection principles (see Article 5) and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects (see Chapter III) in an effective manner;
- This should be done at the time of the determination of the means for processing and implemented before the time of the processing itself. (not that clear in the text.)
P.27 6.3.6 (c) It should be noted that some DPAs, while not defining any technical or organisational measures, will nonetheless express an expectation, such as the Irish DPC in terms of the use of encryption whenever possible where personal data is at rest or in transit.
P.28 6.3.7 (b) 2nd paragraph It is assumed that organisations will, however, benefit more from maintaining their documentation electronically as such documentation can they can easily added to, have entries removed when obsolete, and amend entries it as necessary. However paper documentation is regarded as being appropriate for SMEs and micro enterprises. It should be added that SMEs (entities having less than 250 employees) are technically exempt from this obligation if provided they are undertaking:
• processing that is not likely to result in a risk to the rights and freedoms of data subjects;
• processing that is not occasional (meaning that it is not regularly / frequently undertaken); or
• processing that does not include special categories of data or personal data relating to criminal convictions and offences.
In reality, very few SMEs can avail of this exemption unless they process very little data. Most SMEs will usually have some special category data as part of their HR files.
They can be are available on the websites….
P.29 6.3.8 (a) 2 Large scale is not defined by the legislation though different DPAs have given some guidance relevant to different activities.
For SMEs who provide services into other organisations, the voluntary appointment of an internal or outsourced DPO can provide commercial and strategic advantage by communicating a commitment to data protection and promoting higher levels of trust.
P.29 6.3.8 (b)
A DPO may either be an employee of the SME or an external expert, but in both cases, it is fundamental that he or she is independent, in the sense that:
• the DPO shall be provided of with all the necessary resources to carry on his/her tasks, in terms of money, time, workforce, time to devote to professional development etc.;
• the DPO shall not receive instructions for the exercise of his/her tasks;
• the DPO shall not be dismissed or penalized for the performance of his/her tasks;
• the DPO shall report to the highest level of management; and
• the DPO should not be in have any conflict of interest in respect to other tasks and duties (e.g. determining objects and purposes of the processing, representing the SME in legal proceeding).
P.30 6.3.8 (c) Task of DPOs
Tasks of DPOs:
- Inform and advise the SME on the obligations arising from the GDPR and the national data protection provisions
- Monitor the compliance of the SME with the GDPR, the national data protection provisions and (eventual) its internal data policies
- Carry on awareness raising activities and training for the staff of the SME dealing with data processing
- Provide advice to the SME and monitor the performance in relation to the DPIA (when a DPIA is required)
- Act as contact point for the supervisory authority in case of prior consultation
- Cooperate with the supervisory authority
- Be contacted by data subjects willing wishing to exercise their rights
DPOs cannot:
- Be held accountable for the information and advice given to the SME (I do not agree with this. They are not accountable for whether their advice is implemented or not but they can be held accountable for being negligent)
- Be considered personally responsible for non-compliance with data protection requirements
- Perform the DPIA. Not true. There is no reason why a DPO cannot take the lead in undertaking a DPIA, especially where the skills do not exist elsewhere in the organization, but the responsibility to ensure one is done remains with the Controller.
- Represent the SME in front of the DPA or in a court in case of proceedings. Not quite so. The DPO remains the first point of contact for data subjects and the DPAs and may be called to account for advice / provide an explanation as to how data was processed based on their monitoring of processing activities.
- Be considered responsible for the maintenance of the register. True, but they are responsible for providing oversight as to whether it is maintained.
- Simultaneously hold another position in the organization that helps define the means and purposes of processing of any personal data.
- Create and maintain the register of processing (in the exceptional situations where SME are required to have it one). Not true, under Art 30 it is the responsibility of the Controller.
P.31 6.3.9(a) Data Protection Impact Assessment (a) Background The DPIA is a new addition to the EU data protection framework. It builds on the rich experience of conducting impact assessments in other fields, in particular, on the environmental impact assessments. To be effective, impact assessments are carried out at the early stage of a project (proactive initiative), at the phase of planning or designing, and are aimed to identify and help mitigate anticipate the any potential beneficial and adverse (i.e. negative) impacts arising from the intended processing of personal data of such within the project. Impact assessments are risk based exercises that help decision-makers find the best and most beneficial solutions for the development and deployment of initiatives while protecting the rights and freedoms of data subjects. To be practical, impact assessments must be scalable, flexible and applicable inter alia for large organisations, consortia or for small and medium-sized enterprises. Any risks identified will be entered into the Data Protection Risk Register.
P.32 6.3.9(c) (c) What are the elements and characteristics of the processing that may generate the high risks to rights and freedoms of individuals? The following elements that contribute to the high risks to data subjects from this provision were extracted by the
(d) What situations could require a DPIA? Examples of processing operations that could trigger a DPIA:
• If the SME is implementing a new tool to monitor access to office combining use of fingerprints and face facial recognition technology;
• If the SME is a biotechnology company offering genetic tests directly to consumers in order to assess and predict the disease/health risks
• If the SME is providing CCTV surveillance for a shopping centre or using a large number of cameras in their own premises
(e) Who and when should perform a DPIA? Albeit the data processor and the data protection officer shall assist the data controller (i.e., SME), the final responsibility on for the DPIA process relies on rests with the data controller.
(f) When is a DPIA is not required?
• When the data processing operations are included in any list of data processing operations compiled by the DPA non which do not requiring a DPIA
P.33 6.3.9(g) 4) Involve data subjects and/or their representatives, the data protection officer and any other expert (e.g. information security officer) and the data processor in the process, ideally in each phase of the assessment process. This consultation must be meaningful.
P.33 6.3.9(h) (h) When a new (revised) DPIA is required? A new (i.e. revised version of) DPIA could be required if the risks resulting from the processing operations are to change, for example because a new technology is to be has been introduced, a new processor is to be engaged under contract, or because personal data is being to be used for a different purpose
In that case, the review of the risk analysis made can show that the performance of a DPIA is no longer required.
P.34 6.3.10(b) (b) How the security obligation is related to other provisions?
This obligation also requires the controller wishing to engage a processor under contract to undertake due diligence and assess whether the guarantees offered by the data processor, in this case the cloud service provider, are sufficient. A controller must only engage such a processor where they have faith in their ability to comply with the obligations under GDPR. During this process, the controller may take into account whether the processor provides adequate documentation proving compliance with data protection principles that could be found in privacy policies, records management policies, information security policies, external audit reports, certifications and similar documentation. The controller in particular should take into account the processor’s expert knowledge (e.g. technical expertise when dealing with data breaches and security measures), reliability and its resources. A site visit may also be necessary. After carrying out the due diligence process, the controller should be able to take a decision with sufficient evidence demonstrating that the processor is suitable, it can then enter into a binding arrangement. It should be added that this due diligence process is not a one-time effort. and it needs to be regularly repeated in order The controller will have an ongoing obligation to check whether the processor is compliant and meeting their obligations either by auditing using their own staff or a trusted third party. When outsourcing the processing of personal data (e.g. for the provision of technical assistance or cloud services), the controller should must conclude a contract, another legal act or binding arrangement with the other entity already setting out clear and precise data protection obligations and the nature of processing in a detailed data processing agreement.
P.35 6.3.10(c) An information security policy foreseeing the role of each user and the required permission levels (access control) appropriate to the role which minimises access to only that data necessary for that role. This includes the system administrator accounts is as an example of an appropriate organisational measure.
P.35 6.3.10(d) What technical security measures can a SME take? Technical measures must therefore include both physical and computer or IT security.
When considering cybersecurity, you should look at factors such as:
• system security – the security of your network and information systems, including especially those which process personal data;
• data security – the security of the data you hold within your systems, e.g., ensuring appropriate access controls are in place and that data is held securely through the use of suitable levels of encryption;
P.36 6.3.10(e) Would add: Where Special Category Data is processed (such as health data) or personal data relating to minors, higher levels of security will be expected to be implemented and documented.
P.36 6.3.11 This section should start with the definition of what is meant by a breach and explain the difference between an incident and a breach. It is confusing otherwise.
P.37 6.3.11(b) Consequently, this means that the controller must have an internal procedures defined, tested and documented allowing to confirm to appropriately identify and handle any breach of security concerning personal data.
In an ideal scenario, an information incident response policy should precede be in place before processing of personal data begins so that any the occurrence of an incident so that it could be used should a data breach take place.
P.37 6.3.11(d) Would add a final paragraph. As GDPR is maturing, different DPAs are expressing different thresholds for the reporting of breaches. Where originally there was a fear of over reporting, the DPC in Ireland has requested a breach be reported when there is any risk identified to the data subject. This allows the Commission to identify trends and to have confidence that controllers are identifying the minor breaches and thus are able to identify the more serious breaches should they arise.
I hope you find this useful.
Alan
From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE Sent: 28 February 2020 13:09 To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Here comes D4.1 with both parts now included. We made further minor edits to Part A. We believe that the pdf version can be submitted. We look forward to your comments on Part B, which unfortunately comes a bit later than planned.
Best regards, Lina
From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE Sent: Friday, February 28, 2020 8:45 AM To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Thank you for your additions and edits. The document to be submitted to the EC will reach you shortly after noon.
Best regards, Lina
From: nagy.renata@naih.hu <nagy.renata@naih.hu> Sent: Thursday, February 27, 2020 4:31 PM To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear Lina! Dear All!
Thank you for sharing the restructured version of the guidance for DPAs. We only added minor additions/corrections. We confirm that the yellow parts are accurate.
We are looking forward to the handbook (the submission deadline is 29.02.2020)
Best regards,
Renáta
From: Lina JASMONTAITE <Lina.Jasmontaite@vub.be> Sent: Thursday, February 20, 2020 10:32 AM To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Once again, thank you for preparing a revised version of the guidance for DPAs. We reviewed it and now enclose an improved version of it. It includes nearly all of your report (see the document you shared; we marked in yellow the parts that were used). However, the current version is restructured, rephrased and embedded in a wider context of DPAs’ awareness raising duties. We also extracted recommendations from your report and developed a graph presenting these recommendations. There are two parts marked in yellow that need to be checked for accuracy. Perhaps you will want to add some other clarifications in the text. In particular, further additions could be made to the concluding remarks part. As we provided contributions to the initial text, we would like to be considered co-authors of this guidance. What do you think about this?
Part B – the handbook for SMEs – is on its way.
Best regards, Lina
From: nagy.renata@naih.hu <nagy.renata@naih.hu> Sent: Tuesday, January 28, 2020 4:16 PM To: 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>; Leanne Cochrane <leanne.cochrane@trilateralresearch.com> Cc: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.com>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' <sziklay.julia@naih.hu> Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear All!
Please, find enclosed the updated version of the guidance.
Best,
Renáta
From: Kulitsán Gábor <kulitsan.gabor@naih.hu> Sent: Tuesday, January 28, 2020 10:09 AM To: 'Leanne Cochrane' <leanne.cochrane@trilateralresearch.com> Cc: 'David Barnard-Wills' <David.Barnard-Wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.hu>; 'Lina JASMONTAITE' <Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' <sziklay.julia@naih.hu> Subject: RE: STAR II - Update on EDPB and validation workshop?
Hi Leanne,
Thanks for the update on the newsletter.
Regarding the upcoming events:
- The plan is to present the drafts of the guidance and the handbook at the EDPB plenary in February. However, as this is scheduled for 18-19 February, we can only do this if the drafts are ready by then. Renáta will circulate the updated version of the guidance soon. As for the other document (handbook), Lina can provide further information.
- I have no further information on the validation workshop planned for March-April 2020.
Best, Gábor
From: Leanne Cochrane [mailto:leanne.cochrane@trilateralresearch.com]
Sent: Monday, January 27, 2020 6:25 PM
To: Kulitsán Gábor <kulitsan.gabor@naih.hu>
Cc: David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com>; Corinna Pannofino <Corinna.Pannofino@trilateralresearch.com>; Angelo Napolano <Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.hu>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; Sziklay Júlia <sziklay.julia@naih.hu>
Subject: STAR II - Update on EDPB and validation workshop?
Hi Gabor,
I hope you are keeping well.
Our dissemination team is preparing to send out the STAR II newsletter we mentioned on our previous calls. It will be sent out this Thursday with links to the approved deliverables and some blogs. We are also including a section on upcoming events and I wanted to check with NAIH if we had any further information on the following two events:
- A presentation by NAIH to the EDPB on the STAR II project planned for the February EDPB plenary (18th-19th) in Brussels.
- A validation workshop for the STAR II outputs, namely 'A Risk Focused Handbook for SMEs' and a 'Guidance for DPAs', planned for March-April 2020 in Brussels.
Can I just check this information is still current and there is nothing more specific we can add at this stage?
I would be grateful if you can cc all in the reply as I am off tomorrow and the dissemination team are in need of the confirmation.
Thanks and best wishes, Leanne
Leanne Cochrane
Senior Research Analyst | Policy, Ethics and Emerging Technologies Team
leanne.cochrane@trilateralresearch.com
www.trilateralresearch.com
Mobile: +44 (0) 7545 955 242
Skype: @ljcochrane
STAR mailing list STAR@listserv.vub.ac.be https://listserv.vub.ac.be/mailman/listinfo/star
Dear All,
The PO informed us of the following (see research portal - process communication):
"Your project is foreseen to end in about 4 months, on 31/07/2020. According to your explanation there are still two events (validation workshop in Brussels and launch event for the guidance & handbook in Budapest) to be organized. Taking into consideration these two elements, I would suggest you to apply for 4 months long prolongation – eg project would be ending on 31/11/2020, which seems sufficient at this point to implement these 2 activities. If there would be a need to prolong it even further, we can evaluate it at the later stage. Would you agree?
Please be so kind to introduce the amendment request in the system ASAP you have clear idea around when would you consider it be possible to implement these 2 activities. Please do not forget to make modifications in narrative Part B (eg timeline, History of changes) and upload it as an attachment to your amendment request."
Following this message I asked whether it would be possible to postpone all of the activities and reports by 4 months. Her answer: "Yes, please launch the amendment with 4 months prolongation of the action and please change the submission deadlines of all the pending deliveries according to your evaluation provisions."
In light of the above, I think we should take the PO's suggestion and apply for a 4 month long prolongation, requesting it for all activities and deliverables, with the indication that in case we don't need all of this time, we can finish the project earlier.
Would you agree? If so, please read the attached guidance document and please give me input on how we should justify the request for prolongation for each remaining activity and deliverable.
Thank you.
Best, Gábor
Quoting (sziklay.julia@naih.hu):
Dear David, I kindly ask you to formulate and share with us your questions as soon as possible. Renata and I would stay at your disposal and for sure there would be no better time for discussion than now! Julia
Quoting (kulitsan.gabor@naih.hu):
Hi David,
Of course, I informed the PO that we would like to apply for project prolongation, including postponement of all activities and submission of deliverables, for 6 months. Let's see what she answers.
Best, Gábor
Quoting (David Barnard-Wills David.Barnard-Wills@trilateralresearch.com):
Hi Julia, Gabor, Renata,
In addition to the prolongation, can we request to postpone the report on the statistical efficiency of the hotline too? We would need to have an in-depth conversation/discussion(s) with you at NAIH about analysing the data we do have, and adding value to what is in the reporting on the hotline. If you have no capacity for STAR II at the moment, then I don't see us as being able to deliver that this month.
Best wishes,
DBW
-----Original Message----- From: star-bounces@listserv.vub.ac.be star-bounces@listserv.vub.ac.be On Behalf Of sziklay.julia@naih.hu Sent: 17 March 2020 12:37 To: Lina JASMONTAITE Lina.Jasmontaite@vub.be Cc: 'STAR' star@listserv.vub.ac.be Subject: Re: [star] feedback on STAR II 4.1
Dear All, then all of us agree on requesting a 6 month prolongation. I kindly ask Gabor and Renata to proceed according to it. Kind regards, Julia
Quoting (Lina JASMONTAITE Lina.Jasmontaite@vub.be):
Dear Gabor,
Thank you for sharing the reply from the PO. That's great news. I suggest that we accept the offer of 6 months as the situation remains uncertain and in case we don't need all of this time, we can finalise the project earlier.
Best regards, Lina
-----Original Message----- From: David Wright David.wright@trilateralresearch.com Sent: Tuesday, March 17, 2020 11:30 AM To: kulitsan.gabor@naih.hu; Lina JASMONTAITE Lina.Jasmontaite@vub.be Cc: 'STAR' star@listserv.vub.ac.be Subject: Re: [star] feedback on STAR II 4.1
This seems a very good solution.
On 17/03/2020, 10:21, "star-bounces@listserv.vub.ac.be on behalf of kulitsan.gabor@naih.hu" <star-bounces@listserv.vub.ac.be on behalf of kulitsan.gabor@naih.hu> wrote:
Dear All,
Response of the PO (see research portal - process communications)
"Dear coordinator,
Thank you for contacting us.
In relation to your request, we are aware of the heavy circumstances our projects are facing due to current Coronavirus pandemic. Therefore, we are offering our projects to apply for project prolongation eg up until for 6 months (depending on justifications provided) and postponement of activities. There is also, in principle, the option of total suspension but, given that the suspension procedure is much heavier, we do recommend our projects to apply for prolongation instead. Please let me know which way would you like to proceed - amendment for prolongation, or still total suspension?
Kind regards,
Angeelika"
If we accept the PO's recommendation and apply for project prolongation and postponement of activities, we still have to agree on the period of time. If we take this solution I think we should ask for at least 3 months since we have to organize two international workshops, and travelling in Europe is currently quite problematic and it's rather uncertain when the situation will change.
Best, Gábor
Quoting (Lina JASMONTAITE Lina.Jasmontaite@vub.be):
Dear Julia and David,
Thank you for your replies. Indeed, the end result of the extension of the timeline or a temporary suspension would be rather similar – the project would run longer. After consulting internally our finance and legal departments, however, we are of the opinion that less restrictive measures (i.e., extension of the timeline) would be more appropriate. This is also the message that we sent to the PO.
Best regards, Lina
From: Sziklay Júlia sziklay.julia@naih.hu Sent: Monday, March 16, 2020 3:26 PM To: Lina JASMONTAITE Lina.Jasmontaite@vub.be; David Barnard-Wills david.barnard-wills@trilateralresearch.com; Leanne Cochrane leanne.cochrane@trilateralresearch.com Cc: 'STAR' star@listserv.vub.ac.be Subject: RE: [star] feedback on STAR II 4.1
Dear Colleagues, I think both proposals can be reasonable but nevertheless with quite the same effect: we will be stuck in the project till the end of a prolonged deadline (presumably till autumn 2020 instead of July). I am sure the Commission is working on the issue (the world epidemic situation affects all the ongoing projects in general) so we shall keep our dialogue going on. Julia
From: star-bounces@listserv.vub.ac.be [mailto:star-bounces@listserv.vub.ac.be] On Behalf Of Lina JASMONTAITE
Sent: Monday, March 16, 2020 1:38 PM
To: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; Leanne Cochrane <leanne.cochrane@trilateralresearch.com>
Cc: STAR <star@listserv.vub.ac.be>
Subject: Re: [star] feedback on STAR II 4.1
Dear David and Leanne,
Could you please let us know your position on this situation? Best regards, Lina
On 16 Mar 2020, at 11:39, Lina JASMONTAITE <Lina.Jasmontaite@vub.be> wrote:
Dear Gabor,
I understand your point of view but I believe that all three partners should have agreed to the suspension before sending a request to the PO. Following my supervisor’s advice, VUB couldn’t accept this proposal. I am ok to discuss alternative solutions with the PO. I will keep you and TRI team posted via the mailing list.
Best regards and stay safe, Lina
From: Kulitsán Gábor <kulitsan.gabor@naih.hu>
Sent: Monday, March 16, 2020 11:14 AM
To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>
Cc: 'STAR' <star@listserv.vub.ac.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu
Subject: RE: feedback on STAR II 4.1
Dear Lina,
And how should I ask for any extension if I don't know any exact dates or anything for sure? I think the suspension is better, indicating that the project would resume where it left off once the situation returns to normal or at least to less serious. I already sent the message to the PO, but if you have any other idea, feel free to share it with her via the portal adding the phrase "on behalf of the coordinator". I'm really sorry, but now I have neither time nor energy to act as a contact person. If you want, you can have the call as well, but I probably won't be available. And no offense, but to be honest, currently the project is of least interest to me.
Best, Gábor
From: Lina JASMONTAITE [mailto:Lina.Jasmontaite@vub.be]
Sent: Monday, March 16, 2020 10:58 AM
To: Kulitsán Gábor <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu
Subject: RE: feedback on STAR II 4.1
Dear Gabor,
Thanks for your email. I am not sure what a suspension would mean in terms of financial implications for VUB, so at this point I think we should request an extension in these unforeseen circumstances rather than a suspension.
While the situation is full of uncertainty and many of us need to adapt to it, we can still proceed further and work on deliverables for the project, apart from the workshop. We need to discuss a scenario with the PO what to do if the situation does not improve in upcoming weeks. If that is the case, perhaps, we should ask for the adjustment in the DOW and instead of a workshop to obtain feedback we could propose having an online consultation. This would of course affect our funding.
I think we should still have a call if not this week, then a week after.
Best regards, Lina
From: Kulitsán Gábor <kulitsan.gabor@naih.hu>
Sent: Monday, March 16, 2020 10:39 AM
To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: RE: feedback on STAR II 4.1
Importance: High
Dear Lina & All
Due to the current situation I will ask the PO to temporarily suspend the project including all deadlines by reason of unforeseeable circumstances of force majeure. I’ll keep you updated.
Secondly, I can’t make tomorrow’s call, but I don’t think that’s the most important thing now anyway.
Best wishes, stay safe and take care of yourselves!
Gábor
From: Lina JASMONTAITE [mailto:Lina.Jasmontaite@vub.be]
Sent: Friday, March 13, 2020 10:54 AM
To: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>; nagy.renata@naih.hu
Subject: RE: feedback on STAR II 4.1
@David Barnard-Wills many thanks for sharing the extensive feedback. It's much appreciated and we'll implement it as soon as possible.
@'Kulitsán Gábor' at the university we were receiving daily updates on the situation concerning the virus. For now all external events are cancelled until the end of April. In view of this, we can suggest rescheduling the event for a later date (probably to mid or late June) in the hope that by then the situation improves and we can host the event. This would consequently require more time to finalise the handbook for the final event and then July wouldn't be a realistic date. My understanding is that we cannot ask for the extension of the project to the end of October/November because it is funded by the grant action. Could we ask however the PO for the cost of the final workshop as well as travelling to be eligible for the later date that would go beyond the lifetime of the project? Perhaps, before proceeding with the official communication, it would be possible to get in touch with the PO via a phone call, so we are aware of the position taken by the EC considering the current situation?
Having a call on Tuesday works well for our team.
Best regards, Lina
From: David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com>
Sent: Tuesday, March 10, 2020 4:22 PM
To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: feedback on STAR II 4.1
Dear all,
First, I sincerely apologise for not getting this feedback to you earlier. I assume that D4.1 was submitted? On the positive side, this feedback can presumably be included in the final version of these deliverables.
We got Alan Moore, one of our DPO team, with good practical expertise with various commercial clients to review the guidance document (You met him at the Brussels workshop). His feedback is below.
Best wishes,
DBW
I have gone through the document and have a few suggestions:
P7 Section 3.2 It can be suggested that to compensate for being awarded with limited enforcement powers…..
I would hold they have significant powers beyond the ability to fine. Their powers to instruct controllers / processors to cease processing data, among others, can ultimately shut down a business without a fine being levied. To ignore these instructions can land a director in jail for up to 5 years!
P8. DPAs The focus on standardisation and EDPB. Art 60 was an afterthought and the general view is that it cannot operate within the prescribed timelines. The ECJ will be the ultimate arbiter for standardisation of approaches / laws / requirements but each National Authority must be free to interpret facts presented in its own way. Their independence is anchored in the EU treaties. A complication that will eventually need to be addressed.
P8. 3.3 Should be aware that translation into romance languages can carry a different connotation than was intended by the Directive and DPAs have a key role to explain the true intent / meaning.
P9. 3.4 Typo in second paragraph. It also could be considered e the most
P10. It appeared that most DPAs do not use internal guidance to direct….
What has been the result of this? A key concern in the Irish DPC has been delivering a consistent message and not providing a different answer to the same or similar callers on different occasions.
P11. 4 Unclear use of language - first paragraph This initiative allowed to be confirmed that It allowed to be obtained
P11.4. Would stress the importance of standardisation of response & P12 4 Add ‘c’? Implement a control process to ensure standardisation of responses to similar questions / scenarios
P13. 4.2 Might mention the concern that callers may have that showing their hand may trigger an investigation. Callers need to be reassured and encouraged to participate. Approaches do differ between different DPAs.
P13. 4.2.1 It was decided to create a dedicated part Following up on from this decision
P15. 4.2.3 I would stress the value of face to face more as context can be complicated and the caller is subject to information and power asymmetry.
P16 4.5 last paragraph We are included inclined to
P21 6.2 last paragraph DPAs across the EU have reported to engage that they have engaged in
P22 6.3 4.5 last paragraph Slovic suggests that the following elements play a role when evaluating risk:
- The degree to which an individual feels in control
- The nature of consequences and the distribution of the impact
P23 6.3 2nd paragraph Which is perceived ‘as the coordinated activities to direct and control an organisation with regard to risk’ 47 This is most practically evidenced by the development and maintaining of a formal risk register.
(This risk section is very cerebral I fear and won't help with the 'how')
P23 6.3.1 Typically, the risk based approach formula approach in the GDPR includes the following elements to be taken into account:
- The state of the art in terms of technology for of the means of processing (state of the art needs to be explained – does not mean the best there is but rather the minimum expectable / expected)
P24 6.3.2 I would add a sentence or two on the benefits of undertaking a voluntary DPIA which include:
- Documented understanding of how the system works
- Known points of integration with other systems
- Assigning accountability
- Ensuring organisational standards (security / access etc) are being complied with
- Demonstrated commitment to GDPR
- General peace of mind / greater organisational resilience
P24 6.3.5 I would add a piece on keeping a formal risk register of risks to data subjects, separate from any organisational risk register of risks to the organisation, in which all risks are assigned an owner and a review date.
P25 6.3.5 (b) What does SMEs need to do to be accountable?
Second paragraph …that the principle of accountability as an elements of good
P.26 first line … that the demonstration of compliance
P.26 6.3.6 (b)
- Implement data protection principles (see Article 5) and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects (see Chapter III) in an effective manner;
- This should done at the time of the determination of the means for processing and implemented before the time of the processing itself. (not that clear in the text.)
P.27 6.3.6 (c) It should be noted that some DPAs, while not defining any technical or organisational measures, will nonetheless express an expectation, such as the Irish DPC in terms of the use of encryption whenever possible where personal data is at rest or in transit.
P.28 6.3.7 (b) 2nd paragraph It is assumed that organisations will, however, benefit more from maintaining their documentation electronically as such documentation can they can easily added to, have entries removed when obsolete, and amend entries it as necessary. However paper documentation is regarded as being appropriate for SMEs and micro enterprises. It should be added that SMEs (entities having less than 250 employees) are technically exempt from this obligation if provided they are undertaking:
• processing that is not likely to result in a risk to the rights and freedoms of data subjects;
• processing that is not occasional (meaning that it is not regularly / frequently undertaken); or
• processing that does not include special categories of data or personal data relating to criminal convictions and offences.
In reality, very few SMEs can avail of this exemption unless they process very little data. Most SMEs will usually have some special category data as part of their HR files.
They can be are available on the websites….
P.29 6.3.8 (a) 2 Large scale is not defined by the legislation though different DPAs have given some guidance relevant to different activities.
For SMEs who provide services into other organisations, the voluntary appointment of an internal or outsourced DPO can provide commercial and strategic advantage by communicating a commitment to data protection and promoting higher levels of trust.
P.29 6.3.8 (b)
A DPO may either be an employee of the SME or an external expert, but in both cases, it is fundamental that he or she is independent, in the sense that:
• the DPO shall be provided of with all the necessary resources to carry on his/her tasks, in terms of money, time, workforce, time to devote to professional development etc.;
• the DPO shall not receive instructions for the exercise of his/her tasks;
• the DPO shall not be dismissed or penalized for the performance of his/her tasks;
• the DPO shall report to the highest level of management; and
• the DPO should not be in have any conflict of interest in respect to other tasks and duties (e.g. determining objects and purposes of the processing, representing the SME in legal proceeding).
P.30 6.3.8 (c) Task of DPOs | DPOs cannot
- Inform and advice the SME on the obligations arising from the GDPR and the national data protection provisions | Be held accountable for the information and advice given to the SME
(I do not agree with this. They are not accountable for whether their advice is implemented or not but they can be held accountable for being negligent)
- Monitor the compliance of the SME with the GDPR, the national data protection provisions and (eventual) its internal data policies | Be considered personally responsible for non-compliance with data protection requirements
- Carry on awareness raising activities and training for the staff of the SME dealing with data processing | Perform the DPIA.
Not true. There is no reason why a DPO cannot take the lead in undertaking a DPIA especially where the skills do not exist elsewhere in the organization, but the responsibility to ensure one is done remains with the Controller.
- Provide advice to the SME and monitor the performance in relation to the DPIA (when a DPIA is required) | Represent the SME in front of the DPA or in a court in case of proceedings.
Not quite so. The DPO remains the first point of contact for data subjects and the DPAs and may be called to account for advice / provide an explanation as to how data was processed based on their monitoring of processing activities.
- Act as contact point for the supervisory authority in case of prior consultation | Be considered responsible for the maintenance of the register
True but they are responsible for providing oversight as to whether it is maintained.
- Cooperate with the supervisory authority | Simultaneously hold another position in the organization that helps define the means and purposes of processing of any personal data.
- Be contacted by data subjects willing wishing to exercise their rights | Create and maintain the register of processing (in the exceptional situations where SME are required to have it one)
Not True, under Art 30 it is the responsibility of the Controller
P.31 6.3.9(a) Data Protection Impact Assessment (a) Background The DPIA is a new addition to the EU data protection framework. It builds on the rich experience of conducting impact assessments in other fields, in particular, on the environmental impact assessments. To be effective, impact assessments are carried out at the early stage of a project (proactive initiative), at the phase of planning or designing, and are aimed to identify and help mitigate anticipate the any potential beneficial and adverse (i.e. negative) impacts arising from the intended processing of personal data of such within the project. Impact assessments are risk based exercises that help decision-makers find the best and most beneficial solutions for the development and deployment of initiatives while protecting the rights and freedoms of data subjects. To be practical, impact assessments must be scalable, flexible and applicable inter alia for large organisations, consortia or for small and medium-sized enterprises. Any risks identified will be entered into the Data Protection Risk Register.
P.32 6.3.9(c) (c) What are the elements and characteristics of the processing that may generate the high risks to rights and freedoms of individuals? The following elements that contribute to the high risks to data subjects from this provision were extracted by the
(d) What situations could require a DPIA? Examples of processing operations that could trigger a DPIA:
• If the SME is implementing a new tool to monitor access to office combining use of fingerprints and face facial recognition technology;
• If the SME is a biotechnology company offering genetic tests directly to consumers in order to assess and predict the disease/health risks
• If the SME is providing CCTV surveillance for a shopping centre or using a large number of cameras in their own premises
(e) Who and when should perform a DPIA? Albeit the data processor and the data protection officer shall assist the data controller (i.e., SME), the final responsibility on for the DPIA process relies on rests with the data controller.
(f) When is a DPIA is not required?
• When the data processing operations are included in any list of data processing operations compiled by the DPA non which do not requiring a DPIA
P.33 6.3.9(g) 4) Involve data subjects and/or their representatives, the data protection officer and any other expert (e.g. information security officer) and the data processor in the process, ideally in each phase of the assessment process. This consultation must be meaningful.
P.33 6.3.9(h) (h) When a new (revised) DPIA is required? A new (i.e. revised version of) DPIA could be required if the risks resulting from the processing operations are to change, for example because a new technology is to be has been introduced, a new processor is to be engaged under contract, or because personal data is being to be used for a different purpose
In that case, the review of the risk analysis made can show that the performance of a DPIA is no longer required.
P.34 6.3.10(b) (b) How the security obligation is related to other provisions?
This obligation also requires the controller wishing to engage a processor under contract to undertake due diligence and assess whether the guarantees offered by the data processor, in this case the cloud service provider, are sufficient. A controller must only engage such a processor where they have faith in their ability to comply with the obligations under GDPR. During this process, the controller may take into account whether the processor provides adequate documentation proving compliance with data protection principles that could be found in privacy policies, records management policies, information security policies, external audit reports, certifications and similar documentation. The controller in particular should take into account the processor’s expert knowledge (e.g. technical expertise when dealing with data breaches and security measures), reliability and its resources. A site visit may also be necessary. After carrying out the due diligence process, the controller should be able to take a decision with sufficient evidence demonstrating that the processor is suitable, it can then enter into a binding arrangement. It should be added that this due diligence process is not a one-time effort. and it needs to be regularly repeated in order The controller will have an ongoing obligation to check whether the processor is compliant and meeting their obligations either by auditing using their own staff or a trusted third party. When outsourcing the processing of personal data (e.g. for the provision of technical assistance or cloud services), the controller should must conclude a contract, another legal act or binding arrangement with the other entity already setting out clear and precise data protection obligations and the nature of processing in a detailed data processing agreement.
P.35 6.3.10(c) An information security policy foreseeing the role of each user and the required permission levels (access control) appropriate to the role which minimises access to only that data necessary for that role. This includes the system administrator accounts is as an example of an appropriate organisational measure.
P.35 6.3.10(d) What technical security measures can a SME take? Technical measures must therefore include both physical and computer or IT security.
When considering cybersecurity, you should look at factors such as:
• system security – the security of your network and information systems, including especially those which process personal data;
• data security – the security of the data you hold within your systems, e.g., ensuring appropriate access controls are in place and that data is held securely through the use of suitable levels of encryption;
P.36 6.3.10(e) Would add: Where Special Category Data is processed (such as health data) or personal data relating to minors, higher levels of security will be expected to be implemented and documented.
P.36 6.3.11 This section should start with the definition of what is meant by a breach and explain the difference between an incident and a breach. It is confusing otherwise.
P.37 6.3.11(b) Consequently, this means that the controller must have an internal procedures defined, tested and documented allowing to confirm to appropriately identify and handle any breach of security concerning personal data.
In an ideal scenario, an information incident response policy should precede be in place before processing of personal data begins so that any the occurrence of an incident so that it could be used should a data breach take place.
P.37 6.3.11(d) Would add a final paragraph. As GDPR is maturing, different DPAs are expressing different thresholds for the reporting of breaches. Where originally there was a fear of over reporting, the DPC in Ireland has requested a breach be reported when there is any risk identified to the data subject. This allows the Commission to identify trends and to have confidence that controllers are identifying the minor breaches and thus are able to identify the more serious breaches should they arise.
I hope you find this useful.
Alan
From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE
Sent: 28 February 2020 13:09
To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Here comes D4.1 with both parts now included. We made further minor edits to Part A. We believe that the pdf version can be submitted. We look forward to your comments on Part B, which unfortunately comes a bit later than planned.
Best regards, Lina
From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE
Sent: Friday, February 28, 2020 8:45 AM
To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Thank you for your additions and edits. The document to be submitted to the EC will reach you shortly after noon.
Best regards, Lina
From: nagy.renata@naih.hu <nagy.renata@naih.hu>
Sent: Thursday, February 27, 2020 4:31 PM
To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear Lina! Dear All!
Thank you for sharing the restructured version of the guidance for DPAs. We only added minor additions/corrections. We confirm that the yellow parts are accurate.
We are looking forward to the handbook (the submission deadline is 29.02.2020)
Best regards,
Renáta
From: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>
Sent: Thursday, February 20, 2020 10:32 AM
To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Once again, thank you for preparing a revised version of the guidance for DPAs. We reviewed it and now enclose an improved version of it. It includes nearly all of your report (see the document you shared; we marked in yellow the parts that were used). However, the current version is restructured, rephrased and embedded in a wider context of DPAs’ awareness raising duties. We also extracted recommendations from your report and developed a graph presenting these recommendations. There are two parts marked in yellow that need to be checked for accuracy. Perhaps you will want to add some other clarifications in the text. In particular, further additions could be made to the concluding remarks part. As we provided contributions to the initial text, we would like to be considered co-authors of this guidance. What do you think about this?
The part B – the handbook for SMEs – is on its way.
Best regards, Lina
From: nagy.renata@naih.hu <nagy.renata@naih.hu>
Sent: Tuesday, January 28, 2020 4:16 PM
To: 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>; Leanne Cochrane <leanne.cochrane@trilateralresearch.com>
Cc: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.com>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' <sziklay.julia@naih.hu>
Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear All!
Please, find enclosed the updated version of the guidance.
Best,
Renáta
From: Kulitsán Gábor <kulitsan.gabor@naih.hu>
Sent: Tuesday, January 28, 2020 10:09 AM
To: 'Leanne Cochrane' <leanne.cochrane@trilateralresearch.com>
Cc: 'David Barnard-Wills' <David.Barnard-Wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.hu>; 'Lina JASMONTAITE' <Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' <sziklay.julia@naih.hu>
Subject: RE: STAR II - Update on EDPB and validation workshop?
Hi Leanne,
Thanks for the update on the newsletter.
Regarding the upcoming events:
- The plan is to present the drafts of the guidance and the handbook at the EDPB plenary in February. However, as this is scheduled for 18-19 February, we can only do this if the drafts are ready by then. Renáta will circulate the updated version of the guidance soon. As for the other document (handbook), Lina can provide further information.
- I have no further information on the validation workshop planned for March-April 2020.
Best, Gábor
From: Leanne Cochrane [mailto:leanne.cochrane@trilateralresearch.com]
Sent: Monday, January 27, 2020 6:25 PM
To: Kulitsán Gábor <kulitsan.gabor@naih.hu>
Cc: David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com>; Corinna Pannofino <Corinna.Pannofino@trilateralresearch.com>; Angelo Napolano <Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.hu>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; Sziklay Júlia <sziklay.julia@naih.hu>
Subject: STAR II - Update on EDPB and validation workshop?
Hi Gabor,
I hope you are keeping well.
Our dissemination team is preparing to send out the STAR II newsletter we mentioned on our previous calls. It will be sent out this Thursday with links to the approved deliverables and some blogs. We are also including a section on upcoming events and I wanted to check with NAIH if we had any further information on the following two events:
- A presentation by NAIH to the EDPB on the STAR II project planned for the February EDPB plenary (18th-19th) in Brussels.
- A validation workshop for the STAR II outputs, namely 'A Risk Focused Handbook for SMEs' and a 'Guidance for DPAs', planned for March-April 2020 in Brussels.
Can I just check this information is still current and there is nothing more specific we can add at this stage?
I would be grateful if you can cc all in the reply as I am off tomorrow and the dissemination team are in need of the confirmation.
Thanks and best wishes, Leanne
Leanne Cochrane
Senior Research Analyst | Policy, Ethics and Emerging Technologies Team
leanne.cochrane@trilateralresearch.com
www.trilateralresearch.com
Mobile: +44 (0) 7545 955 242
Skype: @ljcochrane
STAR mailing list STAR@listserv.vub.ac.be https://listserv.vub.ac.be/mailman/listinfo/star
Dear All, just a short comment: all discussions concerning the NAIH hotline should be carried out without delay (taking no notice of the official prolongation) because our colleague responsible for the operation of the hotline will be available only for a limited time. Kind regards, Julia
-----Original Message-----
From: kulitsan.gabor@naih.hu [mailto:kulitsan.gabor@naih.hu]
Sent: Thursday, March 19, 2020 11:42 AM
To: sziklay.julia@naih.hu
Cc: 'STAR' star@listserv.vub.ac.be; Lina JASMONTAITE Lina.Jasmontaite@vub.be; David Barnard-Wills David.Barnard-Wills@trilateralresearch.com; bazsa.peter bazsa.peter@naih.hu
Subject: Re: [star] feedback on STAR II 4.1
Dear All,
The PO informed us of the following (see research portal - process communication):
"Your project is foreseen to end in about 4 months, on 31/07/2020. According to your explanation there are still two events (validation workshop in Brussels and launch event for the guidance & handbook in Budapest) to be organized. Taking into consideration these two elements, I would suggest you to apply for 4 months long prolongation – eg project would be ending on 31/11/2020, which seems sufficient at this point to implement these 2 activities. If there would be a need to prolong it even further, we can evaluate it at the later stage. Would you agree?
Please be so kind to introduce the amendment request in the system ASAP you have clear idea around when would you consider it be possible to implement these 2 activities. Please do not forget to make modifications in narrative Part B (eg timeline, History of changes) and upload it as an attachment to your amendment request."
Following this message I asked whether it would be possible to postpone all of the activities and reports by 4 months. Her answer: "Yes, please launch the amendment with 4 months prolongation of the action and please change the submission deadlines of all the pending deliveries according to your evaluation provisions."
In light of the above, I think we should take the PO's suggestion and apply for a 4 months long prolongation, requesting it for all activities and deliverables, with the indication that in case we don’t need all of this time, we can finish the project earlier.
Would you agree? If so, please read the attached guidance document and please give me input on how we should justify the request for prolongation for each remaining activity and deliverable.
Thank you.
Best, Gábor
Quoting (sziklay.julia@naih.hu):
Dear David, I kindly ask you to formulate and share with us your questions as soon as possible. Renata and I would stay at your disposal and for sure there would be no better time for discussion than now! Julia
Quoting (kulitsan.gabor@naih.hu):
Hi David,
Of course, I informed the PO that we would like to apply for project prolongation, including postponement of all activities and submission of deliverables, for 6 months. Let's see what she answers.
Best, Gábor
Quoting (David Barnard-Wills David.Barnard-Wills@trilateralresearch.com):
Hi Julia, Gabor, Renata,
In addition to the prolongation, can we request to postpone the report on the statistical efficiency of the hotline too? We would need to have an in-depth conversation/discussion(s) with you at NAIH about analysing the data we do have, and adding value to what is in the reporting on the hotline. If you have no capacity for STAR II at the moment, then I don't see us as being able to deliver that this month.
Best wishes,
DBW
-----Original Message-----
From: star-bounces@listserv.vub.ac.be star-bounces@listserv.vub.ac.be On Behalf Of sziklay.julia@naih.hu
Sent: 17 March 2020 12:37
To: Lina JASMONTAITE Lina.Jasmontaite@vub.be
Cc: 'STAR' star@listserv.vub.ac.be
Subject: Re: [star] feedback on STAR II 4.1
Dear All, then all of us agree on requesting a 6-month prolongation. I kindly ask Gabor and Renata to proceed according to it. Kind regards, Julia
Quoting (Lina JASMONTAITE Lina.Jasmontaite@vub.be):
Dear Gabor,
Thank you for sharing the reply from the PO. That's great news. I suggest that we accept the offer of 6 months as the situation remains uncertain and in case we don't need all of this time, we can finalise the project earlier.
Best regards, Lina
-----Original Message-----
From: David Wright David.wright@trilateralresearch.com
Sent: Tuesday, March 17, 2020 11:30 AM
To: kulitsan.gabor@naih.hu; Lina JASMONTAITE Lina.Jasmontaite@vub.be
Cc: 'STAR' star@listserv.vub.ac.be
Subject: Re: [star] feedback on STAR II 4.1
This seems a very good solution.
On 17/03/2020, 10:21, "star-bounces@listserv.vub.ac.be on behalf of kulitsan.gabor@naih.hu" wrote:
Dear All,
Response of the PO (see research portal - process communications)
"Dear coordinator,
Thank you for contacting us.
In relation to your request, we are aware of the heavy circumstances our projects are facing due to current Coronavirus pandemic. Therefore, we are offering our projects to apply for project prolongation eg up until for 6 months (depending on justifications provided) and postponement of activities. There is also, in principle, the option of total suspension but, given that the suspension procedure is much heavier, we do recommend our projects to apply for prolongation instead. Please let me know which way would you like to proceed - amendment for prolongation, or still total suspension?
Kind regards,
Angeelika"
If we accept the PO's recommendation and apply for project prolongation and postponement of activities, we still have to agree on the period of time. If we take this solution I think we should ask for at least 3 months since we have to organize two international workshops, and travelling in Europe is currently quite problematic and it's rather uncertain when the situation will change.
Best, Gábor
Quoting (Lina JASMONTAITE Lina.Jasmontaite@vub.be):
Dear Julia and David,
Thank you for your replies. Indeed, the end result of the extension of the timeline or a temporary suspension would be rather similar – the project would run longer. After consulting internally our finance and legal departments, however, we are of the opinion that less restrictive measures (i.e., extension of the timeline) would be more appropriate. This is also the message that we sent to the PO.
Best regards, Lina
From: Sziklay Júlia sziklay.julia@naih.hu
Sent: Monday, March 16, 2020 3:26 PM
To: Lina JASMONTAITE Lina.Jasmontaite@vub.be; David Barnard-Wills david.barnard-wills@trilateralresearch.com; Leanne Cochrane leanne.cochrane@trilateralresearch.com
Cc: 'STAR' star@listserv.vub.ac.be
Subject: RE: [star] feedback on STAR II 4.1
Dear Colleagues, I think both proposals can be reasonable but nevertheless with quite the same effect: we will be stuck in the project till the end of a prolonged deadline (presumably till autumn 2020 instead of July). I am sure the Commission is working on the issue (the world epidemic situation affects all the ongoing projects in general) so we shall keep our dialogue going on. Julia
From: star-bounces@listserv.vub.ac.be [mailto:star-bounces@listserv.vub.ac.be] On Behalf Of Lina JASMONTAITE
Sent: Monday, March 16, 2020 1:38 PM
To: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; Leanne Cochrane <leanne.cochrane@trilateralresearch.com>
Cc: STAR <star@listserv.vub.ac.be>
Subject: Re: [star] feedback on STAR II 4.1
Dear David and Leanne,
Could you please let us know your position on this situation? Best regards, Lina
On 16 Mar 2020, at 11:39, Lina JASMONTAITE <Lina.Jasmontaite@vub.be> wrote:
Dear Gabor,
I understand your point of view but I believe that all three partners should have agreed to the suspension before sending a request to the PO. Following my supervisor’s advice, VUB couldn’t accept this proposal. I am ok to discuss alternative solutions with the PO. I will keep you and TRI team posted via the mailing list.
Best regards and stay safe, Lina
From: Kulitsán Gábor <kulitsan.gabor@naih.hu>
Sent: Monday, March 16, 2020 11:14 AM
To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>
Cc: 'STAR' <star@listserv.vub.ac.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu
Subject: RE: feedback on STAR II 4.1
Dear Lina,
And how should I ask for any extension if I don’t know any exact dates or anything for sure? I think the suspension is better, indicating that the project would resume where it left off once the situation returns to normal or at least to less serious. I already sent the message to the PO, but if you have any other idea, feel free to share it with her via the portal adding the turn “on behalf of the coordinator”. I’m really sorry, but now I have neither time nor energy to act as a contact person. If you want, you can have the call as well, but I probably won’t be available. And no offense, but to be honest, currently the project is of least interest to me.
Best, Gábor
From: Lina JASMONTAITE [mailto:Lina.Jasmontaite@vub.be]
Sent: Monday, March 16, 2020 10:58 AM
To: Kulitsán Gábor <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu
Subject: RE: feedback on STAR II 4.1
Dear Gabor,
Thanks for your email. I am not sure what a suspension would mean in terms of financial implications for VUB, so at this point I think we should request an extension in these unforeseen circumstances rather than a suspension.
While the situation is full of uncertainty and many of us need to adapt to it, we can still proceed further and work on deliverables for the project, apart from the workshop. We need to discuss a scenario with the PO what to do if the situation does not improve in upcoming weeks. If that is the case, perhaps, we should ask for the adjustment in the DOW and instead of a workshop to obtain feedback we could propose having an online consultation. This would of course affect our funding.
I think we should still have a call if not this week, then a week after.
Best regards, Lina
From: Kulitsán Gábor <kulitsan.gabor@naih.hu>
Sent: Monday, March 16, 2020 10:39 AM
To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: RE: feedback on STAR II 4.1
Importance: High
Dear Lina & All
Due to the current situation I will ask the PO to temporarily suspend the project including all deadlines by reason of unforeseeable circumstances of force majeure. I’ll keep you updated.
Secondly, I can’t make tomorrow’s call, but I don’t think that’s the most important thing now anyway.
Best wishes, stay safe and take care of yourselves!
Gábor
From: Lina JASMONTAITE [mailto:Lina.Jasmontaite@vub.be]
Sent: Friday, March 13, 2020 10:54 AM
To: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>; nagy.renata@naih.hu
Subject: RE: feedback on STAR II 4.1
@David Barnard-Wills many thanks for sharing the extensive feedback. It’s much appreciated and we’ll implement it as soon as possible.
@Kulitsán Gábor at the university we were receiving daily updates on the situation concerning the virus. For now all external events are cancelled until the end of April. In view of this, we can suggest rescheduling the event to a later date (probably mid or late June) in the hope that by then the situation improves and we can host the event. This would consequently require more time to finalise the handbook for the final event, and then July wouldn’t be a realistic date. My understanding is that we cannot ask for the extension of the project to the end of October/November because it is funded by the grant action. Could we, however, ask the PO for the cost of the final workshop as well as travelling to be eligible for a later date that would go beyond the lifetime of the project? Perhaps, before proceeding with the official communication, it would be possible to get in touch with the PO via a phone call, so we are aware of the position taken by the EC considering the current situation?
Having a call on Tuesday works well for our team.
Best regards, Lina
From: David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com>
Sent: Tuesday, March 10, 2020 4:22 PM
To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: feedback on STAR II 4.1
Dear all,
First, I sincerely apologise for not getting this feedback to you earlier. I assume that D4.1 was submitted? On the positive side, this feedback can presumably be included in the final version of these deliverables.
We got Alan Moore, one of our DPO team, with good practical expertise with various commercial clients to review the guidance document (You met him at the Brussels workshop). His feedback is below.
Best wishes,
DBW
I have gone through the document and have a few suggestions:
P7 Section 3.2 It can be suggested that to compensate for being awarded with limited enforcement powers…..
I would hold they have significant powers beyond the ability to fine. Their powers to instruct controllers / processors to cease processing data, among others, can ultimately shut down a business without a fine being levied. To ignore these instructions can land a director in jail for up to 5 years!
P8. DPAs The focus on standardisation and EDPB. Art 60 was an afterthought and the general view is that it cannot operate within the prescribed timelines. The ECJ will be the ultimate arbiter for standardisation of approaches / laws / requirements but each National Authority must be free to interpret facts presented in its own way. Their independence is anchored in the EU treaties. A complication that will eventually need to be addressed.
P8. 3.3 Should be aware that translation into romance languages can carry a different connotation than was intended by the Directive and DPAs have a key role to explain the true intent / meaning.
P9. 3.4 Typo in second paragraph. It also could be considered e the most
P10. It appeared that most DPAs do not use internal guidance to direct…. What has been the result of this? A key concern in the Irish DPC has been delivering a consistent message and not providing a different answer to the same or similar callers on different occasions.
P11. 4 Unclear use of language - first paragraph This initiative allowed to be confirmed that It allowed to be obtained
P11.4. Would stress the importance of standardisation of response & P12 4 Add ‘c’? Implement a control process to ensure standardisation of responses to similar questions / scenarios
P13. 4.2 Might mention the concern that callers may have that showing their hand may trigger an investigation. Callers need to be reassured and encouraged to participate. Approaches do differ between different DPAs.
P13. 4.2.1 It was decided to create a dedicated part Following up on from this decision
P15. 4.2.3 I would stress the value of face-to-face more as context can be complicated and the caller is subject to information and power asymmetry.
P16 4.5 last paragraph We are included inclined to
P21 6.2 last paragraph DPAs across the EU have reported to engage that they have engaged in
P22 6.3 4.5 last paragraph Slovic suggests that the following elements play a role when evaluating risk:
- The degree to which an individual feels in control
- The nature of consequences and the distribution of the impact
P23 6.3 2nd paragraph Which is perceived ‘as the coordinated activities to direct and control an organisation with regard to risk’ [47] This is most practically evidenced by the development and maintaining of a formal risk register.
(This risk section is very cerebral I fear and won't help with the ‘how’)
P23 6.3.1 Typically, the risk based approach formula approach in the GDPR includes the following elements to be taken into account:
- The state of the art in terms of technology for of the means of processing (state of the art needs to be explained – does not mean the best there is but rather the minimum expectable / expected)
P24 6.3.2 I would add a sentence or two on the benefits of undertaking a voluntary DPIA, which include:
- Documented understanding of how the system works
- Known points of integration with other systems
- Assigning accountability
- Ensuring organisational standards (security / access etc.) are being complied with
- Demonstrated commitment to GDPR
- General peace of mind / greater organisational resilience
P24 6.3.5 I would add a piece on keeping a formal risk register of risks to data subjects, separate from any organisational risk register of risks to the organisation, in which all risks are assigned an owner and a review date.
P25 6.3.5 (b) What do SMEs need to do to be accountable?
Second paragraph …that the principle of accountability as an elements of good
P.26 first line … that the demonstration of compliance
P.26 6.3.6 (b)
- Implement data protection principles (see Article 5) and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects (see Chapter III) in an effective manner;
- This should be done at the time of the determination of the means for processing and implemented before the time of the processing itself. (Not that clear in the text.)
P.27 6.3.6 (c) It should be noted that some DPAs, while not defining any technical or organisational measures, will nonetheless express an expectation, such as the Irish DPC in terms of the use of encryption whenever possible where personal data is at rest or in transit.
P.28 6.3.7 (b) 2nd paragraph It is assumed that organisations will, however, benefit more from maintaining their documentation electronically as such documentation can they can easily added to, have entries removed when obsolete, and amend entries it as necessary. However paper documentation is regarded as being appropriate for SMEs and micro enterprises. It should be added that SMEs (entities having less than 250 employees) are technically exempt from this obligation if provided they are undertaking:
• processing that is not likely to result in a risk to the rights and freedoms of data subjects;
• processing that is not occasional (meaning that it is not regularly / frequently undertaken); or
• processing that does not include special categories of data or personal data relating to criminal convictions and offences.
In reality, very few SMEs can avail of this exemption unless they process very little data. Most SMEs will usually have some special category data as part of their HR files.
They can be are available on the websites….
P.29 6.3.8 (a) 2 Large scale is not defined by the legislation though different DPAs have given some guidance relevant to different activities.
For SMEs who provide services into other organisations, the voluntary appointment of an internal or outsourced DPO can provide commercial and strategic advantage by communicating a commitment to data protection and promoting higher levels of trust.
P.29 6.3.8 (b)
A DPO may either be an employee of the SME or an external expert, but in both cases, it is fundamental that he or she is independent, in the sense that:
• the DPO shall be provided of with all the necessary resources to carry on his/her tasks, in terms of money, time, workforce, time to devote to professional development etc.;
• the DPO shall not receive instructions for the exercise of his/her tasks;
• the DPO shall not be dismissed or penalized for the performance of his/her tasks;
• the DPO shall report to the highest level of management; and
• the DPO should not be in have any conflict of interest in respect to other tasks and duties (e.g. determining objects and purposes of the processing, representing the SME in legal proceeding).
P.30 6.3.8 (c) Task of DPOs / DPOs cannot
- Task of DPOs: Inform and advise the SME on the obligations arising from the GDPR and the national data protection provisions
  DPOs cannot: Be held accountable for the information and advice given to the SME (I do not agree with this. They are not accountable for whether their advice is implemented or not but they can be held accountable for being negligent)
- Task of DPOs: Monitor the compliance of the SME with the GDPR, the national data protection provisions and (eventual) its internal data policies
  DPOs cannot: Be considered personally responsible for non-compliance with data protection requirements
- Task of DPOs: Carry on awareness raising activities and training for the staff of the SME dealing with data processing
  DPOs cannot: Perform the DPIA. (Not true. There is no reason why a DPO cannot take the lead in undertaking a DPIA, especially where the skills do not exist elsewhere in the organization, but the responsibility to ensure one is done remains with the Controller.)
- Task of DPOs: Provide advice to the SME and monitor the performance in relation to the DPIA (when a DPIA is required)
  DPOs cannot: Represent the SME in front of the DPA or in a court in case of proceedings. (Not quite so. The DPO remains the first point of contact for data subjects and the DPAs and may be called to account for advice / provide an explanation as to how data was processed based on their monitoring of processing activities.)
- Task of DPOs: Act as contact point for the supervisory authority in case of prior consultation
  DPOs cannot: Be considered responsible for the maintenance of the register (True, but they are responsible for providing oversight as to whether it is maintained.)
- Task of DPOs: Cooperate with the supervisory authority
  DPOs cannot: Simultaneously hold another position in the organization that helps define the means and purposes of processing of any personal data.
- Task of DPOs: Be contacted by data subjects willing wishing to exercise their rights
  DPOs cannot: Create and maintain the register of processing (in the exceptional situations where SME are required to have it one) (Not true: under Art 30 it is the responsibility of the Controller.)
P.31 6.3.9(a) Data Protection Impact Assessment (a) Background The DPIA is a new addition to the EU data protection framework. It builds on the rich experience of conducting impact assessments in other fields, in particular, on the environmental impact assessments. To be effective, impact assessments are carried out at the early stage of a project (proactive initiative), at the phase of planning or designing, and are aimed to identify and help mitigate anticipate the any potential beneficial and adverse (i.e. negative) impacts arising from the intended processing of personal data of such within the project. Impact assessments are risk based exercises that help decision-makers find the best and most beneficial solutions for the development and deployment of initiatives while protecting the rights and freedoms of data subjects. To be practical, impact assessments must be scalable, flexible and applicable inter alia for large organisations, consortia or for small and medium-sized enterprises. Any risks identified will be entered into the Data Protection Risk Register.
P.32 6.3.9(c) What are the elements and characteristics of the processing that may generate high risks to the rights and freedoms of individuals? The following elements that contribute to the high risks to data subjects from this provision were extracted by the
(d) What situations could require a DPIA? Examples of processing operations that could trigger a DPIA:
• If the SME is implementing a new tool to monitor access to the office combining the use of fingerprints and facial recognition technology;
• If the SME is a biotechnology company offering genetic tests directly to consumers in order to assess and predict disease/health risks;
• If the SME is providing CCTV surveillance for a shopping centre or using a large number of cameras in its own premises.
(e) Who should perform a DPIA, and when? Although the data processor and the data protection officer shall assist the data controller (i.e., the SME), the final responsibility for the DPIA process rests with the data controller.
(f) When is a DPIA not required?
• When the data processing operations are included in a list of processing operations compiled by the DPA which do not require a DPIA.
P.33 6.3.9(g) 4) Involve data subjects and/or their representatives, the data protection officer and any other expert (e.g. information security officer) and the data processor in the process, ideally in each phase of the assessment process. This consultation must be meaningful.
P.33 6.3.9(h) When is a new (revised) DPIA required? A new (i.e. revised) DPIA could be required if the risks resulting from the processing operations are to change, for example because a new technology is to be introduced, a new processor is to be engaged under contract, or because personal data is to be used for a different purpose.
In that case, a review of the risk analysis may show that a DPIA is no longer required.
P.34 6.3.10(b) How is the security obligation related to other provisions?
This obligation also requires the controller wishing to engage a processor under contract to undertake due diligence and assess whether the guarantees offered by the data processor, in this case the cloud service provider, are sufficient. A controller must only engage such a processor where they have faith in its ability to comply with the obligations under the GDPR. During this process, the controller may take into account whether the processor provides adequate documentation proving compliance with data protection principles, which could be found in privacy policies, records management policies, information security policies, external audit reports, certifications and similar documentation. The controller in particular should take into account the processor's expert knowledge (e.g. technical expertise when dealing with data breaches and security measures), reliability and resources. A site visit may also be necessary. After carrying out the due diligence process, the controller should be able to take a decision with sufficient evidence demonstrating that the processor is suitable; it can then enter into a binding arrangement. It should be added that this due diligence process is not a one-time effort. The controller will have an ongoing obligation to check whether the processor is compliant and meeting its obligations, either by auditing using their own staff or a trusted third party. When outsourcing the processing of personal data (e.g. for the provision of technical assistance or cloud services), the controller must conclude a contract, another legal act or binding arrangement with the other entity setting out clear and precise data protection obligations and the nature of the processing in a detailed data processing agreement.
P.35 6.3.10(c) An information security policy foreseeing the role of each user and the required permission levels (access control) appropriate to the role, which minimises access to only that data necessary for that role, including the system administrator accounts, is an example of an appropriate organisational measure.
P.35 6.3.10(d) What technical security measures can an SME take? Technical measures must therefore include both physical security and computer or IT security.
When considering cybersecurity, you should look at factors such as:
• system security – the security of your network and information systems, especially those which process personal data;
• data security – the security of the data you hold within your systems, e.g., ensuring appropriate access controls are in place and that data is held securely through the use of suitable levels of encryption;
P.36 6.3.10(e) Would add: Where Special Category Data is processed (such as health data) or personal data relating to minors, higher levels of security will be expected to be implemented and documented.
P.36 6.3.11 This section should start with the definition of what is meant by a breach and explain the difference between an incident and a breach. It is confusing otherwise.
P.37 6.3.11(b) Consequently, this means that the controller must have internal procedures defined, tested and documented that allow it to appropriately identify and handle any breach of security concerning personal data.
In an ideal scenario, an incident response policy should be in place before the processing of personal data begins, so that it can be used should a data breach take place.
P.37 6.3.11(d) Would add a final paragraph. As the GDPR is maturing, different DPAs are expressing different thresholds for the reporting of breaches. Where originally there was a fear of over-reporting, the DPC in Ireland has requested that a breach be reported when there is any risk identified to the data subject. This allows the Commission to identify trends and to have confidence that controllers are identifying the minor breaches and thus are able to identify the more serious breaches should they arise.
I hope you find this useful.
Alan
From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE
Sent: 28 February 2020 13:09
To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Here comes D4.1 with both parts now included. We made further minor edits to Part A. We believe that the pdf version can be submitted. We look forward to your comments on Part B, which unfortunately comes a bit later than planned.
Best regards, Lina
From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE
Sent: Friday, February 28, 2020 8:45 AM
To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Thank you for your additions and edits. The document to be submitted to the EC will reach you shortly after noon.
Best regards, Lina
From: nagy.renata@naih.hu <nagy.renata@naih.hu>
Sent: Thursday, February 27, 2020 4:31 PM
To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear Lina! Dear All!
Thank you for sharing the restructured version of the guidance for DPAs. We only added minor additions/corrections. We confirm that the yellow parts are accurate.
We are looking forward to the handbook (the submission deadline is 29.02.2020)
Best regards,
Renáta
From: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>
Sent: Thursday, February 20, 2020 10:32 AM
To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Once again, thank you for preparing a revised version of the guidance for DPAs. We reviewed it and now enclose an improved version of it. It includes nearly all of your report (see the document you shared; we marked in yellow the parts that were used). However, the current version is restructured, rephrased and embedded in the wider context of DPAs' awareness raising duties. We also extracted recommendations from your report and developed a graph presenting these recommendations. There are two parts marked in yellow that need to be checked for accuracy. Perhaps you will want to add some other clarifications in the text. In particular, further additions could be made to the concluding remarks part. As we provided contributions to the initial text, we would like to be considered co-authors of this guidance. What do you think about this?
Part B, the handbook for SMEs, is on its way.
Best regards, Lina
From: nagy.renata@naih.hu <nagy.renata@naih.hu>
Sent: Tuesday, January 28, 2020 4:16 PM
To: 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>; Leanne Cochrane <leanne.cochrane@trilateralresearch.com>
Cc: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.com>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' <sziklay.julia@naih.hu>
Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear All!
Please, find enclosed the updated version of the guidance.
Best,
Renáta
From: Kulitsán Gábor <kulitsan.gabor@naih.hu>
Sent: Tuesday, January 28, 2020 10:09 AM
To: 'Leanne Cochrane' <leanne.cochrane@trilateralresearch.com>
Cc: 'David Barnard-Wills' <David.Barnard-Wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.hu>; 'Lina JASMONTAITE' <Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' <sziklay.julia@naih.hu>
Subject: RE: STAR II - Update on EDPB and validation workshop?
Hi Leanne,
Thanks for the update on the newsletter.
Regarding the upcoming events:
- The plan is to present the drafts of the guidance and the handbook at the EDPB plenary in February. However, as this is scheduled for 18-19 February, we can only do this if the drafts are ready by then. Renáta will circulate the updated version of the guidance soon. As for the other document (handbook), Lina can provide further information.
- I have no further information on the validation workshop planned for March-April 2020.
Best, Gábor
From: Leanne Cochrane <leanne.cochrane@trilateralresearch.com>
Sent: Monday, January 27, 2020 6:25 PM
To: Kulitsán Gábor <kulitsan.gabor@naih.hu>
Cc: David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com>; Corinna Pannofino <Corinna.Pannofino@trilateralresearch.com>; Angelo Napolano <Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.hu>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; Sziklay Júlia <sziklay.julia@naih.hu>
Subject: STAR II - Update on EDPB and validation workshop?
Hi Gabor,
I hope you are keeping well.
Our dissemination team is preparing to send out the STAR II newsletter we mentioned on our previous calls. It will be sent out this Thursday with links to the approved deliverables and some blogs. We are also including a section on upcoming events and I wanted to check with NAIH if we had any further information on the following two events:
- A presentation by NAIH to the EDPB on the STAR II project planned for the February EDPB plenary (18th-19th) in Brussels.
- A validation workshop for the STAR II outputs, namely 'A Risk Focused Handbook for SMEs' and a 'Guidance for DPAs', planned for March-April 2020 in Brussels.
Can I just check this information is still current and there is nothing more specific we can add at this stage?
I would be grateful if you can cc all in the reply as I am off tomorrow and the dissemination team are in need of the confirmation.
Thanks and best wishes, Leanne
Leanne Cochrane
Senior Research Analyst | Policy, Ethics and Emerging Technologies Team
leanne.cochrane@trilateralresearch.com
www.trilateralresearch.com
Mobile: +44 (0) 7545 955 242
Skype: @ljcochrane
STAR mailing list STAR@listserv.vub.ac.be https://listserv.vub.ac.be/mailman/listinfo/star
Dear Gabor,
As far as the request for the amendment of our contract is concerned, we believe a message along similar lines could be communicated to the PO.
Formal part: The validation workshop (D4.2) for the draft versions of the guidance for running a hotline service for SMEs and the handbook facilitating SMEs' compliance with the GDPR was due to take place on 23 April 2020. The workshop agenda was prepared with the different interests and expectations of the representatives of DPAs and SMEs in mind. The feedback sessions foreseen in the agenda were to result in suggestions and comments that could be used to finalise the two documents. Organising the event on the foreseen date at the premises of the Vrije Universiteit Brussel (VUB) is no longer possible due to measures taken to reduce the spread of coronavirus/Covid-19. It is not possible to predict if the VUB will allow hosting any external events before the end of this school year as, together with the other Flemish universities, it has decided to keep all classes exclusively digital until the end of this semester (5 July 2020). Considering the uncertainty surrounding the current spread of Covid-19, we find an extension of 4 months reasonable. We propose to organise the validation workshop (D4.2) in (early) September. It is, however, difficult to propose the exact date. We would then estimate that during the remaining weeks of September and October we would implement edits in the two documents based on the feedback that we receive. Following this scenario, the final versions of the guidance and the handbook (D4.3) would then be printed in early November. The final closing event presenting the two documents (D4.4) could be organised in mid-November.
Informal part (and thus not legally binding): Recognising that anxiety caused by the coronavirus pandemic may affect travelling and social interactions in the months to come, we are considering the possibility of launching an online consultation to obtain feedback from the relevant stakeholders (i.e., DPA representatives for part A and SME representatives for part B). Such feedback would then complement the feedback obtained during the validation workshop (D4.2).
On the same note, we want to invite NAIH to comment on D4.1. It would be great if you could make suggestions for the questions and answers included in part B. Btw how is the EDPB proceeding with its work?
Best regards, Lina
-----Original Message-----
From: kulitsan.gabor@naih.hu <kulitsan.gabor@naih.hu>
Sent: Thursday, March 19, 2020 11:42 AM
To: sziklay.julia@naih.hu
Cc: 'STAR' <star@listserv.vub.ac.be>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; bazsa.peter <bazsa.peter@naih.hu>
Subject: Re: [star] feedback on STAR II 4.1
Dear All,
The PO informed us of the following (see research portal - process communication):
"Your project is foreseen to end in about 4 months, on 31/07/2020. According to your explanation there are still two events (validation workshop in Brussels and launch event for the guidance & handbook in Budapest) to be organized. Taking into consideration these two elements, I would suggest you apply for a 4-month prolongation – e.g. the project would end on 31/11/2020, which seems sufficient at this point to implement these 2 activities. If there is a need to prolong it even further, we can evaluate it at a later stage. Would you agree?
Please be so kind to introduce the amendment request in the system ASAP you have clear idea around when would you consider it be possible to implement these 2 activities. Please do not forget to make modifications in narrative Part B (eg timeline, History of changes) and upload it as an attachment to your amendment request."
Following this message I asked whether it would be possible to postpone all of the activities and reports by 4 months. Her answer: "Yes, please launch the amendment with 4 months prolongation of the action and please change the submission deadlines of all the pending deliveries according to your evaluation provisions."
In light of the above, I think we should take the PO's suggestion and apply for a 4-month prolongation, requesting it for all activities and deliverables, with the indication that in case we don't need all of this time, we can finish the project earlier.
Would you agree? If so, please read the attached guidance document and please give me input on how we should justify the request for prolongation for each remaining activity and deliverable.
Thank you.
Best, Gábor
Quote (sziklay.julia@naih.hu):
Dear David, I kindly ask you to formulate and share with us your questions as soon as possible. Renata and I would stay at your disposal, and for sure there would be no better time for discussion than now! Julia
Quote (kulitsan.gabor@naih.hu):
Hi David,
Of course, I informed the PO that we would like to apply for project prolongation, including postponement of all activities and submission of deliverables, for 6 months. Let's see what she answers.
Best, Gábor
Quote (David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com>):
Hi Julia, Gabor, Renata,
In addition to the prolongation, can we request to postpone the report on the statistical efficiency of the hotline too? We would need to have an in-depth conversation/discussion(s) with you at NAIH about analysing the data we do have, and adding value to what is in the reporting on the hotline. If you have no capacity for STAR II at the moment, then I don't see us as being able to deliver that this month.
Best wishes,
DBW
-----Original Message-----
From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of sziklay.julia@naih.hu
Sent: 17 March 2020 12:37
To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: Re: [star] feedback on STAR II 4.1
Dear All, then all of us agree on requesting a 6-month prolongation. I kindly ask Gabor and Renata to proceed accordingly. Kind regards, Julia
Quote (Lina JASMONTAITE <Lina.Jasmontaite@vub.be>):
Dear Gabor,
Thank you for sharing the reply from the PO. That's great news. I suggest that we accept the offer of 6 months as the situation remains uncertain and in case we don't need all of this time, we can finalise the project earlier.
Best regards, Lina
-----Original Message-----
From: David Wright <David.wright@trilateralresearch.com>
Sent: Tuesday, March 17, 2020 11:30 AM
To: kulitsan.gabor@naih.hu; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: Re: [star] feedback on STAR II 4.1
This seems a very good solution.
On 17/03/2020, 10:21, "star-bounces@listserv.vub.ac.be on behalf of kulitsan.gabor@naih.hu" wrote:
Dear All,
Response of the PO (see research portal - process communications)
"Dear coordinator,
Thank you for contacting us.
In relation to your request, we are aware of the heavy circumstances our projects are facing due to the current Coronavirus pandemic. Therefore, we are offering our projects the possibility to apply for project prolongation, e.g. for up to 6 months (depending on justifications provided), and postponement of activities. There is also, in principle, the option of total suspension but, given that the suspension procedure is much heavier, we do recommend our projects apply for prolongation instead. Please let me know which way you would like to proceed - amendment for prolongation, or still total suspension?
Kind regards,
Angeelika"
If we accept the PO's recommendation and apply for project prolongation and postponement of activities, we still have to agree on the period of time. If we take this solution I think we should ask for at least 3 months, since we have to organize two international workshops, and travelling in Europe is currently quite problematic and it's rather uncertain when the situation will change.
Best, Gábor
Quote (Lina JASMONTAITE <Lina.Jasmontaite@vub.be>):
Dear Julia and David,
Thank you for your replies. Indeed, the end result of the extension of the timeline or a temporary suspension would be rather similar: the project would run longer. After consulting internally with our finance and legal departments, however, we are of the opinion that less restrictive measures (i.e., extension of the timeline) would be more appropriate. This is also the message that we sent to the PO.
Best regards, Lina
From: Sziklay Júlia <sziklay.julia@naih.hu>
Sent: Monday, March 16, 2020 3:26 PM
To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; Leanne Cochrane <leanne.cochrane@trilateralresearch.com>
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: RE: [star] feedback on STAR II 4.1
Dear Colleagues, I think both proposals can be reasonable, but nevertheless with quite the same effect: we will be stuck in the project till the end of a prolonged deadline (presumably till autumn 2020 instead of July). I am sure the Commission is working on the issue (the world epidemic situation affects all the ongoing projects in general), so we shall keep our dialogue going. Julia
From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE
Sent: Monday, March 16, 2020 1:38 PM
To: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; Leanne Cochrane <leanne.cochrane@trilateralresearch.com>
Cc: STAR <star@listserv.vub.ac.be>
Subject: Re: [star] feedback on STAR II 4.1
Dear David and Leanne,
Could you please let us know your position on this situation? Best regards, Lina
On 16 Mar 2020, at 11:39, Lina JASMONTAITE <Lina.Jasmontaite@vub.be> wrote:
Dear Gabor,
I understand your point of view, but I believe that all three partners should have agreed to the suspension before sending a request to the PO. Following my supervisor's advice, VUB couldn't accept this proposal. I am ok to discuss alternative solutions with the PO. I will keep you and the TRI team posted via the mailing list.
Best regards and stay safe, Lina
From: Kulitsán Gábor <kulitsan.gabor@naih.hu>
Sent: Monday, March 16, 2020 11:14 AM
To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>
Cc: 'STAR' <star@listserv.vub.ac.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu
Subject: RE: feedback on STAR II 4.1
Dear Lina,
And how should I ask for any extension if I don't know any exact dates or anything for sure? I think the suspension is better, indicating that the project would resume where it left off once the situation returns to normal or at least to less serious. I already sent the message to the PO, but if you have any other idea, feel free to share it with her via the portal, adding the turn "on behalf of the coordinator". I'm really sorry, but now I have neither time nor energy to act as a contact person. If you want, you can have the call as well, but I probably won't be available. And no offense, but to be honest, currently the project is of least interest to me.
Best, Gábor
From: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>
Sent: Monday, March 16, 2020 10:58 AM
To: Kulitsán Gábor <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu
Subject: RE: feedback on STAR II 4.1
Dear Gabor,
Thanks for your email. I am not sure what a suspension would mean in terms of financial implications for VUB, so at this point I think we should request an extension in these unforeseen circumstances rather than a suspension.
While the situation is full of uncertainty and many of us need to adapt to it, we can still proceed further and work on deliverables for the project, apart from the workshop. We need to discuss a scenario with the PO on what to do if the situation does not improve in the upcoming weeks. If that is the case, perhaps we should ask for an adjustment in the DOW and, instead of a workshop to obtain feedback, we could propose having an online consultation. This would of course affect our funding.
I think we should still have a call, if not this week, then a week after.
Best regards, Lina
From: Kulitsán Gábor <kulitsan.gabor@naih.hu>
Sent: Monday, March 16, 2020 10:39 AM
To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: RE: feedback on STAR II 4.1
Importance: High
Dear Lina & All
Due to the current situation I will ask the PO to temporarily suspend the project including all deadlines by reason of unforeseeable circumstances of force majeure. I’ll keep you updated.
Secondly, I can’t make tomorrow’s call, but I don’t think that’s the most important thing now anyway.
Best wishes, stay safe and take care of yourselves!
Gábor
From: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>
Sent: Friday, March 13, 2020 10:54 AM
To: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>; nagy.renata@naih.hu
Subject: RE: feedback on STAR II 4.1
@David Barnard-Wills many thanks for sharing the extensive feedback. It's much appreciated and we'll implement it as soon as possible.
@Kulitsán Gábor at the university we have been receiving daily updates on the situation concerning the virus. For now all external events are cancelled until the end of April. In view of this, we can suggest rescheduling the event for a later date (probably mid or late June) in the hope that by then the situation improves and we can host the event. This would consequently require more time to finalise the handbook for the final event, and then July wouldn't be a realistic date. My understanding is that we cannot ask for the extension of the project to the end of October/November because it is funded by the grant action. Could we, however, ask the PO for the cost of the final workshop as well as travelling to be eligible for a later date that would go beyond the lifetime of the project? Perhaps, before proceeding with the official communication, it would be possible to get in touch with the PO via a phone call, so we are aware of the position taken by the EC considering the current situation?
Having a call on Tuesday works well for our team.
Best regards, Lina
From: David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com>
Sent: Tuesday, March 10, 2020 4:22 PM
To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: feedback on STAR II 4.1
Dear all,
First, I sincerely apologise for not getting this feedback to you earlier. I assume that D4.1 was submitted? On the positive side, this feedback can presumably be included in the final version of these deliverables.
We got Alan Moore, one of our DPO team, with good practical expertise with various commercial clients to review the guidance document (You met him at the Brussels workshop). His feedback is below.
Best wishes,
DBW
I have gone through the document and have a few suggestions:
P7 Section 3.2 It can be suggested that to compensate for being awarded with limited enforcement powers…..
I would hold that they have significant powers beyond the ability to fine. Their powers to instruct controllers / processors to cease processing data, among others, can ultimately shut down a business without a fine being levied. To ignore these instructions can land a director in jail for up to 5 years!
P8. DPAs The focus on standardisation and the EDPB. Art 60 was an afterthought and the general view is that it cannot operate within the prescribed timelines. The ECJ will be the ultimate arbiter for standardisation of approaches / laws / requirements, but each National Authority must be free to interpret the facts presented in its own way. Their independence is anchored in the EU treaties. A complication that will eventually need to be addressed.
P8. 3.3 Should be aware that translation into romance languages can carry a different connotation than was intended by the Directive, and DPAs have a key role to explain the true intent / meaning.
P9. 3.4 Typo in second paragraph. It also could be considered e the most
P10. It appeared that most DPAs do not use internal guidance to direct….
What has been the result of this? A key concern in the Irish DPC has been delivering a consistent message and not providing a different answer to the same or similar callers on different occasions.
P11. 4 Unclear use of language - first paragraph This initiative allowed to be confirmed that It allowed to be obtained
P11.4. Would stress the importance of standardisation of response & P12 4 Add ‘c’? Implement a control process to ensure standardisation of responses to similar questions / scenarios
P13. 4.2 Might mention the concern that callers may have that showing their hand may trigger an investigation. Callers need to be reassured and encouraged to participate. Approaches do differ between different DPAs.
P13. 4.2.1 “It was decided to create a dedicated part” / “Following up on from this decision” (wording).
P15. 4.2.3 I would stress the value of face to face more as context can be complicated and the caller is subject to information and power asymmetry.
P16 4.5 last paragraph: “We are included” should read “We are inclined to”.
P21 6.2 last paragraph: “DPAs across the EU have reported to engage” should read “DPAs across the EU have reported that they have engaged in”.
P22 6.3 (4.5) last paragraph: Slovic suggests that the following elements play a role when evaluating risk:
- The degree to which an individual feels in control
- The nature of consequences and the distribution of the impact
P23 6.3 2nd paragraph: “Which is perceived ‘as the coordinated activities to direct and control an organisation with regard to risk’” (footnote 47). This is most practically evidenced by the development and maintenance of a formal risk register.
(This risk section is very cerebral, I fear, and won't help with the ‘how’.)
P23 6.3.1 “Typically, the risk based approach in the GDPR includes the following elements to be taken into account:
- The state of the art in terms of technology of the means of processing” (state of the art needs to be explained: it does not mean the best there is but rather the minimum expectable / expected).
P24 6.3.2 I would add a sentence or two on the benefits of undertaking a voluntary DPIA, which include:
- Documented understanding of how the system works
- Known points of integration with other systems
- Assigning accountability
- Ensuring organisational standards (security / access etc.) are being complied with
- Demonstrated commitment to GDPR
- General peace of mind / greater organisational resilience
P24 6.3.5 I would add a piece on keeping a formal risk register of risks to data subjects, separate from any organisational risk register of risks to the organisation, in which all risks are assigned an owner and a review date.
P25 6.3.5 (b) “What does SMEs need to do to be accountable?” should read “What do SMEs need to do to be accountable?”
Second paragraph: “…that the principle of accountability as an elements of good” should read “as an element of good”.
P.26 first line: “… that the demonstration of compliance”.
P.26 6.3.6 (b)
- Implement data protection principles (see Article 5) and integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects (see Chapter III) in an effective manner;
- This should be done at the time of the determination of the means for processing and implemented before the time of the processing itself. (Not that clear in the text.)
P.27 6.3.6 (c) It should be noted that some DPAs, while not defining any technical or organisational measures, will nonetheless express an expectation, such as the Irish DPC in terms of the use of encryption whenever possible where personal data is at rest or in transit.
P.28 6.3.7 (b) 2nd paragraph: “It is assumed that organisations will, however, benefit more from maintaining their documentation electronically, as such documentation can easily be added to, have entries removed when obsolete, and be amended as necessary. However, paper documentation is regarded as being appropriate for SMEs and micro enterprises.” It should be added that SMEs (entities having less than 250 employees) are technically exempt from this obligation provided they are undertaking:
• processing that is not likely to result in a risk to the rights and freedoms of data subjects;
• processing that is not occasional (meaning that it is not regularly / frequently undertaken); or
• processing that does not include special categories of data or personal data relating to criminal convictions and offences.
In reality, very few SMEs can avail of this exemption unless they process very little data. Most SMEs will usually have some special category data as part of their HR files.
“They can be are available on the websites….” should read “They are available on the websites….”
P.29 6.3.8 (a) 2 Large scale is not defined by the legislation though different DPAs have given some guidance relevant to different activities.
For SMEs who provide services into other organisations, the voluntary appointment of an internal or outsourced DPO can provide commercial and strategic advantage by communicating a commitment to data protection and promoting higher levels of trust.
P.29 6.3.8 (b)
A DPO may either be an employee of the SME or an external expert, but in both cases it is fundamental that he or she is independent, in the sense that:
• the DPO shall be provided with all the necessary resources to carry out his/her tasks, in terms of money, time, workforce, time to devote to professional development etc.;
• the DPO shall not receive instructions for the exercise of his/her tasks;
• the DPO shall not be dismissed or penalised for the performance of his/her tasks;
• the DPO shall report to the highest level of management; and
• the DPO should not have any conflict of interest in respect of other tasks and duties (e.g. determining objects and purposes of the processing, representing the SME in legal proceedings).
P.30 6.3.8 (c) Tasks of DPOs (the “Tasks of DPOs” / “DPOs cannot” table), with my comments in brackets:
- Can: Inform and advise the SME on the obligations arising from the GDPR and the national data protection provisions.
- Cannot: Be held accountable for the information and advice given to the SME. (I do not agree with this. They are not accountable for whether their advice is implemented or not, but they can be held accountable for being negligent.)
- Can: Monitor the compliance of the SME with the GDPR, the national data protection provisions and its (eventual) internal data policies.
- Cannot: Be considered personally responsible for non-compliance with data protection requirements.
- Can: Carry on awareness raising activities and training for the staff of the SME dealing with data processing.
- Cannot: Perform the DPIA. (Not true. There is no reason why a DPO cannot take the lead in undertaking a DPIA, especially where the skills do not exist elsewhere in the organisation, but the responsibility to ensure one is done remains with the Controller.)
- Can: Provide advice to the SME and monitor the performance in relation to the DPIA (when a DPIA is required).
- Cannot: Represent the SME in front of the DPA or in a court in case of proceedings. (Not quite so. The DPO remains the first point of contact for data subjects and the DPAs and may be called to account for advice / provide an explanation as to how data was processed based on their monitoring of processing activities.)
- Can: Act as contact point for the supervisory authority in case of prior consultation.
- Cannot: Be considered responsible for the maintenance of the register. (True, but they are responsible for providing oversight as to whether it is maintained.)
- Can: Cooperate with the supervisory authority.
- Cannot: Simultaneously hold another position in the organisation that helps define the means and purposes of processing of any personal data.
- Can: Be contacted by data subjects wishing to exercise their rights.
- Can: Create and maintain the register of processing (in the exceptional situations where SMEs are required to have one). (Not true; under Art 30 it is the responsibility of the Controller.)
P.31 6.3.9(a) Data Protection Impact Assessment (a) Background: “The DPIA is a new addition to the EU data protection framework. It builds on the rich experience of conducting impact assessments in other fields, in particular on environmental impact assessments. To be effective, impact assessments are carried out at the early stage of a project (proactive initiative), at the phase of planning or designing, and are aimed to identify, anticipate and help mitigate any potential beneficial and adverse (i.e. negative) impacts arising from the intended processing of personal data within the project. Impact assessments are risk based exercises that help decision-makers find the best and most beneficial solutions for the development and deployment of initiatives while protecting the rights and freedoms of data subjects. To be practical, impact assessments must be scalable, flexible and applicable inter alia for large organisations, consortia or for small and medium-sized enterprises.” Any risks identified will be entered into the Data Protection Risk Register.
P.32 6.3.9(c) (c) What are the elements and characteristics of the processing that may generate the high risks to rights and freedoms of individuals? The following elements that contribute to the high risks to data subjects from this provision were extracted by the
(d) What situations could require a DPIA? Examples of processing operations that could trigger a DPIA:
• If the SME is implementing a new tool to monitor access to the office combining use of fingerprints and facial recognition technology;
• If the SME is a biotechnology company offering genetic tests directly to consumers in order to assess and predict disease/health risks;
• If the SME is providing CCTV surveillance for a shopping centre or using a large number of cameras in their own premises.
(e) Who should perform a DPIA, and when? Albeit the data processor and the data protection officer shall assist the data controller (i.e., the SME), the final responsibility for the DPIA process rests with the data controller.
(f) When is a DPIA not required?
• When the data processing operations are included in any list of data processing operations compiled by the DPA which do not require a DPIA.
P.33 6.3.9(g) 4) Involve data subjects and/or their representatives, the data protection officer and any other expert (e.g. information security officer) and the data processor in the process, ideally in each phase of the assessment process. This consultation must be meaningful.
P.33 6.3.9(h) (h) When is a new (revised) DPIA required? A new (i.e. revised version of the) DPIA could be required if the risks resulting from the processing operations are to change, for example because a new technology is to be introduced, a new processor is to be engaged under contract, or because personal data is to be used for a different purpose.
In that case, the review of the risk analysis made can show that the performance of a DPIA is no longer required.
P.34 6.3.10(b) (b) How is the security obligation related to other provisions?
This obligation also requires the controller wishing to engage a processor under contract to undertake due diligence and assess whether the guarantees offered by the data processor, in this case the cloud service provider, are sufficient. A controller must only engage such a processor where they have faith in their ability to comply with the obligations under GDPR. During this process, the controller may take into account whether the processor provides adequate documentation proving compliance with data protection principles, which could be found in privacy policies, records management policies, information security policies, external audit reports, certifications and similar documentation. The controller in particular should take into account the processor’s expert knowledge (e.g. technical expertise when dealing with data breaches and security measures), reliability and its resources. A site visit may also be necessary. After carrying out the due diligence process, the controller should be able to take a decision with sufficient evidence demonstrating that the processor is suitable; it can then enter into a binding arrangement.
It should be added that this due diligence process is not a one-time effort. The controller will have an ongoing obligation to check whether the processor is compliant and meeting their obligations, either by auditing using their own staff or a trusted third party. When outsourcing the processing of personal data (e.g. for the provision of technical assistance or cloud services), the controller must conclude a contract, another legal act or binding arrangement with the other entity setting out clear and precise data protection obligations and the nature of the processing in a detailed data processing agreement.
P.35 6.3.10(c) An information security policy foreseeing the role of each user and the required permission levels (access control) appropriate to the role, which minimises access to only that data necessary for that role (this includes the system administrator accounts), is an example of an appropriate organisational measure.
P.35 6.3.10(d) What technical security measures can an SME take? Technical measures must therefore include both physical and computer or IT security.
When considering cybersecurity, you should look at factors such as:
• system security – the security of your network and information systems, especially those which process personal data;
• data security – the security of the data you hold within your systems, e.g., ensuring appropriate access controls are in place and that data is held securely through the use of suitable levels of encryption;
P.36 6.3.10(e) Would add: Where Special Category Data is processed (such as health data) or personal data relating to minors, higher levels of security will be expected to be implemented and documented.
P.36 6.3.11 This section should start with the definition of what is meant by a breach and explain the difference between an incident and a breach. It is confusing otherwise.
P.37 6.3.11(b) Consequently, this means that the controller must have internal procedures defined, tested and documented to appropriately identify and handle any breach of security concerning personal data.
In an ideal scenario, an information incident response policy should be in place before processing of personal data begins, so that it could be used should a data breach take place.
P.37 6.3.11(d) Would add a final paragraph. As GDPR is maturing, different DPAs are expressing different thresholds for the reporting of breaches. Where originally there was a fear of over reporting, the DPC in Ireland has requested that a breach be reported when there is any risk identified to the data subject. This allows the Commission to identify trends and to have confidence that controllers are identifying the minor breaches and thus are able to identify the more serious breaches should they arise.
I hope you find this useful.
Alan
From: star-bounces@listserv.vub.ac.be On Behalf Of Lina JASMONTAITE
Sent: 28 February 2020 13:09
To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Here comes D4.1 with both parts now included. We made further minor edits to Part A. We believe that the pdf version can be submitted. We look forward to your comments on Part B, which unfortunately comes a bit later than planned.
Best regards, Lina
From: star-bounces@listserv.vub.ac.be On Behalf Of Lina JASMONTAITE
Sent: Friday, February 28, 2020 8:45 AM
To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Thank you for your additions and edits. The document to be submitted to the EC will reach you shortly after noon.
Best regards, Lina
From: nagy.renata@naih.hu
Sent: Thursday, February 27, 2020 4:31 PM
To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear Lina! Dear All!
Thank you for sharing the restructured version of the guidance for DPAs. We only added minor additions/corrections. We confirm that the yellow parts are accurate.
We are looking forward to the handbook (the submission deadline is 29.02.2020)
Best regards,
Renáta
From: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>
Sent: Thursday, February 20, 2020 10:32 AM
To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Once again, thank you for preparing a revised version of the guidance for DPAs. We reviewed it and now enclose an improved version of it. It includes nearly all of your report (see the document you shared; we marked in yellow the parts that were used). However, the current version is restructured, rephrased and embedded in a wider context of DPAs’ awareness raising duties. We also extracted recommendations from your report and developed a graph presenting these recommendations. There are two parts marked in yellow that need to be checked for accuracy. Perhaps you will want to add some other clarifications in the text. In particular, further additions could be made to the concluding remarks part. As we provided contributions to the initial text, we would like to be considered co-authors of this guidance. What do you think about this?
Part B – the handbook for SMEs – is on its way.
Best regards, Lina
From: nagy.renata@naih.hu
Sent: Tuesday, January 28, 2020 4:16 PM
To: 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>; Leanne Cochrane <leanne.cochrane@trilateralresearch.com>
Cc: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.com>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' <sziklay.julia@naih.hu>
Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear All!
Please, find enclosed the updated version of the guidance.
Best,
Renáta
From: Kulitsán Gábor <kulitsan.gabor@naih.hu>
Sent: Tuesday, January 28, 2020 10:09 AM
To: 'Leanne Cochrane' <leanne.cochrane@trilateralresearch.com>
Cc: 'David Barnard-Wills' <David.Barnard-Wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.hu>; 'Lina JASMONTAITE' <Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' <sziklay.julia@naih.hu>
Subject: RE: STAR II - Update on EDPB and validation workshop?
Hi Leanne,
Thanks for the update on the newsletter.
Regarding the upcoming events:
- The plan is to present the drafts of the guidance and the handbook at the EDPB plenary in February. However, as this is scheduled for 18-19 February, we can only do this if the drafts are ready by then. Renáta will circulate the updated version of the guidance soon. As for the other document (handbook), Lina can provide further information.
- I have no further information on the validation workshop planned for March-April 2020.
Best, Gábor
From: Leanne Cochrane <leanne.cochrane@trilateralresearch.com>
Sent: Monday, January 27, 2020 6:25 PM
To: Kulitsán Gábor <kulitsan.gabor@naih.hu>
Cc: David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com>; Corinna Pannofino <Corinna.Pannofino@trilateralresearch.com>; Angelo Napolano <Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.hu>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; Sziklay Júlia <sziklay.julia@naih.hu>
Subject: STAR II - Update on EDPB and validation workshop?
Hi Gabor,
I hope you are keeping well.
Our dissemination team is preparing to send out the STAR II newsletter we mentioned on our previous calls. It will be sent out this Thursday with links to the approved deliverables and some blogs. We are also including a section on upcoming events and I wanted to check with NAIH if we had any further information on the following two events:
- A presentation by NAIH to the EDPB on the STAR II project planned for the February EDPB plenary (18th-19th) in Brussels.
- A validation workshop for the STAR II outputs, namely 'A Risk Focused Handbook for SMEs' and a 'Guidance for DPAs', planned for March-April 2020 in Brussels.
Can I just check this information is still current and there is nothing more specific we can add at this stage?
I would be grateful if you can cc all in the reply as I am off tomorrow and the dissemination team are in need of the confirmation.
Thanks and best wishes, Leanne
http://www.trilateralresearch.com/
Leanne Cochrane
Senior Research Analyst | Policy, Ethics and Emerging
Technologies Team
leanne.cochrane@trilateralresearch.com
www.trilateralresearch.com
Mobile: +44 (0) 7545 955 242
Skype:@ljcochrane
STAR mailing list STAR@listserv.vub.ac.be https://listserv.vub.ac.be/mailman/listinfo/star
Dear Lina,
Thanks for the input. I launched the amendment procedure, composed the amendment and asked the PO to unofficially review it. Following the review, the amendment will be finalised, signed and submitted.
Regarding Deliverable D4.1: Sure, I'll provide you with my feedback in the next few days. Regarding the EDPB: If I'm not mistaken the plenary meetings are cancelled until the end of May. The expert subgroups can proceed with their work and can have telcos. That's all I know.
Best, Gábor
On 2020-03-23 at 16:15, Lina JASMONTAITE wrote:
Dear Gabor,
As the request for the amendment of our contract is concerned, we believe a message along similar lines could be communicated to the PO.
Formal part: The validation workshop (D4.2) for the draft versions of the guidance for running a hotline service for SMEs and the handbook facilitating SMEs' compliance with the GDPR was to take place on 23 April 2020. The workshop agenda was prepared with the different interests and expectations of the representatives of DPAs and SMEs in mind. The feedback sessions foreseen in the agenda were to result in suggestions and comments that could be used to finalise the two documents. Organising the event on the foreseen date at the premises of the Vrije Universiteit Brussel (VUB) is no longer possible due to measures taken to reduce the spread of coronavirus / Covid-19. It is not possible to predict if the VUB will allow hosting any external events before the end of this school year as, together with the other Flemish universities, it has decided to keep all classes exclusively digital until the end of this semester (5 July 2020). Considering the uncertainty surrounding the current spread of Covid-19, we find the extension of 4 months reasonable. We propose to organise the validation workshop (D4.2) in (early) September. It is, however, difficult to propose the exact date. We would then estimate that during the remaining weeks of September and October we would implement edits in the two documents based on the feedback that we receive. Following this scenario, the final versions of the guidance and the handbook (D4.3) would then be printed in early November. The final closing event presenting the two documents (D4.4) could be organised in mid-November.
Informal part (and thus not legally binding): Recognising that anxiety caused by the coronavirus pandemic may affect travelling and social interactions in the months to come, we are considering a possibility of launching an online consultation to obtain feedback from the relevant stakeholders (i.e., DPA representatives for part A and SME representatives for part B). Such feedback then would complement feedback obtained during the validation workshop (D4.2).
On the same note, we want to invite NAIH to comment on D4.1. It would be great if you could make suggestions for the questions and answers included in part B. Btw how is the EDPB proceeding with its work?
Best regards, Lina
-----Original Message----- From: kulitsan.gabor@naih.hu kulitsan.gabor@naih.hu Sent: Thursday, March 19, 2020 11:42 AM To: sziklay.julia@naih.hu Cc: 'STAR' star@listserv.vub.ac.be; Lina JASMONTAITE Lina.Jasmontaite@vub.be; David Barnard-Wills david.barnard-wills@trilateralresearch.com; bazsa.peter bazsa.peter@naih.hu Subject: Re: [star] feedback on STAR II 4.1
Dear All,
The PO informed us on the following (see reseach portal - process communication):
"Your project is foreseen to end in about 4 months, on 31/07/2020. According to your explanation there are still two events (validation workshop in Brussels and launch event for the guidance & handbook in Budapest) to be organized. Taking into consideration these two elements, I would suggest that you apply for a 4 month long prolongation – e.g. the project would be ending on 31/11/2020, which seems sufficient at this point to implement these 2 activities. If there would be a need to prolong it even further, we can evaluate it at a later stage. Would you agree?
Please be so kind to introduce the amendment request in the system as soon as you have a clear idea around when you would consider it possible to implement these 2 activities. Please do not forget to make modifications in narrative Part B (e.g. timeline, History of changes) and upload it as an attachment to your amendment request."
Following this message I asked whether it would be possible to postpone all of the activities and reports by 4 months. Her answer: "Yes, please launch the amendment with 4 months prolongation of the action and please change the submission deadlines of all the pending deliveries according to your evaluation provisions."
In light of the above, I think we should take the POs suggestion and apply for 4 months long prolongation, requesting it for all activities and deliverables, with the indication that in case we don’t need all of this time, we can finish the project earlier.
Would you agree? If so, please read the attached guidance document and please give me input on how we should justify the request for prolongation for each remaining activity and deliverable.
Thank you.
Best, Gábor
Quoting (sziklay.julia@naih.hu):
Dear David, I kindly ask you to formulate and share with us your questions as soon as possible. Renata and I would stay at your disposal, and for sure there would be no better time for discussion than now! Julia
Quoting (kulitsan.gabor@naih.hu):
Hi David,
Of course, I informed the PO that we would like to apply for project prolongation, including postponement of all activities and submission of deliverables, for 6 months. Let's see what she answers.
Best, Gábor
Quoting (David Barnard-Wills David.Barnard-Wills@trilateralresearch.com):
Hi Julia, Gabor, Renata,
In addition to the prolongation, can we request to postpone the report on the statistical efficiency of the hotline too? We would need to have an in-depth conversation/discussion(s) with you at NAIH about analysing the data we do have, and adding value to what is in the reporting on the hotline. If you have no capacity for STAR II at the moment, then I don't see us as being able to deliver that this month.
Best wishes,
DBW
-----Original Message----- From: star-bounces@listserv.vub.ac.be star-bounces@listserv.vub.ac.be On Behalf Of sziklay.julia@naih.hu Sent: 17 March 2020 12:37 To: Lina JASMONTAITE Lina.Jasmontaite@vub.be Cc: 'STAR' star@listserv.vub.ac.be Subject: Re: [star] feedback on STAR II 4.1
Dear All, then all of us agree on requesting a 6 month prolongation. I kindly ask Gabor and Renata to proceed accordingly. Kind regards, Julia
Quoting (Lina JASMONTAITE Lina.Jasmontaite@vub.be):
Dear Gabor,
Thank you for sharing the reply from the PO. That's great news. I suggest that we accept the offer of 6 months as the situation remains uncertain and in case we don't need all of this time, we can finalise the project earlier.
Best regards, Lina
-----Original Message----- From: David Wright David.wright@trilateralresearch.com Sent: Tuesday, March 17, 2020 11:30 AM To: kulitsan.gabor@naih.hu; Lina JASMONTAITE Lina.Jasmontaite@vub.be Cc: 'STAR' star@listserv.vub.ac.be Subject: Re: [star] feedback on STAR II 4.1
This seems a very good solution.
On 17/03/2020, 10:21, kulitsan.gabor@naih.hu (via star-bounces@listserv.vub.ac.be) wrote:
Dear All,
Response of the PO (see research portal - process communications)
"Dear coordinator,
Thank you for contacting us.
In relation to your request, we are aware of the heavy circumstances our projects are facing due to the current Coronavirus pandemic. Therefore, we are offering our projects the possibility to apply for project prolongation, e.g. for up to 6 months (depending on justifications provided), and postponement of activities. There is also, in principle, the option of total suspension but, given that the suspension procedure is much heavier, we do recommend our projects to apply for prolongation instead. Please let me know which way you would like to proceed - amendment for prolongation, or still total suspension?
Kind regards,
Angeelika"
If we accept the POs recommendation and apply for project prolongation and postponement of activities, we still have to agree on the period of time. If we take this solution I think we should ask for at least 3 months since we have to organize two international workshops, and travelling in Europe is currently quite problematic and it's rather uncertain when the situation will change.
Best, Gábor
Quoting (Lina JASMONTAITE Lina.Jasmontaite@vub.be):
Dear Julia and David,
Thank you for your replies. Indeed, the end result of the extension of the timeline or a temporary suspension would be rather similar – the project would run longer. After consulting internally our finance and legal departments, however, we are of the opinion that less restrictive measures (i.e., extension of the timeline) would be more appropriate. This is also the message that we sent to the PO.
Best regards, Lina
From: Sziklay Júlia sziklay.julia@naih.hu
Sent: Monday, March 16, 2020 3:26 PM
To: Lina JASMONTAITE Lina.Jasmontaite@vub.be; David Barnard-Wills david.barnard-wills@trilateralresearch.com; Leanne Cochrane leanne.cochrane@trilateralresearch.com
Cc: 'STAR' star@listserv.vub.ac.be
Subject: RE: [star] feedback on STAR II 4.1
Dear Colleagues, I think both proposals can be reasonable but nevertheless with quite the same effect: we will be stuck in the project till the end of a prolonged deadline (presumably till autumn 2020 instead of July). I am sure the Commission is working on the issue (the world epidemic situation affects all the ongoing projects in general), so we shall keep our dialogue going on. Julia
From: star-bounces@listserv.vub.ac.be On Behalf Of Lina JASMONTAITE
Sent: Monday, March 16, 2020 1:38 PM
To: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; Leanne Cochrane <leanne.cochrane@trilateralresearch.com>
Cc: STAR <star@listserv.vub.ac.be>
Subject: Re: [star] feedback on STAR II 4.1
Dear David and Leanne,
Could you please let us know your position on this situation? Best regards, Lina
On 16 Mar 2020, at 11:39, Lina JASMONTAITE <Lina.Jasmontaite@vub.be> wrote:
Dear Gabor,
I understand your point of view but I believe that all three partners should have agreed to the suspension before sending a request to the PO. Following my supervisor’s advice, VUB couldn’t accept this proposal. I am ok to discuss alternative solutions with the PO. I will keep you and the TRI team posted via the mailing list.
Best regards and stay safe, Lina
From: Kulitsán Gábor <kulitsan.gabor@naih.hu>
Sent: Monday, March 16, 2020 11:14 AM
To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>
Cc: 'STAR' <star@listserv.vub.ac.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu
Subject: RE: feedback on STAR II 4.1
Dear Lina,
And how should I ask for any extension if I don’t know any exact dates or anything for sure? I think the suspension is better, indicating that the project would resume where it left off once the situation returns to normal or at least becomes less serious. I already sent the message to the PO, but if you have any other idea, feel free to share it with her via the portal, adding the phrase “on behalf of the coordinator”. I’m really sorry, but now I have neither the time nor the energy to act as a contact person. If you want, you can have the call as well, but I probably won’t be available. And no offense, but to be honest, currently the project is of least interest to me.
Best, Gábor
From: Lina JASMONTAITE [mailto:Lina.Jasmontaite@vub.be]
Sent: Monday, March 16, 2020 10:58 AM
To: Kulitsán Gábor <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu
Subject: RE: feedback on STAR II 4.1
Dear Gabor,
Thanks for your email. I am not sure what a suspension would mean in terms of financial implications for VUB, so at this point I think we should request an extension in these unforeseen circumstances rather than a suspension.
While the situation is full of uncertainty and many of us need to adapt to it, we can still proceed further and work on deliverables for the project, apart from the workshop. We need to discuss with the PO a scenario for what to do if the situation does not improve in the upcoming weeks. If that is the case, perhaps we should ask for an adjustment in the DOW and, instead of a workshop to obtain feedback, we could propose having an online consultation. This would of course affect our funding.
I think we should still have a call, if not this week, then a week after.
Best regards, Lina
From: Kulitsán Gábor <kulitsan.gabor@naih.hu>
Sent: Monday, March 16, 2020 10:39 AM
To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: RE: feedback on STAR II 4.1
Importance: High
Dear Lina & All
Due to the current situation I will ask the PO to temporarily suspend the project, including all deadlines, by reason of unforeseeable circumstances of force majeure. I’ll keep you updated.
Secondly, I can’t make tomorrow’s call, but I don’t think that’s the most important thing now anyway.
Best wishes, stay safe and take care of yourselves!
Gábor
From: Lina JASMONTAITE [mailto:Lina.Jasmontaite@vub.be]
Sent: Friday, March 13, 2020 10:54 AM
To: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>; nagy.renata@naih.hu
Subject: RE: feedback on STAR II 4.1
@David Barnard-Wills many thanks for sharing the extensive feedback. It’s much appreciated and we’ll implement it as soon as possible.
@'Kulitsán Gábor' at the university we were receiving daily updates on the situation concerning the virus. For now all external events are cancelled until the end of April. In view of this, we can suggest rescheduling the event for a later date (probably to mid or late June) in the hope that by then the situation improves and we can host the event. This would consequently require more time to finalise the handbook for the final event, and then July wouldn’t be a realistic date. My understanding is that we cannot ask for the extension of the project to the end of October/November because it is funded by the grant action. Could we however ask the PO for the cost of the final workshop, as well as travelling, to be eligible for the later date that would go beyond the lifetime of the project?
Perhaps, before proceeding with the official communication, it would be possible to get in touch with the PO via a phone call, so we are aware of the position taken by the EC considering the current situation?
Having a call on Tuesday works well for our team.
Best regards, Lina
From: David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com>
Sent: Tuesday, March 10, 2020 4:22 PM
To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: feedback on STAR II 4.1
Dear all,
First, I sincerely apologise for not getting this feedback to you earlier. I assume that D4.1 was submitted? On the positive side, this feedback can presumably be included in the final version of these deliverables.
We got Alan Moore, one of our DPO team, with good practical expertise with various commercial clients to review the guidance document (You met him at the Brussels workshop). His feedback is below.
Best wishes,
DBW
I have gone through the document and have a few suggestions:
P7 Section 3.2 It can be suggested that to compensate for being awarded with limited enforcement powers…..
I would hold they have significant powers beyond the ability to fine. Their powers to instruct controllers / processors to cease processing data, among others, can ultimately shut down a business without a fine being levied. To ignore these instructions can land a director in jail for up to 5 years!
P8. DPAs The focus on standardisation and EDPB. Art 60 was an afterthought and the general view is that it cannot operate within the prescribed timelines. The ECJ will be the ultimate arbiter for standardisation of approaches / laws / requirements but each National Authority must be free to interpret facts presented in its own way. Their independence is anchored in the EU treaties. A complication that will eventually need to be addressed.
P8. 3.3 Should be aware that translation into romance languages can carry a different connotation than was intended by the Directive, and DPAs have a key role to explain the true intent / meaning.
P9. 3.4 Typo in second paragraph. It also could be considered e the most
P10. It appeared that most DPAs do not use internal guidance to direct….
What has been the result of this? A key concern in the Irish DPC has been delivering a consistent message and not providing a different answer to the same or similar callers on different occasions.
P11. 4 Unclear use of language - first paragraph This initiative allowed to be confirmed that It allowed to be obtained
P11.4. Would stress the importance of standardisation of response
& P12 4 Add ‘c’? Implement a control process to ensure standardisation of responses to similar questions / scenarios
P13. 4.2 Might mention the concern that callers may have that showing their hand may trigger an investigation. Callers need to be reassured and encouraged to participate. Approaches do differ between different DPAs.
P13. 4.2.1 It was decided to create a dedicated part Following up on from this decision
P15. 4.2.3 I would stress the value of face to face more as context can be complicated and the caller is subject to information and power asymmetry.
P16 4.5 last paragraph We are included inclined to
P21 6.2 last paragraph DPAs across the EU have reported to engage that they have engaged in
P22 6.3 4.5 last paragraph Slovic suggests that the following elements play a role when evaluating risk:
- The degree to which an individual feels in control
- The nature of consequences and the distribution of the impact
P23 6.3 2nd paragraph Which is perceived ‘as the coordinated activities to direct and control an organisation with regard to risk’ 47 This is most practically evidenced by the development and maintaining of a formal risk register.
(This risk section is very cerebral I fear and won’t help with the ‘how’)
P23 6.3.1 Typically, the risk based approach formula approach in the GDPR includes the following elements to be taken into account:
- The state of the art in terms of technology for of the means of processing (state of the art needs to be explained – does not mean the best there is but rather the minimum expectable / expected)
P24 6.3.2 I would add a sentence or two on the benefits of undertaking a voluntary DPIA which include:
- Documented understanding of how the system works
- Known points of integration with other systems
- Assigning accountability
- Ensuring organisational standards (security / access etc) are being complied with
- Demonstrated commitment to GDPR
- General peace of mind / greater organisational resilience
P24 6.3.5 I would add a piece on keeping a formal risk register of risks to data subjects, separate from any organisation risk register of risks to the organisation, in which all risks are assigned an owner and a review date.
P25 6.3.5 (b) What does SMEs need to do to be accountable?
Second paragraph …that the principle of accountability as an elements of good
P.26 first line … that the demonstration of compliance
P.26 6.3.6 (b)
- Implement data protection principles (see Article 5) and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects (see Chapter III) in an effective manner;
- This should be done at the time of the determination of the means for processing and implemented before the time of the processing itself. (not that clear in the text.)
P.27 6.3.6 (c) It should be noted that some DPAs, while not defining any technical or organisational measures, will nonetheless express an expectation, such as the Irish DPC in terms of the use of encryption whenever possible where personal data is at rest or in transit.
P.28 6.3.7 (b) 2nd paragraph It is assumed that organisations will, however, benefit more from maintaining their documentation electronically as such documentation can they can easily added to, have entries removed when obsolete, and amend entries it as necessary. However paper documentation is regarded as being appropriate for SMEs and micro enterprises.
It should be added that SMEs (entities having less than 250 employees) are technically exempt from this obligation if provided they are undertaking:
• processing that is not likely to result in a risk to the rights and freedoms of data subjects;
• processing that is not occasional (meaning that it is not regularly / frequently undertaken); or
• processing that does not include special categories of data or personal data relating to criminal convictions and offences.
In reality, very few SMEs can avail of this exemption unless they process very little data. Most SMEs will usually have some special category data as part of their HR files.
They can be are available on the websites….
P.29 6.3.8 (a) 2 Large scale is not defined by the legislation though different DPAs have given some guidance relevant to different activities.
For SMEs who provide services into other organisations, the voluntary appointment of an internal or outsourced DPO can provide commercial and strategic advantage by communicating a commitment to data protection and promoting higher levels of trust.
P.29 6.3.8 (b)
A DPO may either be an employee of the SME or an external expert, but in both cases, it is fundamental that he or she is independent, in the sense that:
• the DPO shall be provided of with all the necessary resources to carry on his/her tasks, in terms of money, time, workforce, time to devote to professional development etc.;
• the DPO shall not receive instructions for the exercise of his/her tasks;
• the DPO shall not be dismissed or penalized for the performance of his/her tasks;
• the DPO shall report to the highest level of management; and
• the DPO should not be in have any conflict of interest in respect to other tasks and duties (e.g. determining objects and purposes of the processing, representing the SME in legal proceedings).
P.30 6.3.8 (c) Tasks of DPOs
DPOs can:
- Inform and advise the SME on the obligations arising from the GDPR and the national data protection provisions
- Monitor the compliance of the SME with the GDPR, the national data protection provisions and (eventual) its internal data policies
- Carry on awareness raising activities and training for the staff of the SME dealing with data processing
- Provide advice to the SME and monitor the performance in relation to the DPIA (when a DPIA is required)
- Act as contact point for the supervisory authority in case of prior consultation
- Cooperate with the supervisory authority
- Be contacted by data subjects willing wishing to exercise their rights
DPOs cannot:
- Be held accountable for the information and advice given to the SME (I do not agree with this. They are not accountable for whether their advice is implemented or not but they can be held accountable for being negligent)
- Be considered personally responsible for non-compliance with data protection requirements
- Perform the DPIA. Not true. There is no reason why a DPO cannot take the lead in undertaking a DPIA, especially where the skills do not exist elsewhere in the organization, but the responsibility to ensure one is done remains with the Controller.
- Represent the SME in front of the DPA or in a court in case of proceedings. Not quite so. The DPO remains the first point of contact for data subjects and the DPAs and may be called to account for advice / provide an explanation as to how data was processed based on their monitoring of processing activities.
- Be considered responsible for the maintenance of the register. True, but they are responsible for providing oversight as to whether it is maintained.
- Simultaneously hold another position in the organization that helps define the means and purposes of processing of any personal data.
- Create and maintain the register of processing (in the exceptional situations where SME are required to have it one). Not True, under Art 30 it is the responsibility of the Controller
P.31 6.3.9(a) Data Protection Impact Assessment (a) Background The DPIA is a new addition to the EU data protection framework. It builds on the rich experience of conducting impact assessments in other fields, in particular, on the environmental impact assessments. To be effective, impact assessments are carried out at the early stage of a project (proactive initiative), at the phase of planning or designing, and are aimed to identify and help mitigate anticipate the any potential beneficial and adverse (i.e. negative) impacts arising from the intended processing of personal data of such within the project. Impact assessments are risk based exercises that help decision-makers find the best and most beneficial solutions for the development and deployment of initiatives while protecting the rights and freedoms of data subjects. To be practical, impact assessments must be scalable, flexible and applicable inter alia for large organisations, consortia or for small and medium-sized enterprises. Any risks identified will be entered into the Data Protection Risk Register.
P.32 6.3.9(c) (c) What are the elements and characteristics of the processing that may generate the high risks to rights and freedoms of individuals? The following elements that contribute to the high risks to data subjects from this provision were extracted by the
(d) What situations could require a DPIA? Examples of processing operations that could trigger a DPIA:
• If the SME is implementing a new tool to monitor access to office combining use of fingerprints and face facial recognition technology;
• If the SME is a biotechnology company offering genetic tests directly to consumers in order to assess and predict the disease/health risks
• If the SME is providing CCTV surveillance for a shopping centre or using a large number of cameras in their own premises
(e) Who and when should perform a DPIA? Albeit the data processor and the data protection officer shall assist the data controller (i.e., SME), the final responsibility on for the DPIA process relies on rests with the data controller.
(f) When is a DPIA is not required?
• When the data processing operations are included in any list of data processing operations compiled by the DPA non which do not requiring a DPIA
P.33 6.3.9(g) 4) Involve data subjects and/or their representatives, the data protection officer and any other expert (e.g. information security officer) and the data processor in the process, ideally in each phase of the assessment process. This consultation must be meaningful.
P.33 6.3.9(h) (h) When a new (revised) DPIA is required? A new (i.e. revised version of) DPIA could be required if the risks resulting from the processing operations are to change, for example because a new technology is to be has been introduced, a new processor is to be engaged under contract, or because personal data is being to be used for a different purpose.
In that case, the review of the risk analysis made can show that the performance of a DPIA is no longer required.
P.34 6.3.10(b) (b) How the security obligation is related to other provisions?
This obligation also requires the controller wishing to engage a processor under contract to undertake due diligence and assess whether the guarantees offered by the data processor, in this case the cloud service provider, are sufficient. A controller must only engage such a processor where they have faith in their ability to comply with the obligations under GDPR. During this process, the controller may take into account whether the processor provides adequate documentation proving compliance with data protection principles that could be found in privacy policies, records management policies, information security policies, external audit reports, certifications and similar documentation. The controller in particular should take into account the processor’s expert knowledge (e.g. technical expertise when dealing with data breaches and security measures), reliability and its resources. A site visit may also be necessary. After carrying out the due diligence process, the controller should be able to take a decision with sufficient evidence demonstrating that the processor is suitable; it can then enter into a binding arrangement. It should be added that this due diligence process is not a one-time effort. and it needs to be regularly repeated in order The controller will have an ongoing obligation to check whether the processor is compliant and meeting their obligations either by auditing using their own staff or a trusted third party. When outsourcing the processing of personal data (e.g. for the provision of technical assistance or cloud services), the controller should must conclude a contract, another legal act or binding arrangement with the other entity already setting out clear and precise data protection obligations and the nature of processing in a detailed data processing agreement.
P.35 6.3.10(c) An information security policy foreseeing the role of each user and the required permission levels (access control) appropriate to the role, which minimises access to only that data necessary for that role. This includes the system administrator accounts is as an example of an appropriate organisational measure.
P.35 6.3.10(d) What technical security measures can a SME take?
Technical measures must therefore include both physical and computer or IT security.
When considering cybersecurity, you should look at factors such as:
• system security – the security of your network and information systems, including especially those which process personal data;
• data security – the security of the data you hold within your systems, e.g., ensuring appropriate access controls are in place and that data is held securely through the use of suitable levels of encryption;
P.36 6.3.10(e) Would add: Where Special Category Data is processed (such as health data) or personal data relating to minors, higher levels of security will be expected to be implemented and documented.
P.36 6.3.11 This section should start with the definition of what is meant by a breach and explain the difference between an incident and a breach. It is confusing otherwise.
P.37 6.3.11(b) Consequently, this means that the controller must have internal procedures defined, tested and documented allowing to confirm to appropriately identify and handle any breach of security concerning personal data.
In an ideal scenario, an information incident response policy should precede be in place before processing of personal data begins so that any the occurrence of an incident so that it could be used should a data breach take place.
P.37 6.3.11(d) Would add a final paragraph. As GDPR is maturing, different DPAs are expressing different thresholds for the reporting of breaches. Where originally there was a fear of over reporting, the DPC in Ireland has requested a breach be reported when there is any risk identified to the data subject. This allows the Commission to identify trends and to have confidence that controllers are identifying the minor breaches and thus are able to identify the more serious breaches should they arise.
I hope you find this useful.
Alan
From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE
Sent: 28 February 2020 13:09
To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Here comes D4.1 with both parts now included. We made further minor edits to Part A. We believe that the pdf version can be submitted. We look forward to your comments on Part B, which unfortunately comes a bit later than planned.
Best regards, Lina
From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE
Sent: Friday, February 28, 2020 8:45 AM
To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Thank you for your additions and edits. The document to be submitted to the EC will reach you shortly after noon.
Best regards, Lina
From: nagy.renata@naih.hu <nagy.renata@naih.hu>
Sent: Thursday, February 27, 2020 4:31 PM
To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear Lina! Dear All!
Thank you for sharing the restructured version of the guidance for DPAs. We only added minor additions/corrections. We confirm that the yellow parts are accurate.
We are looking forward to the handbook (the submission deadline is 29.02.2020).
Best regards,
Renáta
From: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>
Sent: Thursday, February 20, 2020 10:32 AM
To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Once again, thank you for preparing a revised version of the guidance for DPAs. We reviewed it and now enclose an improved version of it. It includes nearly all of your report (see the document you shared; we marked in yellow the parts that were used). However, the current version is restructured, rephrased and embedded in a wider context of DPAs’ awareness raising duties. We also extracted recommendations from your report and developed a graph presenting these recommendations. There are two parts marked in yellow that need to be checked for accuracy. Perhaps you will want to add some other clarifications in the text. In particular, further additions could be made to the concluding remarks part. As we provided contributions to the initial text, we would like to be considered co-authors of this guidance. What do you think about this?
Part B – the handbook for SMEs – is on its way.
Best regards, Lina
From: nagy.renata@naih.hu <nagy.renata@naih.hu>
Sent: Tuesday, January 28, 2020 4:16 PM
To: 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>; Leanne Cochrane <leanne.cochrane@trilateralresearch.com>
Cc: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.com>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' <sziklay.julia@naih.hu>
Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear All!
Please, find enclosed the updated version of the guidance.
Best,
Renáta
From: Kulitsán Gábor <kulitsan.gabor@naih.hu>
Sent: Tuesday, January 28, 2020 10:09 AM
To: 'Leanne Cochrane' <leanne.cochrane@trilateralresearch.com>
Cc: 'David Barnard-Wills' <David.Barnard-Wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.hu>; 'Lina JASMONTAITE' <Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' <sziklay.julia@naih.hu>
Subject: RE: STAR II - Update on EDPB and validation workshop?
Hi Leanne,
Thanks for the update on the newsletter.
Regarding the upcoming events:
- The plan is to present the drafts of the guidance and the handbook at the EDPB plenary in February. However, as this is scheduled for 18-19 February, we can only do this if the drafts are ready by then. Renáta will circulate the updated version of the guidance soon. As for the other document (handbook), Lina can provide further information.
- I have no further information on the validation workshop planned for March-April 2020.
Best, Gábor
From: Leanne Cochrane [mailto:leanne.cochrane@trilateralresearch.com]
Sent: Monday, January 27, 2020 6:25 PM
To: Kulitsán Gábor <kulitsan.gabor@naih.hu>
Cc: David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com>; Corinna Pannofino <Corinna.Pannofino@trilateralresearch.com>; Angelo Napolano <Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.hu>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; Sziklay Júlia <sziklay.julia@naih.hu>
Subject: STAR II - Update on EDPB and validation workshop?
Hi Gabor,
I hope you are keeping well.
Our dissemination team is preparing to send out the STAR II newsletter we mentioned on our previous calls. It will be sent out this Thursday with links to the approved deliverables and some blogs. We are also including a section on upcoming events and I wanted to check with NAIH if we had any further information on the following two events:
- A presentation by NAIH to the EDPB on the STAR II project planned for the February EDPB plenary (18th-19th) in Brussels.
- A Validation workshop for the STAR II outputs, namely 'A Risk Focused Handbook for SMEs' and a 'Guidance for DPAs', planned for March-April 2020 in Brussels.
Can I just check this information is still current and there is nothing more specific we can add at this stage?
I would be grateful if you can cc all in the reply as I am off tomorrow and the dissemination team are in need of the confirmation.
Thanks and best wishes, Leanne
Leanne Cochrane
Senior Research Analyst | Policy, Ethics and Emerging
Technologies Team
leanne.cochrane@trilateralresearch.com
www.trilateralresearch.com
Mobile: +44 (0) 7545 955 242
Skype:@ljcochrane
STAR mailing list STAR@listserv.vub.ac.be https://listserv.vub.ac.be/mailman/listinfo/star
Dear All,
Please be informed that due to incomplete filling of an annex (which the PO did not notice when I asked her to review the request) the amendment request had to be withdrawn and re-submitted. I hope that everything will be OK this time.
Best, Gábor
Quoting (kulitsan.gabor@naih.hu):
Dear Lina,
Thanks for the input. I launched the amendment procedure, composed the amendment and asked the PO to unofficially review it. Following the review, the amendment will be finalised, signed and submitted.
Regarding Deliverable D4.1: Sure, I'll provide you with my feedback in the next few days. Regarding the EDPB: If I'm not mistaken, the plenary meetings are cancelled until the end of May. The expert subgroups can proceed with their work and can have telcos. That's all I know.
Best, Gábor
On 2020-03-23 16:15, Lina JASMONTAITE wrote:
Dear Gabor,
As the request for the amendment of our contract is concerned, we believe a message along similar lines could be communicated to the PO.
Formal part: The validation workshop (D4.2) for the draft versions of the guidance for running a hotline service for SMEs and the handbook facilitating SMEs' compliance with the GDPR was to take place on 23 April 2020. The workshop agenda was prepared with the different interests and expectations of the representatives of DPAs and SMEs in mind. The feedback sessions foreseen in the agenda were to result in suggestions and comments that could be used to finalise the two documents. Organising the event on the foreseen date at the premises of the Vrije Universiteit Brussel (VUB) is no longer possible due to measures taken to reduce the spread of coronavirus/Covid-19. It is not possible to predict whether the VUB will allow hosting any external events before the end of this school year as, together with the other Flemish universities, it has decided to keep all classes exclusively digital until the end of this semester (5 July 2020). Considering the uncertainty surrounding the current spread of Covid-19, we find an extension of 4 months reasonable. We propose to organise the validation workshop (D4.2) in (early) September. It is, however, difficult to propose the exact date. We would then estimate that during the remaining weeks of September and October we would implement edits in the two documents based on the feedback that we receive. Following this scenario, the final versions of the guidance and the handbook (D.4.3) would then be printed in early November. The final closing event presenting the two documents (D4.4) could be organised in mid-November.
Informal part (and thus not legally binding): Recognising that anxiety caused by the coronavirus pandemic may affect travelling and social interactions in the months to come, we are considering the possibility of launching an online consultation to obtain feedback from the relevant stakeholders (i.e., DPA representatives for part A and SME representatives for part B). Such feedback would then complement the feedback obtained during the validation workshop (D4.2).
On the same note, we want to invite NAIH to comment on D4.1. It would be great if you could make suggestions for the questions and answers included in part B. By the way, how is the EDPB proceeding with its work?
Best regards, Lina
-----Original Message-----
From: kulitsan.gabor@naih.hu
Sent: Thursday, March 19, 2020 11:42 AM
To: sziklay.julia@naih.hu
Cc: 'STAR' star@listserv.vub.ac.be; Lina JASMONTAITE Lina.Jasmontaite@vub.be; David Barnard-Wills david.barnard-wills@trilateralresearch.com; bazsa.peter bazsa.peter@naih.hu
Subject: Re: [star] feedback on STAR II 4.1
Dear All,
The PO informed us of the following (see research portal - process communication):
"Your project is foreseen to end in about 4 months, on 31/07/2020. According to your explanation there are still two events (validation workshop in Brussels and launch event for the guidance & handbook in Budapest) to be organized. Taking into consideration these two elements, I would suggest you to apply for 4 months long prolongation – eg project would be ending on 31/11/2020, which seems sufficient at this point to implement these 2 activities. If there would be a need to prolong it even further, we can evaluate it at the later stage. Would you agree?
Please be so kind to introduce the amendment request in the system ASAP you have clear idea around when would you consider it be possible to implement these 2 activities. Please do not forget to make modifications in narrative Part B (eg timeline, History of changes) and upload it as an attachment to your amendment request."
Following this message I asked whether it would be possible to postpone all of the activities and reports by 4 months. Her answer: "Yes, please launch the amendment with 4 months prolongation of the action and please change the submission deadlines of all the pending deliveries according to your evaluation provisions."
In light of the above, I think we should take the PO's suggestion and apply for a 4-month prolongation, requesting it for all activities and deliverables, with the indication that in case we don't need all of this time, we can finish the project earlier.
Would you agree? If so, please read the attached guidance document and please give me input on how we should justify the request for prolongation for each remaining activity and deliverable.
Thank you.
Best, Gábor
Quote (sziklay.julia@naih.hu):
Dear David, I kindly ask you to formulate and share with us your questions as soon as possible. Renata and I would stay at your disposal and for sure there would be no better time for discussion than now!
Julia
Quote (kulitsan.gabor@naih.hu):
Hi David,
Of course, I informed the PO that we would like to apply for project prolongation, including postponement of all activities and submission of deliverables, for 6 months. Let's see what she answers.
Best, Gábor
Quote (David Barnard-Wills David.Barnard-Wills@trilateralresearch.com):
Hi Julia, Gabor, Renata,
In addition to the prolongation, can we request to postpone the report on the statistical efficiency of the hotline too? We would need to have an in-depth conversation/discussion(s) with you at NAIH about analysing the data we do have, and adding value to what is in the reporting on the hotline. If you have no capacity for STAR II at the moment, then I don't see us as being able to deliver that this month.
Best wishes,
DBW
-----Original Message-----
From: star-bounces@listserv.vub.ac.be On Behalf Of sziklay.julia@naih.hu
Sent: 17 March 2020 12:37
To: Lina JASMONTAITE Lina.Jasmontaite@vub.be
Cc: 'STAR' star@listserv.vub.ac.be
Subject: Re: [star] feedback on STAR II 4.1
Dear All, then all of us agree on requesting a 6 month prolongation. I kindly ask Gabor and Renata to proceed according to it.
Kind regards, Julia
Quote (Lina JASMONTAITE Lina.Jasmontaite@vub.be):
Dear Gabor,
Thank you for sharing the reply from the PO. That's great news. I suggest that we accept the offer of 6 months as the situation remains uncertain and in case we don't need all of this time, we can finalise the project earlier.
Best regards, Lina
-----Original Message-----
From: David Wright David.wright@trilateralresearch.com
Sent: Tuesday, March 17, 2020 11:30 AM
To: kulitsan.gabor@naih.hu; Lina JASMONTAITE Lina.Jasmontaite@vub.be
Cc: 'STAR' star@listserv.vub.ac.be
Subject: Re: [star] feedback on STAR II 4.1
This seems a very good solution.
On 17/03/2020, 10:21, star-bounces@listserv.vub.ac.be on behalf of kulitsan.gabor@naih.hu wrote:
Dear All,
Response of the PO (see research portal - process communications)
"Dear coordinator,
Thank you for contacting us.
In relation to your request, we are aware of the heavy circumstances our projects are facing due to current Coronavirus pandemic. Therefore, we are offering our projects to apply for project prolongation eg up until for 6 months (depending on justifications provided) and postponement of activities. There is also, in principle, the option of total suspension but, given that the suspension procedure is much heavier, we do recommend our projects to apply for prolongation instead. Please let me know which way would you like to proceed - amendment for prolongation, or still total suspension?
Kind regards,
Angeelika"
If we accept the PO's recommendation and apply for project prolongation and postponement of activities, we still have to agree on the period of time. If we take this solution I think we should ask for at least 3 months since we have to organize two international workshops, and travelling in Europe is currently quite problematic and it's rather uncertain when the situation will change.
Best, Gábor
Quote (Lina JASMONTAITE Lina.Jasmontaite@vub.be):
> Dear Julia and David,
>
> Thank you for your replies. Indeed, the end result of the extension of the timeline or a temporary suspension would be rather similar – the project would run longer.
> After consulting internally our finance and legal departments, however, we are of the opinion that less restrictive measures (i.e., extension of the timeline) would be more appropriate. This is also the message that we sent to the PO.
>
> Best regards,
> Lina
>
> From: Sziklay Júlia sziklay.julia@naih.hu
> Sent: Monday, March 16, 2020 3:26 PM
> To: Lina JASMONTAITE Lina.Jasmontaite@vub.be; David Barnard-Wills david.barnard-wills@trilateralresearch.com; Leanne Cochrane leanne.cochrane@trilateralresearch.com
> Cc: 'STAR' star@listserv.vub.ac.be
> Subject: RE: [star] feedback on STAR II 4.1
>
> Dear Colleagues,
> I think both proposals can be reasonable but nevertheless with quite the same effect: we will be stuck in the project till the end of a prolonged deadline (presumably till autumn 2020 instead of July). I am sure the Commission is working on the issue (the world epidemic situation affects all the ongoing projects in general) so we shall keep our dialogue going on.
> Julia
>
> From: star-bounces@listserv.vub.ac.be On Behalf Of Lina JASMONTAITE
> Sent: Monday, March 16, 2020 1:38 PM
> To: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; Leanne Cochrane <leanne.cochrane@trilateralresearch.com>
> Cc: STAR <star@listserv.vub.ac.be>
> Subject: Re: [star] feedback on STAR II 4.1
>
> Dear David and Leanne,
>
> Could you please let us know your position on this situation?
> Best regards,
> Lina
>
> On 16 Mar 2020, at 11:39, Lina JASMONTAITE <Lina.Jasmontaite@vub.be> wrote:
>
> Dear Gabor,
>
> I understand your point of view but I believe that all three partners should have agreed to the suspension before sending a request to the PO. Following my supervisor's advice, VUB couldn't accept this proposal.
> I am ok to discuss alternative solutions with the PO.
> I will keep you and the TRI team posted via the mailing list.
>
> Best regards and stay safe,
> Lina
>
> From: Kulitsán Gábor <kulitsan.gabor@naih.hu>
> Sent: Monday, March 16, 2020 11:14 AM
> To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>
> Cc: 'STAR' <star@listserv.vub.ac.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu
> Subject: RE: feedback on STAR II 4.1
>
> Dear Lina,
>
> And how should I ask for any extension if I don't know any exact dates or anything for sure? I think the suspension is better, indicating that the project would resume where it left off once the situation returns to normal or at least to less serious. I already sent the message to the PO, but if you have any other idea, feel free to share it with her via the portal adding the turn "on behalf of the coordinator". I'm really sorry, but now I have neither time nor energy to act as a contact person. If you want, you can have the call as well, but I probably won't be available. And no offense, but to be honest, currently the project is of least interest to me.
>
> Best,
> Gábor
>
> From: Lina JASMONTAITE [mailto:Lina.Jasmontaite@vub.be]
> Sent: Monday, March 16, 2020 10:58 AM
> To: Kulitsán Gábor <kulitsan.gabor@naih.hu>
> Cc: 'STAR' <star@listserv.vub.ac.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu
> Subject: RE: feedback on STAR II 4.1
>
> Dear Gabor,
>
> Thanks for your email. I am not sure what a suspension would mean in terms of financial implications for VUB, so at this point I think we should request an extension in these unforeseen circumstances rather than a suspension.
>
> While the situation is full of uncertainty and many of us need to adapt to it, we can still proceed further and work on deliverables for the project, apart from the workshop. We need to discuss a scenario with the PO on what to do if the situation does not improve in the upcoming weeks. If that is the case, perhaps we should ask for an adjustment in the DOW and, instead of a workshop to obtain feedback, we could propose having an online consultation. This would of course affect our funding.
>
> I think we should still have a call, if not this week, then a week after.
>
> Best regards,
> Lina
>
> From: Kulitsán Gábor <kulitsan.gabor@naih.hu>
> Sent: Monday, March 16, 2020 10:39 AM
> To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu
> Cc: 'STAR' <star@listserv.vub.ac.be>
> Subject: RE: feedback on STAR II 4.1
> Importance: High
>
> Dear Lina & All
>
> Due to the current situation I will ask the PO to temporarily suspend the project including all deadlines by reason of unforeseeable circumstances of force majeure. I'll keep you updated.
>
> Secondly, I can't make tomorrow's call, but I don't think that's the most important thing now anyway.
>
> Best wishes, stay safe and take care of yourselves!
>
> Gábor
>
> From: Lina JASMONTAITE [mailto:Lina.Jasmontaite@vub.be]
> Sent: Friday, March 13, 2020 10:54 AM
> To: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
> Cc: 'STAR' <star@listserv.vub.ac.be>; nagy.renata@naih.hu
> Subject: RE: feedback on STAR II 4.1
>
> @David Barnard-Wills many thanks for sharing the extensive feedback. It's much appreciated and we'll implement it as soon as possible.
>
> @'Kulitsán Gábor' at the university we were receiving daily updates on the situation concerning the virus. For now all external events are cancelled until the end of April. In view of this, we can suggest to reschedule the event for a later date (probably to mid or late June) in the hope that by then the situation improves and we can host the event. This would consequently require more time to finalise the handbook for the final event and then July wouldn't be a realistic date. My understanding is that we cannot ask for the extension of the project to the end of October/November because it is funded by the grant action. Could we ask the PO, however, for the cost of the final workshop as well as travelling to be eligible for a later date that would go beyond the lifetime of the project?
> Perhaps, before proceeding with the official communication, it would be possible to get in touch with the PO via a phone call, so we are aware of the position taken by the EC considering the current situation?
>
> Having a call on Tuesday works well for our team.
>
> Best regards,
> Lina
>
> From: David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com>
> Sent: Tuesday, March 10, 2020 4:22 PM
> To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
> Cc: 'STAR' <star@listserv.vub.ac.be>
> Subject: feedback on STAR II 4.1
>
> Dear all,
>
> First, I sincerely apologise for not getting this feedback to you earlier. I assume that D4.1 was submitted?
> On the positive side, this feedback can presumably be included in the final version of these deliverables.
>
> We got Alan Moore, one of our DPO team, with good practical expertise with various commercial clients to review the guidance document (You met him at the Brussels workshop). His feedback is below.
>
> Best wishes,
>
> DBW
>
> I have gone through the document and have a few suggestions:
>
> P7 Section 3.2 It can be suggested that to compensate for being awarded with limited enforcement powers…..
>
> I would hold they have significant powers beyond the ability to fine. Their powers to instruct controllers / processors to cease processing data, among others, can ultimately shut down a business without a fine being levied. To ignore these instructions can land a director in jail for up to 5 years!
>
> P8. DPAs The focus on standardisation and EDPB. Art 60 was an afterthought and the general view is that it cannot operate within the prescribed timelines. The ECJ will be the ultimate arbiter for standardisation of approaches / laws / requirements but each National Authority must be free to interpret facts presented in its own way. Their independence is anchored in the EU treaties. A complication that will eventually need to be addressed.
>
> P8. 3.3 Should be aware that translation into romance languages can carry a different connotation than was intended by the Directive and DPAs have a key role to explain the true intent / meaning.
>
> P9. 3.4 Typo in second paragraph.
> It also could be considered e the most
>
> P10. It appeared that most DPAs do not use internal guidance to direct….
> What has been the result of this? A key concern in the Irish DPC has been delivering a consistent message and not providing a different answer to the same or similar callers on different occasions.
>
> P11. 4 Unclear use of language - first paragraph
> This initiative allowed to be confirmed that
> It allowed to be obtained
>
> P11.4. Would stress the importance of standardisation of response & P12 4 Add 'c'? Implement a control process to ensure standardisation of responses to similar questions / scenarios
>
> P13. 4.2 Might mention the concern that callers may have that showing their hand may trigger an investigation. Callers need to be reassured and encouraged to participate. Approaches do differ between different DPAs.
>
> P13. 4.2.1
> It was decided to create a dedicated part
> Following up on from this decision
>
> P15. 4.2.3
> I would stress the value of face to face more as context can be complicated and the caller is subject to information and power asymmetry.
>
> P16 4.5 last paragraph
> We are included inclined to
>
> P21 6.2 last paragraph
> DPAs across the EU have reported to engage that they have engaged in
>
> P22 6.3 4.5 last paragraph
> Slovic suggests that the following elements play a role when evaluating risk:
>
> 1. The degree to which an individual feels in control
> 2. The nature of consequences and the distribution of the impact
>
> P23 6.3 2nd paragraph
> Which is perceived 'as the coordinated activities to direct and control an organisation with regard to risk' 47 This is most practically evidenced by the development and maintaining of a formal risk register.
>
> (This risk section is very cerebral I fear and won't help with the 'how')
>
> P23 6.3.1
> Typically, the risk based approach formula approach in the GDPR includes the following elements to be taken into account:
>
> * The state of the art in terms of technology for of the means of processing (state of the art needs to be explained – does not mean the best there is but rather the minimum expectable / expected)
>
> P24 6.3.2
> I would add a sentence or two on the benefits of undertaking a voluntary DPIA which include:
>
> * Documented understanding of how the system works
> * Known points of integration with other systems
> * Assigning accountability
> * Ensuring organisational standards (security / access etc) are being complied with
> * Demonstrated commitment to GDPR
> * General peace of mind / greater organisational resilience
>
> P24 6.3.5
> I would add a piece on keeping a formal risk register of risks to data subjects, separate from any organisation risk register of risks to the organisation, in which all risks are assigned an owner and a review date.
>
> P25 6.3.5 (b) What does SMEs need to do to be accountable?
>
> Second paragraph
> …that the principle of accountability as an elements of good
>
> P.26 first line
> … that the demonstration of compliance
>
> P.26 6.3.6 (b)
>
> * Implement data protection principles (see Article 5) and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects (see Chapter III) in an effective manner;
> * This should done at the time of the determination of the means for processing and implemented before the time of the processing itself.
> (not that clear in the text.)
>
> P.27 6.3.6 (c)
> It should be noted that some DPAs, while not defining any technical or organisational measures, will nonetheless express an expectation, such as the Irish DPC in terms of the use of encryption whenever possible where personal data is at rest or in transit.
>
> P.28 6.3.7 (b) 2nd paragraph
> It is assumed that organisations will, however, benefit more from maintaining their documentation electronically as such documentation can they can easily added to, have entries removed when obsolete, and amend entries it as necessary. However paper documentation is regarded as being appropriate for SMEs and micro enterprises. It should be added that SMEs (entities having less than 250 employees) are technically exempt from this obligation if provided they are undertaking:
> • processing that is not likely to result in a risk to the rights and freedoms of data subjects;
> • processing that is not occasional (meaning that it is not regularly / frequently undertaken); or
> • processing that does not include special categories of data or personal data relating to criminal convictions and offences.
>
> In reality, very few SMEs can avail of this exemption unless they process very little data. Most SMEs will usually have some special category data as part of their HR files.
>
> They can be are available on the websites….
>
> P.29 6.3.8 (a) 2
> Large scale is not defined by the legislation though different DPAs have given some guidance relevant to different activities.
>
> For SMEs who provide services into other organisations, the voluntary appointment of an internal or outsourced DPO can provide commercial and strategic advantage by communicating a commitment to data protection and promoting higher levels of trust.
>
> P.29 6.3.8 (b)
>
> A DPO may either be an employee of the SME or an external expert, but in both cases, it is fundamental that he or she is independent, in the sense that:
> • the DPO shall be provided of with all the necessary resources to carry on his/her tasks, in terms of money, time, workforce, time to devote to professional development etc.;
> • the DPO shall not receive instructions for the exercise of his/her tasks;
> • the DPO shall not be dismissed or penalized for the performance of his/her tasks;
> • the DPO shall report to the highest level of management; and
> • the DPO should not be in have any conflict of interest in respect to other tasks and duties (e.g. determining objects and purposes of the processing, representing the SME in legal proceeding).
>
> P.30 6.3.8 (c)
> Task of DPOs
> DPOs cannot
> Inform and advice the SME on the obligations arising from the GDPR and the national data protection provisions
> Be held accountable for the information and advice given to the SME (I do not agree with this. They are not accountable for whether their advice is implemented or not but they can be held accountable for being negligent)
> Monitor the compliance of the SME with the GDPR, the national data protection provisions and (eventual) its internal data policies
> Be considered personally responsible for non-compliance with data protection requirements
> Carry on awareness raising activities and training for the staff of the SME dealing with data processing
> Perform the DPIA. Not true. There is no reason why a DPO cannot take the lead in undertaking a DPIA, especially where the skills do not exist elsewhere in the organization, but the responsibility to ensure one is done remains with the Controller.
> Provide advice to the SME and monitor the performance in relation to the DPIA (when a DPIA is required)
> Represent the SME in front of the DPA or in a court in case of proceedings. Not quite so. The DPO remains the first point of contact for data subjects and the DPAs and may be called to account for advice / provide an explanation as to how data was processed based on their monitoring of processing activities. I
> Act as contact point for the supervisory authority in case of prior consultation
> Be considered responsible for the maintenance of the register True but they are responsible for providing oversight as to whether it is maintained.
> Cooperate with the supervisory authority
> Simultaneously hold another position in the organization that helps define the means and purposes of processing of any personal data.
> Be contacted by data subjects willing wishing to exercise their rights
>
> Create and maintain the register of processing (in the exceptional situations where SME are required to have it one) Not True, under Art 30 it is the responsibility of the Controller
>
> P.31 6.3.9(a) Data Protection Impact Assessment
> (a) Background
> The DPIA is a new addition to the EU data protection framework. It builds on the rich experience of conducting impact assessments in other fields, in particular, on the environmental impact assessments. To be effective, impact assessments are carried out at the early stage of a project (proactive initiative), at the phase of planning or designing, and are aimed to identify and help mitigate anticipate the any potential beneficial and adverse (i.e. negative) impacts arising from the intended processing of personal data of such within the project. Impact assessments are risk based exercises that help decision-makers find the best and most beneficial solutions for the development and deployment of initiatives while protecting the rights and freedoms of data subjects. To be practical, impact assessments must be scalable, flexible and applicable inter alia for large organisations, consortia or for small and medium-sized enterprises. Any risks identified will be entered into the Data Protection Risk Register.
>
> P.32 6.3.9(c)
> (c) What are the elements and characteristics of the processing that may generate the high risks to rights and freedoms of individuals?
> The following elements that contribute to the high risks to data subjects from this provision were extracted by the
>
> (d) What situations could require a DPIA?
> Examples of processing operations that could trigger a DPIA:
> • If the SME is implementing a new tool to monitor access to office combining use of fingerprints and face facial recognition technology;
> • If the SME is a biotechnology company offering genetic tests directly to consumers in order to assess and predict the disease/health risks
> • If the SME is providing CCTV surveillance for a shopping centre or using a large number of cameras in their own premises
>
> (e) Who and when should perform a DPIA?
> Albeit the data processor and the data protection officer shall assist the data controller (i.e., SME), the final responsibility on for the DPIA process relies on rests with the data controller.
>
> (f) When is a DPIA is not required?
> • When the data processing operations are included in any list of data processing operations compiled by the DPA non which do not requiring a DPIA
>
> P.33 6.3.9(g)
> 4) Involve data subjects and/or their representatives, the data protection officer and any other expert (e.g. information security officer) and the data processor in the process, ideally in each phase of the assessment process. This consultation must be meaningful.
>
> P.33 6.3.9(h)
> (h) When a new (revised) DPIA is required?
> A new (i.e. revised version of) DPIA could be required if the risks resulting from the processing operations are to change, for example because a new technology is to be has been introduced, a new processor is to be engaged under contract, or because personal data is being to be used for a different purpose
>
> In that case, the review of the risk analysis made can show that the performance of a DPIA is no longer required.
>
> P.34 6.3.10(b)
> (b) How the security obligation is related to other provisions?
> This obligation also requires the controller wishing to engage a processor under contract to undertake due diligence and assess whether the guarantees offered by the data processor, in this case the cloud service provider, are sufficient. A controller must only engage such a processor where they have faith in their ability to comply with the obligations under GDPR. During this process, the controller may take into account whether the processor provides adequate documentation proving compliance with data protection principles that could be found in privacy policies, records management policies, information security policies, external audit reports, certifications and similar documentation. The controller in particular should take into account the processor's expert knowledge (e.g. technical expertise when dealing with data breaches and security measures), reliability and its resources. A site visit may also be necessary. After carrying out the due diligence process, the controller should be able to take a decision with sufficient evidence demonstrating that the processor is suitable, it can then enter into a binding arrangement. It should be added that this due diligence process is not a one-time effort. and it needs to be regularly repeated in order The controller will have an ongoing obligation to check whether the processor is compliant and meeting their obligations either by auditing using their own staff or a trusted third party. When outsourcing the processing of personal data (e.g. for the provision of technical assistance or cloud services), the controller should must conclude a contract, another legal act or binding arrangement with the other entity already setting out clear and precise data protection obligations and the nature of processing in a detailed data processing agreement.
>
> P.35 6.3.10(c)
> An information security policy foreseeing the role of each user and the required permission levels (access control) appropriate to the role which minimises access to only that data necessary for that role. This includes the system administrator accounts is as an example of an appropriate organisational measure.
>
> P.35 6.3.10(d) What technical security measures can a SME take?
> Technical measures must therefore include both physical and computer or IT security.
>
> When considering cybersecurity, you should look at factors such as:
> • system security – the security of your network and information systems, including especially those which process personal data;
> • data security – the security of the data you hold within your systems, e.g., ensuring appropriate access controls are in place and that data is held securely through the use of suitable levels of encryption;
>
> P.36 6.3.10(e)
> Would add:
> Where Special Category Data is processed (such as health data) or personal data relating to minors, higher levels of security will be expected to be implemented and documented.
>
> P.36 6.3.11
> This section should start with the definition of what is meant by a breach and explain the difference between an incident and a breach. It is confusing otherwise.
>
> P.37 6.3.11(b)
> Consequently, this means that the controller must have an internal procedures defined, tested and documented allowing to confirm to appropriately identify and handle any breach of security concerning personal data.
>
> In an ideal scenario, an information incident response policy should precede be in place before processing of personal data begins so that any the occurrence of an incident so that it could be used should a data breach take place.
>
> P.37 6.3.11(d)
> Would add a final paragraph.
> As GDPR is maturing, different DPAs are expressing different thresholds for the reporting of breaches. Where originally there was a fear of over reporting, the DPC in Ireland has requested a breach be reported when there is any risk identified to the data subject. This allows the Commission to identify trends and to have confidence that controllers are identifying the minor breaches and thus are able to identify the more serious breaches should they arise.
>
> I hope you find this useful.
>
> Alan
>
> From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE
> Sent: 28 February 2020 13:09
> To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
> Cc: 'STAR' <star@listserv.vub.ac.be>
> Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
>
> Dear Renata and Gabor,
>
> Here comes D4.1 with both parts now included. We made further minor edits to Part A.
> We believe that the pdf version can be submitted.
> We look forward to your comments on Part B, which unfortunately comes a bit later than planned.
>
> Best regards,
> Lina
>
> From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE
> Sent: Friday, February 28, 2020 8:45 AM
> To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
> Cc: 'STAR' <star@listserv.vub.ac.be>
> Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
>
> Dear Renata and Gabor,
>
> Thank you for your additions and edits.
> The document to be submitted to the EC will reach you shortly after noon.
>
> Best regards,
> Lina
>
> From: nagy.renata@naih.hu <nagy.renata@naih.hu>
> Sent: Thursday, February 27, 2020 4:31 PM
> To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
> Cc: 'STAR' <star@listserv.vub.ac.be>
> Subject: RE: STAR II - Update on EDPB and validation workshop?
>
> Dear Lina!
> Dear All!
>
> Thank you for sharing the restructured version of the guidance for DPAs. We only added minor additions/corrections. We confirm that the yellow parts are accurate.
>
> We are looking forward to the handbook (the submission deadline is 29.02.2020)
>
> Best regards,
>
> Renáta
>
> From: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>
> Sent: Thursday, February 20, 2020 10:32 AM
> To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
> Cc: 'STAR' <star@listserv.vub.ac.be>
> Subject: RE: STAR II - Update on EDPB and validation workshop?
>
> Dear Renata and Gabor,
>
> Once again, thank you for preparing a revised version of the guidance for DPAs.
We reviewed it now enclose an improved version of > it. > It includes nearly all of your report (see the document you shared; > we marked in yellow parts that were used). However, the current > version is restructured, rephrased and embedded in a wider context > of DPAs’ awareness raising duties. We also extracted recommendations > from your report and developed a graph presenting these > recommendations. > There are two parts marked in yellow that need to be checked for > accuracy. Perhaps, you will want to add some other clarifications in > the text. In particular, further additions could be made to the > concluding remarks part. > As we provided contributions to the initial text, we would like to > be considered co-authors of this guidance. What do you think about > this? > > The part B – the handbook for SMEs – is on a way. > > Best regards, > Lina > > From: nagy.renata@naih.humailto:nagy.renata@naih.hu > <nagy.renata@naih.humailto:nagy.renata@naih.hu> > Sent: Tuesday, January 28, 2020 4:16 PM > To: 'Kulitsán Gábor' > <kulitsan.gabor@naih.humailto:kulitsan.gabor@naih.hu>; Leanne > Cochrane > <leanne.cochrane@trilateralresearch.commailto:leanne.cochrane@trilateralresearch.com> > Cc: David Barnard-Wills > <david.barnard-wills@trilateralresearch.commailto:david.barnard-wi lls@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.commailto:Corinna.Pannofino@ trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.commailto:Angelo.Napolano@tril ateralresearch.com>; Lina JASMONTAITE <Lina.Jasmontaite@vub.bemailto:Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' > <sziklay.julia@naih.humailto:sziklay.julia@naih.hu> > Subject: RE: STAR II - Update on EDPB and validation workshop? > > Dear All! > > Please, find enclosed the updated version of the guidance. 
> > Best, > > Renáta > > From: Kulitsán Gábor <kulitsan.gabor@naih.humailto:kulitsan.gabor@naih.hu> > Sent: Tuesday, January 28, 2020 10:09 AM > To: 'Leanne Cochrane' > <leanne.cochrane@trilateralresearch.commailto:leanne.cochrane@trilateralresearch.com> > Cc: 'David Barnard-Wills' > <David.Barnard-Wills@trilateralresearch.commailto:David.Barnard-Wi lls@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.commailto:Corinna.Pannofino@ trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.commailto:Angelo.Napolano@tril ateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.humailto:nagy.renata@naih.hu>; 'Lina JASMONTAITE' <Lina.Jasmontaite@vub.bemailto:Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' > <sziklay.julia@naih.humailto:sziklay.julia@naih.hu> > Subject: RE: STAR II - Update on EDPB and validation workshop? > > Hi Leanne, > > Thanks for the update on the newsletter. > > Regarding the upcoming events: > > * The plan is to present the drafts of the guidance and the > handbook at the EDPB plenary in February. However, as this is > scheduled for 18-19 February, we can only do this, if the drafts are > ready by then. Renáta will circulate the updated version of the > guidance soon. As for the other document (handbook), Lina can > provide further information. > * I have no further information on the validation workshop > planned for March-April 2020. 
> > Best, > Gábor > > > From: Leanne Cochrane [mailto:leanne.cochrane@trilateralresearch.com] > Sent: Monday, January 27, 2020 6:25 PM > To: Kulitsán Gábor <kulitsan.gabor@naih.humailto:kulitsan.gabor@naih.hu> > Cc: David Barnard-Wills > <David.Barnard-Wills@trilateralresearch.commailto:David.Barnard-Wi lls@trilateralresearch.com>; Corinna Pannofino <Corinna.Pannofino@trilateralresearch.commailto:Corinna.Pannofino@ trilateralresearch.com>; Angelo Napolano <Angelo.Napolano@trilateralresearch.commailto:Angelo.Napolano@tril ateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.humailto:nagy.renata@naih.hu>; Lina JASMONTAITE <Lina.Jasmontaite@vub.bemailto:Lina.Jasmontaite@vub.be>; Sziklay Júlia > <sziklay.julia@naih.humailto:sziklay.julia@naih.hu> > Subject: STAR II - Update on EDPB and validation workshop? > > Hi Gabor, > > I hope you are keeping well. > > Our dissemination team is preparing to send out the STAR II > newsletter we mentioned on our previous calls. It will be sent out > this Thursday with links to the approved deliverables and some > blogs. We are also including a section on upcoming events and I > wanted to check with NAIH if we had any further information on the > following two events: > > > * A presentation by NAIH to the EDPB on the STAR II project > planned for the February EDPB plenary (18th-19th) in Brussels. > * A Validation workshop for the STAR II outputs, namely a 'A > Risk Focused Handbook for SMEs' and a 'Guidance for DPAs' planned > for March-April 2020 in Brussels. > Can I just check this information is still current and there is > nothing more specific we can add at this stage? > > I would be grateful if you can cc all in the reply as I am off > tomorrow and the dissemination team are in need of the confirmation. 
> > Thanks and best wishes, > Leanne > > > > <image001.jpg>http://www.trilateralresearch.com/ > > > Leanne Cochrane > > Senior Research Analyst | Policy, Ethics and Emerging Technologies Team > > leanne.cochrane@trilateralresearch.commailto:leanne.cochrane@trilateralresearch.com > > www.trilateralresearch.comhttp://www.trilateralresearch.com > > Mobile: +44 (0) 7545 955 242 > > Skype:@ljcochrane
STAR mailing list STAR@listserv.vub.ac.be https://listserv.vub.ac.be/mailman/listinfo/star
Thanks for keeping us updated!
-----Original Message-----
From: kulitsan.gabor@naih.hu
Sent: Friday, April 3, 2020 7:25 AM
To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>
Cc: sziklay.julia@naih.hu; 'STAR' <star@listserv.vub.ac.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; bazsa.peter <bazsa.peter@naih.hu>
Subject: Re: [star] feedback on STAR II 4.1
Dear All,
Please be informed that due to incomplete filling of an annex (which the PO did not notice when I asked her to review the request) the amendment request had to be withdrawn and re-submitted. I hope that everything will be OK this time.
Best, Gábor
Quote (kulitsan.gabor@naih.hu):
Dear Lina,
Thanks for the input. I launched the amendment procedure, composed the amendment and asked the PO to unofficially review it. Following the review, the amendment will be finalised, signed and submitted.
Regarding Deliverable D4.1: Sure, I'll provide you with my feedback in the next few days. Regarding the EDPB: If I'm not mistaken the plenary meetings are cancelled until the end of May. The expert subgroups can proceed with their work and can have telcos. That's all I know.
Best, Gábor
On 2020-03-23 at 16:15, Lina JASMONTAITE wrote:
Dear Gabor,
As far as the request for the amendment of our contract is concerned, we believe a message along similar lines could be communicated to the PO.
Formal part: The validation workshop (D4.2) for the draft versions of the guidance for running a hotline service for SMEs and the handbook facilitating SMEs' compliance with the GDPR had to take place on 23 April 2020. The workshop agenda was prepared with the different interests and expectations of the representatives of DPAs and SMEs in mind. The feedback sessions foreseen in the agenda had to result in suggestions and comments that could be used to finalise the two documents. Organising the event on the foreseen date at the premises of the Vrije Universiteit Brussel (VUB) is no longer possible due to measures taken to reduce the spread of coronavirus/ Covid-19. It is not possible to predict if the VUB will allow hosting any external events before the end of this school year as, together with the other Flemish universities, it has decided to keep all classes exclusively digital until the end of this semester (5 July 2020). Considering the uncertainty surrounding the current spread of Covid-19, we find the extension of 4 months reasonable. We propose to organise the validation workshop (D4.2) in (early) September. It is, however, difficult to propose the exact date. We would then estimate that during the remaining weeks of September and October we would implement edits in the two documents based on the feedback that we receive. Following this scenario, the final versions of the guidance and the handbook (D.4.3) would then be printed in early November. The final closing event presenting the two documents (D4.4) could be organised in mid-November.
Informal part (and thus not legally binding): Recognising that anxiety caused by the coronavirus pandemic may affect travelling and social interactions in the months to come, we are considering a possibility of launching an online consultation to obtain feedback from the relevant stakeholders (i.e., DPA representatives for part A and SME representatives for part B). Such feedback then would complement feedback obtained during the validation workshop (D4.2).
On the same note, we want to invite NAIH to comment on D4.1. It would be great if you could make suggestions for the questions and answers included in part B. Btw how is the EDPB proceeding with its work?
Best regards, Lina
-----Original Message-----
From: kulitsan.gabor@naih.hu
Sent: Thursday, March 19, 2020 11:42 AM
To: sziklay.julia@naih.hu
Cc: 'STAR' <star@listserv.vub.ac.be>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; bazsa.peter <bazsa.peter@naih.hu>
Subject: Re: [star] feedback on STAR II 4.1
Dear All,
The PO informed us of the following (see research portal - process communication):
"Your project is foreseen to end in about 4 months, on 31/07/2020. According to your explanation there are still two events (validation workshop in Brussels and launch event for the guidance & handbook in Budapest) to be organized. Taking into consideration these two elements, I would suggest you to apply for 4 months long prolongation – eg project would be ending on 31/11/2020, which seems sufficient at this point to implement these 2 activities. If there would be a need to prolong it even further, we can evaluate it at the later stage. Would you agree?
Please be so kind to introduce the amendment request in the system ASAP you have clear idea around when would you consider it be possible to implement these 2 activities. Please do not forget to make modifications in narrative Part B (eg timeline, History of changes) and upload it as an attachment to your amendment request."
Following this message I asked whether it would be possible to postpone all of the activities and reports by 4 months. Her answer: "Yes, please launch the amendment with 4 months prolongation of the action and please change the submission deadlines of all the pending deliveries according to your evaluation provisions."
In light of the above, I think we should take the PO's suggestion and apply for a 4 months long prolongation, requesting it for all activities and deliverables, with the indication that in case we don’t need all of this time, we can finish the project earlier.
Would you agree? If so, please read the attached guidance document and please give me input on how we should justify the request for prolongation for each remaining activity and deliverable.
Thank you.
Best, Gábor
Quote (sziklay.julia@naih.hu):
Dear David, I kindly ask you to formulate and share with us your questions as soon as possible. Renata and I would stay at your disposal and for sure there would be no better time for discussion than now! Julia
Quote (kulitsan.gabor@naih.hu):
Hi David,
Of course, I informed the PO that we would like to apply for project prolongation, including postponement of all activities and submission of deliverables, for 6 months. Let's see what she answers.
Best, Gábor
Quote (David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com>):
Hi Julia, Gabor, Renata,
In addition to the prolongation, can we request to postpone the report on the statistical efficiency of the hotline too? We would need to have an in-depth conversation/discussion(s) with you at NAIH about analysing the data we do have, and adding value to what is in the reporting on the hotline. If you have no capacity for STAR II at the moment, then I don't see us as being able to deliver that this month.
Best wishes,
DBW
-----Original Message-----
From: star-bounces@listserv.vub.ac.be On Behalf Of sziklay.julia@naih.hu
Sent: 17 March 2020 12:37
To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: Re: [star] feedback on STAR II 4.1
Dear All, then all of us agree on requesting a 6 month prolongation. I kindly ask Gabor and Renata to proceed according to it. Kind regards, Julia
Quote (Lina JASMONTAITE <Lina.Jasmontaite@vub.be>):
Dear Gabor,
Thank you for sharing the reply from the PO. That's great news. I suggest that we accept the offer of 6 months as the situation remains uncertain and in case we don't need all of this time, we can finalise the project earlier.
Best regards, Lina
-----Original Message-----
From: David Wright <David.wright@trilateralresearch.com>
Sent: Tuesday, March 17, 2020 11:30 AM
To: kulitsan.gabor@naih.hu; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: Re: [star] feedback on STAR II 4.1
This seems a very good solution.
On 17/03/2020, 10:21, "star-bounces@listserv.vub.ac.be on behalf of kulitsan.gabor@naih.hu" <star-bounces@listserv.vub.ac.be on behalf of kulitsan.gabor@naih.hu> wrote:
Dear All,
Response of the PO (see research portal - process communications)
"Dear coordinator,
Thank you for contacting us.
In relation to your request, we are aware of the heavy circumstances our projects are facing due to current Coronavirus pandemic. Therefore, we are offering our projects to apply for project prolongation eg up until for 6 months (depending on justifications provided) and postponement of activities. There is also, in principle, the option of total suspension but, given that the suspension procedure is much heavier, we do recommend our projects to apply for prolongation instead. Please let me know which way would you like to proceed - amendment for prolongation, or still total suspension?
Kind regards,
Angeelika"
If we accept the PO's recommendation and apply for project prolongation and postponement of activities, we still have to agree on the period of time. If we take this solution I think we should ask for at least 3 months since we have to organize two international workshops, and travelling in Europe is currently quite problematic and it's rather uncertain when the situation will change.
Best, Gábor
Quote (Lina JASMONTAITE <Lina.Jasmontaite@vub.be>):
> Dear Julia and David, > > Thank you for your replies. Indeed, the end result of the extension > of the timeline or a temporary suspension would be rather similar – > the project would run longer. > After consulting internally our finance and legal departments, > however, we are of opinion that less restrictive measures (i.e., > extension of the timeline) would be more appropriate. This is also > message that we sent to PO. > > Best regards, > Lina > > From: Sziklay Júlia sziklay.julia@naih.hu > Sent: Monday, March 16, 2020 3:26 PM > To: Lina JASMONTAITE Lina.Jasmontaite@vub.be; David Barnard-Wills > david.barnard-wills@trilateralresearch.com; Leanne Cochrane > leanne.cochrane@trilateralresearch.com > Cc: 'STAR' star@listserv.vub.ac.be > Subject: RE: [star] feedback on STAR II 4.1 > > Dear Colleagues, > I think both proposals can be reasonable but nevertheless with quite > the same effect: we will be stuck in the project till the end of a > prolonged deadline (presumably till autumn 2020 instead of July). I > am sure the Commission is working on the issue (the world epidemic > situation affects all the ongoing projects in general) so we shall > keep our dialogue going on. > Julia > > From: > star-bounces@listserv.vub.ac.bemailto:star-bounces@listserv.vub.ac.be > [mailto:star-bounces@listserv.vub.ac.be] On Behalf Of Lina JASMONTAITE > Sent: Monday, March 16, 2020 1:38 PM > To: David Barnard-Wills > <david.barnard-wills@trilateralresearch.commailto:david.barnard-wi lls@trilateralresearch.com>; Leanne Cochrane > <leanne.cochrane@trilateralresearch.commailto:leanne.cochrane@trilateralresearch.com> > Cc: STAR <star@listserv.vub.ac.bemailto:star@listserv.vub.ac.be> > Subject: Re: [star] feedback on STAR II 4.1 > > Dear David and Leanne, > > Could you please let us know your position on this situation? 
> Best regards, > Lina > > On 16 Mar 2020, at 11:39, Lina JASMONTAITE > <Lina.Jasmontaite@vub.bemailto:Lina.Jasmontaite@vub.be> wrote: > > Dear Gabor, > > I understand your point of view but I believe that all three > partners should have agreed to the suspension before sending a > request to the PO. Following my supervisor’s advice, VUB couldn’t > accept this proposal. > I am ok to discuss alternative solutions with the PO. > I will keep you and TRI team posted via the mailing list. > > Best regards and stay safe, > Lina > > From: Kulitsán Gábor <kulitsan.gabor@naih.humailto:kulitsan.gabor@naih.hu> > Sent: Monday, March 16, 2020 11:14 AM > To: Lina JASMONTAITE > <Lina.Jasmontaite@vub.bemailto:Lina.Jasmontaite@vub.be> > Cc: 'STAR' > <star@listserv.vub.ac.bemailto:star@listserv.vub.ac.be>; David > Barnard-Wills > <david.barnard-wills@trilateralresearch.commailto:david.barnard-wills@trilateralresearch.com>; > nagy.renata@naih.humailto:nagy.renata@naih.hu > Subject: RE: feedback on STAR II 4.1 > > Dear Lina, > > And how should I ask any extension if I don’t know any exact dates > or anything for sure? I think the suspension is better, indicating > that the project would resume where it left off once the situation > returns to normal or at least to less serious. I already sent the > message to the PO, but If you have any other idea, feel free to > share with her via the portal adding the turn “on behalf of the > coordinator”. I’m really sorry, but now I have neither time nor > energy to act as a contact person. If you want, you can have the > call as well, but I probably won’t to be available. And no offense, > but to be honest, currently the project is of least interest to me. 
> > Best, > Gábor > > > From: Lina JASMONTAITE [mailto:Lina.Jasmontaite@vub.be] > Sent: Monday, March 16, 2020 10:58 AM > To: Kulitsán Gábor <kulitsan.gabor@naih.humailto:kulitsan.gabor@naih.hu> > Cc: 'STAR' > <star@listserv.vub.ac.bemailto:star@listserv.vub.ac.be>; David > Barnard-Wills > <david.barnard-wills@trilateralresearch.commailto:david.barnard-wills@trilateralresearch.com>; > nagy.renata@naih.humailto:nagy.renata@naih.hu > Subject: RE: feedback on STAR II 4.1 > > Dear Gabor, > > Thanks for your email. I am not sure what would a suspension mean in > terms of financial implications for VUB, so at this point I think we > should request for an extension in these unforeseen circumstances > rather than a suspension. > > While the situation is full of uncertainty and many of us need to > adapt to it, we can still proceed further and work on deliverables > for the project, apart from the workshop. We need to discuss a > scenario with the PO what to do if the situation does not improve in > upcoming weeks. If that is the case, perhaps, we should ask for the > adjustment in the DOW and instead of a workshop to obtain feedback > we could propose having an online consultation. This would of course > affect our funding. > > I think we should still have a call if not this week, then a week after. 
> > Best regards, > Lina > > From: Kulitsán Gábor <kulitsan.gabor@naih.humailto:kulitsan.gabor@naih.hu> > Sent: Monday, March 16, 2020 10:39 AM > To: Lina JASMONTAITE > <Lina.Jasmontaite@vub.bemailto:Lina.Jasmontaite@vub.be>; David > Barnard-Wills > <david.barnard-wills@trilateralresearch.commailto:david.barnard-wills@trilateralresearch.com>; > nagy.renata@naih.humailto:nagy.renata@naih.hu > Cc: 'STAR' <star@listserv.vub.ac.bemailto:star@listserv.vub.ac.be> > Subject: RE: feedback on STAR II 4.1 > Importance: High > > Dear Lina & All > > Due to the current situation I will ask the PO to temporarily > suspend the project including all deadlines by reason of > unforeseeable circumstances of force majeure. I’ll keep you updated. > > Secondly, I can’t make tomorrow’s call, but I don’t think that’s the > most important thing now anyway. > > Best wishes, stay safe and take care of yourselves! > > Gábor > > > From: Lina JASMONTAITE [mailto:Lina.Jasmontaite@vub.be] > Sent: Friday, March 13, 2020 10:54 AM > To: David Barnard-Wills > <david.barnard-wills@trilateralresearch.commailto:david.barnard-wi lls@trilateralresearch.com>; 'Kulitsán Gábor' > <kulitsan.gabor@naih.humailto:kulitsan.gabor@naih.hu> > Cc: 'STAR' > <star@listserv.vub.ac.bemailto:star@listserv.vub.ac.be>; > nagy.renata@naih.humailto:nagy.renata@naih.hu > Subject: RE: feedback on STAR II 4.1 > > > @David > Barnard-Willsmailto:David.Barnard-Wills@trilateralresearch.com > many thanks for sharing the extensive feedback. It’s much > appreciated and we’ll implement it as soon as possible. > > @'Kulitsán Gábor'mailto:kulitsan.gabor@naih.hu at the university > we were receiving daily updates on the situation concerning the > virus. For now all external events are cancelled until the end of > April. In view of this, we can suggest to reschedule the event for > the later date (probably to mid or late June) in a hope that by then > the situation improves and we can host the event. 
This would > consequently require more time to finalise the handbook for the > final event and then July wouldn’t be a realistic date. My > understanding is that we cannot ask for the extension of the project > to the end of October/November because it is funded by the grant > action. Could we ask however the PO for the cost of the final > workshop as well as travelling to be eligible for the later date > that would go beyond the lifetime of the project? > Perhaps, before proceeding with the official communication, it would > be possible to get in touch with the PO via a phone call, so we are > aware about the position taken by the EC considering the current > situation? > > Having a call on Tuesday works well for our team. > > > Best regards, > Lina > > > > > > From: David Barnard-Wills > <David.Barnard-Wills@trilateralresearch.commailto:David.Barnard-Wills@trilateralresearch.com> > Sent: Tuesday, March 10, 2020 4:22 PM > To: Lina JASMONTAITE > <Lina.Jasmontaite@vub.bemailto:Lina.Jasmontaite@vub.be>; > nagy.renata@naih.humailto:nagy.renata@naih.hu; 'Kulitsán Gábor' > <kulitsan.gabor@naih.humailto:kulitsan.gabor@naih.hu> > Cc: 'STAR' <star@listserv.vub.ac.bemailto:star@listserv.vub.ac.be> > Subject: feedback on STAR II 4.1 > > Dear all, > > First, I sincerely apologise for not getting this feedback to you > earlier. I assume that D4.1 was submitted? > On the positive side, this feedback can presumably be included in > the final version of these deliverables. > > We got Alan Moore, one of our DPO team, with good practical > expertise with various commercial clients to review the guidance > document (You met him at the Brussels workshop). His feedback is > below. > > Best wishes, > > DBW > > I have gone through the document and have a few suggestions: > > P7 Section 3.2 It can be suggested that to compensate for being > awarded with limited enforcement powers….. > > I would hold they have significant powers beyond the ability to > fine. 
Their powers to instruct controllers / processor top cease > processing data, among others, can ultimately shut down a business > without a fine being levied. To ignore these instructions can land a > director in jail for up to 5 years! > > P8. DPAs The focus on standardisation and EDPB. Art 60 was an after > thought and the general view is the it cannot operate within the > prescribed timelines. The ECJ will be the ultimate arbiter for > standardisation of approaches / laws / requirements but each > National Authority must be free to interpret facts presented in its > own way. Their independence is anchored in the EU treaties. A > complication that will eventually need to be addressed. > > P8. 3.3 Should be aware that translation into romance languages can > carry a different commutation the was intended by the Directive and > DPA have a key role to explain the true intent / meaning. > > P9. 3.4 Typo in second paragraph. > It also could be considered e the most > > P10. It appeared that most DPAs do not use internal guidance to direct…. > What has been the result of this? A key concern in the Irish DPC has > been delivering a consistent message and not providing a different > answer to the same or similar callers on different occasions. > > P11. 4 Unclear use of language - first paragraph > This initiative allowed to be confirmed that > It allowed to be obtained > > P11.4. Would stress the importance of standardisation of response > & P12 4 Add ‘c’? Implement a control process to ensure > standardisation of responses to similar questions / scenarios > > P13. 4.2 Might mention the concern that callers may have that > showing their hand may trigger an investigation. Callers need to be > reassured and encouraged to participate. Approaches do differ > between different DPAs. > > P13. 4.2.1 > It was decided to create a dedicated part > Following up on from this decision > > P15. 
4.2.3 > I would stress the value of face to face more as context can be > complicated and the caller is subject to information and power > asymmetry. > > P16 4.5 last paragraph > We are included inclined to > > P21 6.2 last paragraph > DPAs across the EU have reported to engage that they have engaged in > > P22 6.3 4.5 last paragraph > Slovic suggests that the following elements play a role when evaluating risk: > > 1. The degree to which an individual feels in control > 2. The nature of consequences and the distribution of the impact > > P23 6.3 2nd paragraph > Which is perceived ‘as the coordinated activities to direct and > control an organisation with regard to risk’ 47 This is most > practically evidenced by the development and maintaining of a formal > risk register. > > (This risk section is very cerebral I fear and wont help with the ‘how’) > > P23 6.3.1 > Typically, the risk based approach formula approach in the GDPR > includes the following elements to be taken into account: > > * The state of the art in terms of technology for of the means > of processing (state of the art needs to be explained – does not > mean the best there is but rather the minimum expectable / expected) > > P24 6.3.2 > I would add a sentence or two on the benefits undertaking a > voluntary DPIA which include: > > * Documented understanding of the how the system works > * Known points of integration with other systems > * Assigning accountability > * Ensuring organisational standards (security / access etc) are > being complied with > * Demonstrated commitment to GDPR > * General piece of mind / greater organisational resilience > > P24 6.3.5 > I would add a piece on keeping a formal risk register of risks to > data subjects, separate from ant organisation risk register of risks > to the organisation in which all risks are assigned an owner and a > review date. > > P25 6.3.5 (b) What does SMEs need to do to be accountable? 
> > Second paragraph > …that the principle of accountability as an elements of good > > P.26 first line > … that the demonstration of compliance > > P.26 6.3.6 (b) > > * Implement data protection principles (see Article 5) and to > integrate the necessary safeguards into the processing in order to > meet the requirements of this Regulation and protect the rights of > data subjects (see Chapter III) in an effective manner; > * This should done at the time of the determination of the means > for processing and implemented before the time of the processing > itself. > (not that clear in the text.) > > P.27 6.3.6 (c) > It should be noted that some DPAs while note defining and technical > or organisation measures will nonetheless express an expectation > such as the Irish DPC in terms of the use of encryption whenever > possible where personal data is at rest or in transit. > > P.28 6.3.7 (b) 2nd paragraph > It is assumed that organisations will, however, benefit more from > maintaining their documentation electronically as such documentation > can they can easily added to, have entries removed when obsolete, > and amend entries it as necessary. However paper documentation is > regarded as being appropriate for SMEs and micro enterprises. It > should be added that SMEs (entities having less than 250 employees) > are technically exempt from this obligation if provided they are > undertaking: > • processing that is not likely to > result in a risk to the rights and freedoms of > data subjects; > • processing that is not occasional > (meaning that it is not regularly / > frequently undertaken); or > • processing that does not include > special categories of data or personal data > relating to criminal convictions and offences. > > In reality, very few SMEs can avail of this exemption unless the > process very little data. Most SMEs will usually have some special > category data as part of their HR files. > > They can be are available on the websites…. 
>
> P.29 6.3.8 (a) 2
> Large scale is not defined by the legislation though different DPAs
> have given some guidance relevant to different activities.
>
> For SMEs who provide services into other organisations, the
> voluntary appointment of an internal or outsourced DPO can provide
> commercial and strategic advantage by communicating a commitment to
> data protection and promoting higher levels of trust.
>
> P.29 6.3.8 (b)
>
> A DPO may either be an employee of the SME or an external expert,
> but in both cases, it is fundamental that he or she is independent,
> in the sense that:
> • the DPO shall be provided of with all the necessary
> resources to carry on his/her tasks, in terms of money, time,
> workforce, time to devote to professional development
> etc.;
> • the DPO shall not receive instructions for the
> exercise of his/her tasks;
> • the DPO shall not be dismissed or penalized for the
> performance of his/her tasks;
> • the DPO shall report to the highest level of management; and
> • the DPO should not be in have any conflict of
> interest in respect to other tasks and duties (e.g.
> determining objects and purposes of the processing,
> representing the SME in legal proceeding).
>
> P.30 6.3.8 (c)
> Task of DPOs
> DPOs cannot
> Inform and advice the SME on the obligations arising from the GDPR
> and the national data protection provisions
> Be held accountable for the information and advice given to the SME
> (I do not agree with this. They are not accountable for whether
> their advice is implemented or not but they can be held accountable
> for being negligent)
> Monitor the compliance of the SME with the GDPR, the national data
> protection provisions and (eventual) its internal data policies
> Be considered personally responsible for non-compliance with data
> protection requirements
> Carry on awareness raising activities and training for the staff of
> the SME dealing with data processing
> Perform the DPIA. Not true.
> There is no reason why a DPO cannot take
> the lead in undertaking a DPIA especially where the skills do not
> exist elsewhere in the organization, but the responsibility to
> ensure one is done remains with the Controller.
> Provide advice to the SME and monitor the performance in relation to
> the DPIA (when a DPIA is required)
> Represent the SME in front of the DPA or in a court in case of
> proceedings. Not quite so. The DPO remains the first point of
> contact for data subjects and the DPAs and may be called to account
> for advice / provide an explanation as to how data was processed
> based on their monitoring of processing activities.
> Act as contact point for the supervisory authority in case of prior
> consultation
> Be considered responsible for the maintenance of the register. True,
> but they are responsible for providing oversight as to whether it is
> maintained.
> Cooperate with the supervisory authority
> Simultaneously hold another position in the organization that helps
> define the means and purposes of processing of any personal data.
> Be contacted by data subjects willing wishing to exercise their rights
>
> Create and maintain the register of processing (in the exceptional
> situations where SME are required to have it one) Not True, under
> Art 30 it is the responsibility of the Controller
>
> P.31 6.3.9(a) Data Protection Impact Assessment
> (a) Background
> The DPIA is a new addition to the EU data protection framework. It
> builds on the rich experience of conducting impact assessments in
> other fields, in particular, on the environmental impact
> assessments. To be effective, impact assessments are carried out at
> the early stage of a project (proactive initiative), at the phase of
> planning or designing, and are aimed to identify and help mitigate
> anticipate the any potential beneficial and adverse (i.e. negative)
> impacts arising from the intended processing of personal data of
> such within the project.
> Impact assessments are risk based exercises
> that help decision-makers find the best and most beneficial
> solutions for the development and deployment of initiatives while
> protecting the rights and freedoms of data subjects. To be
> practical, impact assessments must be scalable, flexible and
> applicable inter alia for large organisations, consortia or for
> small and medium-sized enterprises. Any risks identified will be
> entered into the Data Protection Risk Register.
>
> P.32 6.3.9(c)
> (c) What are the elements and characteristics of the
> processing that may generate the high risks to rights and freedoms
> of individuals?
> The following elements that contribute to the high risks to data
> subjects from this provision were extracted by the
>
> (d) What situations could require a DPIA?
> Examples of processing operations that could trigger a DPIA:
> • If the SME is implementing a new tool to monitor
> access to office combining use of fingerprints and face facial
> recognition technology;
> • If the SME is a biotechnology company offering
> genetic tests directly to consumers in order to assess and predict
> the disease/health risks
> • If the SME is providing CCTV surveillance for a
> shopping centre or using a large number of cameras in their own
> premises
>
> (e) Who and when should perform a DPIA?
> Albeit the data processor and the data protection officer shall
> assist the data controller (i.e., SME), the final responsibility on
> for the DPIA process relies on rests with the data controller.
>
> (f) When is a DPIA is not required?
> • When the data processing operations are included in
> any list of data processing operations compiled by the DPA non
> which do not requiring a DPIA
>
> P.33 6.3.9(g)
> 4) Involve data subjects and/or their representatives,
> the data protection officer and any other expert (e.g. information
> security officer) and the data processor in the process, ideally in
> each phase of the assessment process.
> This consultation must be
> meaningful.
>
> P.33 6.3.9(h)
> (h) When a new (revised) DPIA is required?
> A new (i.e. revised version of) DPIA could be required if the risks
> resulting from the processing operations are to change, for example
> because a new technology is to be has been introduced, a new
> processor is to be engaged under contract, or because personal data
> is being to be used for a different purpose
>
> In that case, the review of the risk analysis made can show that the
> performance of a DPIA is no longer required.
>
> P.34 6.3.10(b)
> (b) How the security obligation is related to other provisions?
> This obligation also requires the controller wishing to engage a
> processor under contract to undertake due diligence and assess
> whether the guarantees offered by the data processor, in this case
> the cloud service provider, are sufficient. A controller must only
> engage such a processor where they have faith in their ability to
> comply with the obligations under GDPR. During this process, the
> controller may take into account whether the processor provides
> adequate documentation proving compliance with data protection
> principles that could be found in privacy policies, records
> management policies, information security policies, external audit
> reports, certifications and similar documentation. The controller in
> particular should take into account the processor’s expert knowledge
> (e.g. technical expertise when dealing with data breaches and
> security measures), reliability and its resources. A site visit may
> also be necessary. After carrying out the due diligence process, the
> controller should be able to take a decision with sufficient
> evidence demonstrating that the processor is suitable, it can then
> enter into a binding arrangement. It should be added that this due
> diligence process is not a one-time effort.
> and it needs to be
> regularly repeated in order The controller will have an ongoing
> obligation to check whether the processor is compliant and meeting
> their obligations either by auditing using their own staff or a
> trusted third party. When outsourcing the processing of personal
> data (e.g. for the provision of technical assistance or cloud
> services), the controller should must conclude a contract, another
> legal act or binding arrangement with the other entity already
> setting out clear and precise data protection obligations and the
> nature of processing in a detailed data processing agreement.
>
>
> P.35 6.3.10(c)
> An information security policy foreseeing the role of each user and
> the required permission levels (access control) appropriate to the
> role which minimises access to only that data necessary for that
> role. This includes the system administrator accounts is as an
> example of an appropriate organisational measure.
>
> P.35 6.3.10(d) What technical security measures can a SME take?
> Technical measures must therefore include both physical and computer
> or IT security.
>
> When considering cybersecurity, you should look at factors such as:
> • system security – the security of your network and
> information systems, including especially those which process
> personal data;
> • data security – the security of the data you hold
> within your systems, e.g., ensuring appropriate access controls are
> in place and that data is held securely through the use of suitable
> levels of encryption;
>
> P.36 6.3.10(e)
> Would add:
> Where Special Category Data is processed (such as health data) or
> personal data relating to minors, higher levels of security will be
> expected to be implemented and documented.
>
> P.36 6.3.11
> This section should start with the definition of what is meant by a
> breach and explain the difference between an incident and a breach.
> It is confusing otherwise.
>
> P.37 6.3.11(b)
> Consequently, this means that the controller must have an internal
> procedures defined, tested and documented allowing to confirm to
> appropriately identify and handle any breach of security concerning
> personal data.
>
> In an ideal scenario, an information incident response policy should
> precede be in place before processing of personal data begins so
> that any the occurrence of an incident so that it could be used
> should a data breach take place.
>
> P.37 6.3.11(d)
> Would add a final paragraph.
> As GDPR is maturing, different DPAs are expressing different
> thresholds for the reporting of breaches. Where originally there was
> a fear of over reporting, the DPC in Ireland has requested a breach
> be reported when there is any risk identified to the data subject.
> This allows the Commission to identify trends and to have confidence
> that controllers are identifying the minor breaches and thus are
> able to identify the more serious breaches should they arise.
>
> I hope you find this useful.
>
> Alan
>
>
> From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On
> Behalf Of Lina JASMONTAITE
> Sent: 28 February 2020 13:09
> To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
> Cc: 'STAR' <star@listserv.vub.ac.be>
> Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
>
> Dear Renata and Gabor,
>
> Here comes D4.1 with both parts now included. We made further minor
> edits to Part A.
> We believe that the pdf version can be submitted.
> We look forward to your comments on Part B, which unfortunately
> comes a bit later than planned.
>
> Best regards,
> Lina
>
> From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On
> Behalf Of Lina JASMONTAITE
> Sent: Friday, February 28, 2020 8:45 AM
> To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
> Cc: 'STAR' <star@listserv.vub.ac.be>
> Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
>
> Dear Renata and Gabor,
>
> Thank you for your additions and edits.
> The document to be submitted to the EC will reach you shortly after noon.
>
> Best regards,
> Lina
>
> From: nagy.renata@naih.hu <nagy.renata@naih.hu>
> Sent: Thursday, February 27, 2020 4:31 PM
> To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
> Cc: 'STAR' <star@listserv.vub.ac.be>
> Subject: RE: STAR II - Update on EDPB and validation workshop?
>
> Dear Lina!
> Dear All!
>
> Thank you for sharing the restructured version of the guidance for
> DPAs. We only added minor additions/corrections. We confirm that the
> yellow parts are accurate.
>
> We are looking forward to the handbook (the submission deadline is
> 29.02.2020)
>
>
> Best regards,
>
> Renáta
>
>
> From: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>
> Sent: Thursday, February 20, 2020 10:32 AM
> To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
> Cc: 'STAR' <star@listserv.vub.ac.be>
> Subject: RE: STAR II - Update on EDPB and validation workshop?
>
> Dear Renata and Gabor,
>
> Once again, thank you for preparing a revised version of the
> guidance for DPAs.
> We reviewed it and now enclose an improved version of
> it.
> It includes nearly all of your report (see the document you shared;
> we marked in yellow parts that were used). However, the current
> version is restructured, rephrased and embedded in a wider context
> of DPAs’ awareness raising duties. We also extracted recommendations
> from your report and developed a graph presenting these
> recommendations.
> There are two parts marked in yellow that need to be checked for
> accuracy. Perhaps, you will want to add some other clarifications in
> the text. In particular, further additions could be made to the
> concluding remarks part.
> As we provided contributions to the initial text, we would like to
> be considered co-authors of this guidance. What do you think about
> this?
>
> The part B – the handbook for SMEs – is on its way.
>
> Best regards,
> Lina
>
> From: nagy.renata@naih.hu <nagy.renata@naih.hu>
> Sent: Tuesday, January 28, 2020 4:16 PM
> To: 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>; Leanne Cochrane <leanne.cochrane@trilateralresearch.com>
> Cc: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.com>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' <sziklay.julia@naih.hu>
> Subject: RE: STAR II - Update on EDPB and validation workshop?
>
> Dear All!
>
> Please, find enclosed the updated version of the guidance.
>
> Best,
>
> Renáta
>
> From: Kulitsán Gábor <kulitsan.gabor@naih.hu>
> Sent: Tuesday, January 28, 2020 10:09 AM
> To: 'Leanne Cochrane' <leanne.cochrane@trilateralresearch.com>
> Cc: 'David Barnard-Wills' <David.Barnard-Wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.hu>; 'Lina JASMONTAITE' <Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' <sziklay.julia@naih.hu>
> Subject: RE: STAR II - Update on EDPB and validation workshop?
>
> Hi Leanne,
>
> Thanks for the update on the newsletter.
>
> Regarding the upcoming events:
>
> * The plan is to present the drafts of the guidance and the
> handbook at the EDPB plenary in February. However, as this is
> scheduled for 18-19 February, we can only do this if the drafts are
> ready by then. Renáta will circulate the updated version of the
> guidance soon. As for the other document (handbook), Lina can
> provide further information.
> * I have no further information on the validation workshop
> planned for March-April 2020.
>
> Best,
> Gábor
>
>
> From: Leanne Cochrane [mailto:leanne.cochrane@trilateralresearch.com]
> Sent: Monday, January 27, 2020 6:25 PM
> To: Kulitsán Gábor <kulitsan.gabor@naih.hu>
> Cc: David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com>; Corinna Pannofino <Corinna.Pannofino@trilateralresearch.com>; Angelo Napolano <Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.hu>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; Sziklay Júlia <sziklay.julia@naih.hu>
> Subject: STAR II - Update on EDPB and validation workshop?
>
> Hi Gabor,
>
> I hope you are keeping well.
>
> Our dissemination team is preparing to send out the STAR II
> newsletter we mentioned on our previous calls. It will be sent out
> this Thursday with links to the approved deliverables and some
> blogs. We are also including a section on upcoming events and I
> wanted to check with NAIH if we had any further information on the
> following two events:
>
>
> * A presentation by NAIH to the EDPB on the STAR II project
> planned for the February EDPB plenary (18th-19th) in Brussels.
> * A Validation workshop for the STAR II outputs, namely 'A
> Risk Focused Handbook for SMEs' and a 'Guidance for DPAs' planned
> for March-April 2020 in Brussels.
> Can I just check this information is still current and there is
> nothing more specific we can add at this stage?
>
> I would be grateful if you can cc all in the reply as I am off
> tomorrow and the dissemination team are in need of the confirmation.
>
> Thanks and best wishes,
> Leanne
>
>
>
> http://www.trilateralresearch.com/
>
>
> Leanne Cochrane
>
> Senior Research Analyst | Policy, Ethics and Emerging Technologies Team
>
> leanne.cochrane@trilateralresearch.com
>
> www.trilateralresearch.com
>
> Mobile: +44 (0) 7545 955 242
>
> Skype: @ljcochrane
STAR mailing list STAR@listserv.vub.ac.be https://listserv.vub.ac.be/mailman/listinfo/star
Dear All,
The amendment request is still not OK. According to the PO I used a new version of "Annex I Part B" template instead of using the old one. So, I have to withdraw and re-submit the amendment request with the modified old version of the template again.
I'll do it today and I really hope that the request will be accepted this time.
Best, Gábor
Quote (Lina JASMONTAITE Lina.Jasmontaite@vub.be):
Thanks for keeping us updated!
-----Original Message-----
From: kulitsan.gabor@naih.hu kulitsan.gabor@naih.hu
Sent: Friday, April 3, 2020 7:25 AM
To: Lina JASMONTAITE Lina.Jasmontaite@vub.be
Cc: sziklay.julia@naih.hu; 'STAR' star@listserv.vub.ac.be; David Barnard-Wills david.barnard-wills@trilateralresearch.com; bazsa.peter bazsa.peter@naih.hu
Subject: Re: [star] feedback on STAR II 4.1
Dear All,
Please be informed that due to incomplete filling of an annex (which the PO did not notice when I asked her to review the request) the amendment request had to be withdrawn and re-submitted. I hope that everything will be OK this time.
Best, Gábor
Quote (kulitsan.gabor@naih.hu):
Dear Lina,
Thanks for the input. I launched the amendment procedure, composed the amendment and asked the PO to unofficially review it. Following the review, the amendment will be finalised, signed and submitted.
Regarding Deliverable D4.1: Sure, I'll provide you with my feedback in the next few days. Regarding the EDPB: If I'm not mistaken the plenary meetings are cancelled until the end of May. The expert subgroups can proceed with their work and can have telcos. That's all I know.
Best, Gábor
On 2020-03-23 16:15, Lina JASMONTAITE wrote:
Dear Gabor,
As far as the request for the amendment of our contract is concerned, we believe a message along similar lines could be communicated to the PO.
Formal part: The validation workshop (D4.2) for the draft versions of the guidance for running a hotline service for SMEs and the handbook facilitating SMEs' compliance with the GDPR had to take place on 23 April 2020. The workshop agenda was prepared with the different interests and expectations of the representatives of DPAs and SMEs in mind. The feedback sessions foreseen in the agenda had to result in suggestions and comments that could be used to finalise the two documents. Organising the event on the foreseen date at the premises of the Vrije Universiteit Brussel (VUB) is no longer possible due to measures taken to reduce the spread of coronavirus/ Covid-19. It is not possible to predict if the VUB will allow hosting any external events before the end of this school year as, together with the other Flemish universities, it has decided to keep all classes exclusively digital until the end of this semester (5 July 2020). Considering the uncertainty surrounding the current spread of Covid-19, we find an extension of 4 months reasonable. We propose to organise the validation workshop (D4.2) in (early) September. It is, however, difficult to propose the exact date. We would then estimate that during the remaining weeks of September and October we would implement edits in the two documents based on the feedback that we receive. Following this scenario, the final versions of the guidance and the handbook (D.4.3) would then be printed in early November. The final closing event presenting the two documents (D4.4) could be organised in mid-November.
Informal part (and thus not legally binding): Recognising that anxiety caused by the coronavirus pandemic may affect travelling and social interactions in the months to come, we are considering a possibility of launching an online consultation to obtain feedback from the relevant stakeholders (i.e., DPA representatives for part A and SME representatives for part B). Such feedback then would complement feedback obtained during the validation workshop (D4.2).
On the same note, we want to invite NAIH to comment on D4.1. It would be great if you could make suggestions for the questions and answers included in part B. Btw how is the EDPB proceeding with its work?
Best regards, Lina
-----Original Message-----
From: kulitsan.gabor@naih.hu kulitsan.gabor@naih.hu
Sent: Thursday, March 19, 2020 11:42 AM
To: sziklay.julia@naih.hu
Cc: 'STAR' star@listserv.vub.ac.be; Lina JASMONTAITE Lina.Jasmontaite@vub.be; David Barnard-Wills david.barnard-wills@trilateralresearch.com; bazsa.peter bazsa.peter@naih.hu
Subject: Re: [star] feedback on STAR II 4.1
Dear All,
The PO informed us of the following (see research portal - process communication):
"Your project is foreseen to end in about 4 months, on 31/07/2020. According to your explanation there are still two events (validation workshop in Brussels and launch event for the guidance & handbook in Budapest) to be organized. Taking into consideration these two elements, I would suggest you to apply for 4 months long prolongation – eg project would be ending on 31/11/2020, which seems sufficient at this point to implement these 2 activities. If there would be a need to prolong it even further, we can evaluate it at the later stage. Would you agree?
Please be so kind to introduce the amendment request in the system ASAP you have clear idea around when would you consider it be possible to implement these 2 activities. Please do not forget to make modifications in narrative Part B (eg timeline, History of changes) and upload it as an attachment to your amendment request."
Following this message I asked whether it would be possible to postpone all of the activities and reports by 4 months. Her answer: "Yes, please launch the amendment with 4 months prolongation of the action and please change the submission deadlines of all the pending deliveries according to your evaluation provisions."
In light of the above, I think we should take the PO's suggestion and apply for a 4-month prolongation, requesting it for all activities and deliverables, with the indication that in case we don't need all of this time, we can finish the project earlier.
Would you agree? If so, please read the attached guidance document and please give me input on how we should justify the request for prolongation for each remaining activity and deliverable.
Thank you.
Best, Gábor
Quote (sziklay.julia@naih.hu):
Dear David,
I kindly ask you to formulate and share with us your questions as soon as possible. Renata and I would stay at your disposal and for sure there would be no better time for discussion than now!
Julia
Quote (kulitsan.gabor@naih.hu):
Hi David,
Of course, I informed the PO that we would like to apply for project prolongation, including postponement of all activities and submission of deliverables, for 6 months. Let's see what she answers.
Best, Gábor
Quote (David Barnard-Wills David.Barnard-Wills@trilateralresearch.com):
Hi Julia, Gabor, Renata,
In addition to the prolongation, can we request to postpone the report on the statistical efficiency of the hotline too? We would need to have an in-depth conversation/discussion(s) with you at NAIH about analysing the data we do have, and adding value to what is in the reporting on the hotline. If you have no capacity for STAR II at the moment, then I don't see us as being able to deliver that this month.
Best wishes,
DBW
-----Original Message-----
From: star-bounces@listserv.vub.ac.be star-bounces@listserv.vub.ac.be On Behalf Of sziklay.julia@naih.hu
Sent: 17 March 2020 12:37
To: Lina JASMONTAITE Lina.Jasmontaite@vub.be
Cc: 'STAR' star@listserv.vub.ac.be
Subject: Re: [star] feedback on STAR II 4.1
Dear All,
Then all of us agree on requesting a 6 month prolongation. I kindly ask Gabor and Renata to proceed according to it.
Kind regards,
Julia
Quote (Lina JASMONTAITE Lina.Jasmontaite@vub.be):
> Dear Gabor,
>
> Thank you for sharing the reply from the PO. That's great news. I
> suggest that we accept the offer of 6 months as the situation
> remains uncertain and in case we don't need all of this time, we
> can finalise the project earlier.
>
> Best regards,
> Lina
>
> -----Original Message-----
> From: David Wright David.wright@trilateralresearch.com
> Sent: Tuesday, March 17, 2020 11:30 AM
> To: kulitsan.gabor@naih.hu; Lina JASMONTAITE
> Lina.Jasmontaite@vub.be
> Cc: 'STAR' star@listserv.vub.ac.be
> Subject: Re: [star] feedback on STAR II 4.1
>
> This seems a very good solution.
>
>
>
> On 17/03/2020, 10:21, "star-bounces@listserv.vub.ac.be on behalf
> of kulitsan.gabor@naih.hu" <star-bounces@listserv.vub.ac.be on
> behalf of kulitsan.gabor@naih.hu> wrote:
>
>
> Dear All,
>
> Response of the PO (see research portal - process communications)
>
> "Dear coordinator,
>
> Thank you for contacting us.
>
> In relation to your request, we are aware of the heavy circumstances
> our projects are facing due to current Coronavirus pandemic.
> Therefore, we are offering our projects to apply for project
> prolongation eg up until for 6 months (depending on justifications
> provided) and postponement of activities. There is also, in principle,
> the option of total suspension but, given that the suspension
> procedure is much heavier, we do recommend our projects to apply for
> prolongation instead. Please let me know which way would you like to
> proceed - amendment for prolongation, or still total suspension?
>
> Kind regards,
>
> Angeelika"
>
>
> If we accept the PO's recommendation and apply for project prolongation
> and postponement of activities, we still have to
> agree on the period of time. If we take this solution I think we
> should ask for at least 3 months since we have to organize two
> international workshops, and travelling in Europe is currently quite
> problematic and it's rather uncertain when the situation will change.
>
>
> Best,
> Gábor
>
>
> Quote (Lina JASMONTAITE Lina.Jasmontaite@vub.be):
>
> > Dear Julia and David,
> >
> > Thank you for your replies. Indeed, the end result of the extension
> > of the timeline or a temporary suspension would be rather similar –
> > the project would run longer.
> > After consulting internally our finance and legal departments,
> > however, we are of the opinion that less restrictive measures (i.e.,
> > extension of the timeline) would be more appropriate. This is also
> > the message that we sent to the PO.
> >
> > Best regards,
> > Lina
> >
> > From: Sziklay Júlia sziklay.julia@naih.hu
> > Sent: Monday, March 16, 2020 3:26 PM
> > To: Lina JASMONTAITE Lina.Jasmontaite@vub.be; David Barnard-Wills
> > david.barnard-wills@trilateralresearch.com; Leanne Cochrane
> > leanne.cochrane@trilateralresearch.com
> > Cc: 'STAR' star@listserv.vub.ac.be
> > Subject: RE: [star] feedback on STAR II 4.1
> >
> > Dear Colleagues,
> > I think both proposals can be reasonable but nevertheless with quite
> > the same effect: we will be stuck in the project till the end of a
> > prolonged deadline (presumably till autumn 2020 instead of July). I
> > am sure the Commission is working on the issue (the world epidemic
> > situation affects all the ongoing projects in general) so we shall
> > keep our dialogue going on.
> > Julia
> >
> > From: star-bounces@listserv.vub.ac.be
> > [mailto:star-bounces@listserv.vub.ac.be] On Behalf Of Lina JASMONTAITE
> > Sent: Monday, March 16, 2020 1:38 PM
> > To: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; Leanne Cochrane <leanne.cochrane@trilateralresearch.com>
> > Cc: STAR <star@listserv.vub.ac.be>
> > Subject: Re: [star] feedback on STAR II 4.1
> >
> > Dear David and Leanne,
> >
> > Could you please let us know your position on this situation?
> > Best regards,
> > Lina
> >
> > On 16 Mar 2020, at 11:39, Lina JASMONTAITE
> > <Lina.Jasmontaite@vub.be> wrote:
> >
> > Dear Gabor,
> >
> > I understand your point of view but I believe that all three
> > partners should have agreed to the suspension before sending a
> > request to the PO. Following my supervisor’s advice, VUB couldn’t
> > accept this proposal.
> > I am ok to discuss alternative solutions with the PO.
> > I will keep you and the TRI team posted via the mailing list.
> >
> > Best regards and stay safe,
> > Lina
> >
> > From: Kulitsán Gábor <kulitsan.gabor@naih.hu>
> > Sent: Monday, March 16, 2020 11:14 AM
> > To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>
> > Cc: 'STAR' <star@listserv.vub.ac.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu
> > Subject: RE: feedback on STAR II 4.1
> >
> > Dear Lina,
> >
> > And how should I ask for any extension if I don’t know any exact dates
> > or anything for sure?
> I think the suspension is better, indicating that the project would resume where it left off once the situation returns to normal or at least to something less serious. I already sent the message to the PO, but if you have any other idea, feel free to share with her via the portal adding the turn “on behalf of the coordinator”. I’m really sorry, but now I have neither time nor energy to act as a contact person. If you want, you can have the call as well, but I probably won’t be available. And no offense, but to be honest, currently the project is of least interest to me.
>
> Best,
> Gábor
>
> From: Lina JASMONTAITE [mailto:Lina.Jasmontaite@vub.be]
> Sent: Monday, March 16, 2020 10:58 AM
> To: Kulitsán Gábor <kulitsan.gabor@naih.hu>
> Cc: 'STAR' <star@listserv.vub.ac.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu
> Subject: RE: feedback on STAR II 4.1
>
> Dear Gabor,
>
> Thanks for your email. I am not sure what a suspension would mean in terms of financial implications for VUB, so at this point I think we should request an extension in these unforeseen circumstances rather than a suspension.
>
> While the situation is full of uncertainty and many of us need to adapt to it, we can still proceed further and work on deliverables for the project, apart from the workshop. We need to discuss a scenario with the PO what to do if the situation does not improve in upcoming weeks. If that is the case, perhaps, we should ask for the adjustment in the DOW and instead of a workshop to obtain feedback we could propose having an online consultation. This would of course affect our funding.
>
> I think we should still have a call if not this week, then a week after.
> Best regards,
> Lina
>
> From: Kulitsán Gábor <kulitsan.gabor@naih.hu>
> Sent: Monday, March 16, 2020 10:39 AM
> To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu
> Cc: 'STAR' <star@listserv.vub.ac.be>
> Subject: RE: feedback on STAR II 4.1
> Importance: High
>
> Dear Lina & All
>
> Due to the current situation I will ask the PO to temporarily suspend the project including all deadlines by reason of unforeseeable circumstances of force majeure. I’ll keep you updated.
>
> Secondly, I can’t make tomorrow’s call, but I don’t think that’s the most important thing now anyway.
>
> Best wishes, stay safe and take care of yourselves!
>
> Gábor
>
> From: Lina JASMONTAITE [mailto:Lina.Jasmontaite@vub.be]
> Sent: Friday, March 13, 2020 10:54 AM
> To: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
> Cc: 'STAR' <star@listserv.vub.ac.be>; nagy.renata@naih.hu
> Subject: RE: feedback on STAR II 4.1
>
> @David Barnard-Wills many thanks for sharing the extensive feedback. It’s much appreciated and we’ll implement it as soon as possible.
>
> @'Kulitsán Gábor' at the university we were receiving daily updates on the situation concerning the virus. For now all external events are cancelled until the end of April.
> In view of this, we can suggest rescheduling the event for a later date (probably to mid or late June) in the hope that by then the situation improves and we can host the event. This would consequently require more time to finalise the handbook for the final event and then July wouldn’t be a realistic date. My understanding is that we cannot ask for the extension of the project to the end of October/November because it is funded by the grant action. Could we, however, ask the PO for the cost of the final workshop as well as travelling to be eligible for the later date that would go beyond the lifetime of the project?
> Perhaps, before proceeding with the official communication, it would be possible to get in touch with the PO via a phone call, so we are aware of the position taken by the EC considering the current situation?
>
> Having a call on Tuesday works well for our team.
>
> Best regards,
> Lina
>
> From: David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com>
> Sent: Tuesday, March 10, 2020 4:22 PM
> To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
> Cc: 'STAR' <star@listserv.vub.ac.be>
> Subject: feedback on STAR II 4.1
>
> Dear all,
>
> First, I sincerely apologise for not getting this feedback to you earlier. I assume that D4.1 was submitted?
> On the positive side, this feedback can presumably be included in the final version of these deliverables.
>
> We got Alan Moore, one of our DPO team, with good practical expertise with various commercial clients to review the guidance document (You met him at the Brussels workshop). His feedback is below.
> Best wishes,
>
> DBW
>
> I have gone through the document and have a few suggestions:
>
> P7 Section 3.2 It can be suggested that to compensate for being awarded with limited enforcement powers…..
>
> I would hold they have significant powers beyond the ability to fine. Their powers to instruct controllers / processors to cease processing data, among others, can ultimately shut down a business without a fine being levied. To ignore these instructions can land a director in jail for up to 5 years!
>
> P8. DPAs The focus on standardisation and EDPB. Art 60 was an afterthought and the general view is that it cannot operate within the prescribed timelines. The ECJ will be the ultimate arbiter for standardisation of approaches / laws / requirements but each National Authority must be free to interpret facts presented in its own way. Their independence is anchored in the EU treaties. A complication that will eventually need to be addressed.
>
> P8. 3.3 Should be aware that translation into romance languages can carry a different connotation than was intended by the Directive and DPAs have a key role to explain the true intent / meaning.
>
> P9. 3.4 Typo in second paragraph.
> It also could be considered e the most
>
> P10. It appeared that most DPAs do not use internal guidance to direct….
> What has been the result of this? A key concern in the Irish DPC has been delivering a consistent message and not providing a different answer to the same or similar callers on different occasions.
>
> P11. 4 Unclear use of language - first paragraph
> This initiative allowed to be confirmed that
> It allowed to be obtained
>
> P11.4. Would stress the importance of standardisation of response
> & P12 4 Add ‘c’? Implement a control process to ensure standardisation of responses to similar questions / scenarios
>
> P13.
> 4.2 Might mention the concern that callers may have that showing their hand may trigger an investigation. Callers need to be reassured and encouraged to participate. Approaches do differ between different DPAs.
>
> P13. 4.2.1
> It was decided to create a dedicated part
> Following up on from this decision
>
> P15. 4.2.3
> I would stress the value of face to face more as context can be complicated and the caller is subject to information and power asymmetry.
>
> P16 4.5 last paragraph
> We are included inclined to
>
> P21 6.2 last paragraph
> DPAs across the EU have reported to engage that they have engaged in
>
> P22 6.3 4.5 last paragraph
> Slovic suggests that the following elements play a role when evaluating risk:
>
> 1. The degree to which an individual feels in control
> 2. The nature of consequences and the distribution of the impact
>
> P23 6.3 2nd paragraph
> Which is perceived ‘as the coordinated activities to direct and control an organisation with regard to risk’ 47 This is most practically evidenced by the development and maintaining of a formal risk register.
> (This risk section is very cerebral I fear and won’t help with the ‘how’)
>
> P23 6.3.1
> Typically, the risk based approach formula approach in the GDPR includes the following elements to be taken into account:
>
> * The state of the art in terms of technology for of the means of processing (state of the art needs to be explained – does not mean the best there is but rather the minimum expectable / expected)
>
> P24 6.3.2
> I would add a sentence or two on the benefits of undertaking a voluntary DPIA which include:
>
> * Documented understanding of how the system works
> * Known points of integration with other systems
> * Assigning accountability
> * Ensuring organisational standards (security / access etc) are being complied with
> * Demonstrated commitment to GDPR
> * General peace of mind / greater organisational resilience
>
> P24 6.3.5
> I would add a piece on keeping a formal risk register of risks to data subjects, separate from any organisation risk register of risks to the organisation, in which all risks are assigned an owner and a review date.
>
> P25 6.3.5 (b) What do SMEs need to do to be accountable?
>
> Second paragraph
> …that the principle of accountability as an elements of good
>
> P.26 first line
> … that the demonstration of compliance
>
> P.26 6.3.6 (b)
>
> * Implement data protection principles (see Article 5) and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects (see Chapter III) in an effective manner;
> * This should be done at the time of the determination of the means for processing and implemented before the time of the processing itself.
> (not that clear in the text.)
> P.27 6.3.6 (c)
> It should be noted that some DPAs, while not defining any technical or organisational measures, will nonetheless express an expectation, such as the Irish DPC in terms of the use of encryption whenever possible where personal data is at rest or in transit.
>
> P.28 6.3.7 (b) 2nd paragraph
> It is assumed that organisations will, however, benefit more from maintaining their documentation electronically as such documentation can they can easily added to, have entries removed when obsolete, and amend entries it as necessary. However paper documentation is regarded as being appropriate for SMEs and micro enterprises. It should be added that SMEs (entities having less than 250 employees) are technically exempt from this obligation if provided they are undertaking:
> • processing that is not likely to result in a risk to the rights and freedoms of data subjects;
> • processing that is not occasional (meaning that it is not regularly / frequently undertaken); or
> • processing that does not include special categories of data or personal data relating to criminal convictions and offences.
>
> In reality, very few SMEs can avail of this exemption unless they process very little data. Most SMEs will usually have some special category data as part of their HR files.
>
> They can be are available on the websites….
>
> P.29 6.3.8 (a) 2
> Large scale is not defined by the legislation though different DPAs have given some guidance relevant to different activities.
>
> For SMEs who provide services into other organisations, the voluntary appointment of an internal or outsourced DPO can provide commercial and strategic advantage by communicating a commitment to data protection and promoting higher levels of trust.
> P.29 6.3.8 (b)
>
> A DPO may either be an employee of the SME or an external expert, but in both cases, it is fundamental that he or she is independent, in the sense that:
> • the DPO shall be provided of with all the necessary resources to carry on his/her tasks, in terms of money, time, workforce, time to devote to professional development etc.;
> • the DPO shall not receive instructions for the exercise of his/her tasks;
> • the DPO shall not be dismissed or penalized for the performance of his/her tasks;
> • the DPO shall report to the highest level of management; and
> • the DPO should not be in have any conflict of interest in respect to other tasks and duties (e.g. determining objects and purposes of the processing, representing the SME in legal proceedings).
>
> P.30 6.3.8 (c)
> Tasks of DPOs:
> • Inform and advise the SME on the obligations arising from the GDPR and the national data protection provisions
> • Monitor the compliance of the SME with the GDPR, the national data protection provisions and (eventual) its internal data policies
> • Carry on awareness raising activities and training for the staff of the SME dealing with data processing
> • Provide advice to the SME and monitor the performance in relation to the DPIA (when a DPIA is required)
> • Act as contact point for the supervisory authority in case of prior consultation
> • Cooperate with the supervisory authority
> • Be contacted by data subjects willing wishing to exercise their rights
>
> DPOs cannot:
> • Be held accountable for the information and advice given to the SME (I do not agree with this. They are not accountable for whether their advice is implemented or not but they can be held accountable for being negligent)
> • Be considered personally responsible for non-compliance with data protection requirements
> • Perform the DPIA. Not true. There is no reason why a DPO cannot take the lead in undertaking a DPIA especially where the skills do not exist elsewhere in the organization, but the responsibility to ensure one is done remains with the Controller.
> • Represent the SME in front of the DPA or in a court in case of proceedings. Not quite so. The DPO remains the first point of contact for data subjects and the DPAs and may be called to account for advice / provide an explanation as to how data was processed based on their monitoring of processing activities.
> • Be considered responsible for the maintenance of the register. True but they are responsible for providing oversight as to whether it is maintained.
> • Simultaneously hold another position in the organization that helps define the means and purposes of processing of any personal data.
> • Create and maintain the register of processing (in the exceptional situations where SME are required to have it one). Not true, under Art 30 it is the responsibility of the Controller.
>
> P.31 6.3.9(a) Data Protection Impact Assessment
> (a) Background
> The DPIA is a new addition to the EU data protection framework. It builds on the rich experience of conducting impact assessments in other fields, in particular, on the environmental impact assessments. To be effective, impact assessments are carried out at the early stage of a project (proactive initiative), at the phase of planning or designing, and are aimed to identify and help mitigate anticipate the any potential beneficial and adverse (i.e. negative) impacts arising from the intended processing of personal data of such within the project.
> Impact assessments are risk based exercises that help decision-makers find the best and most beneficial solutions for the development and deployment of initiatives while protecting the rights and freedoms of data subjects. To be practical, impact assessments must be scalable, flexible and applicable inter alia for large organisations, consortia or for small and medium-sized enterprises. Any risks identified will be entered into the Data Protection Risk Register.
>
> P.32 6.3.9(c)
> (c) What are the elements and characteristics of the processing that may generate the high risks to rights and freedoms of individuals?
> The following elements that contribute to the high risks to data subjects from this provision were extracted by the
>
> (d) What situations could require a DPIA?
> Examples of processing operations that could trigger a DPIA:
> • If the SME is implementing a new tool to monitor access to office combining use of fingerprints and face facial recognition technology;
> • If the SME is a biotechnology company offering genetic tests directly to consumers in order to assess and predict the disease/health risks
> • If the SME is providing CCTV surveillance for a shopping centre or using a large number of cameras in their own premises
>
> (e) Who and when should perform a DPIA?
> Albeit the data processor and the data protection officer shall assist the data controller (i.e., SME), the final responsibility on for the DPIA process relies on rests with the data controller.
>
> (f) When is a DPIA is not required?
> • When the data processing operations are included in any list of data processing operations compiled by the DPA non which do not requiring a DPIA
>
> P.33 6.3.9(g)
> 4) Involve data subjects and/or their representatives, the data protection officer and any other expert (e.g. information security officer) and the data processor in the process, ideally in each phase of the assessment process. This consultation must be meaningful.
>
> P.33 6.3.9(h)
> (h) When a new (revised) DPIA is required?
> A new (i.e. revised version of) DPIA could be required if the risks resulting from the processing operations are to change, for example because a new technology is to be has been introduced, a new processor is to be engaged under contract, or because personal data is being to be used for a different purpose
>
> In that case, the review of the risk analysis made can show that the performance of a DPIA is no longer required.
>
> P.34 6.3.10(b)
> (b) How the security obligation is related to other provisions?
> This obligation also requires the controller wishing to engage a processor under contract to undertake due diligence and assess whether the guarantees offered by the data processor, in this case the cloud service provider, are sufficient. A controller must only engage such a processor where they have faith in their ability to comply with the obligations under GDPR. During this process, the controller may take into account whether the processor provides adequate documentation proving compliance with data protection principles that could be found in privacy policies, records management policies, information security policies, external audit reports, certifications and similar documentation. The controller in particular should take into account the processor’s expert knowledge (e.g. technical expertise when dealing with data breaches and security measures), reliability and its resources. A site visit may also be necessary.
> After carrying out the due diligence process, the controller should be able to take a decision with sufficient evidence demonstrating that the processor is suitable; it can then enter into a binding arrangement. It should be added that this due diligence process is not a one-time effort. and it needs to be regularly repeated in order The controller will have an ongoing obligation to check whether the processor is compliant and meeting their obligations either by auditing using their own staff or a trusted third party. When outsourcing the processing of personal data (e.g. for the provision of technical assistance or cloud services), the controller should must conclude a contract, another legal act or binding arrangement with the other entity already setting out clear and precise data protection obligations and the nature of processing in a detailed data processing agreement.
>
> P.35 6.3.10(c)
> An information security policy foreseeing the role of each user and the required permission levels (access control) appropriate to the role which minimises access to only that data necessary for that role. This includes the system administrator accounts is as an example of an appropriate organisational measure.
>
> P.35 6.3.10(d) What technical security measures can a SME take?
> Technical measures must therefore include both physical and computer or IT security.
> When considering cybersecurity, you should look at factors such as:
> • system security – the security of your network and information systems, including especially those which process personal data;
> • data security – the security of the data you hold within your systems, e.g., ensuring appropriate access controls are in place and that data is held securely through the use of suitable levels of encryption;
>
> P.36 6.3.10(e)
> Would add:
> Where Special Category Data is processed (such as health data) or personal data relating to minors, higher levels of security will be expected to be implemented and documented.
>
> P.36 6.3.11
> This section should start with the definition of what is meant by a breach and explain the difference between an incident and a breach. It is confusing otherwise.
>
> P.37 6.3.11(b)
> Consequently, this means that the controller must have an internal procedures defined, tested and documented allowing to confirm to appropriately identify and handle any breach of security concerning personal data.
>
> In an ideal scenario, an information incident response policy should precede be in place before processing of personal data begins so that any the occurrence of an incident so that it could be used should a data breach take place.
>
> P.37 6.3.11(d)
> Would add a final paragraph.
> As GDPR is maturing, different DPAs are expressing different thresholds for the reporting of breaches. Where originally there was a fear of over reporting, the DPC in Ireland has requested a breach be reported when there is any risk identified to the data subject. This allows the Commission to identify trends and to have confidence that controllers are identifying the minor breaches and thus are able to identify the more serious breaches should they arise.
>
> I hope you find this useful.
> Alan
>
> From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE
> Sent: 28 February 2020 13:09
> To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
> Cc: 'STAR' <star@listserv.vub.ac.be>
> Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
>
> Dear Renata and Gabor,
>
> Here comes D4.1 with both parts now included. We made further minor edits to Part A.
> We believe that the pdf version can be submitted.
> We look forward to your comments on Part B, which unfortunately comes a bit later than planned.
>
> Best regards,
> Lina
>
> From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE
> Sent: Friday, February 28, 2020 8:45 AM
> To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
> Cc: 'STAR' <star@listserv.vub.ac.be>
> Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
>
> Dear Renata and Gabor,
>
> Thank you for your additions and edits.
> The document to be submitted to the EC will reach you shortly after noon.
> Best regards,
> Lina
>
> From: nagy.renata@naih.hu <nagy.renata@naih.hu>
> Sent: Thursday, February 27, 2020 4:31 PM
> To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
> Cc: 'STAR' <star@listserv.vub.ac.be>
> Subject: RE: STAR II - Update on EDPB and validation workshop?
>
> Dear Lina!
> Dear All!
>
> Thank you for sharing the restructured version of the guidance for DPAs. We only added minor additions/corrections. We confirm that the yellow parts are accurate.
>
> We are looking forward to the handbook (the submission deadline is 29.02.2020)
>
> Best regards,
>
> Renáta
>
> From: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>
> Sent: Thursday, February 20, 2020 10:32 AM
> To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
> Cc: 'STAR' <star@listserv.vub.ac.be>
> Subject: RE: STAR II - Update on EDPB and validation workshop?
>
> Dear Renata and Gabor,
>
> Once again, thank you for preparing a revised version of the guidance for DPAs. We reviewed it and now enclose an improved version of it.
> It includes nearly all of your report (see the document you shared; we marked in yellow parts that were used). However, the current version is restructured, rephrased and embedded in a wider context of DPAs’ awareness raising duties. We also extracted recommendations from your report and developed a graph presenting these recommendations.
> There are two parts marked in yellow that need to be checked for accuracy. Perhaps, you will want to add some other clarifications in the text.
> In particular, further additions could be made to the concluding remarks part.
> As we provided contributions to the initial text, we would like to be considered co-authors of this guidance. What do you think about this?
>
> The part B – the handbook for SMEs – is on its way.
>
> Best regards,
> Lina
>
> From: nagy.renata@naih.hu <nagy.renata@naih.hu>
> Sent: Tuesday, January 28, 2020 4:16 PM
> To: 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>; Leanne Cochrane <leanne.cochrane@trilateralresearch.com>
> Cc: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.com>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' <sziklay.julia@naih.hu>
> Subject: RE: STAR II - Update on EDPB and validation workshop?
>
> Dear All!
>
> Please, find enclosed the updated version of the guidance.
> Best,
>
> Renáta
>
> From: Kulitsán Gábor <kulitsan.gabor@naih.hu>
> Sent: Tuesday, January 28, 2020 10:09 AM
> To: 'Leanne Cochrane' <leanne.cochrane@trilateralresearch.com>
> Cc: 'David Barnard-Wills' <David.Barnard-Wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.hu>; 'Lina JASMONTAITE' <Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' <sziklay.julia@naih.hu>
> Subject: RE: STAR II - Update on EDPB and validation workshop?
>
> Hi Leanne,
>
> Thanks for the update on the newsletter.
>
> Regarding the upcoming events:
>
> * The plan is to present the drafts of the guidance and the handbook at the EDPB plenary in February. However, as this is scheduled for 18-19 February, we can only do this if the drafts are ready by then. Renáta will circulate the updated version of the guidance soon. As for the other document (handbook), Lina can provide further information.
> * I have no further information on the validation workshop planned for March-April 2020.
> Best,
> Gábor
>
> From: Leanne Cochrane [mailto:leanne.cochrane@trilateralresearch.com]
> Sent: Monday, January 27, 2020 6:25 PM
> To: Kulitsán Gábor <kulitsan.gabor@naih.hu>
> Cc: David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com>; Corinna Pannofino <Corinna.Pannofino@trilateralresearch.com>; Angelo Napolano <Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.hu>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; Sziklay Júlia <sziklay.julia@naih.hu>
> Subject: STAR II - Update on EDPB and validation workshop?
>
> Hi Gabor,
>
> I hope you are keeping well.
>
> Our dissemination team is preparing to send out the STAR II newsletter we mentioned on our previous calls. It will be sent out this Thursday with links to the approved deliverables and some blogs. We are also including a section on upcoming events and I wanted to check with NAIH if we had any further information on the following two events:
>
> * A presentation by NAIH to the EDPB on the STAR II project planned for the February EDPB plenary (18th-19th) in Brussels.
> * A Validation workshop for the STAR II outputs, namely 'A Risk Focused Handbook for SMEs' and a 'Guidance for DPAs' planned for March-April 2020 in Brussels.
> Can I just check this information is still current and there is nothing more specific we can add at this stage?
>
> I would be grateful if you can cc all in the reply as I am off tomorrow and the dissemination team are in need of the confirmation.
> Thanks and best wishes,
> Leanne
>
> Leanne Cochrane
>
> Senior Research Analyst | Policy, Ethics and Emerging Technologies Team
>
> leanne.cochrane@trilateralresearch.com
>
> www.trilateralresearch.com
>
> Mobile: +44 (0) 7545 955 242
>
> Skype: @ljcochrane
>
> _______________________________________________
> STAR mailing list
> STAR@listserv.vub.ac.be
> https://listserv.vub.ac.be/mailman/listinfo/star
Hi Julia,
Sure. Please see the attached document for questions about the hotline.
Best wishes, DBW
-----Original Message----- From: sziklay.julia@naih.hu Sent: 18 March 2020 13:32 To: kulitsan.gabor@naih.hu Cc: 'STAR' star@listserv.vub.ac.be; Lina JASMONTAITE Lina.Jasmontaite@vub.be; David Barnard-Wills David.Barnard-Wills@trilateralresearch.com Subject: Re: [star] feedback on STAR II 4.1
Dear David, I kindly ask you to formulate and share with us your questions as soon as possible. Renata and I would stay at your disposal and for sure there would be no better time for discussion than now! Julia Quoting (kulitsan.gabor@naih.hu):
Hi David,
Of course, I informed the PO that we would like to apply for project prolongation, including postponement of all activities and submission of deliverables, for 6 months. Let's see what she answers.
Best, Gábor
Quoting (David Barnard-Wills David.Barnard-Wills@trilateralresearch.com):
Hi Julia, Gabor, Renata,
In addition to the prolongation, can we request to postpone the report on the statistical efficiency of the hotline too? We would need to have an in-depth conversation/discussion(s) with you at NAIH about analysing the data we do have, and adding value to what is in the reporting on the hotline. If you have no capacity for STAR II at the moment, then I don't see us as being able to deliver that this month.
Best wishes,
DBW
-----Original Message----- From: star-bounces@listserv.vub.ac.be On Behalf Of sziklay.julia@naih.hu Sent: 17 March 2020 12:37 To: Lina JASMONTAITE Lina.Jasmontaite@vub.be Cc: 'STAR' star@listserv.vub.ac.be Subject: Re: [star] feedback on STAR II 4.1
Dear All, then all of us agree on requesting a 6 month prolongation. I kindly ask Gabor and Renata to proceed accordingly. Kind regards, Julia Quoting (Lina JASMONTAITE Lina.Jasmontaite@vub.be):
Dear Gabor,
Thank you for sharing the reply from the PO. That's great news. I suggest that we accept the offer of 6 months as the situation remains uncertain and in case we don't need all of this time, we can finalise the project earlier.
Best regards, Lina
-----Original Message----- From: David Wright David.wright@trilateralresearch.com Sent: Tuesday, March 17, 2020 11:30 AM To: kulitsan.gabor@naih.hu; Lina JASMONTAITE Lina.Jasmontaite@vub.be Cc: 'STAR' star@listserv.vub.ac.be Subject: Re: [star] feedback on STAR II 4.1
This seems a very good solution.
On 17/03/2020, 10:21, "star-bounces@listserv.vub.ac.be on behalf of kulitsan.gabor@naih.hu" wrote:
Dear All,
Response of the PO (see research portal - process communications)
"Dear coordinator,
Thank you for contacting us.
In relation to your request, we are aware of the heavy circumstances our projects are facing due to the current Coronavirus pandemic. Therefore, we are offering our projects to apply for project prolongation, e.g. for up to 6 months (depending on justifications provided) and postponement of activities. There is also, in principle, the option of total suspension but, given that the suspension procedure is much heavier, we do recommend our projects to apply for prolongation instead. Please let me know which way you would like to proceed - amendment for prolongation, or still total suspension?
Kind regards,
Angeelika"
If we accept the PO's recommendation and apply for project prolongation and postponement of activities, we still have to agree on the period of time. If we take this solution I think we should ask for at least 3 months since we have to organize two international workshops, and travelling in Europe is currently quite problematic and it's rather uncertain when the situation will change.
Best, Gábor
Quoting (Lina JASMONTAITE Lina.Jasmontaite@vub.be):
Dear Julia and David,
Thank you for your replies. Indeed, the end result of the extension of the timeline or a temporary suspension would be rather similar – the project would run longer. After consulting internally our finance and legal departments, however, we are of the opinion that less restrictive measures (i.e., extension of the timeline) would be more appropriate. This is also the message that we sent to the PO.
Best regards, Lina
From: Sziklay Júlia sziklay.julia@naih.hu Sent: Monday, March 16, 2020 3:26 PM To: Lina JASMONTAITE Lina.Jasmontaite@vub.be; David Barnard-Wills david.barnard-wills@trilateralresearch.com; Leanne Cochrane leanne.cochrane@trilateralresearch.com Cc: 'STAR' star@listserv.vub.ac.be Subject: RE: [star] feedback on STAR II 4.1
Dear Colleagues, I think both proposals can be reasonable but nevertheless with quite the same effect: we will be stuck in the project till the end of a prolonged deadline (presumably till autumn 2020 instead of July). I am sure the Commission is working on the issue (the world epidemic situation affects all the ongoing projects in general) so we shall keep our dialogue going on. Julia
From: star-bounces@listserv.vub.ac.be [mailto:star-bounces@listserv.vub.ac.be] On Behalf Of Lina JASMONTAITE Sent: Monday, March 16, 2020 1:38 PM To: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; Leanne Cochrane <leanne.cochrane@trilateralresearch.com> Cc: STAR <star@listserv.vub.ac.be> Subject: Re: [star] feedback on STAR II 4.1
Dear David and Leanne,
Could you please let us know your position on this situation? Best regards, Lina
On 16 Mar 2020, at 11:39, Lina JASMONTAITE <Lina.Jasmontaite@vub.be> wrote:
Dear Gabor,
I understand your point of view but I believe that all three partners should have agreed to the suspension before sending a request to the PO. Following my supervisor’s advice, VUB couldn’t accept this proposal. I am ok to discuss alternative solutions with the PO. I will keep you and TRI team posted via the mailing list.
Best regards and stay safe, Lina
From: Kulitsán Gábor <kulitsan.gabor@naih.hu> Sent: Monday, March 16, 2020 11:14 AM To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be> Cc: 'STAR' <star@listserv.vub.ac.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu Subject: RE: feedback on STAR II 4.1
Dear Lina,
And how should I ask for any extension if I don't know any exact dates or anything for sure? I think the suspension is better, indicating that the project would resume where it left off once the situation returns to normal or at least to less serious. I already sent the message to the PO, but if you have any other idea, feel free to share it with her via the portal adding the turn "on behalf of the coordinator". I'm really sorry, but now I have neither time nor energy to act as a contact person. If you want, you can have the call as well, but I probably won't be available. And no offense, but to be honest, currently the project is of least interest to me.
Best, Gábor
From: Lina JASMONTAITE [mailto:Lina.Jasmontaite@vub.be] Sent: Monday, March 16, 2020 10:58 AM To: Kulitsán Gábor <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu Subject: RE: feedback on STAR II 4.1
Dear Gabor,
Thanks for your email. I am not sure what a suspension would mean in terms of financial implications for VUB, so at this point I think we should request an extension in these unforeseen circumstances rather than a suspension.
While the situation is full of uncertainty and many of us need to adapt to it, we can still proceed further and work on deliverables for the project, apart from the workshop. We need to discuss with the PO a scenario for what to do if the situation does not improve in the upcoming weeks. If that is the case, perhaps we should ask for an adjustment in the DOW and, instead of a workshop to obtain feedback, we could propose having an online consultation. This would of course affect our funding.
I think we should still have a call, if not this week, then a week after.
Best regards, Lina
From: Kulitsán Gábor <kulitsan.gabor@naih.hu> Sent: Monday, March 16, 2020 10:39 AM To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu Cc: 'STAR' <star@listserv.vub.ac.be> Subject: RE: feedback on STAR II 4.1 Importance: High
Dear Lina & All
Due to the current situation I will ask the PO to temporarily suspend the project including all deadlines by reason of unforeseeable circumstances of force majeure. I’ll keep you updated.
Secondly, I can’t make tomorrow’s call, but I don’t think that’s the most important thing now anyway.
Best wishes, stay safe and take care of yourselves!
Gábor
From: Lina JASMONTAITE [mailto:Lina.Jasmontaite@vub.be] Sent: Friday, March 13, 2020 10:54 AM To: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be>; nagy.renata@naih.hu Subject: RE: feedback on STAR II 4.1
@David Barnard-Wills many thanks for sharing the extensive feedback. It's much appreciated and we'll implement it as soon as possible.
@Kulitsán Gábor at the university we were receiving daily updates on the situation concerning the virus. For now all external events are cancelled until the end of April. In view of this, we can suggest rescheduling the event for a later date (probably mid or late June) in the hope that by then the situation improves and we can host the event. This would consequently require more time to finalise the handbook for the final event, and then July wouldn't be a realistic date. My understanding is that we cannot ask for the extension of the project to the end of October/November because it is funded by the grant action. Could we however ask the PO for the cost of the final workshop, as well as travelling, to be eligible for a later date that would go beyond the lifetime of the project? Perhaps, before proceeding with the official communication, it would be possible to get in touch with the PO via a phone call, so we are aware of the position taken by the EC considering the current situation?
Having a call on Tuesday works well for our team.
Best regards, Lina
From: David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com> Sent: Tuesday, March 10, 2020 4:22 PM To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: feedback on STAR II 4.1
Dear all,
First, I sincerely apologise for not getting this feedback to you earlier. I assume that D4.1 was submitted? On the positive side, this feedback can presumably be included in the final version of these deliverables.
We got Alan Moore, one of our DPO team, with good practical expertise with various commercial clients to review the guidance document (You met him at the Brussels workshop). His feedback is below.
Best wishes,
DBW
I have gone through the document and have a few suggestions:
P7 Section 3.2 It can be suggested that to compensate for being awarded with limited enforcement powers…..
I would hold they have significant powers beyond the ability to fine. Their powers to instruct controllers / processors to cease processing data, among others, can ultimately shut down a business without a fine being levied. To ignore these instructions can land a director in jail for up to 5 years!
P8. DPAs The focus on standardisation and EDPB. Art 60 was an afterthought and the general view is that it cannot operate within the prescribed timelines. The ECJ will be the ultimate arbiter for standardisation of approaches / laws / requirements but each National Authority must be free to interpret facts presented in its own way. Their independence is anchored in the EU treaties. A complication that will eventually need to be addressed.
P8. 3.3 Should be aware that translation into Romance languages can carry a different connotation than was intended by the Directive and DPAs have a key role to explain the true intent / meaning.
P9. 3.4 Typo in second paragraph. It also could be considered e the most
P10. It appeared that most DPAs do not use internal guidance to direct….
What has been the result of this? A key concern in the Irish DPC has been delivering a consistent message and not providing a different answer to the same or similar callers on different occasions.
P11. 4 Unclear use of language - first paragraph This initiative allowed to be confirmed that It allowed to be obtained
P11.4. Would stress the importance of standardisation of response & P12 4 Add ‘c’? Implement a control process to ensure standardisation of responses to similar questions / scenarios
P13. 4.2 Might mention the concern that callers may have that showing their hand may trigger an investigation. Callers need to be reassured and encouraged to participate. Approaches do differ between different DPAs.
P13. 4.2.1 It was decided to create a dedicated part Following up on from this decision
P15. 4.2.3 I would stress the value of face-to-face more, as context can be complicated and the caller is subject to information and power asymmetry.
P16 4.5 last paragraph We are included inclined to
P21 6.2 last paragraph DPAs across the EU have reported to engage that they have engaged in
P22 6.3 4.5 last paragraph Slovic suggests that the following elements play a role when evaluating risk:
- The degree to which an individual feels in control
- The nature of consequences and the distribution of the impact
P23 6.3 2nd paragraph Which is perceived ‘as the coordinated activities to direct and control an organisation with regard to risk’ 47 This is most practically evidenced by the development and maintaining of a formal risk register.
(This risk section is very cerebral I fear and won't help with the 'how')
P23 6.3.1 Typically, the risk based approach formula approach in the GDPR includes the following elements to be taken into account:
- The state of the art in terms of technology for of the means of processing (state of the art needs to be explained – does not mean the best there is but rather the minimum expectable / expected)
P24 6.3.2 I would add a sentence or two on the benefits of undertaking a voluntary DPIA, which include:
- Documented understanding of how the system works
- Known points of integration with other systems
- Assigning accountability
- Ensuring organisational standards (security / access etc) are being complied with
- Demonstrated commitment to GDPR
- General peace of mind / greater organisational resilience
P24 6.3.5 I would add a piece on keeping a formal risk register of risks to data subjects, separate from any organisation risk register of risks to the organisation, in which all risks are assigned an owner and a review date.
P25 6.3.5 (b) What does SMEs need to do to be accountable?
Second paragraph …that the principle of accountability as an elements of good
P.26 first line … that the demonstration of compliance
P.26 6.3.6 (b)
- Implement data protection principles (see Article 5) and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects (see Chapter III) in an effective manner;
- This should done at the time of the determination of the means for processing and implemented before the time of the processing itself. (not that clear in the text.)
P.27 6.3.6 (c) It should be noted that some DPAs, while not defining any technical or organisational measures, will nonetheless express an expectation, such as the Irish DPC in terms of the use of encryption whenever possible where personal data is at rest or in transit.
P.28 6.3.7 (b) 2nd paragraph It is assumed that organisations will, however, benefit more from maintaining their documentation electronically as such documentation can they can easily added to, have entries removed when obsolete, and amend entries it as necessary. However paper documentation is regarded as being appropriate for SMEs and micro enterprises. It should be added that SMEs (entities having less than 250 employees) are technically exempt from this obligation if provided they are undertaking: • processing that is not likely to result in a risk to the rights and freedoms of data subjects; • processing that is not occasional (meaning that it is not regularly / frequently undertaken); or • processing that does not include special categories of data or personal data relating to criminal convictions and offences.
In reality, very few SMEs can avail of this exemption unless they process very little data. Most SMEs will usually have some special category data as part of their HR files.
They can be are available on the websites….
P.29 6.3.8 (a) 2 Large scale is not defined by the legislation though different DPAs have given some guidance relevant to different activities.
For SMEs who provide services into other organisations, the voluntary appointment of an internal or outsourced DPO can provide commercial and strategic advantage by communicating a commitment to data protection and promoting higher levels of trust.
P.29 6.3.8 (b)
A DPO may either be an employee of the SME or an external expert, but in both cases, it is fundamental that he or she is independent, in the sense that: • the DPO shall be provided of with all the necessary resources to carry on his/her tasks, in terms of money, time, workforce, time to devote to professional development etc.; • the DPO shall not receive instructions for the exercise of his/her tasks; • the DPO shall not be dismissed or penalized for the performance of his/her tasks; • the DPO shall report to the highest level of management; and
• the DPO should not be in have any conflict of interest in respect to other tasks and duties (e.g. determining objects and purposes of the processing, representing the SME in legal proceeding).
P.30 6.3.8 (c) Task of DPOs (table; my comments in parentheses)
DPOs can:
- Inform and advise the SME on the obligations arising from the GDPR and the national data protection provisions
- Monitor the compliance of the SME with the GDPR, the national data protection provisions and (eventual) its internal data policies
- Carry on awareness raising activities and training for the staff of the SME dealing with data processing
- Provide advice to the SME and monitor the performance in relation to the DPIA (when a DPIA is required)
- Act as contact point for the supervisory authority in case of prior consultation
- Cooperate with the supervisory authority
- Be contacted by data subjects willing wishing to exercise their rights
- Create and maintain the register of processing (in the exceptional situations where SME are required to have it one) (Not true, under Art 30 it is the responsibility of the Controller)
DPOs cannot:
- Be held accountable for the information and advice given to the SME (I do not agree with this. They are not accountable for whether their advice is implemented or not but they can be held accountable for being negligent)
- Be considered personally responsible for non-compliance with data protection requirements
- Perform the DPIA (Not true. There is no reason why a DPO cannot take the lead in undertaking a DPIA especially where the skills do not exist elsewhere in the organization, but the responsibility to ensure one is done remains with the Controller)
- Represent the SME in front of the DPA or in a court in case of proceedings (Not quite so. The DPO remains the first point of contact for data subjects and the DPAs and may be called to account for advice / provide an explanation as to how data was processed based on their monitoring of processing activities)
- Be considered responsible for the maintenance of the register (True but they are responsible for providing oversight as to whether it is maintained)
- Simultaneously hold another position in the organization that helps define the means and purposes of processing of any personal data
P.31 6.3.9(a) Data Protection Impact Assessment (a) Background The DPIA is a new addition to the EU data protection framework. It builds on the rich experience of conducting impact assessments in other fields, in particular, on the environmental impact assessments. To be effective, impact assessments are carried out at the early stage of a project (proactive initiative), at the phase of planning or designing, and are aimed to identify and help mitigate anticipate the any potential beneficial and adverse (i.e. negative) impacts arising from the intended processing of personal data of such within the project. Impact assessments are risk based exercises that help decision-makers find the best and most beneficial solutions for the development and deployment of initiatives while protecting the rights and freedoms of data subjects. To be practical, impact assessments must be scalable, flexible and applicable inter alia for large organisations, consortia or for small and medium-sized enterprises. Any risks identified will be entered into the Data Protection Risk Register.
P.32 6.3.9(c) (c) What are the elements and characteristics of the processing that may generate the high risks to rights and freedoms of individuals? The following elements that contribute to the high risks to data subjects from this provision were extracted by the
(d) What situations could require a DPIA? Examples of processing operations that could trigger a DPIA: • If the SME is implementing a new tool to monitor access to office combining use of fingerprints and face facial recognition technology; • If the SME is a biotechnology company offering genetic tests directly to consumers in order to assess and predict the disease/health risks • If the SME is providing CCTV surveillance for a shopping centre or using a large number of cameras in their own premises
(e) Who and when should perform a DPIA? Albeit the data processor and the data protection officer shall assist the data controller (i.e., SME), the final responsibility on for the DPIA process relies on rests with the data controller.
(f) When is a DPIA is not required? • When the data processing operations are included in any list of data processing operations compiled by the DPA non which do not requiring a DPIA
P.33 6.3.9(g) 4) Involve data subjects and/or their representatives, the data protection officer and any other expert (e.g. information security officer) and the data processor in the process, ideally in each phase of the assessment process. This consultation must be meaningful.
P.33 6.3.9(h) (h) When a new (revised) DPIA is required? A new (i.e. revised version of) DPIA could be required if the risks resulting from the processing operations are to change, for example because a new technology is to be has been introduced, a new processor is to be engaged under contract, or because personal data is being to be used for a different purpose
In that case, the review of the risk analysis made can show that the performance of a DPIA is no longer required.
P.34 6.3.10(b) (b) How the security obligation is related to other provisions?
This obligation also requires the controller wishing to engage a processor under contract to undertake due diligence and assess whether the guarantees offered by the data processor, in this case the cloud service provider, are sufficient. A controller must only engage such a processor where they have faith in their ability to comply with the obligations under GDPR. During this process, the controller may take into account whether the processor provides adequate documentation proving compliance with data protection principles that could be found in privacy policies, records management policies, information security policies, external audit reports, certifications and similar documentation. The controller in particular should take into account the processor’s expert knowledge (e.g. technical expertise when dealing with data breaches and security measures), reliability and its resources. A site visit may also be necessary. After carrying out the due diligence process, the controller should be able to take a decision with sufficient evidence demonstrating that the processor is suitable, it can then enter into a binding arrangement. It should be added that this due diligence process is not a one-time effort. and it needs to be regularly repeated in order The controller will have an ongoing obligation to check whether the processor is compliant and meeting their obligations either by auditing using their own staff or a trusted third party. When outsourcing the processing of personal data (e.g. for the provision of technical assistance or cloud services), the controller should must conclude a contract, another legal act or binding arrangement with the other entity already setting out clear and precise data protection obligations and the nature of processing in a detailed data processing agreement.
P.35 6.3.10(c) An information security policy foreseeing the role of each user and the required permission levels (access control) appropriate to the role which minimises access to only that data necessary for that role. This includes the system administrator accounts is as an example of an appropriate organisational measure.
P.35 6.3.10(d) What technical security measures can a SME take? Technical measures must therefore include both physical and computer or IT security.
When considering cybersecurity, you should look at factors such as: • system security – the security of your network and information systems, including especially those which process personal data; • data security – the security of the data you hold within your systems, e.g., ensuring appropriate access controls are in place and that data is held securely through the use of suitable levels of encryption;
P.36 6.3.10(e) Would add: Where Special Category Data is processed (such as health data) or personal data relating to minors, higher levels of security will be expected to be implemented and documented.
P.36 6.3.11 This section should start with the definition of what is meant by a breach and explain the difference between an incident and a breach. It is confusing otherwise.
P.37 6.3.11(b) Consequently, this means that the controller must have an internal procedures defined, tested and documented allowing to confirm to appropriately identify and handle any breach of security concerning personal data.
In an ideal scenario, an information incident response policy should precede be in place before processing of personal data begins so that any the occurrence of an incident so that it could be used should a data breach take place.
P.37 6.3.11(d) Would add a final paragraph. As GDPR is maturing, different DPAs are expressing different thresholds for the reporting of breaches. Where originally there was a fear of over reporting, the DPC in Ireland has requested a breach be reported when there is any risk identified to the data subject. This allows the Commission to identify trends and to have confidence that controllers are identifying the minor breaches and thus are able to identify the more serious breaches should they arise.
I hope you find this useful.
Alan
From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE Sent: 28 February 2020 13:09 To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Here comes D4.1 with both parts now included. We made further minor edits to Part A. We believe that the pdf version can be submitted. We look forward to your comments on Part B, which unfortunately comes a bit later than planned.
Best regards, Lina
From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE Sent: Friday, February 28, 2020 8:45 AM To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Thank you for your additions and edits. The document to be submitted to the EC will reach you shortly after noon.
Best regards, Lina
From: nagy.renata@naih.hu <nagy.renata@naih.hu> Sent: Thursday, February 27, 2020 4:31 PM To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear Lina! Dear All!
Thank you for sharing the restructured version of the guidance for DPAs. We only added minor additions/corrections. We confirm that the yellow parts are accurate.
We are looking forward to the handbook (the submission deadline is 29.02.2020)
Best regards,
Renáta
From: Lina JASMONTAITE <Lina.Jasmontaite@vub.be> Sent: Thursday, February 20, 2020 10:32 AM To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.be> Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Once again, thank you for preparing a revised version of the guidance for DPAs. We reviewed it and now enclose an improved version of it. It includes nearly all of your report (see the document you shared; we marked in yellow the parts that were used). However, the current version is restructured, rephrased and embedded in a wider context of DPAs' awareness raising duties. We also extracted recommendations from your report and developed a graph presenting these recommendations. There are two parts marked in yellow that need to be checked for accuracy. Perhaps you will want to add some other clarifications in the text. In particular, further additions could be made to the concluding remarks part. As we provided contributions to the initial text, we would like to be considered co-authors of this guidance. What do you think about this?
Part B – the handbook for SMEs – is on its way.
Best regards, Lina
From: nagy.renata@naih.hu <nagy.renata@naih.hu> Sent: Tuesday, January 28, 2020 4:16 PM To: 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>; Leanne Cochrane <leanne.cochrane@trilateralresearch.com> Cc: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.com>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' <sziklay.julia@naih.hu> Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear All!
Please, find enclosed the updated version of the guidance.
Best,
Renáta
From: Kulitsán Gábor <kulitsan.gabor@naih.hu>
Sent: Tuesday, January 28, 2020 10:09 AM
To: 'Leanne Cochrane' <leanne.cochrane@trilateralresearch.com>
Cc: 'David Barnard-Wills' <David.Barnard-Wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.hu>; 'Lina JASMONTAITE' <Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' <sziklay.julia@naih.hu>
Subject: RE: STAR II - Update on EDPB and validation workshop?
Hi Leanne,
Thanks for the update on the newsletter.
Regarding the upcoming events:
- The plan is to present the drafts of the guidance and the handbook at the EDPB plenary in February. However, as this is scheduled for 18-19 February, we can only do this if the drafts are ready by then. Renáta will circulate the updated version of the guidance soon. As for the other document (handbook), Lina can provide further information.
- I have no further information on the validation workshop planned for March-April 2020.
Best, Gábor
From: Leanne Cochrane <leanne.cochrane@trilateralresearch.com>
Sent: Monday, January 27, 2020 6:25 PM
To: Kulitsán Gábor <kulitsan.gabor@naih.hu>
Cc: David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com>; Corinna Pannofino <Corinna.Pannofino@trilateralresearch.com>; Angelo Napolano <Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.hu>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; Sziklay Júlia <sziklay.julia@naih.hu>
Subject: STAR II - Update on EDPB and validation workshop?
Hi Gabor,
I hope you are keeping well.
Our dissemination team is preparing to send out the STAR II newsletter we mentioned on our previous calls. It will be sent out this Thursday with links to the approved deliverables and some blogs. We are also including a section on upcoming events and I wanted to check with NAIH if we had any further information on the following two events:
- A presentation by NAIH to the EDPB on the STAR II project planned for the February EDPB plenary (18th-19th) in Brussels.
- A Validation workshop for the STAR II outputs, namely 'A Risk Focused Handbook for SMEs' and a 'Guidance for DPAs', planned for March-April 2020 in Brussels.
Can I just check this information is still current and there is nothing more specific we can add at this stage?
I would be grateful if you can cc all in the reply as I am off tomorrow and the dissemination team are in need of the confirmation.
Thanks and best wishes, Leanne
Leanne Cochrane
Senior Research Analyst | Policy, Ethics and Emerging Technologies Team
leanne.cochrane@trilateralresearch.com
www.trilateralresearch.com
Mobile: +44 (0) 7545 955 242
Skype: @ljcochrane
STAR mailing list STAR@listserv.vub.ac.be https://listserv.vub.ac.be/mailman/listinfo/star
Dear Lina, Gabor,
We would find a suspension acceptable under the current circumstances.
Best wishes,
DBW
From: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>
Sent: 16 March 2020 12:38
To: David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com>; Leanne Cochrane <leanne.cochrane@trilateralresearch.com>
Cc: STAR <star@listserv.vub.ac.be>; nagy.renata@naih.hu; Kulitsán Gábor <kulitsan.gabor@naih.hu>
Subject: Re: feedback on STAR II 4.1
Dear David and Leanne,
Could you please let us know your position on this situation? Best regards, Lina
On 16 Mar 2020, at 11:39, Lina JASMONTAITE <Lina.Jasmontaite@vub.be> wrote:
Dear Gabor,
I understand your point of view but I believe that all three partners should have agreed to the suspension before sending a request to the PO. Following my supervisor’s advice, VUB couldn’t accept this proposal. I am ok to discuss alternative solutions with the PO. I will keep you and TRI team posted via the mailing list.
Best regards and stay safe, Lina
From: Kulitsán Gábor <kulitsan.gabor@naih.hu>
Sent: Monday, March 16, 2020 11:14 AM
To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>
Cc: 'STAR' <star@listserv.vub.ac.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu
Subject: RE: feedback on STAR II 4.1
Dear Lina,
And how should I ask for any extension if I don’t know any exact dates or anything for sure? I think the suspension is better, indicating that the project would resume where it left off once the situation returns to normal or at least to less serious. I already sent the message to the PO, but if you have any other idea, feel free to share it with her via the portal, adding the term “on behalf of the coordinator”. I’m really sorry, but now I have neither time nor energy to act as a contact person. If you want, you can have the call as well, but I probably won’t be available. And no offense, but to be honest, currently the project is of least interest to me.
Best, Gábor
From: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>
Sent: Monday, March 16, 2020 10:58 AM
To: Kulitsán Gábor <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu
Subject: RE: feedback on STAR II 4.1
Dear Gabor,
Thanks for your email. I am not sure what a suspension would mean in terms of financial implications for VUB, so at this point I think we should request an extension in these unforeseen circumstances rather than a suspension.
While the situation is full of uncertainty and many of us need to adapt to it, we can still proceed further and work on deliverables for the project, apart from the workshop. We need to discuss with the PO a scenario for what to do if the situation does not improve in the upcoming weeks. If that is the case, perhaps we should ask for an adjustment in the DOW and, instead of a workshop to obtain feedback, we could propose having an online consultation. This would of course affect our funding.
I think we should still have a call if not this week, then a week after.
Best regards, Lina
From: Kulitsán Gábor <kulitsan.gabor@naih.hu>
Sent: Monday, March 16, 2020 10:39 AM
To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; nagy.renata@naih.hu
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: RE: feedback on STAR II 4.1
Importance: High
Dear Lina & All
Due to the current situation I will ask the PO to temporarily suspend the project including all deadlines by reason of unforeseeable circumstances of force majeure. I’ll keep you updated.
Secondly, I can’t make tomorrow’s call, but I don’t think that’s the most important thing now anyway.
Best wishes, stay safe and take care of yourselves!
Gábor
From: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>
Sent: Friday, March 13, 2020 10:54 AM
To: David Barnard-Wills <david.barnard-wills@trilateralresearch.com>; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>; nagy.renata@naih.hu
Subject: RE: feedback on STAR II 4.1
@David Barnard-Wills many thanks for sharing the extensive feedback. It’s much appreciated and we’ll implement it as soon as possible.
@Kulitsán Gábor at the university we have been receiving daily updates on the situation concerning the virus. For now all external events are cancelled until the end of April. In view of this, we can suggest rescheduling the event for a later date (probably mid or late June) in the hope that by then the situation improves and we can host the event. This would consequently require more time to finalise the handbook for the final event, and then July wouldn’t be a realistic date. My understanding is that we cannot ask for the extension of the project to the end of October/November because it is funded by the grant action. Could we ask the PO, however, for the cost of the final workshop as well as travel to be eligible for a later date that would go beyond the lifetime of the project? Perhaps, before proceeding with the official communication, it would be possible to get in touch with the PO via a phone call, so we are aware of the position taken by the EC considering the current situation?
Having a call on Tuesday works well for our team.
Best regards, Lina
From: David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com>
Sent: Tuesday, March 10, 2020 4:22 PM
To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: feedback on STAR II 4.1
Dear all,
First, I sincerely apologise for not getting this feedback to you earlier. I assume that D4.1 was submitted? On the positive side, this feedback can presumably be included in the final version of these deliverables.
We got Alan Moore, one of our DPO team, with good practical expertise with various commercial clients to review the guidance document (You met him at the Brussels workshop). His feedback is below.
Best wishes,
DBW
I have gone through the document and have a few suggestions:
P7 Section 3.2 It can be suggested that to compensate for being awarded with limited enforcement powers…..
I would hold they have significant powers beyond the ability to fine. Their powers to instruct controllers / processors to cease processing data, among others, can ultimately shut down a business without a fine being levied. To ignore these instructions can land a director in jail for up to 5 years!
P8. DPAs The focus on standardisation and EDPB. Art 60 was an afterthought and the general view is that it cannot operate within the prescribed timelines. The ECJ will be the ultimate arbiter for standardisation of approaches / laws / requirements but each National Authority must be free to interpret facts presented in its own way. Their independence is anchored in the EU treaties. A complication that will eventually need to be addressed.
P8. 3.3 Should be aware that translation into Romance languages can carry a different connotation than was intended by the Directive and DPAs have a key role to explain the true intent / meaning.
P9. 3.4 Typo in second paragraph. It also could be considered e the most
P10. It appeared that most DPAs do not use internal guidance to direct…. What has been the result of this? A key concern in the Irish DPC has been delivering a consistent message and not providing a different answer to the same or similar callers on different occasions.
P11. 4 Unclear use of language - first paragraph This initiative allowed to be confirmed that It allowed to be obtained
P11.4. Would stress the importance of standardisation of response & P12 4 Add ‘c’? Implement a control process to ensure standardisation of responses to similar questions / scenarios
P13. 4.2 Might mention the concern that callers may have that showing their hand may trigger an investigation. Callers need to be reassured and encouraged to participate. Approaches do differ between different DPAs.
P13. 4.2.1 It was decided to create a dedicated part Following up on from this decision
P15. 4.2.3 I would stress the value of face to face more as context can be complicated and the caller is subject to information and power asymmetry.
P16 4.5 last paragraph We are included inclined to
P21 6.2 last paragraph DPAs across the EU have reported to engage that they have engaged in
P22 6.3 4.5 last paragraph Slovic suggests that the following elements play a role when evaluating risk:
1. The degree to which an individual feels in control
2. The nature of consequences and the distribution of the impact
P23 6.3 2nd paragraph Which is perceived ‘as the coordinated activities to direct and control an organisation with regard to risk’ 47 This is most practically evidenced by the development and maintaining of a formal risk register.
(This risk section is very cerebral I fear and won’t help with the ‘how’)
P23 6.3.1 Typically, the risk based approach formula approach in the GDPR includes the following elements to be taken into account:
* The state of the art in terms of technology of the means of processing (state of the art needs to be explained – it does not mean the best there is but rather the minimum expectable / expected)
P24 6.3.2 I would add a sentence or two on the benefits undertaking a voluntary DPIA which include:
* Documented understanding of how the system works
* Known points of integration with other systems
* Assigning accountability
* Ensuring organisational standards (security / access etc) are being complied with
* Demonstrated commitment to GDPR
* General peace of mind / greater organisational resilience
P24 6.3.5 I would add a piece on keeping a formal risk register of risks to data subjects, separate from any organisation risk register of risks to the organisation, in which all risks are assigned an owner and a review date.
P25 6.3.5 (b) What do SMEs need to do to be accountable?
Second paragraph …that the principle of accountability as an elements of good
P.26 first line … that the demonstration of compliance
P.26 6.3.6 (b)
* Implement data protection principles (see Article 5) and integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects (see Chapter III) in an effective manner;
* This should be done at the time of the determination of the means for processing and implemented before the time of the processing itself. (Not that clear in the text.)
P.27 6.3.6 (c) It should be noted that some DPAs, while not defining any technical or organisational measures, will nonetheless express an expectation, such as the Irish DPC in terms of the use of encryption whenever possible where personal data is at rest or in transit.
P.28 6.3.7 (b) 2nd paragraph It is assumed that organisations will, however, benefit more from maintaining their documentation electronically as such documentation can easily be added to, have entries removed when obsolete, and be amended as necessary. However paper documentation is regarded as being appropriate for SMEs and micro enterprises. It should be added that SMEs (entities having fewer than 250 employees) are technically exempt from this obligation provided they are undertaking:
• processing that is not likely to result in a risk to the rights and freedoms of data subjects;
• processing that is not occasional (meaning that it is not regularly / frequently undertaken); or
• processing that does not include special categories of data or personal data relating to criminal convictions and offences.
In reality, very few SMEs can avail of this exemption unless they process very little data. Most SMEs will usually have some special category data as part of their HR files.
They can be are available on the websites….
P.29 6.3.8 (a) 2 Large scale is not defined by the legislation though different DPAs have given some guidance relevant to different activities.
For SMEs who provide services into other organisations, the voluntary appointment of an internal or outsourced DPO can provide commercial and strategic advantage by communicating a commitment to data protection and promoting higher levels of trust.
P.29 6.3.8 (b)
A DPO may either be an employee of the SME or an external expert, but in both cases it is fundamental that he or she is independent, in the sense that:
• the DPO shall be provided with all the necessary resources to carry on his/her tasks, in terms of money, time, workforce, time to devote to professional development etc.;
• the DPO shall not receive instructions for the exercise of his/her tasks;
• the DPO shall not be dismissed or penalized for the performance of his/her tasks;
• the DPO shall report to the highest level of management; and
• the DPO should not have any conflict of interest in respect of other tasks and duties (e.g. determining objects and purposes of the processing, representing the SME in legal proceedings).
P.30 6.3.8 (c) Tasks of DPOs
DPOs can:
• Inform and advise the SME on the obligations arising from the GDPR and the national data protection provisions
• Monitor the compliance of the SME with the GDPR, the national data protection provisions and (eventual) its internal data policies
• Carry on awareness raising activities and training for the staff of the SME dealing with data processing
• Provide advice to the SME and monitor the performance in relation to the DPIA (when a DPIA is required)
• Act as contact point for the supervisory authority in case of prior consultation
• Cooperate with the supervisory authority
• Be contacted by data subjects wishing to exercise their rights
• Create and maintain the register of processing (in the exceptional situations where SMEs are required to have one) [Not true: under Art 30 it is the responsibility of the Controller]
DPOs cannot:
• Be held accountable for the information and advice given to the SME [I do not agree with this. They are not accountable for whether their advice is implemented or not, but they can be held accountable for being negligent]
• Be considered personally responsible for non-compliance with data protection requirements
• Perform the DPIA [Not true. There is no reason why a DPO cannot take the lead in undertaking a DPIA, especially where the skills do not exist elsewhere in the organization, but the responsibility to ensure one is done remains with the Controller]
• Represent the SME in front of the DPA or in a court in case of proceedings [Not quite so. The DPO remains the first point of contact for data subjects and the DPAs and may be called to account for advice / provide an explanation as to how data was processed based on their monitoring of processing activities]
• Be considered responsible for the maintenance of the register [True, but they are responsible for providing oversight as to whether it is maintained]
• Simultaneously hold another position in the organization that helps define the means and purposes of processing of any personal data
P.31 6.3.9(a) Data Protection Impact Assessment (a) Background The DPIA is a new addition to the EU data protection framework. It builds on the rich experience of conducting impact assessments in other fields, in particular on environmental impact assessments. To be effective, impact assessments are carried out at the early stage of a project (proactive initiative), at the phase of planning or designing, and are aimed to identify and help anticipate and mitigate any potential beneficial and adverse (i.e. negative) impacts arising from the intended processing of personal data within the project. Impact assessments are risk based exercises that help decision-makers find the best and most beneficial solutions for the development and deployment of initiatives while protecting the rights and freedoms of data subjects. To be practical, impact assessments must be scalable, flexible and applicable inter alia for large organisations, consortia or for small and medium-sized enterprises. Any risks identified will be entered into the Data Protection Risk Register.
P.32 6.3.9(c) (c) What are the elements and characteristics of the processing that may generate high risks to the rights and freedoms of individuals? The following elements that contribute to the high risks to data subjects from this provision were extracted by the
(d) What situations could require a DPIA? Examples of processing operations that could trigger a DPIA:
• If the SME is implementing a new tool to monitor access to the office combining use of fingerprints and facial recognition technology;
• If the SME is a biotechnology company offering genetic tests directly to consumers in order to assess and predict the disease/health risks;
• If the SME is providing CCTV surveillance for a shopping centre or using a large number of cameras in their own premises.
(e) Who should perform a DPIA, and when? Although the data processor and the data protection officer shall assist the data controller (i.e., the SME), the final responsibility for the DPIA process rests with the data controller.
(f) When is a DPIA not required?
• When the data processing operations are included in any list of data processing operations compiled by the DPA which do not require a DPIA
P.33 6.3.9(g) 4) Involve data subjects and/or their representatives, the data protection officer and any other expert (e.g. information security officer) and the data processor in the process, ideally in each phase of the assessment process. This consultation must be meaningful.
P.33 6.3.9(h) (h) When is a new (revised) DPIA required? A new (i.e. revised version of a) DPIA could be required if the risks resulting from the processing operations are to change, for example because a new technology is to be introduced, a new processor is to be engaged under contract, or because personal data is to be used for a different purpose
In that case, the review of the risk analysis made can show that the performance of a DPIA is no longer required.
P.34 6.3.10(b) (b) How is the security obligation related to other provisions? This obligation also requires the controller wishing to engage a processor under contract to undertake due diligence and assess whether the guarantees offered by the data processor, in this case the cloud service provider, are sufficient. A controller must only engage such a processor where they have faith in their ability to comply with the obligations under GDPR. During this process, the controller may take into account whether the processor provides adequate documentation proving compliance with data protection principles, which could be found in privacy policies, records management policies, information security policies, external audit reports, certifications and similar documentation. The controller in particular should take into account the processor’s expert knowledge (e.g. technical expertise when dealing with data breaches and security measures), reliability and its resources. A site visit may also be necessary. After carrying out the due diligence process, the controller should be able to take a decision with sufficient evidence demonstrating that the processor is suitable, and can then enter into a binding arrangement. It should be added that this due diligence process is not a one-time effort. The controller will have an ongoing obligation to check whether the processor is compliant and meeting their obligations, either by auditing using their own staff or a trusted third party. When outsourcing the processing of personal data (e.g. for the provision of technical assistance or cloud services), the controller must conclude a contract, another legal act or binding arrangement with the other entity setting out clear and precise data protection obligations and the nature of processing in a detailed data processing agreement.
P.35 6.3.10(c) An information security policy foreseeing the role of each user and the required permission levels (access control) appropriate to the role, which minimises access to only that data necessary for that role, including the system administrator accounts, is an example of an appropriate organisational measure.
P.35 6.3.10(d) What technical security measures can an SME take? Technical measures must therefore include both physical and computer or IT security.
When considering cybersecurity, you should look at factors such as:
• system security – the security of your network and information systems, including especially those which process personal data;
• data security – the security of the data you hold within your systems, e.g., ensuring appropriate access controls are in place and that data is held securely through the use of suitable levels of encryption;
P.36 6.3.10(e) Would add: Where Special Category Data is processed (such as health data) or personal data relating to minors, higher levels of security will be expected to be implemented and documented.
P.36 6.3.11 This section should start with the definition of what is meant by a breach and explain the difference between an incident and a breach. It is confusing otherwise.
P.37 6.3.11(b) Consequently, this means that the controller must have internal procedures defined, tested and documented to appropriately identify and handle any breach of security concerning personal data.
In an ideal scenario, an information incident response policy should be in place before processing of personal data begins so that it could be used should a data breach take place.
P.37 6.3.11(d) Would add a final paragraph. As GDPR is maturing, different DPAs are expressing different thresholds for the reporting of breaches. Where originally there was a fear of over-reporting, the DPC in Ireland has requested that a breach be reported when there is any risk identified to the data subject. This allows the Commission to identify trends and to have confidence that controllers are identifying the minor breaches and thus are able to identify the more serious breaches should they arise.
I hope you find this useful.
Alan
From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE
Sent: 28 February 2020 13:09
To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Here comes D4.1 with both parts now included. We made further minor edits to Part A. We believe that the pdf version can be submitted. We look forward to your comments on Part B, which unfortunately comes a bit later than planned.
Best regards, Lina
From: star-bounces@listserv.vub.ac.be <star-bounces@listserv.vub.ac.be> On Behalf Of Lina JASMONTAITE
Sent: Friday, February 28, 2020 8:45 AM
To: nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: Re: [star] STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Thank you for your additions and edits. The document to be submitted to the EC will reach you shortly after noon.
Best regards, Lina
From: nagy.renata@naih.hu <nagy.renata@naih.hu>
Sent: Thursday, February 27, 2020 4:31 PM
To: Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; 'Kulitsán Gábor' <kulitsan.gabor@naih.hu>
Cc: 'STAR' <star@listserv.vub.ac.be>
Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear Lina! Dear All!
Thank you for sharing the restructured version of the guidance for DPAs. We only added minor additions/corrections. We confirm that the yellow parts are accurate.
We are looking forward to the handbook (the submission deadline is 29.02.2020).
Best regards,
Renáta
From: Lina JASMONTAITE <Lina.Jasmontaite@vub.bemailto:Lina.Jasmontaite@vub.be> Sent: Thursday, February 20, 2020 10:32 AM To: nagy.renata@naih.humailto:nagy.renata@naih.hu; 'Kulitsán Gábor' <kulitsan.gabor@naih.humailto:kulitsan.gabor@naih.hu> Cc: 'STAR' <star@listserv.vub.ac.bemailto:star@listserv.vub.ac.be> Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear Renata and Gabor,
Once again, thank you for preparing a revised version of the guidance for DPAs. We reviewed it now enclose an improved version of it. It includes nearly all of your report (see the document you shared; we marked in yellow parts that were used). However, the current version is restructured, rephrased and embedded in a wider context of DPAs’ awareness raising duties. We also extracted recommendations from your report and developed a graph presenting these recommendations. There are two parts marked in yellow that need to be checked for accuracy. Perhaps, you will want to add some other clarifications in the text. In particular, further additions could be made to the concluding remarks part. As we provided contributions to the initial text, we would like to be considered co-authors of this guidance. What do you think about this?
The part B – the handbook for SMEs – is on a way.
Best regards, Lina
From: nagy.renata@naih.humailto:nagy.renata@naih.hu <nagy.renata@naih.humailto:nagy.renata@naih.hu> Sent: Tuesday, January 28, 2020 4:16 PM To: 'Kulitsán Gábor' <kulitsan.gabor@naih.humailto:kulitsan.gabor@naih.hu>; Leanne Cochrane <leanne.cochrane@trilateralresearch.commailto:leanne.cochrane@trilateralresearch.com> Cc: David Barnard-Wills <david.barnard-wills@trilateralresearch.commailto:david.barnard-wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.commailto:Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.commailto:Angelo.Napolano@trilateralresearch.com>; Lina JASMONTAITE <Lina.Jasmontaite@vub.bemailto:Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' <sziklay.julia@naih.humailto:sziklay.julia@naih.hu> Subject: RE: STAR II - Update on EDPB and validation workshop?
Dear All!
Please, find enclosed the updated version of the guidance.
Best,
Renáta
From: Kulitsán Gábor <kulitsan.gabor@naih.humailto:kulitsan.gabor@naih.hu> Sent: Tuesday, January 28, 2020 10:09 AM To: 'Leanne Cochrane' <leanne.cochrane@trilateralresearch.commailto:leanne.cochrane@trilateralresearch.com> Cc: 'David Barnard-Wills' <David.Barnard-Wills@trilateralresearch.commailto:David.Barnard-Wills@trilateralresearch.com>; 'Corinna Pannofino' <Corinna.Pannofino@trilateralresearch.commailto:Corinna.Pannofino@trilateralresearch.com>; 'Angelo Napolano' <Angelo.Napolano@trilateralresearch.commailto:Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.humailto:nagy.renata@naih.hu>; 'Lina JASMONTAITE' <Lina.Jasmontaite@vub.bemailto:Lina.Jasmontaite@vub.be>; 'Sziklay Júlia' <sziklay.julia@naih.humailto:sziklay.julia@naih.hu> Subject: RE: STAR II - Update on EDPB and validation workshop?
Hi Leanne,
Thanks for the update on the newsletter.
Regarding the upcoming events:
* The plan is to present the drafts of the guidance and the handbook at the EDPB plenary in February. However, as this is scheduled for 18-19 February, we can only do this if the drafts are ready by then. Renáta will circulate the updated version of the guidance soon. As for the other document (handbook), Lina can provide further information.
* I have no further information on the validation workshop planned for March-April 2020.
Best, Gábor
From: Leanne Cochrane <leanne.cochrane@trilateralresearch.com> Sent: Monday, January 27, 2020 6:25 PM To: Kulitsán Gábor <kulitsan.gabor@naih.hu> Cc: David Barnard-Wills <David.Barnard-Wills@trilateralresearch.com>; Corinna Pannofino <Corinna.Pannofino@trilateralresearch.com>; Angelo Napolano <Angelo.Napolano@trilateralresearch.com>; 'Nagy Renáta' <nagy.renata@naih.hu>; Lina JASMONTAITE <Lina.Jasmontaite@vub.be>; Sziklay Júlia <sziklay.julia@naih.hu> Subject: STAR II - Update on EDPB and validation workshop?
Hi Gabor,
I hope you are keeping well.
Our dissemination team is preparing to send out the STAR II newsletter we mentioned on our previous calls. It will be sent out this Thursday with links to the approved deliverables and some blogs. We are also including a section on upcoming events and I wanted to check with NAIH if we had any further information on the following two events:
* A presentation by NAIH to the EDPB on the STAR II project planned for the February EDPB plenary (18th-19th) in Brussels.
* A validation workshop for the STAR II outputs, namely 'A Risk Focused Handbook for SMEs' and a 'Guidance for DPAs', planned for March-April 2020 in Brussels.
Can I just check this information is still current and there is nothing more specific we can add at this stage?
I would be grateful if you can cc all in the reply as I am off tomorrow and the dissemination team are in need of the confirmation.
Thanks and best wishes, Leanne
Leanne Cochrane
Senior Research Analyst | Policy, Ethics and Emerging Technologies Team
leanne.cochrane@trilateralresearch.com
www.trilateralresearch.com
Mobile: +44 (0) 7545 955 242
Skype: @ljcochrane