%3C%21--+this+is+a+work+in+progress+made+possible+by+a+grant+from+the+Ewing+Marion+Kauffman+Foundation+in+cooperation+with+the+LTL+Network--%3E%0D%0A%0D%0A%3C%21--+bubble+hex+color+value+%3D+9A1E2C+--%3E%0D%0A%0D%0AQ%28WIP%29%3A+This+is+the+BLIP+LTL+GDPR+learning+tool.%3Cbr%3E%3Cbr%3E+It+is+a+work-in-progress%2C+so+not+all+answer+fields+will+be+populated%2C+and+there+may+be+some+broken+fields.%0D%0AA%3A+I+understand.%0D%0A%09Q%281.1%29%3A+Great.++Thanks+for+giving+it+a+spin%21+If+you+find+any+errors+or+broken+parts%2C+please+%3Ca+href%3D%22mailto%3Ablip%40brooklaw.edu%3Fsubject%3DGDPR%2520QnA%2520Feedback%2520UID20180525%22%3Esend+us+a+note%3C%2Fa%3E.+Thanks%21+%3Cbr%3E%3Cbr%3EThis+was+last+updated+on+May+12%2C+2018.%0D%0A%09A%3A+What%27s+BLIP%3F%0D%0A%09%09Q%28BLIP_IS%29%3A+BLIP+is+the+Brooklyn+Law+Incubator+and+Policy+Clinic+at+Brooklyn+Law+School.%3Cbr%3E%3Cbr%3E+It%27s+basically+a+full-service+law+firm+for+bootstrap+entrepreneurs+and+startups.++BLIP+folks+built+this+tool%21+%3A%29.+You+can+%3Ca+href%3D%22https%3A%2F%2Fwww.brooklaw.edu%2Facademics%2Fclinicalprogram%2Fblip%2Faboutblip%3F%22+target%3D%22_blank%22%3Eread+more+about+BLIP+here%3C%2Fa%3E.%0D%0A%09%09A%3A+Got+it.++What%27s+LTL%3F%0D%0A%09%09%09Q%281.1.1.1%29%3A+LTL+is+the+Legal+Technology+Laboratory.%0D%0A%09%09%09A%3A+What%27s+that%3F%0D%0A%09%09%09%09Q%281.1.1.1.1%29%3A+Well%2C+it+started+as+an+outgrowth+of+several+key+events+at+the+intersections+of+legal+technology%2C+access+to+justice%2C+lawyering+and+justice%2C+and+entrepreneurship.%0D%0A%09%09%09%09A%3A+Cool.%0D%0A%09%09%09%09%09Q%281.1.1.1.1.1%29%3A++We+think+to+so+too.++That%27s+why+LTL+continues+to+evolve+as+both+the+size+of+the+LTL+community+and+the+opportunities+created+by+their+connections+to+other+network+innovators+expands.++You+can+%3Ca+href%3D%22http%3A%2F%2Fwww.thelegaltechlab.com%2F%22+target%3D%22_blank%22%3Eread+more+about+it+here%3C%2Fa%3E.%0D%0A%09%09%09%09%09A%3A+And+what%27s+GDPR%3F%0D%0A%09%09%09%09%09%09Q%281.1.1.1.1.1.1%29%3A+That%27s+why+you%27re+here%21GOTO%3AHOLDING_PATTERN%0D%0A%09A%3A+What%27s+LTL%3F%0D%0A%09%09Q%281.1.2%29%3A+LTL+is+the+Legal+Technology+Laboratory.%0D%0A%09%09A%3A+What%27s+that%3F%0D%0A%09%09%09Q%281.1.2.1%29%3A+Well%2C+it+started+as+an+outgrowth+of+several+key+events+at+the+intersections+of+legal+technology%2C+access+to+justice%2C+lawyering+and+justice%2C+and+entrepreneurship.%0D%0A%09%09%09A%3A+Cool.%0D%0A%09%09%09%09Q%281.1.2.1.1%29%3A++We+think+to+so+too.++That%27s+why+LTL+continues+to+evolve+as+both+the+size+of+the+LTL+community+and+the+opportunities+created+by+their+connections+to+other+network+innovators+expands.++You+can+%3Ca+href%3D%22http%3A%2F%2Fwww.thelegaltechlab.com%2F%22+target%3D%22_blank%22%3Eread+more+about+it+here%3C%2Fa%3E.%0D%0A%09%09%09%09A%3A+And+what%27s+this+GDPR%3F%0D%0A%09%09%09%09%09Q%281.1.2.1.1.1%29%3A+It%27s+why+you+came+here%21GOTO%3AHOLDING_PATTERN%0D%0A%09A%3A+What%27s+the+GDPR%3F%0D%0A%09%09Q%281.1.3%29%3A+Just+you+wait...%0D%0A%09%09A%3A+Hold+on%21++I+want+to+know+what+LTL+is%21%0D%0A%09%09%09Q%281.1.3.1%29%3A+LTL+is+the+Legal+Technology+Laboratory.%0D%0A%09%09%09A%3A+What%27s+that%3F%0D%0A%09%09%09%09Q%281.1.3.1.1%29%3A+Well%2C+it+started+as+an+outgrowth+of+several+key+events+at+the+intersections+of+legal+technology%2C+access+to+justice%2C+lawyering+and+justice%2C+and+entrepreneurship.%0D%0A%09%09%09%09A%3A+Cool.%0D%0A%09%09%09%09%09Q%281.1.3.1.1.1%29%3A++We+think+to+so+too.++That%27s+why+LTL+continues+to+evolve+as+both+the+size+of+the+LTL+community+and+the+opportunities+created+by+their+connections+to+other+network+innovators+expands.++You+can+%3Ca+href%3D%22http%3A%2F%2Fwww.thelegaltechlab.com%2F%22+target%3D%22_blank%22%3Eread+more+about+it+here%3C%2Fa%3E.%0D%0A%09%09%09%09%09A%3A+Wait.++I+never+asked+what+BLIP+IS%21%0D%0A%09%09%09%09%09%09Q%281.1.3.1.1.1.1%29%3A++Relax.++BLIP+is+the+Brooklyn+Law+Incubator+and+Policy+Clinic+at+Brooklyn+Law+School.%3Cbr%3E%3Cbr%3E+It%27s+basically+a+full-service+law+firm+for+bootstrap+entrepreneurs+and+startups.++BLIP+folks+built+this+tool%21+%3A%29.+You+can+%3Ca+href%3D%22https%3A%2F%2Fwww.brooklaw.edu%2Facademics%2Fclinicalprogram%2Fblip%2Faboutblip%3F%22+target%3D%22_blank%22%3Eread+more+about+BLIP+here%3C%2Fa%3E.%0D%0A%09%09%09%09%09%09A%3A+Okay.++I+think+I%27m+ready+to+start%21%0D%0A%09%09%09%09%09%09%09Q%281.1.3.1.1.1.1.1%29%3AGOTO%3AHOLDING_PATTERN%0D%0A%09%09A%3A+Wait%21++What%27s+BLIP%3F%0D%0A%09%09%09Q%281.1.3.2%29%3A+BLIP+is+the+Brooklyn+Law+Incubator+and+Policy+Clinic+at+Brooklyn+Law+School.%3Cbr%3E%3Cbr%3E+It%27s+basically+a+full-service+law+firm+for+bootstrap+entrepreneurs+and+startups.++BLIP+folks+built+this+tool%21+%3A%29.+You+can+%3Ca+href%3D%22https%3A%2F%2Fwww.brooklaw.edu%2Facademics%2Fclinicalprogram%2Fblip%2Faboutblip%3F%22+target%3D%22_blank%22%3Eread+more+about+BLIP+here%3C%2Fa%3E.%0D%0A%09%09%09A%3A+And+what%27s+LTL%3F%0D%0A%09%09%09%09Q%281.1.3.2.1%29%3A+LTL+is+the+Legal+Technology+Laboratory.%0D%0A%09%09%09%09A%3A+What%27s+that%3F%0D%0A%09%09%09%09%09Q%281.1.3.2.1.1%29%3A+Well%2C+it+started+as+an+outgrowth+of+several+key+events+at+the+intersections+of+legal+technology%2C+access+to+justice%2C+lawyering+and+justice%2C+and+entrepreneurship.%0D%0A%09%09%09%09%09A%3A+Cool.%0D%0A%09%09%09%09%09%09Q%281.1.3.2.1.1.1%29%3A++We+think+to+so+too.++That%27s+why+LTL+continues+to+evolve+as+both+the+size+of+the+LTL+community+and+the+opportunities+created+by+their+connections+to+other+network+innovators+expands.++You+can+%3Ca+href%3D%22http%3A%2F%2Fwww.thelegaltechlab.com%2F%22+target%3D%22_blank%22%3Eread+more+about+it+here%3C%2Fa%3E.%0D%0A%09%09%09%09%09%09A%3A+Got+it.++What+now%3F%0D%0A%09%09%09%09%09%09%09Q%281.1.3.2.1.1.1.1%29%3AGOTO%3AHOLDING_PATTERN%0D%0A%09%09A%3A+I+don%27t+have+any+questions+at+this+time.%0D%0A%09%09%09Q%281.1.3.3%29%3AGOTO%3ASTART%0D%0A%09A%3A+I%27d+just+like+to+move+on%2C+please.%0D%0A%09%09Q%281.1.4%29%3AGOTO%3AHOLDING_PATTERN%0D%0A%0D%0AQ%28HOLDING_PATTERN%29%3AGOTO%3ASTART%0D%0A%0D%0AQ%28START%29%3A+Welcome+to+the+BLIP+LTL+GDPR+Learning+Tool.+%3Cbr%3E%3Cbr%3E+We%27re+going+to+ask+you+several+questions+to+help+identify+potential+risk+areas+for+you+to+speak+about+with+your+attorney.%0D%0AA%3A+Got+it.%0D%0A%09Q%283.1%29%3AGOTO%3ADISCLAIMER%0D%0A%0D%0AQ%28DISCLAIMER%29%3A+We%27re+about+to+get+to+the+good+part.+%3Cbr%3E%3Cbr%3E+But%2C+before+we+do%2C+we+need+to+go+over+a+few+things+with+you.%0D%0AA%3A+Okay%2C+I%27m+ready.%0D%0A%09Q%284.1%29%3A+First+of+all%2C+none+of+the+information+we+discuss+here+is+legal+advice%2C+and+you+should+not+construe+it+as+legal+advice.%0D%0A%09A%3A+Okay.++I+understand+that+this+is+not+legal+advice.%0D%0A%09%09Q%284.1.1%29%3A+Terrific.++In+addition%2C+we+are+not+entering+into+an+agreement+to+represent+you%2C+and+nothing+in+this+tool+should+be+understood+as+an+offer+to+enter+into+an+attorney%2Fclient+relationship+with+you.%0D%0A%09%09A%3A+Okay.++I+also+understand+that+we+are+not+entering+into+an+attorney%2Fclient+relationship.%0D%0A%09%09%09Q%284.1.1.1%29%3A+This+tool+is+meant+to+help+you+learn+a+bit+about+the+GDPR+and+identify+some+areas+about+which+you+should+speak+with+an+attorney.%0D%0A%09%09%09A%3A+I+think+it%27s+great+that+this+is+only+a+learning+tool.%0D%0A%09%09%09%09Q%284.1.1.1.1%29%3A+And%2C+finally%2C+if+you+have+%3Ci%3Eany%3C%2Fi%3E+legal+questions%2C+you+should+speak+with+an+attorney.%0D%0A%09%09%09%09A%3A+Of+course+I%27ll+speak+with+an+attorney+if+I+have+any+legal+questions.%0D%0A%09%09%09%09%09Q%284.1.1.1.1.1%29%3A+Terrific.++Let%27s+get+started.GOTO%3Aready%0D%0A%0D%0AQ%28ready%29%3A+Do+you+have+any+questions+for+%3Ci%3Eus%3C%2Fi%3E+before+we+get+into+it%3F%0D%0AA%3A+Yes.%0D%0A%09Q%28MAIN_QUESTIONS%29%3A+What+sort+of+questions+do+you+have%3F%0D%0A%09A%3A+I+have+questions+about+this+tool.%0D%0A%09%09Q%28TOOL_QUESTIONS%29%3A+What+would+you+like+to+know%3F%0D%0A%09%09A%3A+What+happens+to+do+my+answers%3F++Do+you+keep+them%3F%0D%0A%09%09%09Q%285.1.1.1%29%3ANo%2C+we+do+not+store+any+of+your+data.+%3Cbr%3E%3Cbr%3E+At+the+end+of+our+series+of+questions%2C+you%27ll+have+some+options+to+view+or+save+a+note+we%27ve+drafted+for+you+to+share+with+your+attorney+as+a+launchpad+to+discuss+GDPR+issues.%0D%0A%09%09%09A%3A+Got+it.++I+have+more+questions+about+this+tool.%0D%0A%09%09%09%09Q%285.1.1.1.1%29%3AGOTO%3ATOOL_QUESTIONS%0D%0A%09%09%09A%3A+Okay.++I+have+questions+about+the+GDPR.%0D%0A%09%09%09%09Q%285.1.1.1.2%29%3AGOTO%3AGDPR_QUESTIONS%0D%0A%09%09%09A%3A+I+don%27t+think+I+have+any+more+questions+at+this+time.%0D%0A%09%09%09%09Q%285.1.1.1.3%29%3AGOTO%3ASLEEPER_CELL%0D%0A%09%09A%3A+What+sort+of+questions+will+you+be+asking%3F%0D%0A%09%09%09Q%285.1.1.2%29%3A+We%27ll+be+asking+you+some+questions+about+you+and+your+business%2C+such+as+your+name%2C+the+name+of+your+attorney+%28if+you+have+one%29%2C+and+the+name+of+your+business.++%3Cbr%3E%3Cbr%3E+These+questions+are+optional+and+are+just+to+format+the+talking+points+we%27ll+have+for+you+at+the+end+of+the+process.+%3Cbr%3E%3Cbr%3E+You+can+just+use+pseudonyms+for+that+part.+%3A%29%0D%0A%09%09%09A%3A+I+understand%2C+and+I+have+some+more+questions+about+the+tool.%0D%0A%09%09%09%09Q%285.1.1.2.1%29%3AGOTO%3ATOOL_QUESTIONS%0D%0A%09%09%09A%3A+Got+it.++I+have+some+questions+about+the+GDPR.%0D%0A%09%09%09%09Q%285.1.1.2.2%29%3AGOTO%3AGDPR_QUESTIONS%0D%0A%09%09%09A%3A++Thanks.++I+don%27t+have+any+more+general+questions+about+the+GDPR+at+this+time.%0D%0A%09%09%09%09Q%285.1.1.2.3%29%3AGOTO%3ASLEEPER_CELL%0D%0A%09%09A%3A++This+format+is+really+cool%21++What+is+it%3F%0D%0A%09%09%09Q%285.1.1.3%29%3A+Thanks+for+noticing%21++This+was+built+using+a+markup+language+called+QnA+built+by+%3Ca+href%3D%22http%3A%2F%2Fwww.davidcolarusso.com%2Fattorney%2F%22+target%3D%22_blank%22%3EDavid+Colarusso%3C%2Fa%3E.++%3Cbr%3E%3Cbr%3EYou+can+build+your+own+interactive+QnA+by+visiting+the+%3Ca+href%3D%22http%3A%2F%2Fwww.qnamarkup.org%2F%22+target%3D%22_blank%22%3EQnA+Markup+Editor+%28still+in+beta%29%3C%2Fa%3E.%0D%0A%09%09%09A%3AI+have+more+questions.%0D%0A%09%09%09%09Q%285.1.1.3.1%29%3AGOTO%3AMAIN_QUESTIONS%0D%0A%09%09A%3A+I+don%27t+have+any+more+general+questions+about+the+GDPR+at+this+time.%0D%0A%09%09%09Q%285.1.1.4%29%3AGOTO%3ASLEEPER_CELL%0D%0A%09A%3A+I+have+questions+about+about+the+GDPR.%0D%0A%09%09Q%28GDPR_QUESTIONS%29%3A+Great.++What+would+you+like+to+know%3F%0D%0A%09%09A%3A+Okay.++Of+course+%3Ci%3EI%3C%2Fi%3E+know+what+the+GPDR+is.++I+just+want+to+make+sure+you+do.++So....+what+is+it%3F%0D%0A%09%09%09Q%285.1.2.1%29%3A+The+GDPR+is+a+data+privacy+law+that+will+affect+nearly+every+firm+that+does+business+with+folks+in+the+EU++It+was+passed+a+couple+years+ago%2C+but+it+comes+into+force+in+May+of+2018.%0D%0A%09%09%09A%3A+Right.++I+knew+that.+So%2C+do+%3Ci%3Eyou%3C%2Fi%3E+know+why+I+should+be+paying+attention+to+this%3F%0D%0A%09%09%09%09Q%285.1.2.1.1%29%3A+Of+course%21++Most+businesses+with+a+web+presence+will+likely+encounter+folks+in+the+EU%2C+and+these+businesses%2C+no+matter+where+they+are%2C+will+need+to+comply+with+the+GDPR+or+face+heavy+penalties.%0D%0A%09%09%09%09A%3A+I+see.++What+sorta+penalties+are+we+talking+about+here%3F%0D%0A%09%09%09%09%09Q%285.1.2.1.1.1%29%3A+According+to+Article+83+of+the+regulation%2C+a+firm+can+face+a+fine+of++%22up+to+20+000+000+EUR%2C+or+...+up+to+4+%25+of+the+total+worldwide+annual+turnover+of+the+preceding+financial+year%2C+whichever+is+higher.%22%0D%0A%09%09%09%09%09A%3A+Wow.++Okay.++I+have+more+questions+about+the+GDPR.%0D%0A%09%09%09%09%09%09Q%285.1.2.1.1.1.1%29%3AGOTO%3AGDPR_QUESTIONS%0D%0A%09%09%09%09%09A%3A+I+don%27t+think+I+have+any+more+questions+at+this+time.%0D%0A%09%09%09%09%09%09Q%285.1.2.1.1.1.2%29%3AGOTO%3ASLEEPER_CELL%0D%0A%09%09A%3A+What%27s+the+GDPR+and+why+should+I+care%3F%0D%0A%09%09%09Q%285.1.2.2%29%3A+The+GDPR+is+a+European+data+privacy+law+that+will+impact+nearly+all+firms+that+store%2C+access%2C+or+process+data+from+data+subjects+within+the+European+Union.%0D%0A%09%09%09A%3A++Tell+me+more.%0D%0A%09%09%09%09Q%285.1.2.2.1%29%3A+The+GDPR+is+around+87+pages+and+covers+a+lot+of+things%21%0D%0A%09%09%09%09A%3A+Go+on...%0D%0A%09%09%09%09%09Q%285.1.2.2.1.1%29%3A+If+you%27d+like+to+read+more+about+the+GDPR%2C+you+can+do+so++%3Ca+href%3D%22http%3A%2F%2Feur-lex.europa.eu%2Flegal-content%2FEN%2FTXT%2F%3Furi%3DCELEX%3A32016R0679%22+target%3D%22_blank%22%3Ehere%3C%2Fa%3E.%0D%0A%09%09%09%09%09A%3AOkay.++I+have+other+questions.%0D%0A%09%09%09%09%09%09Q%285.1.2.2.1.1.1%29%3AGOTO%3AGDPR_QUESTIONS%0D%0A%09%09%09%09%09A%3A+I+don%27t+think+I+have+any+more+questions+at+this+time.%0D%0A%09%09%09%09%09%09Q%285.1.2.2.1.1.2%29%3AGOTO%3ASLEEPER_CELL%0D%0A%09%09%09%09A%3A+Okay.++I+have+other+questions.%0D%0A%09%09%09%09%09Q%285.1.2.2.1.2%29%3AGOTO%3AGDPR_QUESTIONS%0D%0A%09%09%09%09%09A%3A+I+don%27t+think+I+have+any+more+questions+at+this+time.%0D%0A%09%09%09%09%09%09Q%285.1.2.2.1.2.1%29%3AGOTO%3ASLEEPER_CELL%0D%0A%09%09%09A%3A++Got+it.++I+have+other+questions.%0D%0A%09%09%09%09Q%285.1.2.2.2%29%3AGOTO%3AGDPR_QUESTIONS%0D%0A%09%09%09A%3A+I+don%27t+have+any+other+questions+at+this+time.%0D%0A%09%09A%3A+What+is+the+scope+of+the+GDPR%3F%0D%0A%09%09%09Q%285.1.2.3%29%3A+The+GDPR+applies+to+%22the+processing+of+personal+data+in+the+context+of+activities+of+an+establishment+of+a+controller+or+a+processor+in+the+%5BEU%5D%2C+regardless+of+whether+the+processing+takes+place+in+the+union+or+not.%22%0D%0A%09%09%09A%3A+What+does+that+mean%3F%0D%0A%09%09%09%09Q%285.1.2.3.1%29%3A+Essentially%2C+that+means+that+the+GDPR+applies+to+firms+that+collect%2C+store%2C+and+process+data+on+people+in+the+EU+not+matter+where+the+data+processing+takes+place.%0D%0A%09%09%09%09A%3AI+have+more+questions%0D%0A%09%09%09%09%09Q%285.1.2.3.1.1%29%3AGOTO%3AGDPR_QUESTIONS%0D%0A%09%09%09%09A%3A+I+don%27t+have+any+more+general+questions+about+the+GDPR+at+this+time.%0D%0A%09%09%09%09%09Q%285.1.2.3.1.2%29%3AGOTO%3ASLEEPER_CELL%0D%0A%09%09A%3A+I+have+questions+about+the+terms+in+the+GDPR.%0D%0A%09%09%09Q%28GDPR_TERMS%29%3A+Great%21++We+love+answering+questions.+What+would+you+like+to+learn+about%3F%0D%0A%09%09%09A%3A+What+does+%22personal+data%22+mean+for+the+GDPR%3F%0D%0A%09%09%09%09Q%285.1.2.4.1%29%3A+%09%27personal+data%27+means+any+information+relating+to+an+identified+or+identifiable+natural+person+%28%27data+subject%27%29%3B+an+identifiable+natural+person+is+one+who+can+be+identified%2C+directly+or+indirectly%2C+in+particular+by+reference+to+an+identifier+such+as+a+name%2C+an+identification+number%2C+location+data%2C+an+online+identifier+or+to+one+or+more+factors+specific+to+the+physical%2C+physiological%2C+genetic%2C+mental%2C+economic%2C+cultural+or+social+identity+of+that+natural+person.%0D%0A%09%09%09%09A%3A+I+have+another+question+about+GDPR+terms.%0D%0A%09%09%09%09%09Q%285.1.2.4.1.1%29%3AGOTO%3AGDPR_TERMS%0D%0A%09%09%09%09A%3A+I+have+another+question%2C+but+not+about+GDPR+terms.%0D%0A%09%09%09%09%09Q%285.1.2.4.1.2%29%3AGOTO%3AMAIN_QUESTIONS%0D%0A%09%09%09%09A%3A+I+don%27t+have+any+more+questions.%0D%0A%09%09%09%09%09Q%285.1.2.4.1.3%29%3AGOTO%3ASLEEPER_CELL%0D%0A%09%09%09A%3A+What+does+%22processing%22+mean+for+the+GDPR%3F%0D%0A%09%09%09%09Q%285.1.2.4.2%29%3A+%27processing%27+means+any+operation+or+set+of+operations+which+is+performed+on+personal+data+or+on+sets+of+personal+data%2C+whether+or+not+by+automated+means%2C+such+as+collection%2C+recording%2C+organisation%2C+structuring%2C+storage%2C+adaptation+or+alteration%2C+retrieval%2C+consultation%2C+use%2C+disclosure+by+transmission%2C+dissemination+or+otherwise+making+available%2C+alignment+or+combination%2C+restriction%2C+erasure+or+destruction.%0D%0A%09%09%09%09A%3A+I+have+another+question+about+GDPR+terms.%0D%0A%09%09%09%09%09Q%285.1.2.4.2.1%29%3AGOTO%3AGDPR_TERMS%0D%0A%09%09%09%09A%3A+I+have+another+question%2C+but+not+about+GDPR+terms.%0D%0A%09%09%09%09%09Q%285.1.2.4.2.2%29%3AGOTO%3AMAIN_QUESTIONS%0D%0A%09%09%09%09A%3A+I+don%27t+have+any+more+questions.%0D%0A%09%09%09%09%09Q%285.1.2.4.2.3%29%3AGOTO%3ASLEEPER_CELL%0D%0A%09%09%09A%3A+What+is+a+%22controller%22+in+the+GDPR%3F%0D%0A%09%09%09%09Q%285.1.2.4.3%29%3A%27controller%27+means+the+natural+or+legal+person%2C+public+authority%2C+agency+or+other+body+which%2C+alone+or+jointly+with+others%2C+determines+the+purposes+and+means+of+the+processing+of+personal+data%3B+where+the+purposes+and+means+of+such+processing+are+determined+by+Union+or+Member+State+law%2C+the+controller+or+the+specific+criteria+for+its+nomination+may+be+provided+for+by+Union+or+Member+State+law.%0D%0A%09%09%09%09A%3A+I+have+another+question+about+GDPR+terms.%0D%0A%09%09%09%09%09Q%285.1.2.4.3.1%29%3AGOTO%3AGDPR_TERMS%0D%0A%09%09%09%09A%3A+I+have+another+question%2C+but+not+about+GDPR+terms.%0D%0A%09%09%09%09%09Q%285.1.2.4.3.2%29%3AGOTO%3AMAIN_QUESTIONS%0D%0A%09%09%09%09A%3A+I+don%27t+have+any+more+questions.%0D%0A%09%09%09%09%09Q%285.1.2.4.3.3%29%3AGOTO%3ASLEEPER_CELL%0D%0A%09%09%09A%3A+What+is+a+%22processor%22+in+the+GDPR%3F%0D%0A%09%09%09%09Q%285.1.2.4.4%29%3A+%09%27processor%27+means+a+natural+or+legal+person%2C+public+authority%2C+agency+or+other+body+which+processes+personal+data+on+behalf+of+the+controller.%0D%0A%09%09%09%09A%3A+I+have+another+question+about+GDPR+terms.%0D%0A%09%09%09%09%09Q%285.1.2.4.4.1%29%3AGOTO%3AGDPR_TERMS%0D%0A%09%09%09%09A%3A+I+have+another+question%2C+but+not+about+GDPR+terms.%0D%0A%09%09%09%09%09Q%285.1.2.4.4.2%29%3AGOTO%3AMAIN_QUESTIONS%0D%0A%09%09%09%09A%3A+I+don%27t+have+any+more+questions.%0D%0A%09%09%09%09%09Q%285.1.2.4.4.3%29%3AGOTO%3ASLEEPER_CELL%0D%0A%09%09%09A%3A+What+is+a+%22consent%22+in+the+GDPR%3F%0D%0A%09%09%09%09Q%285.1.2.4.5%29%3A+%09%27consent%27+of+the+data+subject+means+any+freely+given%2C+specific%2C+informed+and+unambiguous+indication+of+the+data+subject%27s+wishes+by+which+he+or+she%2C+by+a+statement+or+by+a+clear+affirmative+action%2C+signifies+agreement+to+the+processing+of+personal+data+relating+to+him+or+her.%0D%0A%09%09%09%09A%3A+I+have+another+question+about+GDPR+terms.%0D%0A%09%09%09%09%09Q%285.1.2.4.5.1%29%3AGOTO%3AGDPR_TERMS%0D%0A%09%09%09%09A%3A+I+have+another+question%2C+but+not+about+GDPR+terms.%0D%0A%09%09%09%09%09Q%285.1.2.4.5.2%29%3AGOTO%3AMAIN_QUESTIONS%0D%0A%09%09%09%09A%3A+I+don%27t+have+any+more+questions.%0D%0A%09%09%09%09%09Q%285.1.2.4.5.3%29%3AGOTO%3ASLEEPER_CELL%0D%0A%09%09%09A%3A+What+is+a+%22recipient%22+in+the+GPDR%3F%0D%0A%09%09%09%09Q%285.1.2.4.6%29%3A+%27recipient%27+means+a+natural+or+legal+person%2C+public+authority%2C+agency+or+another+body%2C+to+which+the+personal+data+are+disclosed%2C+whether+a+third+party+or+not.+However%2C+public+authorities+which+may+receive+personal+data+in+the+framework+of+a+particular+inquiry+in+accordance+with+Union+or+Member+State+law+shall+not+be+regarded+as+recipients%3B+the+processing+of+those+data+by+those+public+authorities+shall+be+in+compliance+with+the+applicable+data+protection+rules+according+to+the+purposes+of+the+processing.%0D%0A%09%09%09%09A%3A+I+have+another+question+about+GDPR+terms.%0D%0A%09%09%09%09%09Q%285.1.2.4.6.1%29%3AGOTO%3AGDPR_TERMS%0D%0A%09%09%09%09A%3A+I+have+another+question%2C+but+not+about+GDPR+terms.%0D%0A%09%09%09%09%09Q%285.1.2.4.6.2%29%3AGOTO%3AMAIN_QUESTIONS%0D%0A%09%09%09%09A%3A+I+don%27t+have+any+more+questions.%0D%0A%09%09%09%09%09Q%285.1.2.4.6.3%29%3AGOTO%3ASLEEPER_CELL%0D%0A%09%09%09A%3A+What+is+a+%22third+party+in+the+GDPR%3F%0D%0A%09%09%09%09Q%285.1.2.4.7%29%3A+%27third+party%27+means+a+natural+or+legal+person%2C+public+authority%2C+agency+or+body+other+than+the+data+subject%2C+controller%2C+processor+and+persons+who%2C+under+the+direct+authority+of+the+controller+or+processor%2C+are+authorised+to+process+personal+data%0D%0A%09%09%09%09A%3A+I+have+another+question+about+GDPR+terms.%0D%0A%09%09%09%09%09Q%285.1.2.4.7.1%29%3AGOTO%3AGDPR_TERMS%0D%0A%09%09%09%09A%3A+I+have+another+question%2C+but+not+about+GDPR+terms.%0D%0A%09%09%09%09%09Q%285.1.2.4.7.2%29%3AGOTO%3AMAIN_QUESTIONS%0D%0A%09%09%09%09A%3A+I+don%27t+have+any+more+questions.%0D%0A%09%09%09%09%09Q%285.1.2.4.7.3%29%3AGOTO%3ASLEEPER_CELL%0D%0A%09%09%09A%3A+What+is+%22consent%22+in+the+GDPR%3F%0D%0A%09%09%09%09Q%285.1.2.4.8%29%3A+%27consent%27+of+the+data+subject+means+any+freely+given%2C+specific%2C+informed+and+unambiguous+indication+of+the+data+subject%27s+wishes+by+which+he+or+she%2C+by+a+statement+or+by+a+clear+affirmative+action%2C+signifies+agreement+to+the+processing+of+personal+data+relating+to+him+or+her.%0D%0A%09%09%09%09A%3A+I+have+another+question+about+GDPR+terms.%0D%0A%09%09%09%09%09Q%285.1.2.4.8.1%29%3AGOTO%3AGDPR_TERMS%0D%0A%09%09%09%09A%3A+I+have+another+question%2C+but+not+about+GDPR+terms.%0D%0A%09%09%09%09%09Q%285.1.2.4.8.2%29%3AGOTO%3AMAIN_QUESTIONS%0D%0A%09%09%09%09A%3A+I+don%27t+have+any+more+questions.%0D%0A%09%09%09%09%09Q%285.1.2.4.8.3%29%3AGOTO%3ASLEEPER_CELL%0D%0A%09%09%09A%3A+What+is+%22pseudonymisation%22%3F%0D%0A%09%09%09%09Q%285.1.2.4.9%29%3A+%27pseudonymisation%27+means+the+processing+of+personal+data+in+such+a+manner+that+the+personal+data+can+no+longer+be+attributed+to+a+specific+data+subject+without+the+use+of+additional+information%2C+provided+that+such+additional+information+is+kept+separately+and+is+subject+to+technical+and+organisational+measures+to+ensure+that+the+personal+data+are+not+attributed+to+an+identified+or+identifiable+natural+person.%0D%0A%09%09%09%09A%3A+I+have+another+question+about+GDPR+terms.%0D%0A%09%09%09%09%09Q%285.1.2.4.9.1%29%3AGOTO%3AGDPR_TERMS%0D%0A%09%09%09%09A%3A+I+have+another+question%2C+but+not+about+GDPR+terms.%0D%0A%09%09%09%09%09Q%285.1.2.4.9.2%29%3AGOTO%3AMAIN_QUESTIONS%0D%0A%09%09%09%09A%3A+I+don%27t+have+any+more+questions.%0D%0A%09%09%09%09%09Q%285.1.2.4.9.3%29%3AGOTO%3ASLEEPER_CELL%0D%0A%09%09A%3A++I+don%27t+have+any+more+general+questions+about+the+GDPR+at+this+time.%0D%0A%09%09%09Q%285.1.2.5%29%3AGOTO%3ASLEEPER_CELL%0D%0AA%3A+No.%0D%0A%09Q%285.2%29%3AGOTO%3ASLEEPER_CELL%0D%0A%0D%0AQ%28DORMANT%29%3A+We+can+help+you+understand+how+the+GDPR+might+affect+your+business.+%3Cbr%3E%3Cbr%3E+What+sort+of+industry+are+you+in+and+what+sorts+of+questions+do+you+have%3F%0D%0AA%3A+Mobile+app+development%0D%0A%09Q%286.1%29%3AGOTO%3AMOBILE_APPS%0D%0AA%3A+Retail.%0D%0A%09Q%286.2%29%3AGOTO%3ARETAIL%0D%0AA%3A+Healthcare.%0D%0A%09Q%286.3%29%3AGOTO%3AHEALTHCARE%0D%0AA%3A+Sharing%2Fgig%2Fplatform+economy.%0D%0A%09Q%286.4%29%3AGOTO%3APLATFORM%0D%0AA%3A+Food+service%2Fproduction.%0D%0A%09Q%286.5%29%3AGOTO%3AFOOD%0D%0AA%3A+General+business.%0D%0A%09Q%286.6%29%3AGOTO%3AGENERAL_BUSINESS%0D%0AA%3A+I+have+questions+about+enforcement+and+penalties.%0D%0A%09Q%286.7%29%3AGOTO%3APENALTIES%0D%0AA%3A+I+don%27t+have+any+questions+about+my+business.%0D%0A%09Q%286.8%29%3AGOTO%3AEUROPA%0D%0A%0D%0AQ%28MOBILE_APPS%29%3ACool%21++Mobile+apps+are+great.+%3Cbr%3E%3Cbr%3E+What+are+you+thinking+about%3F%0D%0AA%3A+My+app+isn%27t+commerce-based.+It+does+not+facilitate+purchases.+Do+I+still+need+to+worry+about+the+GDPR%3F%0D%0A%09Q%287.1%29%3A+Yes%2C+you+might.+The+GDPR%27s+application+does+not+turn+on+transactions+being+made.+If+you+offer+goods+or+services%2C+irrespective+of+whether+a+purchase+is+required%2C+to+data+subjects+in+the+EU%2C+or+if+you+monitor+their+behavior+in+the+EU%2C+then+the+GDPR+will+apply+to+your+app.%0D%0A%09A%3A+Got+it.++I+have+more+questions.%0D%0A%09%09Q%287.1.1%29%3AGOTO%3AMOBILE_APPS%0D%0A%09A%3A+I+see.++I%27m+ready+to+move+on.%0D%0A%09%09Q%287.1.2%29%3AGOTO%3AEUROPA%0D%0AA%3AI+don%27t+store+the+data+collected+from+my+app-I+partner+with+a+cloud+storage+provider.+Do+I+still+need+to+worry+about+all+this%3F%0D%0A%09Q%287.2%29%3AYes%2C+the+GDPR+implicates+both+%27controllers%27+and+%27processors.%27+The+GDPR+also+applies+to+%27joint+controllers.%27+Talk+to+your+cloud+storage+partner%2C+as+well+as+your+attorney%2C+about+ensuring+that+your+data+collection+and+data+processing+activities+comply+with+the+GDPR.%0D%0A%09A%3A+Got+it.++I+have+more+questions.%0D%0A%09%09Q%287.2.1%29%3AGOTO%3AMOBILE_APPS%0D%0A%09A%3A+I+see.++I%27m+ready+to+move+on.%0D%0A%09%09Q%287.2.2%29%3AGOTO%3AEUROPA%0D%0AA%3A+Some+of+the+behavioral+data+collected+from+my+app+could+be+valuable%2C+and+I+intend+to+sell+it+to+partners.+Is+this+allowed%3F%0D%0A%09Q%287.3%29%3A+Maybe+not.+The+GDPR+emphasizes+%27data+minimization%2C%27+which+means+data+processing+should+be+limited+to+what+is+necessary+in+relation+to+the+purposes+for+which+the+data+was+collected.+Additionally%2C+the+GDPR+requires+that+personal+data+only+be+collected+for+specified%2C+explicit%2C+and+legitimate+purposes+and+not+further+processed+in+a+manner+incompatible+with+those+purposes.+So%2C+make+sure+you+have+a+privacy+policy%2C+and+talk+to+your+attorney+about+specific+data+usage+activities+you+intend+to+carry+out.%0D%0A%09A%3A+Got+it.++I+have+more+questions.%0D%0A%09%09Q%287.3.1%29%3AGOTO%3AMOBILE_APPS%0D%0A%09A%3A+I+see.++I%27m+ready+to+move+on.%0D%0A%09%09Q%287.3.2%29%3AGOTO%3AEUROPA%0D%0AA%3A+Users+accept+a+set+of+terms+before+launching+my+app+and+using+it.+Does+that+mean+I%27m+good%3F%0D%0A%09Q%287.4%29%3A+Not+necessarily.+The+GDPR+requires+that+requests+for+consent+be+presented+in+a+manner+which+is+clearly+distinguishable+from+other+matters%2C+in+an+intelligible+and+easily+accessible+form%2C+using+clear+and+plain+language.+Therefore%2C+obtaining+consent+through+acceptance+of+terms+of+use+must+meet+the+GDPR%27s+standard.+Additionally%2C+you+must+be+able+to+demonstrate+that+the+data+subject+consented+to+the+processing+of+his+or+her+personal+data.+Talk+to+your+attorney+about+ensuring+that+your+method+of+obtaining+consent+complies+with+the+GDPR.%0D%0AA%3A++Are+there+any+kinds+of+data+that+I%27m+never+allowed+to+process+under+the+GDPR%3F%0D%0A%09Q%287.5%29%3AYes.+With+narrow+exceptions%2C+the+GDPR+prohibits+the+processing+of+personal+data+revealing+racial+or+ethnic+origin%2C+political+opinions%2C+religious+or+philosophical+beliefs%2C+or+trade+union+membership%2C+and+the+processing+of+genetic+data%2C+biometric+data+for+the+purpose+of+uniquely+identifying+a+natural+person%2C+and+data+concerning+health+or+data+concerning+a+natural+person%27s+sex+life+or+sexual+orientation.%0D%0A%09A%3A+Got+it.++I+have+more+questions.%0D%0A%09%09Q%287.5.1%29%3AGOTO%3AMOBILE_APPS%0D%0A%09A%3A+I+see.++I%27m+ready+to+move+on.%0D%0A%09%09Q%287.5.2%29%3AGOTO%3AEUROPA%0D%0AA%3AAre+there+policies+and+procedures+I+should+put+in+place+now+to+comply+with+the+GDPR%3F%0D%0A%09Q%287.6%29%3AYes.+The+GDPR+requires+that+data+controllers+implement+appropriate+technical+and+organizational+measures+to+ensure+that%2C+by+default%2C+only+personal+data+which+are+necessary+for+each+specific+purpose+of+the+processing+are+processed.+This+applies+to+the+amount+of+data+collected%2C+the+extent+of+their+processing%2C+the+period+of+their+storage%2C+and+their+accessibility.+Talk+to+your+attorney+about+how+to+implement+appropriate+technical+and+organizational+measures+to+ensure+that+any+data+processing+activities+comply+with+the+GDPR.%0D%0A%09A%3A+Got+it.++I+have+more+questions.%0D%0A%09%09Q%287.6.1%29%3AGOTO%3AMOBILE_APPS%0D%0A%09A%3A+I+see.++I%27m+ready+to+move+on.%0D%0A%09%09Q%287.6.2%29%3AGOTO%3AEUROPA%0D%0AA%3A+I%27m+curious+about+other+industries.%0D%0A%09Q%287.7%29%3AGOTO%3ASLEEPER_CELL%0D%0A%0D%0AQ%28RETAIL%29%3A+Great.+So%2C+what%27s+up%3F%0D%0AA%3A+Does+GDPR+apply+to+me%2C+when+my+place+of+business+is+based+outside+of+Europe%3F%0D%0A%09Q%288.1%29%3AYes%2C+it+does+not+matter+if+your+company+is+in+or+outside+of+Europe.+If+your+site+interacts+with+European+customers+or+offers+a+service+or+product%2C+then+you+need+to+comply+GDPR.%0D%0A%09A%3A+Got+it.++I+have+more+questions.%0D%0A%09%09Q%288.1.1%29%3AGOTO%3ARETAIL%0D%0A%09A%3A+I+see.++I%27m+ready+to+move+on.%0D%0A%09%09Q%288.1.2%29%3AGOTO%3AEUROPA%0D%0AA%3A+As+a+shop+owner%2C+what+can+I+do+on+my+e-commerce+site+for+GDPR+compliance%3F%0D%0A%09Q%288.2%29%3A+GDPR+empowers+Europeans+to+control+how+their+data+is+used.+As+a+result%2C+being+GDPR+compliant+means+you+cannot+assume+what+your+users+want.+For+example%2C+GDPR+says%2C+%27silence%2C+pre-ticked+boxes+or+inactivity+should+not+constitute+consent.%27+Therefore%2C+no+more+automatically+subscribing+customers+to+your+newsletters%0D%0A%09A%3A+Got+it.++I+have+more+questions.%0D%0A%09%09Q%288.2.1%29%3AGOTO%3ARETAIL%0D%0A%09A%3A+I+see.++I%27m+ready+to+move+on.%0D%0A%09%09Q%288.2.2%29%3AGOTO%3AEUROPA%0D%0AA%3AWhat+type+of+data+can+I+collect+from+customers%3F%0D%0A%09Q%288.3%29%3A+Only+collecting+the+data+that+you+need+is+a+great+way+to+limit+your+exposure.+For+example%2C+if+there+is+no+business+value+in+knowing+what+company+the+costumer+works+for%2C+then+GDPR+gives+you+an+incentive+not+to+ask.%0D%0A%09A%3A+Got+it.++I+have+more+questions.%0D%0A%09%09Q%288.3.1%29%3AGOTO%3ARETAIL%0D%0A%09A%3A+I+see.++I%27m+ready+to+move+on.%0D%0A%09%09Q%288.3.2%29%3AGOTO%3AEUROPA%0D%0AA%3A+What+type+of+good+practices+do+regulators+look+for+from+shop+owners+with+e-commerce+sites%3F%0D%0A%09Q%288.4%29%3A+Regulators+look+for+transparency+and+honesty.+You+want+to+be+able+to+demonstrate+you+put+your+best+foot+forward+to+meet+the+requirements+of+GDPR.+Good+practices+include+placing+an+%27unsubscribe%27+link+next+to+your+%27subscribe%27+link.+You+can+also+link+directly+to+your+terms+and+conditions+and+privacy+policy+from+your+site%27s+footer.%0D%0A%09A%3A+Got+it.++I+have+more+questions.%0D%0A%09%09Q%288.4.1%29%3AGOTO%3ARETAIL%0D%0A%09A%3A+I+see.++I%27m+ready+to+move+on.%0D%0A%09%09Q%288.4.2%29%3AGOTO%3AEUROPA%0D%0AA%3ABesides+my+e-commerce+site%2C+should+I+be+worried+about+the+other+online+tools+I+use+to+interact+with+costumers%3F%0D%0A%09Q%288.5%29%3A+Yes%2C+GDPR+applies+to+more+than+just+your+e-commerce+site+so+make+sure+your+all+of+your+company%27s+online+accounts+are+in+compliance.+Think+of+your+company%27s+accounts+on+Facebook%2C+MailChimp%2C+Shopify%2C+and+other+platforms+used+to+interact+with+consumers.%0D%0A%09A%3A+Got+it.++I+have+more+questions.%0D%0A%09%09Q%288.5.1%29%3AGOTO%3ARETAIL%0D%0A%09A%3A+I+see.++I%27m+ready+to+move+on.%0D%0A%09%09Q%288.5.2%29%3AGOTO%3AEUROPA%0D%0AA%3A+What+are+benefits+to+GDPR+compliance+for+E-commerce+shops%2C+besides+not+being+fined%3F%0D%0A%09Q%288.6%29%3A+Topics+related+to+one%27s+personal+privacy+populate+all+over+the+web+so+companies+practicing+GDPR+compliance+can+use+this+as+a+huge+selling+point.+You+can+leverage+attitudes+to+grow+your+e-commerce+business.+Some+companies+use+methods+such+as+informing+users+of+their+use+of+cookies+and+policy+on+data+privacy+as+a+top-page+notification.%0D%0A%09A%3A+Got+it.++I+have+more+questions.%0D%0A%09%09Q%288.6.1%29%3AGOTO%3ARETAIL%0D%0A%09A%3A+I+see.++I%27m+ready+to+move+on.%0D%0A%09%09Q%288.6.2%29%3AGOTO%3AEUROPA%0D%0AA%3A+I%27m+curious+about+other+industries.%0D%0A%09Q%288.7%29%3AGOTO%3ASLEEPER_CELL%0D%0A%0D%0AQ%28HEALTHCARE%29%3A+Awesome.+How+can+we+help%3F%0D%0AA%3A+I+won%27t+be+operating+my+start-up+in+the+EU+nor+will+I+be+offering+it+to+EU+residents%2C+does+the+GDPR+still+apply%3F%0D%0A%09Q%289.1%29%3A+If+your+start-up+is+accessible+through+the+world+wide+web+or+other+international+medium%2C+then+it+is+possible+that+the+GDPR+will+still+apply+even+if+you+are+not+targeting+EU+residents.++The+only+way+to+prevent+the+GDPR+from+applying+would+be+to+have+a+policy+or+coding+that+does+not+allow+access+from+an+EU+location+of+your+start-up.%0D%0A%09A%3A+Got+it.++I+have+more+questions.%0D%0A%09%09Q%289.1.1%29%3AGOTO%3AHEALTHCARE%0D%0A%09A%3A+I+see.++I%27m+ready+to+move+on.%0D%0A%09%09Q%289.1.2%29%3AGOTO%3AEUROPA%0D%0AA%3AIt%27s+just+me+%28or+me+and+a+few+friends%29+creating+this+startup%2FIT+and+putting+it+into+the+app+stores%2Fwww%2Fsimilar+and+I+won%27t+be+offering+it+for+money+as+this+is+simply+a+need+I+see+that+needs+to+be+fulfilled+and+I+can+fulfill+it%2C+does+the+GDPR+still+apply+to+my+startup%2FIT%3F%0D%0A%09Q%289.2%29%3A+Yes%2C+because+of+the+nature+of+the+content%2C+GDPR+considers+healthcare+information+to+be+particularly+sensitive+information+and+if+you+store+any+EU+residents+information+then+you+must+comply+with+the+GDPR+even+if+you+never+have+more+than+just+1+employee+on+the+payroll.++Generally%2C+a+company+with+250+or+more+employees+must+comply+but+certain+subject+matters+are+considered+sensitive+and+healthcare+information+is+one+of+those+categories.%0D%0A%09A%3A+Got+it.++I+have+more+questions.%0D%0A%09%09Q%289.2.1%29%3AGOTO%3AHEALTHCARE%0D%0A%09A%3A+I+see.++I%27m+ready+to+move+on.%0D%0A%09%09Q%289.2.2%29%3AGOTO%3AEUROPA%0D%0AA%3A+I+want+my+startup%2FIT+to+eventually+go+world+wide+but+right+now+I+will+just+be+developing+it+in+a+non-EU+country%2C+does+it+make+sense+to+go+ahead+and+make+sure+the+coding+is+GDPR+compliant+or+is+that+something+I+can+work+up+to+at+a+later+date%3F%0D%0A%09Q%289.3%29%3A+Considering+the+sensitive+nature+of+healthcare+information+and+the+fact+many+countries%2C+even+non-GDPR+companies+have+strict+healthcare+information+protection+laws%2C+it+is+recommended+to+go+ahead+and+begin+by+aiming+for+compliance.+If+you+already+have+a+system+in+place%2C+once+you+open+it+up+to+EU+residents%2C+then+the+curve+is+much+less+steep+as+everyone+will+already+be+familiar+with+the+dos+and+don%27ts+within+your+organization%0D%0A%09A%3A+Got+it.++I+have+more+questions.%0D%0A%09%09Q%289.3.1%29%3AGOTO%3AHEALTHCARE%0D%0A%09A%3A+I+see.++I%27m+ready+to+move+on.%0D%0A%09%09Q%289.3.2%29%3AGOTO%3AEUROPA%0D%0AA%3A+What+if+I+am+not+collecting+data+regarding+people%27s+healthcare+but+rather+providing+users+with+easy+access+to+health-related+information%3F%0D%0A%09Q%289.4%29%3A+If+your+startup+or+IT+does+NOT+store+or+collect+any+identifiable+information+about+the+data+subject+so+that+whatever+your+startup%2FIT+does+cannot+be+traced+back+to+a+particular+individual+natural+human+being%2C+then+it+is+GDPR+compliant.+As+GDPR+requires+that+the+minimum+amount+of+data+be+collected+to+carry+out+the+function+of+the+business.++So+if+you+are+not+collecting+data+then+you+are+in+compliance.%0D%0A%09A%3A+Got+it.++I+have+more+questions.%0D%0A%09%09Q%289.4.1%29%3AGOTO%3AHEALTHCARE%0D%0A%09A%3A+I+see.++I%27m+ready+to+move+on.%0D%0A%09%09Q%289.4.2%29%3AGOTO%3AEUROPA%0D%0AA%3A+If+I+am+HIPAA+compliant+am+I+GDPR+compliant%3F++And+if+I+become+GDPR+compliant%2C+does+that+make+me+HIPAA+compliant%3F++If+not%2C+what%27s+the+difference%3F%0D%0A%09Q%289.5%29%3A+Both+HIPAA+and+GDPR+require+the+strict+protection+of+personally+identifiable+information+and+the+release+of+the+patient%2Fdata+subjects+stored+information+within+one+month+of+the+request.+%3Cbr%3E%3Cbr%3E+However%2C+there+are+many+significant+differences%2C+so+being+HIPAA+compliant+doesn%27t+mean+your+GDPR+compliant%2C+and+being+GDPR+compliant+doesn%27t+mean+you%27re+HIPAA+compliant.%0D%0A%09A%3A+Got+it.++I+have+more+questions.%0D%0A%09%09Q%289.5.1%29%3AGOTO%3AHEALTHCARE%0D%0A%09A%3A+I+see.++I%27m+ready+to+move+on.%0D%0A%09%09Q%289.5.2%29%3AGOTO%3AEUROPA%0D%0AA%3A+I%27m+curious+about+other+industries.%0D%0A%09Q%289.6%29%3AGOTO%3ASLEEPER_CELL%0D%0A%0D%0AQ%28PLATFORM%29%3A+Awesome.+How+can+we+help%3F%0D%0AA%3A+I+won%27t+be+operating+my+start-up+in+the+EU+nor+will+I+be+offering+it+to+EU+residents%2C+does+the+GDPR+still+apply%3F%0D%0A%09Q%2810.1%29%3A+If+your+start-up+is+accessible+through+the+world+wide+web+or+other+international+medium%2C+then+it+is+possible+that+the+GDPR+will+still+apply+even+if+you+are+not+targeting+EU+residents.++The+only+way+to+prevent+the+GDPR+from+applying+would+be+to+have+a+policy+or+coding+that+does+not+allow+access+from+an+EU+location+of+your+start-up.%0D%0A%09A%3A+Got+it.++I+have+more+questions.%0D%0A%09%09Q%2810.1.1%29%3AGOTO%3APLATFORM%0D%0A%09A%3A+I+see.++I%27m+ready+to+move+on.%0D%0A%09%09Q%2810.1.2%29%3AGOTO%3AEUROPA%0D%0AA%3A+I+won%27t+be+operating+my+start-up+in+the+EU+nor+will+I+be+offering+it+to+EU+residents%2C+does+the+GDPR+still+apply%3F%0D%0A%09Q%2810.2%29%3A+If+your+start-up+is+accessible+through+the+world+wide+web+or+other+international+medium%2C+then+it+is+possible+that+the+GDPR+will+still+apply+even+if+you+are+not+targeting+EU+residents.++The+only+way+to+prevent+the+GDPR+from+applying+would+be+to+have+a+policy+or+coding+that+does+not+allow+access+from+an+EU+location+of+your+start-up.%0D%0A%09A%3A+Got+it.++I+have+more+questions.%0D%0A%09%09Q%2810.2.1%29%3AGOTO%3APLATFORM%0D%0A%09A%3A+I+see.++I%27m+ready+to+move+on.%0D%0A%09%09Q%2810.2.2%29%3AGOTO%3AEUROPA%0D%0AA%3A+I+have+two+kinds+of+users%3B+those+who+use+my+platform+to+provide+services%2C+and+those+who+use+my+platform+to+connect+with+service+providers.++What+sorts+of+data+can+I+keep%3F%0D%0A%09Q%2810.3%29%3A+Good+question.++It%27s+a+little+complicated.++Any+data+you+hold+onto+should+be+tied+directly+to+informed+user+consent.++And%2C+you+an+hold+onto+that+data+so+long+as+it+is+necessary+to+perform+contracted+services.%0D%0A%09A%3A+Got+it.++I+have+more+questions.%0D%0A%09%09Q%2810.3.1%29%3AGOTO%3APLATFORM%0D%0A%09A%3A+I+see.++I%27m+ready+to+move+on.%0D%0A%09%09Q%2810.3.2%29%3AGOTO%3AEUROPA%0D%0A%0D%0AQ%28FOOD%29%3ADelicious%21+What+sorts+of+questions+do+you+have%3F%0D%0AA%3A+Question+1%0D%0A%09Q%2811.1%29%3A+Answer+1%0D%0A%09A%3A+Got+it.++I+have+more+questions.%0D%0A%09%09Q%2811.1.1%29%3AGOTO%3AFOOD%0D%0A%09A%3A+I+see.++I%27m+ready+to+move+on.%0D%0A%09%09Q%2811.1.2%29%3AGOTO%3AEUROPA%0D%0AA%3A+Question+2%0D%0A%09Q%2811.2%29%3A+Answer+2%0D%0A%09A%3A+Got+it.++I+have+more+questions.%0D%0A%09%09Q%2811.2.1%29%3AGOTO%3AFOOD%0D%0A%09A%3A+I+see.++I%27m+ready+to+move+on.%0D%0A%09%09Q%2811.2.2%29%3AGOTO%3AEUROPA%0D%0AA%3A+Question+3%0D%0A%09Q%2811.3%29%3A+Answer+3%0D%0A%09A%3A+Got+it.++I+have+more+questions.%0D%0A%09%09Q%2811.3.1%29%3AGOTO%3AFOOD%0D%0A%09A%3A+I+see.++I%27m+ready+to+move+on.%0D%0A%09%09Q%2811.3.2%29%3AGOTO%3AEUROPA%0D%0AA%3A+Question+4%0D%0A%09Q%2811.4%29%3A+Answer+4%0D%0A%09A%3A+Got+it.++I+have+more+questions.%0D%0A%09%09Q%2811.4.1%29%3AGOTO%3AFOOD%0D%0A%09A%3A+I+see.++I%27m+ready+to+move+on.%0D%0A%09%09Q%2811.4.2%29%3AGOTO%3AEUROPA%0D%0AA%3A+Question+5%0D%0A%09Q%2811.5%29%3A+Answer+5%0D%0A%09A%3A+Got+it.++I+have+more+questions.%0D%0A%09%09Q%2811.5.1%29%3AGOTO%3AFOOD%0D%0A%09A%3A+I+see.++I%27m+ready+to+move+on.%0D%0A%09%09Q%2811.5.2%29%3AGOTO%3AEUROPA%0D%0AA%3A+I%27m+curious+about+other+industries.%0D%0A%09Q%2811.6%29%3AGOTO%3ASLEEPER_CELL%0D%0A%0D%0AQ%28GENERAL_BUSINESS%29%3AWhat+sorts+of+questions+do+you+have+for+us%3F%0D%0AA%3A+How+do+I+determine+if+my+business+falls+within+the+scope+of+GDPR%3F%0D%0A%09Q%2812.1%29%3AIf+you+offer+products+and+services+to+Europe+you+have+to+comply+with+the+GDPR.+The+use+of+a+language+or+a+currency+generally+used+in+one+or+more+member+states+in+connection+with+offering+goods+and+services%2C+will+indicate+an+intent+to+offer+products%2Fservices+in+the+EU.%0D%0A%09A%3A+Got+it.++I+have+more+questions.%0D%0A%09%09Q%2812.1.1%29%3AGOTO%3AGENERAL_BUSINESS%0D%0A%09A%3A+I+see.++I%27m+ready+to+move+on.%0D%0A%09%09Q%2812.1.2%29%3AGOTO%3AEUROPA%0D%0AA%3AAm+I+required+to+hire+a+data+protection+officer%3F%0D%0A%09Q%2812.2%29%3ANo%2C+data+protection+officers+are+only+required+for+companies+who+employ+over+250+people.%0D%0A%09A%3A+Got+it.++I+have+more+questions.%0D%0A%09%09Q%2812.2.1%29%3AGOTO%3AGENERAL_BUSINESS%0D%0A%09A%3A+I+see.++I%27m+ready+to+move+on.%0D%0A%09%09Q%2812.2.2%29%3AGOTO%3AEUROPA%0D%0AA%3AWhat+are+some+things+I+can+do+to+make+sure+I+get+proper+consent%3F%0D%0A%09Q%2812.3%29%3AMake+sure+consent+is+separate+from+terms+and+conditions%2C+no+pre-ticked+boxes+for+consent%2C+write+it+in+plain+language%2C+cannot+be+a+precondition+of+service%2C+tell+individuals+they+can+withdraw+consent%2C+and+explain+what+information+is+being+collected+and+how+it+will+be+used.%0D%0A%09A%3A+Got+it.++I+have+more+questions.%0D%0A%09%09Q%2812.3.1%29%3AGOTO%3AGENERAL_BUSINESS%0D%0A%09A%3A+I+see.++I%27m+ready+to+move+on.%0D%0A%09%09Q%2812.3.2%29%3AGOTO%3AEUROPA%0D%0AA%3AHow+does+the+GDPR+define+personal+data%3F%0D%0A%09Q%2812.4%29%3A+The+GDPR+defines+personal+data+as+any+information+relating+to+an+identified+or+identifiable+natural+person.++An+identifiable+natural+person+can+be+identified+by+reference+to+an+identifier+such+as+a+name%2C+an+identification+number%2C+location+data%2C+an+online+identifier+or+more+factors+specific+to+the+physical%2C+physiological%2C+genetic%2C+mental%2C+economic%2C+cultural+or+social+identity+of+that+natural+person.%0D%0A%09A%3A+Got+it.++I+have+more+questions.%0D%0A%09%09Q%2812.4.1%29%3AGOTO%3AGENERAL_BUSINESS%0D%0A%09A%3A+I+see.++I%27m+ready+to+move+on.%0D%0A%09%09Q%2812.4.2%29%3AGOTO%3AEUROPA%0D%0AA%3ACan+a+data+subject+request+access+to+our+internal+system%28s%29%3F%0D%0A%09Q%2812.5%29%3A+Yes%2C+the+controller+should+be+able+to+provide+remote+access+to+a+secure+system+which+would+provide+the+data+subject+with+direct+access+to+his+or+her+personal+data.++Before+this+is+done%2C+the+controller+must+use+all+reasonable+measures+to+verify+the+identity+of+the+data+subject+who+is+requesting+access.++Furthermore%2C+a+controller+should+not+retain+the+personal+data+for+reactionary+purposes.++Instead+the+controller+should+set+up+the+businessn%27+secure+internal+database+for+preventative+reasons+as+well.%0D%0A%09A%3A+Got+it.++I+have+more+questions.%0D%0A%09%09Q%2812.5.1%29%3AGOTO%3AGENERAL_BUSINESS%0D%0A%09A%3A+I+see.++I%27m+ready+to+move+on.%0D%0A%09%09Q%2812.5.2%29%3AGOTO%3AEUROPA%0D%0AA%3ADoes+a+customer%27s+prior+consent+provide+legal+grounds+for+processing%3F%0D%0A%09Q%2812.6%29%3AThere+has+been+ample+debate+on+this+topic.++The+GDPR+states+that+consent+must+be+explicit%2C+freely+given%2C+and+the+controller+is+required+to+demonstrate+that+consent+was+given.++To+determine+whether+consent+was+freely+given%2C+account+shall+be+taken+of+whether+the+performance+of+a+contract+is+made+conditional+on+the+consent+to+processing+data+that+is+not+necessary+to+perform+the+contract.%0D%0A%09A%3A+Got+it.++I+have+more+questions.%0D%0A%09%09Q%2812.6.1%29%3AGOTO%3AGENERAL_BUSINESS%0D%0A%09A%3A+I+see.++I%27m+ready+to+move+on.%0D%0A%09%09Q%2812.6.2%29%3AGOTO%3AEUROPA%0D%0AA%3AWill+a+specific+point+person+be+able+to+assist+me+with+the+GDPR%3F%0D%0A%09Q%2812.7%29%3AData+processors+will+be+obliged+to+appoint+a+data+protection+officer+%28DPO%29+in+some+specific+circumstances+such+as+when+the+supplier+is+processing+special+data+i.e.+sensitive+data%2C+or+if+required+to+do+so+under+Member+State+law.+%3Cbr%3E%3Cbr%3EThis+also+might+not+apply+if+you+have+fewer+than+250+employees.%0D%0A%09A%3A+Got+it.++I+have+more+questions.%0D%0A%09%09Q%2812.7.1%29%3AGOTO%3AGENERAL_BUSINESS%0D%0A%09A%3A+I+see.++I%27m+ready+to+move+on.%0D%0A%09%09Q%2812.7.2%29%3AGOTO%3AEUROPA%0D%0AA%3A+I%27m+curious+about+other+industries.%0D%0A%09Q%2812.8%29%3AGOTO%3ASLEEPER_CELL%0D%0A%0D%0AQ%28PENALTIES%29%3A+Shoot%21%0D%0AA%3AWhat+should+I+do+if+my+business+suffers+from+a+data+breach%3F%0D%0A%09Q%2813.1%29%3AIf+the+data+breach+poses+a+risk+to+individuals%2C+the+Data+Protection+Authorities+and+individuals+must+be+notified+within+72+hours+without+undue+delay.%0D%0A%09A%3A+Got+it.++I+have+more+questions.%0D%0A%09%09Q%2813.1.1%29%3AGOTO%3APENALTIES%0D%0A%09A%3A+I+see.++I%27m+ready+to+move+on.%0D%0A%09%09Q%2813.1.2%29%3AGOTO%3AEUROPA%0D%0AA%3AWhat+happens+if+I+do+not+correctly+comply+with+the+law%3F%0D%0A%09Q%2813.2%29%3A+There+are+fines+for+not+complying+with+the+law.+For+small+offenses+you+can+be+fined+2%25+of+global+revenue+and+for+large+offenses+4%25+of+global+revenue.+Make+sure+you+are+actively+trying+to+comply+with+the+law+because+supervisory+authorities+will+likely+be+more+lenient+with+you.%0D%0A%09A%3A+Got+it.++I+have+more+questions.%0D%0A%09%09Q%2813.2.1%29%3AGOTO%3APENALTIES%0D%0A%09A%3A+I+see.++I%27m+ready+to+move+on.%0D%0A%09%09Q%2813.2.2%29%3AGOTO%3AEUROPA%0D%0AA%3AHow+will+my+business+be+penalized+if+we+do+not+abide+by+the+GDPR%3F%0D%0A%09Q%2813.3%29%3AIn+general%2C+the+GDPR+considers+the+nature%2C+gravity%2C+and+duration+of+the+infringements+when+calculating+penalties.++The+GDPR+establishes+a+tiered+approach+to+penalties+for+breach.++DPAs+can+impose+fines+for+some+infringements+of+up+to+the+higher+of+4+percent+of+annual+worldwide+turnover+and+international+transfers.++Other+specified+infringements+may+attract+a+fine+of+up+to+the+higher+of+2+percent.%0D%0A%09A%3A+Got+it.++I+have+more+questions.%0D%0A%09%09Q%2813.3.1%29%3AGOTO%3AGENERAL_BUSINESS%0D%0A%09A%3A+I+see.++I%27m+ready+to+move+on.%0D%0A%09%09Q%2813.3.2%29%3AGOTO%3AEUROPA%0D%0AA%3A+I%27m+curious+about+other+industries.%0D%0A%09Q%2813.4%29%3AGOTO%3ASLEEPER_CELL%0D%0A%0D%0AQ%28SLEEPER_CELL%29%3AGOTO%3AEUROPA%0D%0A%0D%0AQ%28EUROPA%29%3A+The+European+Commission+has+released+some+Guidance+on+GDPR+in+which+it+answers+a+bunch+of+pressing+questions.++We%27ve+built+them+into+this+tool.++Wanna+see+it%3F%0D%0AA%3AYes.++That+sounds+great.%0D%0A%09Q%28EUROPA_YES%29%3AOkay.++What+are+what+sorts+of+areas+are+you+interested+in%3F%0D%0A%09A%3AApplication+of+the+GDPR+in+general.%0D%0A%09%09Q%28APPLICATION_YES%29%3A+Okay.++Go+ahead%0D%0A%09%09A%3A+To+whom+does+the+data+protection+law+apply%3F%0D%0A%09%09%09Q%2815.1.1.1%29%3AThe+law+applies+to%3A%3Cbr%3E%3Cbr%3E1%29a+company+or+entity+which+processes+personal+data+as+part+of+the+activities+of+one+of+its+branches+established+in+the+EU%2C+regardless+of+where+the+data+is+processed%3B+or+%3Cbr%3E%3Cbr%3E2%29a+company++established+outside+the+EU+offering+goods%2Fservices+%28paid+or+for+free%29+or+monitoring+the+behaviour+of+individuals+in+the+EU.+%3Cbr%3E%3Cbr%3E%0D%0AIf+your+company+is+a+small+and+medium-sized+enterprise+%28%27SME%27%29+that+processes+personal+data+as+described+above+you+have+to+comply+with+the+GDPR.+However%2C+if+processing+personal+data+isn%27t+a+core+part+of+your+business+and+your+activity+doesn%27t+create+risks+for+individuals%2C+then+some+obligations+of+the+GDPR+will+not+apply+to+you+%28for+example+the+appointment+of+a+%3Ca+href%3D%22https%3A%2F%2Fec.europa.eu%2Finfo%2Flaw%2Flaw-topic%2Fdata-protection%2Freform%2Frules-business-and-organisations%2Fobligations%2Fdata-protection-officers%2Fdoes-my-company-organisation-need-have-data-protection-officer-dpo_en%22%3EData+Protection+Officer%3C%2Fa%3E+%28%27DPO%27%29%29.+Note+that+%27core+activities%27should+include+activities+where+the+processing+of+data+forms+an+inextricable+part+of+the+controller%27s+or+processor%27s+activities.%0D%0A%09%09%09A%3AI+see.%0D%0A%09%09%09%09Q%2815.1.1.1.1%29%3AWould+you+like+to+see+some+examples%3F%0D%0A%09%09%09%09A%3A+Yes.++I+would+like+to+see+one+where+the+regulation+applies.%0D%0A%09%09%09%09%09Q%2815.1.1.1.1.1%29%3AYour+company+is+a+small%2C+tertiary+education+company+operating+online+with+an+establishment+based+outside+the+EU.+It+targets+mainly+Spanish+and+Portuguese+language+universities+in+the+EU.+It+offers+free+advice+on+a+number+of+university+courses+and+students+require+a+username+and+a+password+to+access+your+online+material.+Your+company++provides+the+said+username+and+password+once+the+students+fill+out+an+enrollment+form.%3Cbr%3E%3Cbr%3EHere%2C+the+regulation+would+apply.%0D%0A%09%09%09%09%09A%3A+Got+it.%0D%0A%09%09%09%09%09%09Q%2815.1.1.1.1.1.1%29%3AWhat+now%3F%0D%0A%09%09%09%09%09%09A%3A+I+want+to+see+an+example+where+the+GDPR+does+not+apply.%0D%0A%09%09%09%09%09%09%09Q%2815.1.1.1.1.1.1.1%29%3AYour+company+is+service+provider+based+outside+the+EU.+It+provides+services+to+customers+outside+the+EU.++Its+clients+can+use+its+services+when+they+travel+to+other+countries%2C+including+within+the+EU.+Provided+your+company++doesn%27t+specifically+target+its+services+at+individuals+in+the+EU%2C+it+is+not+subject+to+the+rules+of+the+GDPR.++%3Cbr%3E%3Cbr%3EHere%2C+the+GDPR+would+not+apply.%0D%0A%09%09%09%09%09%09%09A%3AGot+it.++I+have+more+questions+in+this+area.%0D%0A%09%09%09%09%09%09%09%09Q%2815.1.1.1.1.1.1.1.1%29%3AGOTO%3AAPPLICATION_YES%0D%0A%09%09%09%09%09%09%09A%3AI+have+more+general+questions.%0D%0A%09%09%09%09%09%09%09%09Q%2815.1.1.1.1.1.1.1.2%29%3AGOTO%3AEUROPE_YES.%0D%0A%09%09%09%09A%3A+Yes.++I+would+like+to+see+one+where+the+regulation+does+not+apply.%0D%0A%09%09%09%09%09Q%2815.1.1.1.1.2%29%3AYour+company+is+service+provider+based+outside+the+EU.+It+provides+services+to+customers+outside+the+EU.++Its+clients+can+use+its+services+when+they+travel+to+other+countries%2C+including+within+the+EU.+Provided+your+company++doesn%27t+specifically+target+its+services+at+individuals+in+the+EU%2C+it+is+not+subject+to+the+rules+of+the+GDPR.++%3Cbr%3E%3Cbr%3EHere%2C+the+GDPR+would+not+apply.%0D%0A%09%09%09%09%09A%3A+Got+it.%0D%0A%09%09%09%09%09%09Q%2815.1.1.1.1.2.1%29%3AWhat+now%3F%0D%0A%09%09%09%09%09%09A%3A+I+want+to+see+an+example+where+the+GDPR+does+apply.%0D%0A%09%09%09%09%09%09%09Q%2815.1.1.1.1.2.1.1%29%3AYour+company+is+a+small%2C+tertiary+education+company+operating+online+with+an+establishment+based+outside+the+EU.+It+targets+mainly+Spanish+and+Portuguese+language+universities+in+the+EU.+It+offers+free+advice+on+a+number+of+university+courses+and+students+require+a+username+and+a+password+to+access+your+online+material.+Your+company++provides+the+said+username+and+password+once+the+students+fill+out+an+enrollment+form.%3Cbr%3E%3Cbr%3EHere%2C+the+regulation+would+apply.%0D%0A%09%09%09%09%09%09%09A%3AGot+it.++I+have+more+questions+in+this+area.%0D%0A%09%09%09%09%09%09%09%09Q%2815.1.1.1.1.2.1.1.1%29%3AGOTO%3AAPPLICATION_YES%0D%0A%09%09%09%09%09%09%09A%3AI+have+more+general+questions.%0D%0A%09%09%09%09%09%09%09%09Q%2815.1.1.1.1.2.1.1.2%29%3AGOTO%3AEUROPE_YES.%0D%0A%09%09A%3ADo+the+rules+apply+to+small-to-medium+enterprises%3F%0D%0A%09%09%09Q%2815.1.1.2%29%3AYes%2C+the+%3Cb%3Eapplication+of+the+data+protection+regulation+depends+not+on+the+size+of+your+company%2Forganisation+but+on+the+nature+of+your+activities.%3C%2Fb%3E+Activities+that+present+high+risks+for+the+individuals%27+rights+and+freedoms%2C+whether+they+are+carried+out+by+an+SME+or+by+a+large+corporation%2C+trigger+the+application+of+more+stringent+rules.+However%2C+some+of+the+obligations+of+the+GDPR+may+not+apply+to+all+SMEs.%3Cbr%3E%3Cbr%3EFor+instance%2C+companies+with+%3Cb%3Efewer+than+250+employees+don%27t+need+to+keep+records%3C%2Fb%3E+of+their+processing+activities+unless+processing+of+personal+data+is+a+regular+activity%2C+poses+a+threat+to+individuals%27+rights+and+freedoms%2C+or+concerns+sensitive+data+or+criminal+records.%3Cbr%3E%3Cbr%3ESimilarly%2C+SMEs+will+only+have+to+appoint+a+%3Cb%3EData+Protection+Officer%3C%2Fb%3E+if+processing+is+their+main+business+and+it+poses+specific+threats+to+the+individuals%27+rights+and+freedoms+%28such+as+monitoring+of+individuals+or+processing+of+sensitive+data+or+criminal+records%29+in+particular+because+it%27s+done+on+a+large+scale.%0D%0A%09%09%09A%3A+Got+it.%0D%0A%09%09%09%09Q%2815.1.1.2.1%29%3AWhat+now%3F%0D%0A%09%09%09%09A%3A+I+have+more+questions+in+this+area.%0D%0A%09%09%09%09%09Q%2815.1.1.2.1.1%29%3AGOTO%3AAPPLICATION_YES%0D%0A%09%09%09%09A%3A+I+have+more+questions+in+general.%0D%0A%09%09%09%09%09Q%2815.1.1.2.1.2%29%3AGOTO%3AEUROPA_YES%0D%0A%09%09A%3ADo+the+data+protection+rules+apply+to+data+about+a+company%3F%0D%0A%09%09%09Q%2815.1.1.3%29%3ANo%2C+the+rules+only+apply+to+personal+data+about+individuals%2C+they+don%27t+govern+data+about+companies+or+any+other+legal+entities.+However%2C+information+in+relation+to+one-person+companies+may+constitute+personal+data+where+it+allows+the+identification+of+a+natural+person.+The+rules+also+apply+to+all+personal+data+relating+to+natural+persons+in+the+course+of+a+professional+activity%2C+such+as+the+employees+of+a+company%2Forganisation%2C+business+email+addresses+like+%27forename.surname%40company.eu%27+or+employees%27+business+telephone+numbers.%0D%0A%09%09%09A%3A+Got+it.%0D%0A%09%09%09%09Q%2815.1.1.3.1%29%3AWhat+now%3F%0D%0A%09%09%09%09A%3A+I+have+more+questions+in+this+area.%0D%0A%09%09%09%09%09Q%2815.1.1.3.1.1%29%3ACool.++The+references+for+this+question+are+Articles+1+and+2+and+Recital+%2814%29+of+the+GDPR%3B%0D%0ASee+Judgment+of+the+Court+%28Second+Chamber%29+of+9+March+2017+in+case+C-398%2F15%2C+%3CI%3EManni%3C%2FI%3E%3B+and+Articles+1%2C+2%2C+3%3B+Recitals+13%2C+14%2C+15%2C+18%2C+19%2C+21%2C+22%2C+23%2C+24%2C+25.GOTO%3AAPPLICATION_YES%0D%0A%09%09%09%09A%3A+I+have+more+general+questions.%0D%0A%09%09%09%09%09Q%2815.1.1.3.1.2%29%3ACool.++The+references+for+this+question+are+Articles+1+and+2+and+Recital+%2814%29+of+the+GDPR%3B%0D%0ASee+Judgment+of+the+Court+%28Second+Chamber%29+of+9+March+2017+in+case+C-398%2F15%2C+%3CI%3EManni%3C%2FI%3E%3B+and+Articles+1%2C+2%2C+3%3B+Recitals+13%2C+14%2C+15%2C+18%2C+19%2C+21%2C+22%2C+23%2C+24%2C+25.GOTO%3AEUROPA_YES%0D%0A%09A%3APrinciples+of+the+GDPR.%0D%0A%09%09Q%28PRINCIPLES%29%3AWhat+sort+of+questions+do+you+have%3F%0D%0A%09%09A%3AWhat+data+can+we+process+and+under+which+conditions%3F%0D%0A%09%09%09Q%2815.1.2.1%29%3AThis+is+a+long+one.++Okay%2C+so+type+and+amount+of+personal+data+you+may+process+depends+on+the+reason+you%27re+processing+it+%28legal+reason+used%29+and+what+you+want+to+do+with+it.+You+must+respect+several+key+rules%2C+including%3A%3Cbr%3E%3Cbr%3Epersonal+data+must+be+processed+in+a+%3Cb%3Elawful+and+transparent+manner%3C%2Fb%3E%2C+ensuring+fairness+towards+the+individuals+whose+personal+data+you%27re+processing+%28%27lawfulness%2C+fairness+and+transparency%27%29.%0D%0A%09%09%09A%3AGo+on.%0D%0A%09%09%09%09Q%2815.1.2.1.1%29%3AYou+must+have+%3Cb%3Especific+purposes%3C%2Fb%3E+for+processing+the+data+and+you+must+indicate+those+purposes+to+individuals+when+collecting+their+personal+data.+You+can%27t+simply+collect+personal+data+for+undefined+purposes+%28%27purpose+limitation%27%29.%0D%0A%09%09%09%09A%3AGo+on.%0D%0A%09%09%09%09%09Q%2815.1.2.1.1.1%29%3AYou+must+collect+and+process+%3Cb%3Eonly+the+personal+data+that+is+necessary+to+fulfil+that+purpose%3C%2Fb%3E+%28%27data+minimisation%27%29.%3Cbr%3E%3Cbr%3EYou+must+ensure+the+personal+data+is+accurate+and+up-to-date%2C+having+regard+to+the+purposes+for+which+it%27s+processed%2C+and+correct+it+if+not+%28%27accuracy%27%29.%0D%0A%09%09%09%09%09A%3AGo+on.%0D%0A%09%09%09%09%09%09Q%2815.1.2.1.1.1.1%29%3AYou+can%27t+further+use+the+personal+data+for+other+purposes+that+aren%27t+%3Cb%3Ecompatible%3C%2Fb%3E+with+the+original+purpose+of+collection.%3Cbr%3E%3Cbr%3EYou+must+ensure+that+personal+data+is+%3Cb%3Estored+for+no+longer+than+necessary%3C%2Fb%3E+for+the+purposes+for+which+it+was+collected+%28%27storage+limitation%27%29.%0D%0A%09%09%09%09%09%09A%3AOkay.++More+please%21%0D%0A%09%09%09%09%09%09%09Q%2815.1.2.1.1.1.1.1%29%3AYou+must+install+appropriate+%3Cb%3Etechnical+and+organisational+safeguards%3C%2Fb%3E+that+ensure+the+security+of+the+personal+data%2C+including+protection+against+unauthorised+or+unlawful+processing+and+against+accidental+loss%2C+destruction+or+damage%2C+using+appropriate+technology+%28%27integrity+and+confidentiality%27%29.%0D%0A%09%09%09%09%09%09%09A%3AWow.++That%27s+a+lot.++Can+you+give+me+an+example%3F%0D%0A%09%09%09%09%09%09%09%09Q%2815.1.2.1.1.1.1.1.1%29%3AYou+run+a+travel+agency.+When+you+obtain+your+clients%27+personal+data%2C+you+should+explain+in+clear+and+plain+language+why+you+need+the+data%2C+how+you%27ll+be+using+it%2C+and+how+long+you+intend+to+keep+it.+The+processing+should+be+tailored+in+a+way+that+respects+the+key+data+protection+principles.%0D%0A%09%09%09%09%09%09%09%09A%3AThanks.++I+have+more+questions+in+this+area.%0D%0A%09%09%09%09%09%09%09%09%09Q%2815.1.2.1.1.1.1.1.1.1%29%3AThe+references+for+these+answers+are+from+Article+5%281%29%3B+Recital+39%3B+Article+29+and+Working+Party+Opinion+03%2F2013+on+purpose+limitation+%28WP+203%29.GOTO%3APRINCIPLES%0D%0A%09%09%09%09%09%09%09%09A%3AThanks.++I+have+more+questions+general+questions.%0D%0A%09%09%09%09%09%09%09%09%09Q%2815.1.2.1.1.1.1.1.1.2%29%3AThe+references+for+these+answers+are+from+Article+5%281%29%3B+Recital+39%3B+Article+29+and+Working+Party+Opinion+03%2F2013+on+purpose+limitation+%28WP+203%29.GOTO%3AEUROPA%0D%0A%09%09%09%09%09%09%09A%3AOkay.++I+get+it+and+don%27t+need+to+see+an+example.%0D%0A%09%09%09%09%09%09%09%09Q%2815.1.2.1.1.1.1.1.2%29%3AOkay.++The+references+for+these+answers+are+from+Article+5%281%29%3B+Recital+39%3B+Article+29+and+Working+Party+Opinion+03%2F2013+on+purpose+limitation+%28WP+203%29.GOTO%3APRINCIPLES%0D%0A%09%09A%3AI+have+questions+regarding+the+purpose+of+data+processing.%0D%0A%09%09%09Q%28DATA_PROCESSING%29%3A+Okay.++Go+ahead%21%0D%0A%09%09%09A%3A+Can+data+be+processed+for+any+purpose%3F%0D%0A%09%09%09%09Q%2815.1.2.2.1%29%3A+No.+The+purpose+for+processing+of+personal+data+must+be+known+and++the+individuals+whose+data+you%27re+processing+must+be+informed.+It+is+not+possible+to+simply+indicate+that+personal+data+will+be+collected+and+processed.+This+is+known+as+the+%27purpose+limitation%27+principle.%0D%0A%09%09%09%09A%3A+Got+it.++I+have+more+questions+about+data+processing.%0D%0A%09%09%09%09%09Q%2815.1.2.2.1.1%29%3AOkay.++References+for+this+question+come+from+Article+29+Working+Party+Opinion+03%2F2013+on+purpose+limitation+%28WP+203%29.GOTO%3ADATA_PROCESSING%0D%0A%09%09%09%09A%3A+Alright.+I+have+more+questions+about+the+principles+of+the+GDPR.%0D%0A%09%09%09%09%09Q%2815.1.2.2.1.2%29%3AOkay.++References+for+this+question+come+from+Article+29+Working+Party+Opinion+03%2F2013+on+purpose+limitation+%28WP+203%29.GOTO%3AEUROPA_YES%0D%0A%09%09%09%09A%3A+Okay.+I+have+more+general+questions.%0D%0A%09%09%09%09%09Q%2815.1.2.2.1.3%29%3AOkay.++References+for+this+question+come+from+Article+29+Working+Party+Opinion+03%2F2013+on+purpose+limitation+%28WP+203%29.GOTO%3AEUROPA_YES%0D%0A%09%09%09A%3A+Can+we+use+data+for+another+purpose%3F%0D%0A%09%09%09%09Q%2815.1.2.2.2%29%3AOkay.++Here+we+go.++Yes%2C+but+only+in+some+cases.+If+your+company%2Forganisation+has+collected+data+on+the+basis+of+legitimate+interest%2C+a+contract+or+vital+interests+it+can+be+used+for+another+purpose+but+only+after+checking+that+the+new+purpose+is+compatible+with+the+original+purpose.%0D%0A%09%09%09%09A%3AGo+on.%0D%0A%09%09%09%09%09Q%2815.1.2.2.2.1%29%3AThe+following+points+should+be+considered%3A%3Cbr%3E%3Cbr%3EThe+link+between+the+original+purpose+and+the+new%2Fupcoming+purpose%3B%3Cbr%3E%3Cbr%3EThe+context+in+which+the+data+was+collected+%28what+is+the+relationship+between+your+company%2Forganisation+and+the+individual%3F%29%0D%0A%09%09%09%09%09A%3AGo+on.%0D%0A%09%09%09%09%09%09Q%2815.1.2.2.2.1.1%29%3AThe+type+and+nature+of+the+data+%28is+it+sensitive%3F%29%3Cbr%3E%3Cbr%3EThe+possible+consequences+of+the+intended+further+processing+%28how+will+it+impact+the+individual%3F%29%3Cbr%3E%3Cbr%3EThe+existence+of+appropriate+safeguards+%28such+as+encryption+or+pseudonymisation%29.%0D%0A%09%09%09%09%09%09A%3AMore+please%21%0D%0A%09%09%09%09%09%09%09Q%2815.1.2.2.2.1.1.1%29%3AIf+your+company%2Forganisation+wants+to+use+the+data+for+statistics+or+for+scientific+research+it+is+not+necessary+to+run+the+compatibility+test.%3Cbr%3E%3Cbr%3EIf+your+company%2Forganisation+has+collected+the+data+on+the+basis+of+consent+or+following+a+legal+requirement%2C+no+further+processing+beyond+what+is+covered+by+the+original+consent+or+the+provisions+of+the+law+is+possible.+Further+processing+would+require+obtaining+new+consent+or+a+new+legal+basis.%0D%0A%09%09%09%09%09%09%09A%3AWow.++That%27s+a+lot+of+information.++Can+you+give+me+an+example%3F%0D%0A%09%09%09%09%09%09%09%09Q%2815.1.2.2.2.1.1.1.1%29%3A+Sure.++Which+kind+of+example%3F%0D%0A%09%09%09%09%09%09%09%09A%3A+Further+data+processing+is+possible.%0D%0A%09%09%09%09%09%09%09%09%09Q%2815.1.2.2.2.1.1.1.1.1%29%3AA+bank+has+a+contract+with+a+client+to+provide+the+client+with+a+bank+account+and+a+personal+loan.+At+the+end+of+the+first+year+the+bank+uses+the+client%27s+personal+data+to+check+whether+they+are+eligible+for+a+better+type+of+loan+and+a+savings+scheme.+It+informs+the+client.+The+bank+can+process+the+data+of+the+client+again+as+the+new+purposes+are+compatible+with+the+initial+purposes.%0D%0A%09%09%09%09%09%09%09%09%09A%3AOkay.++What+if+further+data+processing+isn%27t+possible%3F%0D%0A%09%09%09%09%09%09%09%09%09%09Q%2815.1.2.2.2.1.1.1.1.1.1%29%3AThe+same+bank+wants+to+share+the+client%27s+data+with+insurance+firms%2C+based+on+the+same+contract+for+a+bank+account+and+personal+loan.+That+processing+isn%27t+permitted+without+the+explicit+consent+of+the+client+as+the+purpose+isn%27t+compatible+with+the+original+purpose+for+which+the+data+was+processed.%0D%0A%09%09%09%09%09%09%09%09%09%09A%3AThanks.++I+have+more+questions+about+data+processing.%0D%0A%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.2.2.2.1.1.1.1.1.1.1%29%3AReferences+here+are+Articles+5%281%29%28b%29%2C+6%284%29+and+89%281%29+and+Recitals+%2839%29+and+%2850%29+of+the+GDPR+and+Article+29+Working+Party+Opinion+03%2F2013+on+purpose+limitation%2C+2+April+2013+%28WP+203%29.GOTO%3ADATA_PROCESSING%0D%0A%09%09%09%09%09%09%09%09%09%09A%3AGot+it.++I+have+more+questions+general+questions.%0D%0A%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.2.2.2.1.1.1.1.1.1.2%29%3AReferences+here+are+Articles+5%281%29%28b%29%2C+6%284%29+and+89%281%29+and+Recitals+%2839%29+and+%2850%29+of+the+GDPR+and+Article+29+Working+Party+Opinion+03%2F2013+on+purpose+limitation%2C+2+April+2013+%28WP+203%29.GOTO%3AEUROPA_YES.%0D%0A%09%09%09%09%09%09%09%09A%3A+Further+data+processing+isn%27t+possible.%0D%0A%09%09%09%09%09%09%09%09%09Q%2815.1.2.2.2.1.1.1.1.2%29%3A+The+same+bank+wants+to+share+the+client%27s+data+with+insurance+firms%2C+based+on+the+same+contract+for+a+bank+account+and+personal+loan.+That+processing+isn%27t+permitted+without+the+explicit+consent+of+the+client+as+the+purpose+isn%27t+compatible+with+the+original+purpose+for+which+the+data+was+processed.%0D%0A%09%09%09%09%09%09%09%09%09A%3A+Okay.++What+if+further+data+processing+is+possible%3F%0D%0A%09%09%09%09%09%09%09%09%09%09Q%2815.1.2.2.2.1.1.1.1.2.1%29%3AA+bank+has+a+contract+with+a+client+to+provide+the+client+with+a+bank+account+and+a+personal+loan.+At+the+end+of+the+first+year+the+bank+uses+the+client%27s+personal+data+to+check+whether+they+are+eligible+for+a+better+type+of+loan+and+a+savings+scheme.+It+informs+the+client.+The+bank+can+process+the+data+of+the+client+again+as+the+new+purposes+are+compatible+with+the+initial+purposes.%0D%0A%0D%0A%09%09%09%09%09%09%09%09%09%09A%3AThanks.++I+have+more+questions+about+data+processing.%0D%0A%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.2.2.2.1.1.1.1.2.1.1%29%3AReferences+here+are+Articles+5%281%29%28b%29%2C+6%284%29+and+89%281%29+and+Recitals+%2839%29+and+%2850%29+of+the+GDPR+and+Article+29+Working+Party+Opinion+03%2F2013+on+purpose+limitation%2C+2+April+2013+%28WP+203%29.GOTO%3ADATA_PROCESSING%0D%0A%09%09%09%09%09%09%09%09%09%09A%3AGot+it.++I+have+more+questions+general+questions.%0D%0A%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.2.2.2.1.1.1.1.2.1.2%29%3AReferences+here+are+Articles+5%281%29%28b%29%2C+6%284%29+and+89%281%29+and+Recitals+%2839%29+and+%2850%29+of+the+GDPR+and+Article+29+Working+Party+Opinion+03%2F2013+on+purpose+limitation%2C+2+April+2013+%28WP+203%29.GOTO%3AEUROPA_YES%0D%0A%09%09A%3AHow+much+data+can+be+collected%3F%0D%0A%09%09%09Q%2815.1.2.3%29%3APersonal+data+should+only+be+processed+where+it+isn%27t+reasonably+feasible+to+carry+out+the+processing+in+another+manner.+Where+possible%2C+it+is+preferable+to+use+anonymous+data.+Where+personal+data+is+needed%2C+it+should+be+%3Cb%3Eadequate%2C+relevant%2C+and+limited+to+what+is+necessary+for+the+purpose+%28%27data+minimisation%27%29%3C%2Fb%3E.+It%27s+your+company%2Forganisation%27s+responsibility+as+controller+to+assess+how+much+data+is+needed+and+ensure+that+irrelevant+data+isn%27t+collected.%0D%0A%09%09%09A%3A+Ahhh.++Can+I+see+an+example%3F%0D%0A%09%09%09%09Q%2815.1.2.3.1%29%3AYour+company%2Forganisation++offers+car-sharing+services+to+individuals.+For+those+services+it+may+require+the+name%2C+address+and+credit+card+number+of+your+customers+and+potentially+even+information+on+whether+the+person+has+a+disability+%28so+health+data%29%2C+but+not+their+racial+origin.%0D%0A%09%09%09%09A%3AI+have+more+questions+about+GDPR+principles.%0D%0A%09%09%09%09%09Q%2815.1.2.3.1.1%29%3ACool.++References+for+this+come+from+Article+5%281%29%28c%29+and+Recital+%2839%29+of+the+GDPR.GOTO%3APRINCIPLES%0D%0A%09%09%09%09A%3AI+have+more+questions+about+the+GDPR.%0D%0A%09%09%09%09%09Q%2815.1.2.3.1.2%29%3ACool.+References+for+this+come+from+Article+5%281%29%28c%29+and+Recital+%2839%29+of+the+GDPR.GOTO%3AEUROPA_YES%0D%0A%09%09A%3AFor+how+long+can+data+be+kept+and+is+it+necessary+to+update+it%3F%0D%0A%09%09%09Q%2815.1.2.4%29%3AYou+must+store+data+for+the+%3Cb%3Eshortest+time+possible.%3C%2Fb%3E+That+period+should+take+into+account+the+reasons+why+your+company%2Forganisation+needs+to+process+the+data%2C+as+well+as+any+legal+obligations+to+keep+the+data+for+a+fixed+period+of+time+%28for+example+national+labour%2C+tax+or+anti-fraud+laws+requiring+you+to+keep+personal+data+about+your+employees+for+a+defined+period%2C+product+warranty+duration%2C+etc.%29.%0D%0A%09%09%09A%3A+Go+on.%0D%0A%09%09%09%09Q%2815.1.2.4.1%29%3A+Your+company%2Forganisation+should+establish+%3Cb%3Etime+limits%3C%2Fb%3E+to+erase+or+%3Cb%3Ereview%3C%2Fb%3E+the+data+stored.+%3Cbr%3E%3Cbr%3EBy+way+of+an+exception%2C+personal+data+may+be+kept+for+a+longer+period+for+archiving+purposes+in+the+public+interest+or+for+reasons+of+scientific+or+historical+research%2C+provided+that+appropriate+technical+and+organisational+measures+are+put+in+place+%28such+as+anonymisation%2C+encryption%2C+etc.%29.%0D%0A%09%09%09%09A%3A+Go+on.%0D%0A%09%09%09%09%09Q%2815.1.2.4.1.1%29%3AYour+company%2Forganisation+must+also+ensure+that+the+data+held+is+accurate+and+kept+up-to-date.%0D%0A%09%09%09%09%09A%3A+Ah.++Can+you+give+me+an+example%3F++Like+if+data+is+kept+to+long+without+an+update%3F%0D%0A%09%09%09%09%09%09Q%2815.1.2.4.1.1.1%29%3AYour+company%2Forganisation+runs+a+recruitment+office+and+for+that+purpose+it+collects+CVs+of+persons+seeking+employment+and+who%2C+in+exchange+for+your+intermediary+services%2C+pay+you+a+fee.+You+plan+to+keep+the+data+for+20+years+and+you+take+no+measures+for+updating+the+CVs.%0D%0A%09%09%09%09%09%09A%3AGo+on.%0D%0A%09%09%09%09%09%09%09Q%2815.1.2.4.1.1.1.1%29%3AThe+storage+period+doesn%27t+seem+proportionate+to+the+purpose+of+finding+employment+for+a+person+in+the+short+to+medium+term.+Moreover%2C+the+fact+you+don%27t+request+updates+to+CVs+at+regular+intervals+renders+some+of+the+searches+useless+for+the+person+seeking+employment+after+a+certain+amount+of+time+%28for+instance+because+that+person+has+gained+new+qualifications%29.%0D%0A%09%09%09%09%09%09%09A%3A+Got+it.+I+have+more+questions+about+GPDR+Principles.%0D%0A%09%09%09%09%09%09%09%09Q%2815.1.2.4.1.1.1.1.1%29%3A+Okay.++References+for+this+question+are+from%0D%0AArticle+5%281%29%28e%29+and+Recital+%2839%29+of+the+GDPR.GOTO%3APRINCIPLES%0D%0A%09%09%09%09%09%09%09A%3A+Thanks.+I+have+more+general+questions+about+the+GPDR.%0D%0A%09%09%09%09%09%09%09%09Q%2815.1.2.4.1.1.1.1.2%29%3A+Okay.++References+for+this+question+are+from%0D%0AArticle+5%281%29%28e%29+and+Recital+%2839%29+of+the+GDPR.GOTO%3AEUROPA_YES%0D%0A%09%09A%3A+What+information+must+be+given+to+individuals+whose+data+is+collected%3F%0D%0A%09%09%09Q%2815.1.2.5%29%3AAt+the+time+of+collecting+their+data%2C+people+must+be+informed+clearly+about+at+least%3A%3Cbr%3E%3Cbr%3E%3Cb%3EWho%3C%2Fb%3E+your+company%2Forganisation+is+%28your+contact+details%2C+and+those+of+your+DPO+if+any%29%0D%0A%09%09%09A%3AGo+on.%0D%0A%09%09%09%09Q%2815.1.2.5.1%29%3A%3Cb%3Ewhy%3C%2Fb%3E+your+company%2Forganisation+will+be+using+their+personal+data+%28purposes%29%3Cbr%3E%3Cbr%3EThe+categories+of+personal+data+concerned%3B%3Cbr%3E%3Cbr%3EThe+%3Cb%3Elegal+justification%3C%2Fb%3E+for+processing+their+data%0D%0A%09%09%09%09A%3AGo+on.%0D%0A%09%09%09%09%09Q%2815.1.2.5.1.1%29%3A%3Cb%3EFor+how%3C%2Fb%3E+long+the+data+will+be+kept+%3Cbr%3E%3Cbr%3E%3Cb%3Ewho+else%3C%2Fb%3E+might+receive+it+%3Cbr%3E%3Cbr%3EWhether+their+personal+data+will+be+%3Cb%3Etransferred%3C%2Fb%3E+to+a+recipient+outside+the+EU%0D%0A%09%09%09%09%09A%3AGo+on.%0D%0A%09%09%09%09%09%09Q%2815.1.2.5.1.1.1%29%3Athat+they+have+a+right+to+a+%3Cb%3Ecopy+of+the+data%3C%2Fb%3E+%28right+to+access+personal+data%29+and+other+%3Cb%3Ebasic+rights%3C%2Fb%3E+in+the+field+of+data+protection+%28%3Ca+href%3D%22https%3A%2F%2Fec.europa.eu%2Finfo%2Flaw%2Flaw-topic%2Fdata-protection%2Freform%2Frights-citizens%2Fmy-rights_en%22+target%3D%22_blank%22%3Esee+complete+list+of+rights%3C%2Fa%3E%29%0D%0A%09%09%09%09%09%09A%3A+...%0D%0A%09%09%09%09%09%09%09Q%2815.1.2.5.1.1.1.1%29%3A+Their+%3Cb%3Eright+to+lodge+a+complaint%3C%2Fb%3E+with+a+Data+Protection+Authority+%28DPA%29+%3Cbr%3E%3Cbr%3E+Their+%3Cb%3Eright+to+withdraw%3C%2Fb%3E+consent+at+any+time+%3Cbr%3E%3Cbr%3E+Where+applicable%2C+the+existence+of+%3Cb%3Eautomated+decision-making%3C%2Fb%3E+and+the+logic+involved%2C+including+the+consequences+thereof.%0D%0A%09%09%09%09%09%09%09A%3AWow.%0D%0A%09%09%09%09%09%09%09%09Q%2815.1.2.5.1.1.1.1.1%29%3AYeah.++They+also+give+a+complete+%3Ca+href%3D%22http%3A%2F%2Feur-lex.europa.eu%2Flegal-content%2FEN%2FTXT%2F%3Furi%3DCELEX%3A32016R0679%23d1e2254-1-1%22+target%3D%22_blank%22%3E+list+of+information+%3C%2Fa%3E+to+be+provided.%0D%0A%09%09%09%09%09%09%09%09A%3A+Okay.%0D%0A%09%09%09%09%09%09%09%09%09Q%2815.1.2.5.1.1.1.1.1.1%29%3A+They%27re+not+done+yet.++You+see%2C+the+information+may+be+provided+in+%3Cb%3Ewriting%2C+orally%3C%2Fb%3E+at+the+request+of+the+individual+when+identity+of+that+person+is+proven+by+other+means%2C+or+by+electronic+means+where+appropriate.+Your+company%2Forganisation+must+do+that+in+a+%3Cb%3Econcise%2C+transparent%2C+intelligible+and+easily+accessible+way%3C%2Fb%3E%2C+in+%3Cb%3Eclear+and+plain+language%3C%2Fb%3E+and+%3Cb%3Efree+of+charge%3C%2Fb%3E.%0D%0A%09%09%09%09%09%09%09%09%09A%3A+I+assume+there%27s+more.%0D%0A%09%09%09%09%09%09%09%09%09%09Q%2815.1.2.5.1.1.1.1.1.1.1%29%3A+You+betcha.+When+data+is+obtained+from+another+company%2Forganisation%2C+your+company%2Forganisation+should+provide+the++information+listed+above+to+the+person+concerned+at+the+latest+within+1+month+after+your+company+obtained+the+personal+data%3B+or%2C+in+case+your+company%2Forganisation+communicates+with+the+individual%2C+when+the+data+is+used+to+communicate+with+them%3B+or%2C+if+a+disclosure+to+another+company+is+envisaged%2C+when+the+personal+data+was+first+disclosed.%0D%0A%09%09%09%09%09%09%09%09%09%09A%3A+Okay.++And+the+rest%3F%0D%0A%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.2.5.1.1.1.1.1.1.1.1%29%3A+Your+company%2Forganisation+is+also+required+to+inform+the+individual+of+the+categories+of+data+and+the+source+from+which+it+was+obtained+including+if+it+was+obtained++from+publicly+accessible+sources.+Under+specific+circumstances+listed+in+Articles+13%284%29+and+14%285%29+of+the+GDPR+your+company%2Forganisation+may+be+exempted+from+the+obligation+to+inform+the+individual.+Please+check+whether+that+exemption+applies+to+your+company%2Forganisation.%0D%0A%09%09%09%09%09%09%09%09%09%09%09A%3A+Got+it.++I+have+more+questions+about+GDPR+principles.%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.2.5.1.1.1.1.1.1.1.1.1%29%3A+Okay.++References+for+this+question+came+from+Article+12%281%29%2C+%285%29+and+%287%29%2C+Articles+13+and+14+and+Recitals+%2858%29+to+%2862%29+of+the+GDPR+and+Article+29+Working+Party+guidelines+on+transparency.GOTO%3APRINCIPLES.%0D%0A%0D%0A%09%09%09%09%09%09%09%09%09%09%09A%3A+Got+it.++I+have+more+questions+about+the+GDPR+in+general.%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.2.5.1.1.1.1.1.1.1.1.2%29%3A+Okay.++References+for+this+question+came+from+Article+12%281%29%2C+%285%29+and+%287%29%2C+Articles+13+and+14+and+Recitals+%2858%29+to+%2862%29+of+the+GDPR+and+Article+29+Working+Party+guidelines+on+transparency.GOTO%3AEUROPA_YES.%0D%0A%09A%3A+Public+administration+and+data+protection.%0D%0A%09%09Q%28PUBLIC_ADMIN%29%3A+Okay.++What+sort+of+thing+are+you+interested+in%3F%0D%0A%09%09A%3A+What+are+the+main+aspects+of+the+General+Data+Protection+Regulation+%28GDPR%29+that+a+public+administration+should+be+aware+of%3F%0D%0A%09%09%09Q%2815.1.3.1%29%3A+A+public+administration+is+subject+to+the+rules+of+the+GDPR+when+processing+personal+data+relating+to+an+individual.+It+is+the+responsibility+of+the+national+administrations+to+support+regional+and+local+administration+in+preparing+for+the+application+of+the+GDPR.%0D%0A%09%09%09A%3A+Go+on.%0D%0A%09%09%09%09Q%2815.1.3.1.1%29%3A+Most+of+the+personal+data+held+by+public+administrations+is+usually+processed+on+the+basis+of+a+legal+obligation+or+insofar+as+it+is+necessary+to+perform+tasks+carried+out+in+the+public+interest+or+in+the+exercise+of+official+authority+vested+in+it.%0D%0A%09%09%09%09A%3A+Go+on.%0D%0A%09%09%09%09%09Q%2815.1.3.1.1.1%29%3AWhen+processing+personal+data+a+public+administration+must+respect+%3Cb%3Ekey+principles%3C%2Fb%3E%2C+such+as%3A%3Cbr%3E%3Cbr%3EFair+and+lawful+processing%3Cbr%3E%3Cbr%3EPurpose+limitation%3Cbr%3E%3Cbr%3EData+minimisation+and+data+retention.%0D%0A%09%09%09%09%09A%3AOkay.%0D%0A%09%09%09%09%09%09Q%2815.1.3.1.1.1.1%29%3A+In+the+case+of+processing+on+the+basis+of+the+law%2C+this+law+should+already+ensure+that+these+principles+are+observed+%28e.g.+the+types+of+data%2C+storage+period+and+appropriate+safeguards%29.%0D%0A%09%09%09%09%09%09A%3A+Okay.%0D%0A%09%09%09%09%09%09%09Q%2815.1.3.1.1.1.1.1%29%3A+Prior+to+processing+personal+data%2C+individuals+must+be+informed+about+the+processing%2C+such+as+its+purposes%2C+the+types+of+data+collected%2C+the+recipients%2C+and+their+data+protection+rights.%0D%0A%09%09%09%09%09%09%09A%3A+There%27s+more%3F%0D%0A%09%09%09%09%09%09%09%09Q%2815.1.3.1.1.1.1.1.1%29%3AA+public+administration+is+required+to+%3Cb%3Eappoint+a+Data+Protection+Officer+%28DPO%29%2C+however%3C%2Fb%3E+a+single+data+protection+officer+may+be+designated+for+several+public+bodies+and+therefore+be+shared+amongst+them+or+outsource+this+work+to+an+external+DPO.%0D%0A%09%09%09%09%09%09%09%09A%3A+...%0D%0A%09%09%09%09%09%09%09%09%09Q%2815.1.3.1.1.1.1.1.1.1%29%3A+It+must+also+ensure+that+appropriate+technical+and+organisational+measures+have+been+implemented+to+%3Cb%3Esecure+personal+data%3C%2Fb%3E.%0D%0A%09%09%09%09%09%09%09%09%09A%3A+...%0D%0A%09%09%09%09%09%09%09%09%09%09Q%2815.1.3.1.1.1.1.1.1.1.1%29%3A+If+parts+of+the+processing+are+outsourced+to+an+external+organisation+%28so-called+%27processor%27%29+there+must+be+a+contract+or+another+legal+act+guaranteeing+that+the+processor+provides+sufficient+guarantees+to+implement+appropriate+technical+and+organisational+measures+that+meet+the+standards+of+the+GDPR.%0D%0A%09%09%09%09%09%09%09%09%09%09A%3A+...%0D%0A%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.3.1.1.1.1.1.1.1.1.1%29%3A+In+cases+where+personal+data+held+is+disclosed+accidentally+or+unlawfully+to+unauthorised+recipients+or+is+temporarily+unavailable+or+altered%2C+%3Cb%3Ethe+breach+must+be+notified+to+the+Data+Protection+Authority+%28DPA%29%3C%2Fb%3E+without+undue+delay+and+at+the+latest+within+72+hours+after+having+become+aware+of+the+breach.+The+public+administration+may+also+need+to+inform+individuals+about+the+breach.%0D%0A%09%09%09%09%09%09%09%09%09%09%09A%3A+We+almost+done+with+this%3F%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.3.1.1.1.1.1.1.1.1.1.1%29%3A+Yes.++You+can+find+more+information+about+the+obligations+of+public+administrations+under+the+GDPR+in+the+section+%3Ca+href%3D%22https%3A%2F%2Fec.europa.eu%2Finfo%2Flaw%2Flaw-topic%2Fdata-protection%2Freform%2Frules-business-and-organisations_en%22+taget%3D%22_blank%22%3E%27Business+and+organisations%27%3C%2Fa%3E.%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09A%3A+Thanks.++I+have+more+questions+about+Public+administration+and+data+protection.%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.3.1.1.1.1.1.1.1.1.1.1.1%29%3ACool.++References+for+this+question+are+Chapter+II+and+IV+of+the+GDPR.GOTO%3APUBLIC_ADMIN%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09A%3A+Got+it.++I+have+more+questions+about+the+GDPR+in+general.%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.3.1.1.1.1.1.1.1.1.1.1.2%29%3ACool.++References+for+this+question+are+Chapter+II+and+IV+of+the+GDPR.GOTO%3AEUROPA_YES%0D%0A%09%09A%3A+How+should+requests+from+individuals+be+dealt+with%3F%0D%0A%09%09%09Q%2815.1.3.2%29%3A+Individuals+may+contact+a+public+administration+to+exercise+their+rights+under+the+GDPR+%28rights+of+access%2C+rectification%2C+erasure%2C+restriction%2C+objection%2C+right+not+to+be+subject+to+automated+decision-making%29.%0D%0A%09%09%09A%3A+Okay.%0D%0A%09%09%09%09Q%2815.1.3.2.1%29%3A+Note+that+individuals+have+a+%3Cb%3Eright+to+object%3C%2Fb%3E+to+the+processing+of+personal+data+by+the+public+administration+on+grounds+of+public+interest.+They+must+provide+the+public+administration+with+reasons+relating+to+their+particular+situation.%3Cbr%3E%3Cbr%3E+The+public+administration+may+continue+processing+the+data%2C+and+thus+deny+their+request%2C+if+it+demonstrates+compelling+legitimate+grounds+for+the+processing+that+override+the+interests+and+rights+of+the+individual%2C+or+if+the+data+is+required+for+the+establishment%2C+exercise+or+defence+of+legal+claims.%0D%0A%09%09%09%09A%3A+Okay.%0D%0A%09%09%09%09%09Q%2815.1.3.2.1.1%29%3AIndividuals+don%27t+have+a+right+to+the+transmission+of+data+relating+to+them+that+is+needed+for+the+performance+of+a+task+carried+out+in+the+public+interest+or+in+the+exercise+of+official+authority+vested+in+them.%0D%0A%09%09%09%09%09A%3A+Got+it.%0D%0A%09%09%09%09%09%09Q%2815.1.3.2.1.1.1%29%3AA+public+administration+must+%3Cb%3Ereply%3C%2Fb%3E+to+requests+from+individuals+without+undue+delay%2C+and+in+principle+within+%3Cb%3E1+month%3C%2Fb%3E+of+receipt+of+the+request.+It+may+ask+for+additional+information+in+order+for++to+confirm+the+identity+of+the+person+making+the+request.%3Cbr%3E%3Cbr%3EIf+the+request+is+rejected+the+individuals+must+be+provided+with+the+reasons+for+rejection+and+informed+of+their+right+to+file+a+complaint+with+the+DPA+and+to+seek+a+judicial+remedy.%0D%0A%09%09%09%09%09%09A%3A+Got+it.%0D%0A%09%09%09%09%09%09%09Q%2815.1.3.2.1.1.1.1%29%3A+Great%21++If+you+have+more+questions%2C+you+can+see+the+%22%3Ca+href%3D%22https%3A%2F%2Fec.europa.eu%2Finfo%2Flaw%2Flaw-topic%2Fdata-protection%2Freform%2Frules-business-and-organisations_en%22+target%3D%22_blank%22%3EBusiness+and+organizations%3C%2Fa%3E%22+section+of+the+European+Commission%27s+site+on+data+protection.%0D%0A%09%09%09%09%09%09%09A%3A+Thanks.++I+have+more+questions+about+public+administration+and+data+collection.%0D%0A%09%09%09%09%09%09%09%09Q%2815.1.3.2.1.1.1.1.1%29%3A+Awesome.++References+for+this+section+came+form+Chapter+II+and+IV+of+the+GDPR.GOTO%3APUBLIC_ADMIN%0D%0A%09%09%09%09%09%09%09A%3A+I+see.++I+have+more+questions+about+the+GDPR+in+general.%0D%0A%09%09%09%09%09%09%09%09Q%2815.1.3.2.1.1.1.1.2%29%3A+Awesome.++References+for+this+section+came+form+Chapter+II+and+IV+of+the+GDPR.GOTO%3AEUROPA_YES%0D%0A%09%09A%3A+What+if+a+public+administration+fails+to+comply+with+the+data+protection+rules%3F%0D%0A%09%09%09Q%2815.1.3.3%29%3AThe+question%2C+really%2C+is+what+%3Ci%3Edoesn%27t%3C%2FI%3E+happen.++Just+kidding.+%3Cbr%3E%3Cbr%3E+The+%3Ca+href%3D%22https%3A%2F%2Fec.europa.eu%2Finfo%2Flaw%2Flaw-topic%2Fdata-protection%2Freform%2Frules-business-and-organisations%2Fenforcement-and-sanctions%2Fenforcement%2Fwhat-role-data-protection-authority_en%22+target%3D%22blank%22%3EData+Protection+Authorities%3C%2Fa%3E+have+different+tools+at+their+disposal+in+cases+of+non-compliance.+%3Cbr%3E%3Cbr%3EIn+the+case+of+a+likely+infringement%2C+a+%3Cb%3Ewarning%3C%2Fb%3E+may+be+issued.+In+the+case+of+an+infringement%2C+the+possibilities+include%3A+a+%3Cb%3Ereprimand+or+a+temporary+or+definitive+ban+on+the+processing.%3C%2Fb%3E+In+some+countries%2C+public+bodies+may+also+be+subject+to+%3Cb%3Eadministrative+fines%3C%2Fb%3E.+A+public+administration+should+check+the+national+data+protection+law+in+its+country.%0D%0A%09%09%09A%3A+Okay.%0D%0A%09%09%09%09Q%2815.1.3.3.1%29%3A+Individuals+can+claim+compensation+where+a+public+body+is+in+breach+of+the+GDPR+and+they+have+suffered+material+damages%2C+for+example+financial+loss%2C+or+non-material+damages%2C+for+example+reputational+loss+or+psychological+distress.%0D%0A%09%09%09%09A%3A+Okay.%0D%0A%09%09%09%09%09Q%2815.1.3.3.1.1%29%3A+The+GDPR+ensures+that+they+will+be+provided+with+compensation%2C+regardless+of+the+number+of+organisations+involved+in+the+processing+of+their+data.+Compensation+can+be+claimed+directly+from+the+public+body+or+before+the+competent+national+courts+of+the+EU+Member+State+concerned.%0D%0A%09%09%09%09%09A%3A+Got+it.%0D%0A%09%09%09%09%09%09Q%2815.1.3.3.1.1.1%29%3A+Okay.++Where+to+now%3F%0D%0A%09%09%09%09%09%09A%3A+I+have+more+questions+about+public+administration+and+data+collection.%0D%0A%09%09%09%09%09%09%09Q%2815.1.3.3.1.1.1.1%29%3A+I+knew+you+would.+You+can+always+check+out+Article+58+and+Article+82+to+%2884%29and+Recitals+%28129%29%2C+%28146%29+to+%28148%29%2C+%28150%29+and+%28151%29+of+the+GDPR+to+see+where+the+info+for+this+question+came+from.GOTO%3APUBLIC_ADMIN%0D%0A%09%09%09%09%09%09A%3A+I+have+more+questions+about+public+administration+and+data+collection.%0D%0A%09%09%09%09%09%09%09Q%2815.1.3.3.1.1.1.2%29%3A+I+knew+you+would.+You+can+always+check+out+Article+58+and+Article+82+to+%2884%29and+Recitals+%28129%29%2C+%28146%29+to+%28148%29%2C+%28150%29+and+%28151%29+of+the+GDPR+to+see+where+the+info+for+this+question+came+from.GOTO%3AEUROPA_YES%0D%0A%09A%3A+Legal+grounds+for+processing+data.%0D%0A%09%09Q%28LEGAL_GROUNDS%29%3A+Okay.++About+which+areas+do+you+have+questions%3F%0D%0A%09%09A%3AGrounds+for+processing.%0D%0A%09%09%09Q%28DATA_GROUNDS%29%3A+Okay.++About+what+sort+of+think+would+you+like+to+learn%3F%0D%0A%09%09%09A%3AWhen+can+personal+data+be+processed%3F%0D%0A%09%09%09%09Q%2815.1.4.1.1%29%3A+Your+company%2Forganisation+can+only+process+personal+data+in+the+following+circumstances%3A%3Cbr%3E%3Cbr%3Ewith+the+%3Cb%3Econsent%3C%2Fb%3E+of+the+individuals+concerned%3B%3Cbr%3E%3Cbr%3Ewhere+there+is+a+%3Cb%3Econtractual+obligation%3C%2Fb%3E+%28a+contract+between+your+company%2Forganisation++and+a+client%29%3B%0D%0A%09%09%09%09A%3A+Go+on.%0D%0A%09%09%09%09%09Q%2815.1.4.1.1.1%29%3ATo+meet+a+%3Cb%3Elegal+obligation%3C%2Fb%3E+under+EU+or+national+legislation%3Cbr%3E%3Cbr%3EWhere+processing+is+necessary+for+the+performance+of+a+task+carried+out+in+the+public+%3Cb%3Einterest%3C%2Fb%3E+under+EU+or+national+legislation%3Cbr%3E%3Cbr%3ETo+protect+the+vital+interests+of+an+individual%0D%0A%09%09%09%09%09A%3A+Go+on.%0D%0A%09%09%09%09%09%09Q%2815.1.4.1.1.1.1%29%3AFor+your+organisation%27s+%3Cb%3Elegitimate+interests%3C%2Fb%3E%2C+but+only+after+having+checked+that+the+fundamental+rights+and+freedoms+of+the+person+whose+data+you%27re+processing+aren%27t+seriously+impacted.+If+the+person%27s+rights+override+your+interests%2C+then+processing+cannot+be+carried+out+based+on+legitimate+interest.+The+assessment+as+to+whether+your+company%2Forganisation+has+a+legitimate+interest+for+processing+override+those+of+the+persons+concerned+depends+on+the+individual+circumstances+of+the+case.%0D%0A%09%09%09%09%09%09A%3A+I+think+I+understand+and+have+other+questions.%0D%0A%09%09%09%09%09%09%09Q%2815.1.4.1.1.1.1.1%29%3A+Are+you+sure%3F++I+have+some+good+examples+coming+up.%0D%0A%09%09%09%09%09%09%09A%3A+Yes%2C+I%27m+sure.+I+have+other+questions.%0D%0A%09%09%09%09%09%09%09%09Q%2815.1.4.1.1.1.1.1.1%29%3A+Okay.++Questions+about+what%3F%0D%0A%09%09%09%09%09%09%09%09A%3A+The+grounds+for+processing.%0D%0A%09%09%09%09%09%09%09%09%09Q%2815.1.4.1.1.1.1.1.1.1%29%3AOkay.++References+for+this+question+came+from+Article+6+and+Recitals+%2840%29+to+%2849%29+of+the+GDPR+and+Article+29+Working+Party+Opinion+06%2F2014+on+the+notion+of+legitimate+interests+of+the+data+controller+under+Article+7+of+Directive+95%2F46%2FEC.GOTO%3ADATA_GROUNDS%0D%0A%09%09%09%09%09%09%09%09%09A%3A+The+GDPR+in+general%0D%0A%09%09%09%09%09%09%09%09%09%09Q%2815.1.4.1.1.1.1.1.1.1.1%29%3AOkay.++References+for+this+question+came+from+Article+6+and+Recitals+%2840%29+to+%2849%29+of+the+GDPR+and+Article+29+Working+Party+Opinion+06%2F2014+on+the+notion+of+legitimate+interests+of+the+data+controller+under+Article+7+of+Directive+95%2F46%2FEC.GOTO%3AEUROPA_YES%0D%0A%09%09%09%09%09%09%09A%3A+Okay%2C+you%27ve+convinced+me.++Let%27s+see+your+examples.%0D%0A%09%09%09%09%09%09%09%09Q%2815.1.4.1.1.1.1.1.2%29%3A+Awesome.++Just+so+we%27re+clear%3A+they%27re+not+my+examples.+They%27re+the+examples+given+by+the+European+Commission.%0D%0A%09%09%09%09%09%09%09%09A%3A+Whatever.%0D%0A%09%09%09%09%09%09%09%09%09Q%28DATA_GROUNDS_EXAMPLE%29%3A+...+%3Cbr%3E%3Cbr%3EOkay.++Which+example+would+you+like+to+see%3F%0D%0A%09%09%09%09%09%09%09%09%09A%3A+An+example+related+to+consent.%0D%0A%09%09%09%09%09%09%09%09%09%09Q%2815.1.4.1.1.1.1.1.2.1.1%29%3AYour+company%2Forganisation+offers+a+music+app+and+ask+for+citizens%27+consent+to+process+their+musical+preferences+in+order+to+suggest+tailored+songs+and+possible+concerts+to+them.%0D%0A%09%09%09%09%09%09%09%09%09%09A%3AGot+it.++I+would+like+to+see+more+examples.%0D%0A%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.4.1.1.1.1.1.2.1.1.1%29%3AOkay.++References+for+this+question+came+from+Article+6+and+Recitals+%2840%29+to+%2849%29+of+the+GDPR+and+Article+29+Working+Party+Opinion+06%2F2014+on+the+notion+of+legitimate+interests+of+the+data+controller+under+Article+7+of+Directive+95%2F46%2FEC.GOTO%3ADATA_GROUNDS_EXAMPLES%0D%0A%09%09%09%09%09%09%09%09%09%09A%3AGot+it.++I+have+more+questions+about+the+grounds+for+processing.%0D%0A%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.4.1.1.1.1.1.2.1.1.2%29%3AOkay.++References+for+this+question+came+from+Article+6+and+Recitals+%2840%29+to+%2849%29+of+the+GDPR+and+Article+29+Working+Party+Opinion+06%2F2014+on+the+notion+of+legitimate+interests+of+the+data+controller+under+Article+7+of+Directive+95%2F46%2FEC.GOTO%3ADATA_GROUNDS%0D%0A%09%09%09%09%09%09%09%09%09%09%09A%3AGot+it.++I+have+more+questions+about+the+grounds+for+processing.%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.4.1.1.1.1.1.2.1.1.2.1%29%3AOkay.++References+for+this+question+came+from+Article+6+and+Recitals+%2840%29+to+%2849%29+of+the+GDPR+and+Article+29+Working+Party+Opinion+06%2F2014+on+the+notion+of+legitimate+interests+of+the+data+controller+under+Article+7+of+Directive+95%2F46%2FEC.GOTO%3ADATA_GROUNDS%0D%0A%09%09%09%09%09%09%09%09%09%09%09A%3AGot+it.++I+have+more+questions+about+the+GDPR+in+general.%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.4.1.1.1.1.1.2.1.1.2.2%29%3AOkay.++References+for+this+question+came+from+Article+6+and+Recitals+%2840%29+to+%2849%29+of+the+GDPR+and+Article+29+Working+Party+Opinion+06%2F2014+on+the+notion+of+legitimate+interests+of+the+data+controller+under+Article+7+of+Directive+95%2F46%2FEC.GOTO%3AEUROPA_YES%0D%0A%09%09%09%09%09%09%09%09%09A%3A+One+about+contractual+obligation.%0D%0A%09%09%09%09%09%09%09%09%09%09Q%2815.1.4.1.1.1.1.1.2.1.2%29%3AYour+company%2Forganisation++sell+goods+online.+It+can+process+data+that+is+necessary+to+take+steps+at+the+request+of+the+individual+prior+to+entering+into+the+contract+and+for+the+performance+of+the+contract.+So+you+can+process+the+name%2C+delivery+address%2C+credit+card+number+%28if+payment+by+card%29%2C+etc.%0D%0A%09%09%09%09%09%09%09%09%09%09A%3AGot+it.++I+would+like+to+see+more+examples.%0D%0A%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.4.1.1.1.1.1.2.1.2.1%29%3AOkay.++References+for+this+question+came+from+Article+6+and+Recitals+%2840%29+to+%2849%29+of+the+GDPR+and+Article+29+Working+Party+Opinion+06%2F2014+on+the+notion+of+legitimate+interests+of+the+data+controller+under+Article+7+of+Directive+95%2F46%2FEC.GOTO%3ADATA_GROUNDS_EXAMPLES%0D%0A%09%09%09%09%09%09%09%09%09%09A%3AGot+it.++I+have+more+questions+about+the+grounds+for+processing.%0D%0A%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.4.1.1.1.1.1.2.1.2.2%29%3AOkay.++References+for+this+question+came+from+Article+6+and+Recitals+%2840%29+to+%2849%29+of+the+GDPR+and+Article+29+Working+Party+Opinion+06%2F2014+on+the+notion+of+legitimate+interests+of+the+data+controller+under+Article+7+of+Directive+95%2F46%2FEC.GOTO%3ADATA_GROUNDS%0D%0A%09%09%09%09%09%09%09%09%09%09%09A%3AGot+it.++I+have+more+questions+about+the+grounds+for+processing.%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.4.1.1.1.1.1.2.1.2.2.1%29%3AOkay.++References+for+this+question+came+from+Article+6+and+Recitals+%2840%29+to+%2849%29+of+the+GDPR+and+Article+29+Working+Party+Opinion+06%2F2014+on+the+notion+of+legitimate+interests+of+the+data+controller+under+Article+7+of+Directive+95%2F46%2FEC.GOTO%3ADATA_GROUNDS%0D%0A%09%09%09%09%09%09%09%09%09%09%09A%3AGot+it.++I+have+more+questions+about+the+GDPR+in+general.%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.4.1.1.1.1.1.2.1.2.2.2%29%3AOkay.++References+for+this+question+came+from+Article+6+and+Recitals+%2840%29+to+%2849%29+of+the+GDPR+and+Article+29+Working+Party+Opinion+06%2F2014+on+the+notion+of+legitimate+interests+of+the+data+controller+under+Article+7+of+Directive+95%2F46%2FEC.GOTO%3AEUROPA_YES%0D%0A%09%09%09%09%09%09%09%09%09A%3A+Let%27s+talk+about+legal+obligations.%0D%0A%09%09%09%09%09%09%09%09%09%09Q%2815.1.4.1.1.1.1.1.2.1.3%29%3AYou+own+a+company+with+employees.+In+order+to+obtain+social+security+cover%2C+the+law+obliges+you+to+provide+personal+data+%28for+example+weekly+income+of+your+employees%29+to+the+relevant+authority.%0D%0A%09%09%09%09%09%09%09%09%09%09A%3AGot+it.++I+would+like+to+see+more+examples.%0D%0A%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.4.1.1.1.1.1.2.1.3.1%29%3AOkay.++References+for+this+question+came+from+Article+6+and+Recitals+%2840%29+to+%2849%29+of+the+GDPR+and+Article+29+Working+Party+Opinion+06%2F2014+on+the+notion+of+legitimate+interests+of+the+data+controller+under+Article+7+of+Directive+95%2F46%2FEC.GOTO%3ADATA_GROUNDS_EXAMPLES%0D%0A%09%09%09%09%09%09%09%09%09%09A%3AGot+it.++I+have+more+questions+about+the+grounds+for+processing.%0D%0A%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.4.1.1.1.1.1.2.1.3.2%29%3AOkay.++References+for+this+question+came+from+Article+6+and+Recitals+%2840%29+to+%2849%29+of+the+GDPR+and+Article+29+Working+Party+Opinion+06%2F2014+on+the+notion+of+legitimate+interests+of+the+data+controller+under+Article+7+of+Directive+95%2F46%2FEC.GOTO%3ADATA_GROUNDS%0D%0A%09%09%09%09%09%09%09%09%09%09%09A%3AGot+it.++I+have+more+questions+about+the+grounds+for+processing.%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.4.1.1.1.1.1.2.1.3.2.1%29%3AOkay.++References+for+this+question+came+from+Article+6+and+Recitals+%2840%29+to+%2849%29+of+the+GDPR+and+Article+29+Working+Party+Opinion+06%2F2014+on+the+notion+of+legitimate+interests+of+the+data+controller+under+Article+7+of+Directive+95%2F46%2FEC.GOTO%3ADATA_GROUNDS%0D%0A%09%09%09%09%09%09%09%09%09%09%09A%3AGot+it.++I+have+more+questions+about+the+GDPR+in+general.%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.4.1.1.1.1.1.2.1.3.2.2%29%3AOkay.++References+for+this+question+came+from+Article+6+and+Recitals+%2840%29+to+%2849%29+of+the+GDPR+and+Article+29+Working+Party+Opinion+06%2F2014+on+the+notion+of+legitimate+interests+of+the+data+controller+under+Article+7+of+Directive+95%2F46%2FEC.GOTO%3AEUROPA_YES%0D%0A%09%09%09%09%09%09%09%09%09A%3A+How+about+the+public+interest%3F%0D%0A%09%09%09%09%09%09%09%09%09%09Q%2815.1.4.1.1.1.1.1.2.1.4%29%3A+Example%3A+a+professional+association+such+as+a+bar+association+or+a+chamber+of+medical+professionals+vested+with+an+official+authority+to+do+so+may+carry+out+disciplinary+procedures+against+some+of+their+members.%0D%0A%09%09%09%09%09%09%09%09%09%09A%3AGot+it.++I+would+like+to+see+more+examples.%0D%0A%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.4.1.1.1.1.1.2.1.4.1%29%3AOkay.++References+for+this+question+came+from+Article+6+and+Recitals+%2840%29+to+%2849%29+of+the+GDPR+and+Article+29+Working+Party+Opinion+06%2F2014+on+the+notion+of+legitimate+interests+of+the+data+controller+under+Article+7+of+Directive+95%2F46%2FEC.GOTO%3ADATA_GROUNDS_EXAMPLES%0D%0A%09%09%09%09%09%09%09%09%09%09A%3AGot+it.++I+have+more+questions+about+the+grounds+for+processing.%0D%0A%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.4.1.1.1.1.1.2.1.4.2%29%3AOkay.++References+for+this+question+came+from+Article+6+and+Recitals+%2840%29+to+%2849%29+of+the+GDPR+and+Article+29+Working+Party+Opinion+06%2F2014+on+the+notion+of+legitimate+interests+of+the+data+controller+under+Article+7+of+Directive+95%2F46%2FEC.GOTO%3ADATA_GROUNDS%0D%0A%09%09%09%09%09%09%09%09%09%09%09A%3AGot+it.++I+have+more+questions+about+the+grounds+for+processing.%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.4.1.1.1.1.1.2.1.4.2.1%29%3AOkay.++References+for+this+question+came+from+Article+6+and+Recitals+%2840%29+to+%2849%29+of+the+GDPR+and+Article+29+Working+Party+Opinion+06%2F2014+on+the+notion+of+legitimate+interests+of+the+data+controller+under+Article+7+of+Directive+95%2F46%2FEC.GOTO%3ADATA_GROUNDS%0D%0A%09%09%09%09%09%09%09%09%09%09%09A%3AGot+it.++I+have+more+questions+about+the+GDPR+in+general.%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.4.1.1.1.1.1.2.1.4.2.2%29%3AOkay.++References+for+this+question+came+from+Article+6+and+Recitals+%2840%29+to+%2849%29+of+the+GDPR+and+Article+29+Working+Party+Opinion+06%2F2014+on+the+notion+of+legitimate+interests+of+the+data+controller+under+Article+7+of+Directive+95%2F46%2FEC.GOTO%3AEUROPA_YES%0D%0A%09%09%09%09%09%09%09%09%09A%3A+One+regarding+the+vital+interests+of+a+person.%0D%0A%09%09%09%09%09%09%09%09%09%09Q%2815.1.4.1.1.1.1.1.2.1.5%29%3A+A+hospital+is+treating+a+patient+after+a+serious+road+accident%3B+the+hospital+doesn%27t+need+his+consent+to+search+for+his+ID+to+check+whether+that+person+exists+in+the+hospital%27s+database+to+find+previous+medical+history+or+to+contact+his+next+of+kin.%0D%0A%09%09%09%09%09%09%09%09%09%09A%3AGot+it.++I+would+like+to+see+more+examples.%0D%0A%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.4.1.1.1.1.1.2.1.5.1%29%3AOkay.++References+for+this+question+came+from+Article+6+and+Recitals+%2840%29+to+%2849%29+of+the+GDPR+and+Article+29+Working+Party+Opinion+06%2F2014+on+the+notion+of+legitimate+interests+of+the+data+controller+under+Article+7+of+Directive+95%2F46%2FEC.GOTO%3ADATA_GROUNDS_EXAMPLES%0D%0A%09%09%09%09%09%09%09%09%09%09A%3AGot+it.++I+have+more+questions+about+the+grounds+for+processing.%0D%0A%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.4.1.1.1.1.1.2.1.5.2%29%3AOkay.++References+for+this+question+came+from+Article+6+and+Recitals+%2840%29+to+%2849%29+of+the+GDPR+and+Article+29+Working+Party+Opinion+06%2F2014+on+the+notion+of+legitimate+interests+of+the+data+controller+under+Article+7+of+Directive+95%2F46%2FEC.GOTO%3ADATA_GROUNDS%0D%0A%09%09%09%09%09%09%09%09%09%09%09A%3AGot+it.++I+have+more+questions+about+the+grounds+for+processing.%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.4.1.1.1.1.1.2.1.5.2.1%29%3AOkay.++References+for+this+question+came+from+Article+6+and+Recitals+%2840%29+to+%2849%29+of+the+GDPR+and+Article+29+Working+Party+Opinion+06%2F2014+on+the+notion+of+legitimate+interests+of+the+data+controller+under+Article+7+of+Directive+95%2F46%2FEC.GOTO%3ADATA_GROUNDS%0D%0A%09%09%09%09%09%09%09%09%09%09%09A%3AGot+it.++I+have+more+questions+about+the+GDPR+in+general.%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.4.1.1.1.1.1.2.1.5.2.2%29%3AOkay.++References+for+this+question+came+from+Article+6+and+Recitals+%2840%29+to+%2849%29+of+the+GDPR+and+Article+29+Working+Party+Opinion+06%2F2014+on+the+notion+of+legitimate+interests+of+the+data+controller+under+Article+7+of+Directive+95%2F46%2FEC.GOTO%3AEUROPA_YES%0D%0A%09%09%09%09%09%09%09%09%09A%3A+My+organization%27s+legitimate+interests.%0D%0A%09%09%09%09%09%09%09%09%09%09Q%2815.1.4.1.1.1.1.1.2.1.6%29%3A+Your+company%2Forganisation+ensures+network+security+by+monitoring+the+use+of+its+employees%27+IT+devices.+Your+company%2Forganisation++may+legitimately+process+personal+data+for+that+purpose%2C+only+if+the+least+intrusive+method+is+chosen+as+regards+the+privacy+and+data+protection+rights+of+your+employees%2C+for+example%2C+by+limiting+the+accessibility+of+certain+websites.+%28Note+that+this+can%27t+be+done+in+EU+Member+States+where+national+law+sets+out+stricter+rules+for+processing+in+the+employment+context%29.%0D%0A%09%09%09%09%09%09%09%09%09%09A%3AGot+it.++I+would+like+to+see+more+examples.%0D%0A%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.4.1.1.1.1.1.2.1.6.1%29%3AOkay.++References+for+this+question+came+from+Article+6+and+Recitals+%2840%29+to+%2849%29+of+the+GDPR+and+Article+29+Working+Party+Opinion+06%2F2014+on+the+notion+of+legitimate+interests+of+the+data+controller+under+Article+7+of+Directive+95%2F46%2FEC.GOTO%3ADATA_GROUNDS_EXAMPLES%0D%0A%09%09%09%09%09%09%09%09%09%09A%3AGot+it.++I+have+more+questions+about+the+grounds+for+processing.%0D%0A%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.4.1.1.1.1.1.2.1.6.2%29%3AOkay.++References+for+this+question+came+from+Article+6+and+Recitals+%2840%29+to+%2849%29+of+the+GDPR+and+Article+29+Working+Party+Opinion+06%2F2014+on+the+notion+of+legitimate+interests+of+the+data+controller+under+Article+7+of+Directive+95%2F46%2FEC.GOTO%3ADATA_GROUNDS%0D%0A%09%09%09%09%09%09%09%09%09%09%09A%3AGot+it.++I+have+more+questions+about+the+grounds+for+processing.%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.4.1.1.1.1.1.2.1.6.2.1%29%3AOkay.++References+for+this+question+came+from+Article+6+and+Recitals+%2840%29+to+%2849%29+of+the+GDPR+and+Article+29+Working+Party+Opinion+06%2F2014+on+the+notion+of+legitimate+interests+of+the+data+controller+under+Article+7+of+Directive+95%2F46%2FEC.GOTO%3ADATA_GROUNDS%0D%0A%09%09%09%09%09%09%09%09%09%09%09A%3AGot+it.++I+have+more+questions+about+the+GDPR+in+general.%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.4.1.1.1.1.1.2.1.6.2.2%29%3AOkay.++References+for+this+question+came+from+Article+6+and+Recitals+%2840%29+to+%2849%29+of+the+GDPR+and+Article+29+Working+Party+Opinion+06%2F2014+on+the+notion+of+legitimate+interests+of+the+data+controller+under+Article+7+of+Directive+95%2F46%2FEC.GOTO%3AEUROPA_YES%0D%0A%09%09A%3A+Sensitive+Data.%0D%0A%09%09%09Q%28SENSITIVE_DATA%29%3A+Gotcha.+What+would+you+like+to+know%3F%0D%0A%09%09%09A%3A+What+personal+data+is+considered+sensitive%3F%0D%0A%09%09%09%09Q%2815.1.4.2.1%29%3AThe+following+personal+data+is+considered+%27sensitive%27+and+is+subject+to+specific+processing+conditions%3A%3Cbr%3E%3Cbr%3Epersonal+data+revealing+racial+or+ethnic+origin%2C+political+opinions%2C+religious+or+philosophical+beliefs%3Cbr%3E%3Cbr%3Etrade-union+membership%3Cbr%3E%3Cbr%3Egenetic+data%2C+biometric+data+processed+solely+to+identify+a+human+being%3Cbr%3E%3Cbr%3Ehealth-related+data%3Cbr%3E%3Cbr%3Edata+concerning+a+person%27s+sex+life+or+sexual+orientation.%0D%0A%09%09%09%09A%3AGot+it.++Thanks.++I+have+more+questions+about+sensitive+data.%0D%0A%09%09%09%09%09Q%2815.1.4.2.1.1%29%3A+Okay.++References+for+this+question+came+from+Article+4%2813%29%2C+%2814%29+and+%2815%29+and+Article+9+andRecitals+%2851%29+to+%2856%29+of+the+GDPR.GOTO%3ASENSITIVE_DATA%0D%0A%09%09%09%09A%3AI+see.++I+have+more+questions+about+legal+grounds+for+processing+data.%0D%0A%09%09%09%09%09Q%2815.1.4.2.1.2%29%3A+Okay.++References+for+this+question+came+from+Article+4%2813%29%2C+%2814%29+and+%2815%29+and+Article+9+andRecitals+%2851%29+to+%2856%29+of+the+GDPR.GOTO%3ALEGAL_GROUNDS%0D%0A%09%09%09%09A%3AUnderstood.++I+have+more+questions+general+questions+about+GDPR.%0D%0A%09%09%09%09%09Q%2815.1.4.2.1.3%29%3A+Okay.++References+for+this+question+came+from+Article+4%2813%29%2C+%2814%29+and+%2815%29+and+Article+9+andRecitals+%2851%29+to+%2856%29+of+the+GDPR.GOTO%3AEUROPA_YES%0D%0A%09%09%09A%3A+Under+what+conditions+can+my+company%2Forganisation+process+sensitive+data%3F%0D%0A%09%09%09%09Q%2815.1.4.2.2%29%3A+Your+company%2Forganisation+can+only+process+%3Ca+href%3D%22https%3A%2F%2Fec.europa.eu%2Finfo%2Flaw%2Flaw-topic%2Fdata-protection%2Freform%2Frules-business-and-organisations%2Flegal-grounds-processing-data%2Fsensitive-data%2Fwhat-personal-data-considered-sensitive_en%22+target%3D%22_blank%22%3Esensitive+data%3C%2Fa%3E+if+one+of+the+following+conditions+is+met%3A%3Cbr%3E%3Cbr%3Ethe+%3Cb%3Eexplicit+consent%3C%2Fb%3E+of+the+individual+was+obtained+%28a+law+may+rule+out+this+option+in+certain+cases%29%3Cbr%3E%3Cbr%3EAn+%3Cb%3EEU+or+national+law+or+a+collective+agreement%3C%2Fb%3E%2C+requires+your+company%2Forganisation+to+process+the+data+to+comply+with+its+obligations+and+rights%2C+and+those+of+the+individuals%2C+in+the+fields+of+employment%2C+social+security+and+social+protection+law%0D%0A%09%09%09%09A%3A+Go+on.%0D%0A%09%09%09%09%09Q%2815.1.4.2.2.1%29%3A+The+%3Cb%3Evital+interests%3C%2Fb%3E+of+the+person%2C+or+of+a+person+physically+or+legally+incapable+of+giving+consent%2C+are+at+stake%3Cbr%3E%3Cbr%3EYou+are+a+%3Cb%3Efoundation%2C+association+or+other+not-for-profit+body%3C%2Fb%3E+with+a+political%2C+philosophical%2C+religious+or+trade+union+aim%2C+processing+data+about+its+%3Cb%3Emembers%3C%2Fb%3E+or+about+people+in+regular+contact+with+the+organisation%0D%0A%09%09%09%09%09A%3A+Anything+else%3F%0D%0A%09%09%09%09%09%09Q%2815.1.4.2.2.1.1%29%3AThe+personal+data+was+%3Cb%3Emanifestly+made+public%3C%2Fb%3E+by+the+individual%3Cbr%3E%3Cbr%3EThe+data+is+required+for+the+establishment%2C+exercise+or+defence+of+%3Cb%3Elegal+claims%3C%2Fb%3E%3B%3Cbr%3E%3Cbr%3EThe+data+is+processed+for+reasons+of+%3Cb%3Esubstantial+public+interest%3C%2Fb%3E+on+the+basis+of+EU+or+national+law%0D%0A%09%09%09%09%09%09A%3A+And%3F%0D%0A%09%09%09%09%09%09%09Q%2815.1.4.2.2.1.1.1%29%3AThe+data+is+processed+for+the+purposes+of+%3Cb%3Epreventive+or+occupational+medicine%3C%2Fb%3E%2C+assessment+of+the+working+capacity+of+the+employee%2C+medical+diagnosis%2C+the+provision+of+health+or+social+care+or+treatment%2C+or+the+management+of+health+or+social+care+systems+and+services+on+the+basis+of+EU+or+national+law%2C+or+on+the+basis+of+a+contract+as+a+health+professional%0D%0A%09%09%09%09%09%09%09A%3AThe+data+is+processed+for+reasons+of+%3Cb%3Epublic+interest+in+the+field+of+public+health%3C%2Fb%3E+on+the+basis+of+EU+or+national+law%3Cbr%3E%3Cbr%3EThe+data+is+processed+for+%3Cb%3Earchiving%2C+scientific+or+historical+research+purposes%3C%2Fb%3E+or+statistical+purposes+on+the+basis+of+EU+or+national+law.%0D%0A%09%09%09%09%09%09%09%09Q%2815.1.4.2.2.1.1.1.1%29%3A+Further+conditions+may+be+imposed+by+national+law+on+the+processing+of+genetic+data%2C+biometric+data+or+data+concerning+health.+Check+with+your+%3Ca+href%3D%22https%3A%2F%2Fec.europa.eu%2Fcommission%2Fsites%2Fbeta-political%2Ffiles%2Fnational-data-protection-authorities-jan_2018_en.pdf%22+target%3D%22_blank%22%3ENational+Data+Protection+Authority%3C%2Fa%3E.%0D%0A%09%09%09%09%09%09%09%09A%3A+Okay.++I+would+like+to+see+some+examples.%0D%0A%09%09%09%09%09%09%09%09%09Q%2815.1.4.2.2.1.1.1.1.1%29%3A+What+sort+of+example+would+you+like+to+see%3F%0D%0A%09%09%09%09%09%09%09%09%09A%3A+I+would+like+to+see+an+example+where+I+can+process+sensitive+data.%0D%0A%09%09%09%09%09%09%09%09%09%09Q%2815.1.4.2.2.1.1.1.1.1.1%29%3AA+doctor+sees+a+number+of+patients+at+his+clinic.+He+logs+the+visit+in+a+database+that+includes+fields+such+as+name%2Fsurname+of+patient%2C+description+of+symptoms+and+medication+prescribed.+That+is+considered+to+be+sensitive+data.+The+processing+of+health+data+by+the+clinic+is+allowed+under+the+data+protection+law+because+it+is+required+to+treat+the+person+and+is+carried+out+under+the+responsibility+of+a+doctor+who+is+subject+to+an+obligation+of+professional+secrecy.%0D%0A%09%09%09%09%09%09%09%09%09%09A%3A+Got+it.+What+about+an+example+where+I+%3Ci%3Ecan%27t%3C%2Fi%3E+process+sensitive+data%3F%0D%0A%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.4.2.2.1.1.1.1.1.1.1%29%3ANo+problem%21+Your++company+sells+dresses+online.+In+order+to+tailor+the+services+to+the+specific+interests+of+your+clients%2C+you+ask+them+to+provide+you+with+information+about+sizes%2C+preferred+colour%2C+payment+method%2C+name+and+the+address+so+that+the+product+can+be+delivered.+In+addition+your+company+asks+for+your+clients%27+political+views.+You+need+the+majority+of+the+information+to+fulfil+your+side+of+the+contract.+However%2C+clients%27+political+views+are+not+a+requirement+to+make+and+deliver+their+dresses.+Your+company+cannot++ask+for+that+information+under+that+contract.%0D%0A%09%09%09%09%09%09%09%09%09%09%09A%3A+I+see.++I+have+more+questions+about+sensitive+data.%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.4.2.2.1.1.1.1.1.1.1.1%29%3ACool.+References+for+this+questions+come+from+Article+9+and+Recitals+%2851%29+to+%2856%29+of+the+GDPR.GOTO%3ASENSITIVE_DATA%0D%0A%09%09%09%09%09%09%09%09%09%09%09A%3A+Go+it.++I+have+more+questions+about+the+legal+grounds+for+processing.%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.4.2.2.1.1.1.1.1.1.1.2%29%3ACool.+References+for+this+questions+come+from+Article+9+and+Recitals+%2851%29+to+%2856%29+of+the+GDPR.GOTO%3ALEGAL_GROUNDS%0D%0A%09%09%09%09%09%09%09%09%09%09%09A%3A+Wonderful.++I+have+more+general+questions+about+the+GDPR.%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.4.2.2.1.1.1.1.1.1.1.3%29%3ACool.+References+for+this+questions+come+from+Article+9+and+Recitals+%2851%29+to+%2856%29+of+the+GDPR.GOTO%3AEUROPA_YES%0D%0A%09%09%09%09%09%09%09%09%09%09A%3A+How+about+an+example+where+I+can%27t+process+sensitive+data%3F%0D%0A%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.4.2.2.1.1.1.1.1.1.2%29%3AYour++company+sells+dresses+online.+In+order+to+tailor+the+services+to+the+specific+interests+of+your+clients%2C+you+ask+them+to+provide+you+with+information+about+sizes%2C+preferred+colour%2C+payment+method%2C+name+and+the+address+so+that+the+product+can+be+delivered.+In+addition+your+company+asks+for+your+clients%27+political+views.+You+need+the+majority+of+the+information+to+fulfil+your+side+of+the+contract.+However%2C+clients%27+political+views+are+not+a+requirement+to+make+and+deliver+their+dresses.+Your+company+cannot++ask+for+that+information+under+that+contract.%0D%0A%09%09%09%09%09%09%09%09%09%09%09A%3A+Got+it.+What+the+example+where+I+%3Ci%3Ecan%3C%2FI%3E+process+sensitive+data%3F%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.4.2.2.1.1.1.1.1.1.2.1%29%3ASure+thing%21+A+doctor+sees+a+number+of+patients+at+his+clinic.+He+logs+the+visit+in+a+database+that+includes+fields+such+as+name%2Fsurname+of+patient%2C+description+of+symptoms+and+medication+prescribed.+That+is+considered+to+be+sensitive+data.+The+processing+of+health+data+by+the+clinic+is+allowed+under+the+data+protection+law+because+it+is+required+to+treat+the+person+and+is+carried+out+under+the+responsibility+of+a+doctor+who+is+subject+to+an+obligation+of+professional+secrecy.%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09A%3A+I+see.++I+have+more+questions+about+sensitive+data.%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.4.2.2.1.1.1.1.1.1.2.1.1%29%3ACool.+References+for+this+questions+come+from+Article+9+and+Recitals+%2851%29+to+%2856%29+of+the+GDPR.GOTO%3ASENSITIVE_DATA%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09A%3A+Go+it.++I+have+more+questions+about+the+legal+grounds+for+processing.%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.4.2.2.1.1.1.1.1.1.2.1.2%29%3ACool.+References+for+this+questions+come+from+Article+9+and+Recitals+%2851%29+to+%2856%29+of+the+GDPR.GOTO%3ALEGAL_GROUNDS%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09A%3A+Wonderful.++I+have+more+general+questions+about+the+GDPR.%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.4.2.2.1.1.1.1.1.1.2.1.3%29%3ACool.+References+for+this+questions+come+from+Article+9+and+Recitals+%2851%29+to+%2856%29+of+the+GDPR.GOTO%3AEUROPA_YES%0D%0A%09%09%09%09%09%09%09%09%09A%3A+Got+it.+I+have+other+questions.%0D%0A%09%09%09%09%09%09%09%09%09%09Q%2815.1.4.2.2.1.1.1.1.1.2%29%3A+Okay.++What+do+you+have+questions+about%3F%0D%0A%09%09%09%09%09%09%09%09%09%09A%3A+I+have+more+questions+about+sensitive+data.%0D%0A%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.4.2.2.1.1.1.1.1.2.1%29%3A+Okay.+References+for+this+questions+came+from+Article+9+and+Recitals+%2851%29+to+%2856%29+of+the+GDPR.GOTO%3ASENSITIVE_DATA%0D%0A%09%09%09%09%09%09%09%09%09%09A%3A+I+have+more+questions+about+about+the+legal+grounds+for+processing.%0D%0A%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.4.2.2.1.1.1.1.1.2.2%29%3A+Okay.+References+for+this+questions+came+from+Article+9+and+Recitals+%2851%29+to+%2856%29+of+the+GDPR.GOTO%3ALEGAL_GROUNDS%0D%0A%09%09%09%09%09%09%09%09%09%09A%3A+I+have+more+questions+about+the+GDPR+in+general.%0D%0A%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.4.2.2.1.1.1.1.1.2.3%29%3A+Okay.+References+for+this+questions+came+from+Article+9+and+Recitals+%2851%29+to+%2856%29+of+the+GDPR.GOTO%3AEUROPA_YES%0D%0A%09%09%09%09A%3AGot+it.++Thanks.++I+have+more+questions+about+sensitive+data.%0D%0A%09%09%09%09%09Q%2815.1.4.2.2.2%29%3A+Okay.++References+for+this+question+came+from+Article+4%2813%29%2C+%2814%29+and+%2815%29+and+Article+9+andRecitals+%2851%29+to+%2856%29+of+the+GDPR.GOTO%3ASENSITIVE_DATA%0D%0A%09%09%09%09A%3AI+see.++I+have+more+questions+about+legal+grounds+for+processing+data.%0D%0A%09%09%09%09%09Q%2815.1.4.2.2.3%29%3A+Okay.++References+for+this+question+came+from+Article+4%2813%29%2C+%2814%29+and+%2815%29+and+Article+9+andRecitals+%2851%29+to+%2856%29+of+the+GDPR.GOTO%3ALEGAL_GROUNDS%0D%0A%09%09%09%09A%3AUnderstood.++I+have+more+questions+general+questions+about+GDPR.%0D%0A%09%09%09%09%09Q%2815.1.4.2.2.4%29%3A+Okay.++References+for+this+question+came+from+Article+4%2813%29%2C+%2814%29+and+%2815%29+and+Article+9+andRecitals+%2851%29+to+%2856%29+of+the+GDPR.GOTO%3AEUROPA_YES%0D%0A%09%09A%3A+Are+there+any+specific+safeguards+for+data+about+children%3F%0D%0A%09%09%09Q%2815.1.4.3%29%3A+Your+company%2Forganisation+can+only+process+a+child%27s+personal+data+on+grounds+of+consent+with+the+%3Cb%3Eexplicit+consent+of+their+parent+or+guardian%3C%2Fb%3E+up+to+a+certain+age.+The+age+threshold+for+obtaining+parental+consent+varies+between+13+and+16+years%2C+depending+on+the+age+established+in+each+EU+Member+State.+Check+with+your+%3Ca+href%3D%22https%3A%2F%2Fec.europa.eu%2Fcommission%2Fsites%2Fbeta-political%2Ffiles%2Fnational-data-protection-authorities-jan_2018_en.pdf%22+target%3D%22_blank%22%3ENational+Data+Protection+Authority%3C%2Fa%3E.%0D%0A%09%09%09A%3A+Go+on.%0D%0A%09%09%09%09Q%2815.1.4.3.1%29%3AA+reasonable+effort+must+be+made%2C+taking+into+consideration+available+technology%2C+to+verify+that+the+consent+given+is+truly+in+line+with+the+law.+That+means+that+your+company%2Forganisation+must+implement+age-verification+measures+%28for+example+control+questions%2C+actions+on+the+website%29.%0D%0A%09%09%09%09A%3A+Go+on.%0D%0A%09%09%09%09%09Q%2815.1.4.3.1.1%29%3A+The+consent+from+the+parent+or+guardian+must+be+obtained+if+your+organisation+works+on+online+social+networking+sites+that+provide+free+games+to+children+or+family+insurance%2C+for+example.%3Cbr%3E%3Cbr%3EIf+your+organisation+targets+children%2C+you+must+ensure+that+any+information+and+communication+addressed+to+a+child+is+easily+accessible+and+in+clear+and+plain+language+that+a+child+can+easily+understand.%0D%0A%09%09%09%09%09A%3A+And%3F%0D%0A%09%09%09%09%09%09Q%2815.1.4.3.1.1.1%29%3A+Preventive+or+counselling+services+offered+directly+to+a+child+don%27t+require+parental+authorisation+since+they+are+aimed+at+protecting+the+children%27s+best+interests.%0D%0A%09%09%09%09%09%09A%3A+Got+it.++I+have+more+questions+about+legal+grounds+for+processing.%0D%0A%09%09%09%09%09%09%09Q%2815.1.4.3.1.1.1.1%29%3A+No+problem.++References+for+this+question+are+Articles+8+and+12+and+Recitals+%2838%29+and+%2858%29+of+the+GDPR.GOTO%3ALEGAL_GROUNDS%0D%0A%09%09%09%09%09%09A%3A+I+see.++I+have+more+questions+about+the+GDPR+in+general.%0D%0A%09%09%09%09%09%09%09Q%2815.1.4.3.1.1.1.2%29%3AOf+course.++References+for+this+questions+are+Articles+8+and+12+and+Recitals+%2838%29+and+%2858%29+of+the+GDPR.GOTO%3AEUROPA_YES%0D%0A%09%09A%3A+Can+data+received+from+a+third+party+be+used+for+marketing%3F%0D%0A%09%09%09Q%2815.1.4.4%29%3ABefore+acquiring+a+contact+list+or+a+database+with+contact+details+of+individuals+from+another+organisation%2C+that+organisation+must+be+able+to+%3Cb%3Edemonstrate+that+the+data+was+obtained+in+compliance+with+the+General+Data+Protection+Regulation%3C%2Fb%3E+and+that+it+%3Cb%3Emay+use+it+for+advertising+purposes%3C%2Fb%3E.+For+example%2C+if+the+organisation+acquired+it+based+on+consent%2C+the+consent+should%27ve+included+the+possibility+to+transmit+the+data+to+other+recipients+for+their+own+direct+marketing.%0D%0A%09%09%09A%3A+Okay.%0D%0A%09%09%09%09Q%2815.1.4.4.1%29%3AYour+company%2Forganisation+must+also+ensure+that+the+list+or+database+is+up-to-date+and+that+you+don%27t+send+advertising+to+individuals+who+objected+to+the+processing+of+their+personal+data+for+direct+marketing+purposes.+Your+company%2Forganisation+must+also+ensure+that+if+it+uses+communication+tools%2C+such+as+email%2C+for+the+purposes+of+direct+marketing%2C+it+complies+with+the+rules+set+out+in+the+%3Ca+href%3D%22http%3A%2F%2Feur-lex.europa.eu%2FLexUriServ%2FLexUriServ.do%3Furi%3DCELEX%3A32002L0058%3Aen%3AHTML%22+target%3D%22_blank%22%3EePrivacy+Directive%3C%2Fa%3E+%28Directive+2002%2F58%2FEC1%2A%29.%3Cbr%3E%3Cbr%3E%2ADirective+2002%2F58%2FEC+of+the+European+Parliament+and+of+the+Council+of+12+July+2002+concerning+the+processing+of+personal+data+and+the+protection+of+privacy+in+the+electronic+communications+sector+%28Directive+on+privacy+and+electronic+communications%29+%28OJ+L+201%2C+31.07.2002+p.37%29.%0D%0A%09%09%09%09A%3A+Okay.%0D%0A%09%09%09%09%09Q%2815.1.4.4.1.1%29%3ASuch+lists+are+processed+on+grounds+of+legitimate+interests+and+individuals+will+have+a+right+to+object+to+such+processing.+Your+company%2Forganisation+must+also+inform+individuals%2C+at+the+latest+at+the+time+of+the+first+communication+with+them%2C+that+you%27ve+collected+their+personal+data+and+that+you%27ll+be+processing+it+for+sending+them+adverts.%0D%0A%09%09%09%09%09A%3A+Okay.%0D%0A%09%09%09%09%09%09Q%2815.1.4.4.1.1.1%29%3A+Yup.++So%2C+want+to+see+an+example%3F%0D%0A%09%09%09%09%09%09A%3A+Sure%21%0D%0A%09%09%09%09%09%09%09Q%2815.1.4.4.1.1.1.1%29%3ATwo+friends%2C+Mrs.+A+and+Mr.+B%2C+run%2C+respectively%2C+a+gym+and+a+book+shop.+Each+collects+data+from+their+respective+customers.+Mr.+B%27s+book+shop+isn%27t+doing+well.+His+client+database+has+few+entries+and+not+many+people+walk+into+his+shop.+He+tells+Mrs.+A+that+he+has+a+new+biography+of+a+famous+athlete+and+asks+whether+Mrs.+A%27s+clients+would+be+interested+in+receiving+advertising+about+the+book.%0D%0A%09%09%09%09%09%09%09A%3A+So+what%3F%0D%0A%09%09%09%09%09%09%09%09Q%2815.1.4.4.1.1.1.1.1%29%3AThe+terms+of+Mrs.+A%27s+privacy+notice+informed+her+clients+that+she+could+share+the+data+with+partners+offering+products+in+the+health+and+fitness+area.+As+far+as+specific+consent+was+given+for+the+purpose+of+transmitting+the+data+to+other+recipients+for+their+own+direct+marketing%2C+Mrs.+A+can+send+the+client+list+to+Mr.+B.+No+data+can+be+sent+about+an+individual+who+objected+to+the+processing+of+their+personal+data.%0D%0A%09%09%09%09%09%09%09%09A%3A+Gotcha.%0D%0A%09%09%09%09%09%09%09%09%09Q%2815.1.4.4.1.1.1.1.1.1%29%3A+Okay.++What%27s+next%3F%0D%0A%09%09%09%09%09%09%09%09%09A%3A+I+have+more+questions+about+the+legal+grounds+from+processing+data.%0D%0A%09%09%09%09%09%09%09%09%09%09Q%2815.1.4.4.1.1.1.1.1.1.1%29%3ANo+problem.+References+for+this+question+came+from+Articles+4%2810%29%2C+5%2C+6%2C+14+and+21+of+the+GDPR%2C+Article+29+Working+Party+Opinion+on+Transparency%2C+and+%3Ca+href%3D%22http%3A%2F%2Feur-lex.europa.eu%2FLexUriServ%2FLexUriServ.do%3Furi%3DCELEX%3A32002L0058%3Aen%3AHTML%22+target%3D%22_blank%22%3EePrivacy+Directive+2002%2F58%2FEC%3C%2Fa%3E+rules+on+direct+marketing%2C+in+particular+Article+13.GOTO%3ALEGAL_GROUNDS%0D%0A%09%09%09%09%09%09%09%09%09A%3A+I+have+more+questions+about+the+GDPR+in+general.%0D%0A%09%09%09%09%09%09%09%09%09%09Q%2815.1.4.4.1.1.1.1.1.1.2%29%3ANo+problem.+References+for+this+question+came+from+Articles+4%2810%29%2C+5%2C+6%2C+14+and+21+of+the+GDPR%2C+Article+29+Working+Party+Opinion+on+Transparency%2C+and+%3Ca+href%3D%22http%3A%2F%2Feur-lex.europa.eu%2FLexUriServ%2FLexUriServ.do%3Furi%3DCELEX%3A32002L0058%3Aen%3AHTML%22+target%3D%22_blank%22%3EePrivacy+Directive+2002%2F58%2FEC%3C%2Fa%3E+rules+on+direct+marketing%2C+in+particular+Article+13.GOTO%3AEUROPA_YES%0D%0A%09%09%09%09%09%09A%3A+Nope.%0D%0A%09%09%09%09%09%09%09Q%2815.1.4.4.1.1.1.2%29%3A+If+you+say+so.++What+now%3F%0D%0A%09%09%09%09%09%09%09A%3A+I+have+more+questions+about+the+legal+grounds+from+processing+data.%0D%0A%09%09%09%09%09%09%09%09Q%2815.1.4.4.1.1.1.2.1%29%3ANo+problem.+References+for+this+question+came+from+Articles+4%2810%29%2C+5%2C+6%2C+14+and+21+of+the+GDPR%2C+Article+29+Working+Party+Opinion+on+Transparency%2C+and+%3Ca+href%3D%22http%3A%2F%2Feur-lex.europa.eu%2FLexUriServ%2FLexUriServ.do%3Furi%3DCELEX%3A32002L0058%3Aen%3AHTML%22+target%3D%22_blank%22%3EePrivacy+Directive+2002%2F58%2FEC%3C%2Fa%3E+rules+on+direct+marketing%2C+in+particular+Article+13.GOTO%3ALEGAL_GROUNDS%0D%0A%09%09%09%09%09%09%09A%3A+I+have+more+questions+about+the+GDPR+in+general.%0D%0A%09%09%09%09%09%09%09%09Q%2815.1.4.4.1.1.1.2.2%29%3ANo+problem.+References+for+this+question+came+from+Articles+4%2810%29%2C+5%2C+6%2C+14+and+21+of+the+GDPR%2C+Article+29+Working+Party+Opinion+on+Transparency%2C+and+%3Ca+href%3D%22http%3A%2F%2Feur-lex.europa.eu%2FLexUriServ%2FLexUriServ.do%3Furi%3DCELEX%3A32002L0058%3Aen%3AHTML%22+target%3D%22_blank%22%3EePrivacy+Directive+2002%2F58%2FEC%3C%2Fa%3E+rules+on+direct+marketing%2C+in+particular+Article+13.GOTO%3AEUROPA_YES%0D%0A%09A%3A+Obligations.%0D%0A%09%09Q%28OBLIGATIONS%29%3A+Cool.++What+would+you+like+to+know+about+obligations%3F%0D%0A%09%09A%3A+I+have+questions+about+data+controllers+and+processors.%0D%0A%09%09%09Q%28CONTROLLER_PROCESSOR%29%3A+Okay.+What+would+you+like+to+know%3F%0D%0A%09%09%09A%3A+What+is+a+data+controller+or+a+data+processor%3F%0D%0A%09%09%09%09Q%2815.1.5.1.1%29%3A+The+%3Cb%3Edata+controller%3C%2Fb%3E+determines+the+%3Cb%3Epurposes%3C%2Fb%3E+for+which+and+the+%3Cb%3Emeans%3C%2Fb%3E+by+which+personal+data+is+processed.+So%2C+if+your+company%2Forganisation+decides+%27why%27+and+%27how%27+the+personal+data+should+be+processed+it+is+the+data+controller.+Employees+processing+personal+data+within+your+organisation+do+so+to+fulfil+your+tasks+as+data+controller.%0D%0A%09%09%09%09A%3A+Okay.%0D%0A%09%09%09%09%09Q%2815.1.5.1.1.1%29%3A+Your+company%2Forganisation+is+a+%3Cb%3Ejoint+controller%3C%2Fb%3E+when+together+with+one+or+more+organisations+it+jointly+determines+%27why%27+and+%27how%27+personal+data+should+be+processed.+Joint+controllers+must+enter+into+an+arrangement+setting+out+their+respective+responsibilities+for+complying+with+the+GDPR+rules.+The+main+aspects+of+the+arrangement+must+be+communicated+to+the+individuals+whose+data+is+being+processed.%0D%0A%09%09%09%09%09A%3A+Hmmm....%0D%0A%09%09%09%09%09%09Q%2815.1.5.1.1.1.1%29%3A+The+%3Cb%3Edata+processor%3C%2Fb%3E+processes+personal+data+only+%3Cb%3Eon+behalf+of+the+controller%3C%2Fb%3E.+The+data+processor+is+usually+a+third+party+external+to+the+company.+However%2C+in+the+case+of+groups+of+undertakings%2C+one+undertaking+may+act+as+processor+for+another+undertaking.%0D%0A%09%09%09%09%09%09A%3A+And%3F%0D%0A%09%09%09%09%09%09%09Q%2815.1.5.1.1.1.1.1%29%3AThe+duties+of+the+processor+towards+the+controller+must+be+specified+in+a+contract+or+another+legal+act.+For+example%2C+the+contract+must+indicate+what+happens+to+the+personal+data+once+the+contract+is+terminated.+A+typical+activity+of+processors+is+offering+IT+solutions%2C+including+cloud+storage.+The+data+processor+may+only+sub-contract+a+part+of+its+task+to+another+processor+or+appoint+a+joint+processor+when+it+has+received+prior+written+authorisation+from+the+data+controller.%0D%0A%09%09%09%09%09%09%09A%3A+And%3F%0D%0A%09%09%09%09%09%09%09%09Q%2815.1.5.1.1.1.1.1.1%29%3A+There+are+situations+where+an+entity+can+be+a+data+controller%2C+or+a+data+processor%2C+or+both.%0D%0A%09%09%09%09%09%09%09%09A%3A+I+see.++Can+you+give+me+some+examples%3F%0D%0A%09%09%09%09%09%09%09%09%09Q%2815.1.5.1.1.1.1.1.1.1%29%3A+Sure.++Have+a+suggestion%3F%0D%0A%09%09%09%09%09%09%09%09%09A%3A+I+would+like+to+see+an+example+where+an+entity+is+both+a+controller+and+a+processor.%0D%0A%09%09%09%09%09%09%09%09%09%09Q%2815.1.5.1.1.1.1.1.1.1.1%29%3AA+brewery+has+many+employees.+It+signs+a+contract+with+a+payroll+company+to+pay+the+wages.+The+brewery+tells+the+payroll+company+when+the+wages+should+be+paid%2C+when+an+employee+leaves+or+has+a+pay+rise%2C+and+provides+all+other+details+for+the+salary+slip+and+payment.+The+payroll+company+provides+the+IT+system+and+stores+the+employees%27+data.+The+brewery+is+the+data+controller+and+the+payroll+company+is+the+data+processor.%0D%0A%09%09%09%09%09%09%09%09%09%09A%3A+And+what+about+an+example+where+there+are+joint+controllers%3F%0D%0A%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.5.1.1.1.1.1.1.1.1.1%29%3AYour+company%2Forganisation+offers+babysitting+services+via+an+online+platform.+At+the+same+time+your+company%2Forganisation+has+a+contract+with+another+company+allowing+you+to+offer+value-added+services.+Those+services+include+the+possibility+for+parents+not+only+to+choose+the+babysitter+but+also+to+rent+games+and+DVDs+that+the+babysitter+can+bring.%0D%0A%09%09%09%09%09%09%09%09%09%09%09A%3A+And%3F%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.5.1.1.1.1.1.1.1.1.1.1%29%3ABoth+companies+are+involved+in+the+technical+set-up+of+the+website.+In+that+case%2C+the+two+companies+have+decided+to+use+the+platform+for+both+purposes+%28babysitting+services+and+DVD%2Fgames+rental%29+and+will+very+often+share+clients%27+names.+Therefore%2C+the+two+companies+are+joint+controllers+because+not+only+do+they+agree+to+offer+the+possibility+of+%27combined+services%27+but+they+also+design+and+use+a+common+platform.%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09A%3A+I+understand.++I+have+some+more+questions+about+controllers+and+processors.%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.5.1.1.1.1.1.1.1.1.1.1.1%29%3ASure+thing.+References+for+this+questions+are+from+Article+4%287%29+and+%288%29%2C+Articles+24%2C+26%2C+28+and+29+and+Recitals+%2874%29%2C+%2879%29+and+%2881%29+of+the+GDPR+and+Article+29+Working+Party+Opinion+1%2F2010+on+the+concepts+of+%27controller%27+and+%27processor%27+%28WP+169%29.GOTO%3ACONTROLLER_PROCESSOR%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09A%3A+Gotcha.++I+have+some+more+questions+about+obligations+under+the+GDPR.%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.5.1.1.1.1.1.1.1.1.1.1.2%29%3ASure+thing.+References+for+this+questions+are+from+Article+4%287%29+and+%288%29%2C+Articles+24%2C+26%2C+28+and+29+and+Recitals+%2874%29%2C+%2879%29+and+%2881%29+of+the+GDPR+and+Article+29+Working+Party+Opinion+1%2F2010+on+the+concepts+of+%27controller%27+and+%27processor%27+%28WP+169%29.OBLIGATIONS%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09A%3A+I+have+some+more+questions+about+the+GDPR+in+general.%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.5.1.1.1.1.1.1.1.1.1.1.3%29%3ASure+thing.+References+for+this+questions+are+from+Article+4%287%29+and+%288%29%2C+Articles+24%2C+26%2C+28+and+29+and+Recitals+%2874%29%2C+%2879%29+and+%2881%29+of+the+GDPR+and+Article+29+Working+Party+Opinion+1%2F2010+on+the+concepts+of+%27controller%27+and+%27processor%27+%28WP+169%29.GOTO%3AEUROPA_YES%0D%0A%0D%0A%09%09%09%09%09%09%09%09%09%09A%3A+I+understand.++I+have+some+more+questions+about+controllers+and+processors.%0D%0A%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.5.1.1.1.1.1.1.1.1.2%29%3ASure+thing.+References+for+this+questions+are+from+Article+4%287%29+and+%288%29%2C+Articles+24%2C+26%2C+28+and+29+and+Recitals+%2874%29%2C+%2879%29+and+%2881%29+of+the+GDPR+and+Article+29+Working+Party+Opinion+1%2F2010+on+the+concepts+of+%27controller%27+and+%27processor%27+%28WP+169%29.GOTO%3ACONTROLLER_PROCESSOR%0D%0A%09%09%09%09%09%09%09%09%09%09A%3A+Gotcha.++I+have+some+more+questions+about+obligations+under+the+GDPR.%0D%0A%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.5.1.1.1.1.1.1.1.1.3%29%3ASure+thing.+References+for+this+questions+are+from+Article+4%287%29+and+%288%29%2C+Articles+24%2C+26%2C+28+and+29+and+Recitals+%2874%29%2C+%2879%29+and+%2881%29+of+the+GDPR+and+Article+29+Working+Party+Opinion+1%2F2010+on+the+concepts+of+%27controller%27+and+%27processor%27+%28WP+169%29.OBLIGATIONS%0D%0A%09%09%09%09%09%09%09%09%09%09A%3A+I+have+some+more+questions+about+the+GDPR+in+general.%0D%0A%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.5.1.1.1.1.1.1.1.1.4%29%3ASure+thing.+References+for+this+questions+are+from+Article+4%287%29+and+%288%29%2C+Articles+24%2C+26%2C+28+and+29+and+Recitals+%2874%29%2C+%2879%29+and+%2881%29+of+the+GDPR+and+Article+29+Working+Party+Opinion+1%2F2010+on+the+concepts+of+%27controller%27+and+%27processor%27+%28WP+169%29.GOTO%3AEUROPA_YES%0D%0A%09%09%09%09%09%09%09%09A%3A+I+understand.++I+have+some+more+questions+about+controllers+and+processors.%0D%0A%09%09%09%09%09%09%09%09%09Q%2815.1.5.1.1.1.1.1.1.2%29%3ASure+thing.+References+for+this+questions+are+from+Article+4%287%29+and+%288%29%2C+Articles+24%2C+26%2C+28+and+29+and+Recitals+%2874%29%2C+%2879%29+and+%2881%29+of+the+GDPR+and+Article+29+Working+Party+Opinion+1%2F2010+on+the+concepts+of+%27controller%27+and+%27processor%27+%28WP+169%29.GOTO%3ACONTROLLER_PROCESSOR%0D%0A%09%09%09%09%09%09%09%09A%3A+Got+it.++I+have+more+questions+about+obligations+under+the+GDPR.%0D%0A%09%09%09%09%09%09%09%09%09Q%2815.1.5.1.1.1.1.1.1.3%29%3AOkay.+References+for+this+questions+are+from+Article+4%287%29+and+%288%29%2C+Articles+24%2C+26%2C+28+and+29+and+Recitals+%2874%29%2C+%2879%29+and+%2881%29+of+the+GDPR+and+Article+29+Working+Party+Opinion+1%2F2010+on+the+concepts+of+%27controller%27+and+%27processor%27+%28WP+169%29.GOTO%3AOBLIGATIONS%0D%0A%09%09%09%09%09%09%09%09A%3A+Okie-dokie.++I+have+more+questions+about+the+GDPR+in+general.%0D%0A%09%09%09%09%09%09%09%09%09Q%2815.1.5.1.1.1.1.1.1.4%29%3ASure+thing.+References+for+this+questions+are+from+Article+4%287%29+and+%288%29%2C+Articles+24%2C+26%2C+28+and+29+and+Recitals+%2874%29%2C+%2879%29+and+%2881%29+of+the+GDPR+and+Article+29+Working+Party+Opinion+1%2F2010+on+the+concepts+of+%27controller%27+and+%27processor%27+%28WP+169%29.GOTO%3AEUROPA_YES.%0D%0A%09%09%09A%3ACan+someone+else+process+the+data+on+my+organisation%27s+behalf%3F%0D%0A%09%09%09%09Q%2815.1.5.1.2%29%3A+Someone+else+%28a+natural+or+legal+person+or+any+other+body%29+%3Cb%3Emay+process+personal+data%3C%2Fb%3E+on+your+behalf+provided+%3Cb%3Ethere+is+a+contract+or+other+legal+act%3C%2Fb%3E.+It+is+important+that+the+processor+you+appoint+provides+sufficient+guarantees+to+implement+appropriate+technical+and+organisational+measures+to+ensure+that+the+processing+will+meet+the+standards+of+the+General+Data+Protection+Regulation+%28GDPR%29+and+to+guarantee+the+protection+of+the+rights+of+the+individuals.%0D%0A%09%09%09%09A%3A+Go+on.%0D%0A%09%09%09%09%09Q%2815.1.5.1.2.1%29%3A+The+appointed+processor+can%27t+subsequently+appoint+another+processor+without+your+prior%2C+specific+or+general+written+authorisation.+The+contract+or+legal+act+between+your+company%2Forganisation++and+the+processor+should+include+the+following+elements...%0D%0A%09%09%09%09%09A%3A+What+are+they%3F%0D%0A%09%09%09%09%09%09Q%2815.1.5.1.2.1.1%29%3A+The+processing+can+take+place+only+on+documented+instructions+from+the+controller%3Cbr%3E%3Cbr%3EThe+processor+ensures+that+persons+authorised+to+process+the+personal+data+have+committed+themselves+to+confidentiality+or+are+under+an+appropriate+statutory+obligation+of+confidentiality%0D%0A%09%09%09%09%09%09A%3A+And%3F%0D%0A%09%09%09%09%09%09%09Q%2815.1.5.1.2.1.1.1%29%3A+The+processor+must+offer+a+minimal+security+level+defined+by+the+controller+%3Cbr%3E%3Cbr%3EThe+processor+must+assist+in+ensuring+compliance+with+the+GDPR.%0D%0A%09%09%09%09%09%09%09A%3A+Can+you+give+me+an+example%3F%0D%0A%09%09%09%09%09%09%09%09Q%2815.1.5.1.2.1.1.1.1%29%3A+A+construction+company+is+using+a+sub-contractor+for+specific+construction+work%2C+and+provides+it+with+the+contact+details+of+the+clients+where+the+construction+work+needs+to+be+done.+The+sub-contractor+further+uses+the+data+to+send+the+clients+marketing+material.+The+sub-contractor+in+that+case+doesn%27t+qualify+merely+as+a+%27processor%27+under+the+GDPR+as+the+sub-contractor+is+not+only+processing+personal+data+on+behalf+of+the+construction+company%2C+but+also+further+processing+it+for+its+own+purposes.+The+sub-contractor+is+therefore+acting+as+a+%27data+controller%27.%0D%0A%09%09%09%09%09%09%09%09A%3A+Okay.++How+about+another%3F%0D%0A%09%09%09%09%09%09%09%09%09Q%2815.1.5.1.2.1.1.1.1.1%29%3A+You%27re+a+retail+company+that+decides+to+store+a+back-up+version+of+your+client+database+on+a+cloud+server.+To+that+end+you+enter+into+a+contract+with+a+cloud+provider+known+for+its+data+protection+standards+and+which+also+has+a+certified+system+of+encryption+of+data.+The+cloud+provider+is+your+processor+as+by+storing+the+personal+data+of+your+clients+in+its+servers+it+will+be+processing+personal+data+on+your+behalf.%0D%0A%09%09%09%09%09%09%09%09%09A%3A+Got+it.++I+have+more+questions+about+controllers+and+processors.%0D%0A%09%09%09%09%09%09%09%09%09%09Q%2815.1.5.1.2.1.1.1.1.1.1%29%3A+Sure.++References+for+this+question+are+Article+28+and+Recital+%2881%29+of+the+GDPR.GOTO%3ACONTROLLER_PROCESSOR%0D%0A%09%09%09%09%09%09%09%09%09A%3A+Okay.++I+have+more+questions+about+obligations.%0D%0A%09%09%09%09%09%09%09%09%09%09Q%2815.1.5.1.2.1.1.1.1.1.2%29%3A+Sure.++References+for+this+question+are+Article+28+and+Recital+%2881%29+of+the+GDPR.GOTO%3AOBLIGATIONS%0D%0A%09%09%09%09%09%09%09%09%09A%3A+Alright.++I+have+more+questions+about+controllers+and+processors.%0D%0A%09%09%09%09%09%09%09%09%09%09Q%2815.1.5.1.2.1.1.1.1.1.3%29%3A+Sure.++References+for+this+question+are+Article+28+and+Recital+%2881%29+of+the+GDPR.GOTO%3AEUROPA_YES%0D%0A%09%09A%3A+Are+the+obligations+the+same+regardless+of+the+amount+of+data+my+company%2Forganisation+handles%3F%0D%0A%09%09%09Q%2815.1.5.2%29%3A+The+General+Data+Protection+Regulation+%28GDPR%29+is+based+on+the+risk-based+approach.+In+other+words%2C+companies%2Forganisations+processing+personal+data+are+encouraged+to+implement+protective+measures+%3Cb%3Ecorresponding+to+the+level+of+risk+of+their+data+processing+activities%3C%2Fb%3E.+Therefore%2C+the+obligations+on+a+company+processing+a+lot+of+data+are+more+onerous+than+on+a+company+processing+a+small+amount+of+data.%0D%0A%09%09%09A%3A+Go+on.%0D%0A%09%09%09%09Q%2815.1.5.2.1%29%3A+For+example%2C+the+probability+of+hiring+a+data+protection+officer+for+a+company%2Forganisation+processing+a+lot+of+data+is+higher+than+for+a+company%2Forganisation+processing+a+small+amount+of+data+%28in+that+case+this+links+to+the+notion+of+processing+of+personal+data+on+a+%27large+scale%27%29.+At+the+same+time%2C+the+nature+of+the+personal+data+and+the+impact+of+the+envisaged+processing+also+play+a+role.+Processing+of+a+small+amount+of+data%2C+but+which+is+of+a+sensitive+nature%2C+for+example++health+data%2C+would+require+implementing+more+stringent+measures+to+comply+with+the+GDPR.%0D%0A%09%09%09%09A%3A+And%3F%0D%0A%09%09%09%09%09Q%2815.1.5.2.1.1%29%3A+In+all+cases%2C+the+principles+of+data+protection+must+be+respected+and+individuals+allowed+to+exercise+their+rights.%0D%0A%09%09%09%09%09A%3A+Great.++I+have+more+questions+about+obligations+under+the+GDPR.%0D%0A%09%09%09%09%09%09Q%2815.1.5.2.1.1.1%29%3A+Okay.++The+reference+for+this+question+is+Chapter+IV+of+the+GDPR.GOTO%3AOBLIGATIONS%0D%0A%09%09%09%09%09A%3A+Okay.++I+have+more+questions+about+the+GDPR+in+general.%0D%0A%09%09%09%09%09%09Q%2815.1.5.2.1.1.2%29%3A+Okay.++The+reference+for+this+question+is+Chapter+IV+of+the+GDPR.GOTO%3AEUROPA_YES%0D%0A%09%09A%3A+What+does+data+protection+%27by+design%27+and+%27by+default%27+mean%3F%0D%0A%09%09%09Q%2815.1.5.3%29%3A+Companies%2Forganisations+are+encouraged+to+implement+technical+and+organisational+measures%2C+at+the+earliest+stages+of+the+design+of+the+processing+operations%2C+in+such+a+way+that++safeguards+privacy+and+data+protection+principles+right+from+the+start+%28%27data+protection+by+design%27%29.%0D%0A%09%09%09A%3A+Go+on.%0D%0A%09%09%09%09Q%2815.1.5.3.1%29%3ABy+default%2C+companies%2Forganisations+should+ensure+that+personal+data+is+processed+with+the+highest+privacy+protection+%28for+example+only+the+data+necessary+should+be+processed%2C+short+storage+period%2C+limited+accessibility%29+so+that+by+default+personal+data+isn%27t+made+accessible+to+an+indefinite+number+of+persons+%28%27data+protection+by+default%27%29.%0D%0A%09%09%09%09A%3A+Can+you+give+me+an+example+of+data+protection+by+design%3F%0D%0A%09%09%09%09%09Q%2815.1.5.3.1.1%29%3A+The+use+of+pseudonymisation+%28replacing+personally+identifiable+material+with+artificial+identifiers%29+and+encryption+%28encoding+messages+so+only+those+authorised+can+read+them%29.%0D%0A%09%09%09%09%09A%3A+Great.++Can+I+see+an+example+of+data+protection+by+default%3F%0D%0A%09%09%09%09%09%09Q%2815.1.5.3.1.1.1%29%3A+A+social+media+platform+should+be+encouraged+to+set+users%27+profile+settings+in+the+most+privacy-friendly+setting+by%2C+for+example%2C+limiting+from+the+start+the+accessibility+of+the+users%27+profile+so+that+it+isn%27t+accessible+by+default+to+an+indefinite+number+of+persons.%0D%0A%09%09%09%09%09%09A%3A+Great.++I+have+more+questions+about+obligations+under+the+GDPR.%0D%0A%09%09%09%09%09%09%09Q%2815.1.5.3.1.1.1.1%29%3A+Okay.++The+references+for+this+question+are+Article+25+and+Recital+78+of+the+GDPR.GOTO%3AOBLIGATIONS%0D%0A%09%09%09%09%09%09A%3A+Okay.++I+have+more+questions+about+the+GDPR+in+general.%0D%0A%09%09%09%09%09%09%09Q%2815.1.5.3.1.1.1.2%29%3A+Okay.++The+references+for+this+question+are+Article+25+and+Recital+78+of+the+GDPR.GOTO%3AEUROPA_YES%0D%0A%09%09A%3A+What+is+a+data+breach+and+what+do+we+have+to+do+in+case+of+a+data+breach%3F%0D%0A%09%09%09Q%2815.1.5.4%29%3A+A+data+breach+occurs+when+the+data+for+which+your+company%2Forganisation+is+responsible+suffers+a+security+incident+resulting+in+a+breach+of+confidentiality%2C+availability+or+integrity.+If+that+occurs%2C+and+it+is+likely+that+the+breach+poses+a+risk+to+an+individual%27s+rights+and+freedoms%2C+your+company%2Forganisation+has+to+%3Cb%3Enotify+the+supervisory+authority+without+undue+delay%2C+and+at+the+latest+within+72+hours+after+having+become+aware+of+the+breach.%3C%2Fb%3E%0D%0A%09%09%09A%3A+Go+on.%0D%0A%09%09%09%09Q%2815.1.5.4.1%29%3A+If+your+company%2Forganisation+is+a+data+processor+it+must+notify+every+data+breach+to+the+data+controller.%0D%0A%09%09%09%09A%3A+Got+it.++Is+there+more%3F%0D%0A%09%09%09%09%09Q%2815.1.5.4.1.1%29%3A+If+the+data+breach+poses+a+%3Cb%3Ehigh+risk+to+those+individuals+affected%3C%2Fb%3E+then+they+should+all+also+be+informed%2C+unless+there+are+effective+technical+and+organisational+protection+measures+that+have+been+put+in+place%2C+or+other+measures+that+ensure+that+the+risk+is+no+longer+likely+to+materialise.%3Cbr%3E%3Cbr%3EAs+an+organisation+it+is+vital+to+implement+appropriate+technical+and+organisational+measures+to+avoid+possible+data+breaches.%0D%0A%09%09%09%09%09A%3A+Can+you+give+me+an+example%3F%0D%0A%09%09%09%09%09%09Q%2815.1.5.4.1.1.1%29%3A+Here%27s+one+where+the+organisation+must+notify+the+Data+Protection+Authority+and+individuals.%0D%0A%09%09%09%09%09%09A%3A+I%27m+ready.%0D%0A%09%09%09%09%09%09%09Q%2815.1.5.4.1.1.1.1%29%3AThe+data+of+a+textile+company%27s+employees+has+been+disclosed.+The+data+included+the+personal+addresses%2C+family+composition%2C+monthly+salary+and+medical+claims+of+each+employee.+In+that+case%2C+the+textile+company+must+inform+the+supervisory+authority+of+the+breach.+Since+it+includes+sensitive+data%2C+such+as+health+data%2C+the+company+has+to+notify+the+employees+as+well.%0D%0A%09%09%09%09%09%09%09A%3A+Alright.%0D%0A%09%09%09%09%09%09%09%09Q%2815.1.5.4.1.1.1.1.1%29%3AA+hospital+employee+decides+to+copy+patients%27+details+onto+a+CD+and+publishes+them+online.+The+hospital+finds+out+a+few+days+later.+As+soon+as+the+hospital+finds+out%2C+it+has+72+hours+to+inform+the+supervisory+authority+and%2C+since+the+personal+details+contain+sensitive+information+such+as+whether+a+patient+has+cancer%2C+is+pregnant%2C+etc.%2C+it+has+to+inform+the+patients+as+well.%0D%0A%09%09%09%09%09%09%09%09A%3A+And%3F%0D%0A%09%09%09%09%09%09%09%09%09Q%2815.1.5.4.1.1.1.1.1.1%29%3A+In+that+case%2C+there+would+be+doubts+about+whether+the+hospital+has+implemented+appropriate+technical+and+organisational+protection+measures.++If+it+had+indeed+implemented+appropriate+protection+measures+%28for+example+encrypting+the+data%29%2C+a+material+risk+would+be+unlikely+and+it+could+be+exempt+from+notifying+the+patients.%0D%0A%09%09%09%09%09%09%09%09%09A%3A+Okay.++How+about+one+where+a+company+must+notify+clients+and+they+may+then+have+to+notify+the+Data+Protection+Agency+and+individuals%3F%0D%0A%09%09%09%09%09%09%09%09%09%09Q%2815.1.5.4.1.1.1.1.1.1.1%29%3A+That%27s+very+specific.++Have+you+done+this+before%3F%0D%0A%09%09%09%09%09%09%09%09%09%09A%3A+...%0D%0A%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.5.4.1.1.1.1.1.1.1.1%29%3A+Okay%2C+so+a+cloud+service+loses+several+hard+drives+containing+personal+data+belonging+to+several+of+its+clients.+It+has+to+notify+those+clients+as+soon+as+it+becomes+aware+of+the+breach.+Its+clients+must+notify+the+DPA+and+the+individuals+depending+on+the+data+that+was+processed+by+the+data+processor.%0D%0A%09%09%09%09%09%09%09%09%09%09%09A%3A+Got+it.++I+have+more+questions+about+obligations+under+GDPR.%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.5.4.1.1.1.1.1.1.1.1.1%29%3A+Okay.++References+for+this+question+are+Article+29+Working+Party+Guidelines+on+Personal+data+breach+notification+under+Regulation+2016%2F679%2C+3+October+2017+%28WP+250%29+and+Articles+4%2812%29%2C+33+and+34+and+Recitals+%2885%29+to+%2888%29+of+the+GDPR%09.GOTO%3AOBLIGATIONS.%0D%0A%0D%0A%09%09%09%09%09%09%09%09%09%09%09A%3A+Okay.++I+have+more+general+questions+about+the+GDPR.%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.5.4.1.1.1.1.1.1.1.1.2%29%3A+Okay.++References+for+this+question+are+Article+29+Working+Party+Guidelines+on+Personal+data+breach+notification+under+Regulation+2016%2F679%2C+3+October+2017+%28WP+250%29+and+Articles+4%2812%29%2C+33+and+34+and+Recitals+%2885%29+to+%2888%29+of+the+GDPR%09.GOTO%3AEUROPA_YES.%0D%0A%09%09A%3A+When+is+a+Data+Protection+Impact+Assessment+%28DPIA%29+required%3F%0D%0A%09%09%09Q%2815.1.5.5%29%3AA+DPIA+is+required+whenever+processing+is+likely+to+result+in+a+high+risk+to+the+rights+and+freedoms+of+individuals.+A+DPIA+is+required+at+least+in+the+following+cases...%0D%0A%09%09%09A%3A+What+are+they%3F%0D%0A%09%09%09%09Q%2815.1.5.5.1%29%3A+A+systematic+and+extensive+evaluation+of+the+personal+aspects+of+an+individual%2C+including+profiling%3Cbr%3E%3Cbr%3EProcessing+of+sensitive+data+on+a+large+scale%3Cbr%3E%3Cbr%3ESystematic+monitoring+of+public+areas+on+a+large+scale.%0D%0A%09%09%09%09A%3A+Okay.%0D%0A%09%09%09%09%09Q%2815.1.5.5.1.1%29%3A%3Ca+href%3D%22https%3A%2F%2Fec.europa.eu%2Fcommission%2Fsites%2Fbeta-political%2Ffiles%2Fnational-data-protection-authorities-jan_2018_en.pdf%22+target%3D%22_blank%3A%3ENational+Data+Protection+Authorities%3C%2Fa%3E%2C+in+concertation+with+the+%3Ca+href%3D%22%27https%3A%2F%2Feuropa.eu%2Feuropean-union%2Fabout-eu%2Finstitutions-bodies%2Feuropean-data-protection-supervisor_en%22+target%3D%22_blank%22%3EEuropean+Data+Protection+Board%3C%2Fa%3E%2C+may+provide+lists+of+cases+where+a+DPIA+would+be+required.+The+DPIA+should+be+conducted+before+the+processing+and+should+be+considered+as+a+living+tool%2C+not+merely+as+a+one-off+exercise.%0D%0A%09%09%09%09%09A%3A+Got+it.%0D%0A%09%09%09%09%09%09Q%2815.1.5.5.1.1.1%29%3AWhere+there+are+residual+risks+that+can%27t+be+mitigated+by+the+measures+put+in+place%2C+the+DPA+must+be+consulted+prior+to+the+start+of+the+processing.%0D%0A%09%09%09%09%09%09A%3A+Can+you+give+me+an+example+where+a+DPIA+is+required%3F%0D%0A%09%09%09%09%09%09%09Q%2815.1.5.5.1.1.1.1%29%3A+Okay.++A+bank+screening+its+customers+against+a+credit+reference+database%3B+a+hospital+about+to+implement+a+new+health+information+database+with+patients%27+health+data%3B+a+bus+operator+about+to+implement+on-board+cameras+to+monitor+drivers%27+and+passengers%27+behaviour.%0D%0A%09%09%09%09%09%09%09A%3A+And+what+about+one+where+a+DPIA+is+%3Ci%3Enot%3C%2Fi%3E+required%3F%0D%0A%09%09%09%09%09%09%09%09Q%2815.1.5.5.1.1.1.1.1%29%3AA+doctor+processing+personal+data+of+his+patients.+In+that+case%2C+there+is+no+need+for+a+DPIA+since+the+processing+by+the+doctors+isn%27t+done+on+a+large+scale+in+cases+where+the+number+of+patients+is+limited.%0D%0A%09%09%09%09%09%09%09%09A%3A+Okay.++I+have+more+questions+about+obligations+under+the+GDPR.%0D%0A%09%09%09%09%09%09%09%09%09Q%2815.1.5.5.1.1.1.1.1.1%29%3A+No+sweat.++References+for+this+question+are+Article+29+Working+Party+Guidelines+on+Data+Protection+Impact+Assessment+%28DPIA%29+and+determining+whether+processing+is+%27likely+to+result+in+a+high+risk%27+for+the+purposes+of+Regulation+%28EU%29+2016%2F679%2C+4+April+2017+and+Articles+35+and+36+and+Recitals+%2889%29+to+%2896%29+of+the+GDPR.GOTO%3AOBLIGATIONS%0D%0A%09%09%09%09%09%09%09%09A%3A+Okay.++I+have+more+general+questions+about+the+GDPR.%0D%0A%09%09%09%09%09%09%09%09%09Q%2815.1.5.5.1.1.1.1.1.2%29%3A+No+sweat.++References+for+this+question+are+Article+29+Working+Party+Guidelines+on+Data+Protection+Impact+Assessment+%28DPIA%29+and+determining+whether+processing+is+%27likely+to+result+in+a+high+risk%27+for+the+purposes+of+Regulation+%28EU%29+2016%2F679%2C+4+April+2017+and+Articles+35+and+36+and+Recitals+%2889%29+to+%2896%29+of+the+GDPR.GOTO%3AEUROPA_YES%0D%0A%09%09A%3A+I+have+questions+about+Data+Protection+Officers+%28DPOs%29.%0D%0A%09%09%09Q%28DPOS%29%3A+Sure+thing.++What%27s+your+question%3F%0D%0A%09%09%09A%3A+Does+my+company%2Forganisation+need+to+have+a+Data+Protection+Officer+%28DPO%29%3F%0D%0A%09%09%09%09Q%2815.1.5.6.1%29%3AYour+company%2Forganisation+needs+to+appoint+a+DPO%2C+whether+it%27s+a+controller+or+a+processor%2C+if+its+core+activities+involve+processing+of+sensitive+data+on+a+large+scale+or++involve+large+scale%2C+regular+and+systematic+monitoring+of+individuals.+In+that+respect%2C+monitoring+the+behaviour+of+data+subjects+includes+all+forms+of+tracking+and+profiling+on+the+internet%2C+including+for+the+purposes+of+behavioural+advertising.%0D%0A%09%09%09%09A%3A+Okay.%0D%0A%09%09%09%09%09Q%2815.1.5.6.1.1%29%3APublic+administrations+always+have+an+obligation+to+appoint+a+DPO+%28except+for+courts+acting+in+their+judicial+capacity%29.%3Cbr%3E%3Cbr%3EThe+DPO+may+be+a+staff+member+of+your+organisation+or+may+be+contracted+externally+on+the+basis+of+a+service+contact.+A+DPO+can+be+an+individual+or+an+organisation.%0D%0A%09%09%09%09%09A%3A+Can+I+see+some+examples%3F%0D%0A%09%09%09%09%09%09Q%2815.1.5.6.1.1.1%29%3A+Sure.++A+DPO+is+mandatory+when+your+organization+is%3A+a+hospital+processing+large+sets+of+sensitive+data%3B+a+security+company+responsible+for+monitoring+shopping+centres+and+public+spaces%3B+or%2C+a+small+head-hunting+company+that+profiles+individuals.%0D%0A%09%09%09%09%09%09A%3A+How+about+where+a+DPO+might+not+be+mandatory%3F%0D%0A%09%09%09%09%09%09%09Q%2815.1.5.6.1.1.1.1%29%3A++Sure.++A+DPO+likely+won%27t+be+mandatory+if+you%27re+a+local+community+doctor+and+you+process+personal+data+of+your+patients%2C+or+you+have+a+small+law+firm+and+you+process+personal+data+of+your+clients.%0D%0A%09%09%09%09%09%09%09A%3A+Got+it.++I+have+some+more+questions+about+Data+Protection+Officers.%0D%0A%09%09%09%09%09%09%09%09Q%2815.1.5.6.1.1.1.1.1%29%3A+Okay.++References+for+this+question+are+Article+29+Working+Party+Guidelines+on+the+Data+Protection+Officers%2C+5+April+2017+%28WP+243%29+and+Articles+37+to++39+and+Recital+%2897%29+of+the+GDPR.GOTO%3ADPOS%0D%0A%09%09%09%09%09%09%09A%3A+Got+it.++I+have+some+more+questions+about+obligations+under+the+GPDR.%0D%0A%09%09%09%09%09%09%09%09Q%2815.1.5.6.1.1.1.1.2%29%3A+Okay.++References+for+this+question+are+Article+29+Working+Party+Guidelines+on+the+Data+Protection+Officers%2C+5+April+2017+%28WP+243%29+and+Articles+37+to++39+and+Recital+%2897%29+of+the+GDPR.GOTO%3AOBLIGATIONS%0D%0A%09%09%09%09%09%09%09A%3A+Got+it.++I+have+some+more+questions+about+the+GPDR+in+general.%0D%0A%09%09%09%09%09%09%09%09Q%2815.1.5.6.1.1.1.1.3%29%3A+Okay.++References+for+this+question+are+Article+29+Working+Party+Guidelines+on+the+Data+Protection+Officers%2C+5+April+2017+%28WP+243%29+and+Articles+37+to++39+and+Recital+%2897%29+of+the+GDPR.GOTO%3AEUROPA_YES%0D%0A%09%09%09A%3A+What+are+the+responsibilities+of+a+Data+Protection+Officer+%28DPO%29%3F%0D%0A%09%09%09%09Q%2815.1.5.6.2%29%3A+The+DPO+assists+the+controller+or+the+processor+in+all+issues+relating+to+the+protection+of+personal+data.+In+particular%2C+the+DPO+must%3A%0D%0A%09%09%09%09A%3A+Yeah%3F%0D%0A%09%09%09%09%09Q%2815.1.5.6.2.1%29%3A+Inform+and+advise+the+controller+or+processor%2C+as+well+as+their+employees%2C+of+their+obligations+under+data+protection+law+%3Cbr%3E%3Cbr%3EMonitor+compliance+of+the+organisation+with+all+legislation+in+relation+to+data+protection%2C+including+in+audits%2C+awareness-raising+activities+as+well+as+training+of+staff+involved+in+processing+operations%0D%0A%09%09%09%09%09A%3A+And%3F%0D%0A%09%09%09%09%09%09Q%2815.1.5.6.2.1.1%29%3A+Provide+advice+where+a+DPIA+has+been+carried+out+and+monitor+its+performance%3Cbr%3E%3Cbr%3EAct+as+a+contact+point+for+requests+from+individuals+regarding+the+processing+of+their+personal+data+and+the+exercise+of+their+rights%3Cbr%3E%3Cbr%3EAnd+cooperate+with+DPAs+and+act+as+a+contact+point+for+DPAs+on+issues+relating+to+processing.%0D%0A%09%09%09%09%09%09A%3A+Anything+else+I+should+know%3F%0D%0A%09%09%09%09%09%09%09Q%2815.1.5.6.2.1.1.1%29%3A+The+organisation+must+involve+the+DPO+in+a+timely+manner.+The+DPO+must+not+receive+any+instructions+from+the+controller+or+processor+for+the+exercise+of+their+tasks.+The+DPO+reports+directly+to+the+highest+level+of+management+of+the+organisation.%0D%0A%09%09%09%09%09%09%09A%3A+Got+it.++I+have+more+questions+about+Data+Protection+Officers.%0D%0A%09%09%09%09%09%09%09%09Q%2815.1.5.6.2.1.1.1.1%29%3A+Sure+thing.++References+for+this+question+are+Articles+37+to+39+and+Recital+%2897%29+of+the+GDPR.GOTO%3ADPOS%0D%0A%09%09%09%09%09%09%09A%3A+Okay.++I+have+more+questions+about+obligations.%0D%0A%09%09%09%09%09%09%09%09Q%2815.1.5.6.2.1.1.1.2%29%3A+Sure+thing.++References+for+this+question+are+Articles+37+to+39+and+Recital+%2897%29+of+the+GDPR.GOTO%3AOBLIGATIONS%0D%0A%09%09%09%09%09%09%09A%3A+Got+it.++I+have+more+questions+about+the+GDPR.%0D%0A%09%09%09%09%09%09%09%09Q%2815.1.5.6.2.1.1.1.3%29%3A+Sure+thing.++References+for+this+question+are+Articles+37+to+39+and+Recital+%2897%29+of+the+GDPR.GOTO%3AEUROPA_YES%0D%0A%09%09A%3A+What+rules+apply+if+my+organisation+transfers+data+outside+the+EU%3F%0D%0A%09%09%09Q%2815.1.5.7%29%3A+In+today%27s+globalised+world%2C+there+are+large+amounts+of+cross-border+transfers+of+personal+data%2C+which+are+sometimes+stored+on+servers+in+different+countries.+The+%3Cb%3Eprotection+offered+by+the+General+Data+Protection+Regulation+%28GDPR%29+travels+with+the+data%3C%2Fb%3E%2C+meaning+that+the+rules+protecting+personal+data+continue+to+apply+regardless+of+where+the+data+lands.+This+also+applies+when+data+is+transferred+to+a+country+which+is+not+a+member+of+the+EU+%28hereinafter+referred+to+as+%27third+country%27%29.%0D%0A%09%09%09A%3A+And%3F%0D%0A%09%09%09%09Q%2815.1.5.7.1%29%3A+The+GDPR+provides+different+tools+to+frame+data+transfers+from+the+EU+to+a+third+country.%0D%0A%09%09%09%09A%3A+Like+what%3F%0D%0A%09%09%09%09%09Q%2815.1.5.7.1.1%29%3A+Well%2C+sometimes%2C+a+third+country+may+be+declared+as+offering+an+adequate+level+of+protection+through+a+European+Commission+decision+%28%27Adequacy+Decision%27%29%2C+meaning+that+data+can+be+transferred+with+another+company+in+that+third+country+without+the+data+exporter+being+required+to+provide+further+safeguards+or+being+subject+to+additional+conditions.+In+other+words%2C+the+transfers+to+an+%27adequate%27+third+country+will+be+comparable+to+a+transmission+of+data+within+the+EU.%0D%0A%09%09%09%09%09A%3A+What+else%3F%0D%0A%09%09%09%09%09%09Q%2815.1.5.7.1.1.1%29%3A+in+the+absence+of+an+Adequacy+Decision%2C+a+transfer+can+take+place+through+the+provision+of+appropriate+safeguards+and+on+condition+that+enforceable+rights+and+effective+legal+remedies+are+available+for+individuals.+Such+appropriate+safeguards+include...%0D%0A%09%09%09%09%09%09A%3A+Yeah%3F%0D%0A%09%09%09%09%09%09%09Q%2815.1.5.7.1.1.1.1%29%3A+In+the+case+of+a+group+of+undertakings%2C+or+groups+of+companies+engaged+in+a+joint+economic+activity%2C+companies+can+transfer+personal+data+based+on+so-called+binding+corporate+rules...%0D%0A%09%09%09%09%09%09%09A%3A+And...%3F%0D%0A%09%09%09%09%09%09%09%09Q%2815.1.5.7.1.1.1.1.1%29%3A+Contractual+arrangements+with+the+recipient+of+the+personal+data%2C+using%2C+for+example%2C+the+standard+contractual+clauses+approved+by+the+European+Commission...%0D%0A%09%09%09%09%09%09%09%09A%3A+And+...+...%3F%0D%0A%09%09%09%09%09%09%09%09%09Q%2815.1.5.7.1.1.1.1.1.1%29%3A+Adherence+to+a+code+of+conduct+or+certification+mechanism+together+with+obtaining+binding+and+enforceable+commitments+from+the+recipient+to+apply+the+appropriate+safeguards+to+protect+the+transferred+data.%0D%0A%09%09%09%09%09%09%09%09%09A%3A+I+see.++Are+there+any+other+big+scenarios%3F%0D%0A%09%09%09%09%09%09%09%09%09%09Q%2815.1.5.7.1.1.1.1.1.1.1%29%3A+Yes.+Finally%2C+if+a+transfer+of+personal+data+is+envisaged+to+a+third+country+that+isn%27t+the+subject+of+an+Adequacy+Decision+and+if+appropriate+safeguards+are+absent%2C+a+transfer+can+be+made+based+on+a+number+of+derogations+for+specific+situations+for+example%2C+where+an+individual+has+explicitly+consented+to+the+proposed+transfer+after+having+been+provided+with+all+necessary+information+about+the+risks+associated+with+the+transfer.%0D%0A%09%09%09%09%09%09%09%09%09%09A%3A+This+is+pretty+complicated.++Can+you+give+me+an+example%3F%0D%0A%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.5.7.1.1.1.1.1.1.1.1%29%3A+Good+idea.++So%2C+let%27s+say+you%27re+a+French+company+intending+to+expand+its+services+to+South+America%2C+notably+Argentina%2C+Uruguay+and+Brazil.+The+first+step+would+be+to+check+whether+those+third+countries+are+subject+to+an+Adequacy+Decision.+In+this+case%2C+both+Argentina+and+Uruguay+have+been+declared+adequate.+You%27d+be+able+to+transfer+personal+data+to+those+two+third+countries+without+any+additional+safeguards+while+for+transfers+to+Brazil+which+is+not+the+subject+of+Adequacy+Decision%2C+you%27ll+have+to+frame+your+transfers+by+providing+appropriate+safeguards.%0D%0A%09%09%09%09%09%09%09%09%09%09%09A%3A++Got+it.++I+have+some+more+questions+about+obligations+under+the+GDPR.%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.5.7.1.1.1.1.1.1.1.1.1%29%3A+Sure.++References+for+this+question+are+numerous.++Chapter+V%2C+Articles+44+to+50%29+and+Recitals+%28101%29+to+%28116%29+of+the+GDPR+%3Cbr%3E%3Cbr%3E%3Ca+href%3D%22http%3A%2F%2Fec.europa.eu%2Fjustice%2Fdata-protection%2Farticle-29%2Fdocumentation%2Fopinion-recommendation%2Findex_en.htm%22+target%3D%22_blank%22%3EArticle+29+Working+Party%27s%3C%2Fa%3E+latest+Working+Documents+on+International+transfers+%3Ci%3EWorking+Document+on+Adequacy+Referential+%28update+of+Chapter+One+of+WP+12%29%2C+WP+254%3B+Working+Document+setting+up+a+table+with+the+elements+and+principles+to+be+found+in+Binding+Corporate+Rules%2C+WP+256%3B+and+Working+Document+setting+up+a+table+with+the+elements+and+principles+to+be+found+in+Processor+Binding+Corporate+Rules%2C+WP+257%3C%2Fi%3E+%3Cbr%3E%3Cbr%3ESee+also+for+reference+the+European+Commission+Communication+on+%3Ca+href%3D%22http%3A%2F%2Feuropa.eu%2Frapid%2Fpress-release_MEMO-17-15_en.htm%22+target%3D%22_blank%22%3EExchanging+and+Protecting+Personal+Data+in+a+Globalised+World%3C%2Fa%3E%2C+10+January+2017.GOTO%3AOBLIGATIONS%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09A%3A++Understood.++I+have+some+more+general+questions+about+the+GDPR.%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.5.7.1.1.1.1.1.1.1.1.1.1%29%3A+Sure.++References+for+this+question+are+numerous.++Chapter+V%2C+Articles+44+to+50%29+and+Recitals+%28101%29+to+%28116%29+of+the+GDPR+%3Cbr%3E%3Cbr%3E%3Ca+href%3D%22http%3A%2F%2Fec.europa.eu%2Fjustice%2Fdata-protection%2Farticle-29%2Fdocumentation%2Fopinion-recommendation%2Findex_en.htm%22+target%3D%22_blank%22%3EArticle+29+Working+Party%27s%3C%2Fa%3E+latest+Working+Documents+on+International+transfers+%3Ci%3EWorking+Document+on+Adequacy+Referential+%28update+of+Chapter+One+of+WP+12%29%2C+WP+254%3B+Working+Document+setting+up+a+table+with+the+elements+and+principles+to+be+found+in+Binding+Corporate+Rules%2C+WP+256%3B+and+Working+Document+setting+up+a+table+with+the+elements+and+principles+to+be+found+in+Processor+Binding+Corporate+Rules%2C+WP+257%3C%2Fi%3E+%3Cbr%3E%3Cbr%3ESee+also+for+reference+the+European+Commission+Communication+on+%3Ca+href%3D%22http%3A%2F%2Feuropa.eu%2Frapid%2Fpress-release_MEMO-17-15_en.htm%22+target%3D%22_blank%22%3EExchanging+and+Protecting+Personal+Data+in+a+Globalised+World%3C%2Fa%3E%2C+10+January+2017.GOTO%3AEUROPA_YES%0D%0A%09%09A%3A+How+can+I+demonstrate+that+my+organisation+is+compliant+with+the+GDPR%3F%0D%0A%09%09%09Q%2815.1.5.8%29%3A+The+principle+of+%3Cb%3Eaccountability%3C%2Fb%3E+is+a+cornerstone+of+the+General+Data+Protection+Regulation+%28GDPR%29.+According+to+the+GDPR%2C+a+business%2Forganisation+is++responsible+for+complying+with+all+data+protection+principles+and+is+also++responsible+for+demonstrating+compliance.+The+GDPR+provides+businesses%2Forganisations+with+a+set+of+tools+to+help+demonstrate+accountability%2C+some+of+which+have+to+be+mandatorily+put+in+place.%0D%0A%09%09%09A%3A++Go+on.%0D%0A%09%09%09%09Q%2815.1.5.8.1%29%3A+For+example%2C+in+specific+cases+the+establishment+of+a+DPO+or+conducting+data+protection+impact+assessments+%28DPIA%29+may+be+mandatory.+Data+controllers+can+choose+to+use+other+tools+such+as+codes+of+conduct+and+certification+mechanisms+to+demonstrate+compliance+with+data+protection+principles.%0D%0A%09%09%09%09A%3A+And%3F%0D%0A%09%09%09%09%09Q%2815.1.5.8.1.1%29%3A+You+may+adhere+to+a+%3Cb%3ECode+of+Conduct%3C%2Fb%3E+prepared+by+a+business+association+which+has+been+approved+by+a+DPA.+A+Code+of+Conduct+may+be+given+EU-wide+validity+through+an+implementing+act+of+the+Commission.%0D%0A%09%09%09%09%09A%3A+What+else%3F%0D%0A%09%09%09%09%09%09Q%2815.1.5.8.1.1.1%29%3A+You+may+adhere+to+a+certification+mechanism+operated+by+one+of+the+certification+bodies+that+have+received+accreditation+from+a+DPA+or+a+national+accreditation+body+or+both%2C+as+decided+in+each+Member+State+law.%0D%0A%09%09%09%09%09%09A%3A+And%3F%0D%0A%09%09%09%09%09%09%09Q%2815.1.5.8.1.1.1.1%29%3ABoth+codes+of+conduct+and+certification+are+optional+instruments+and+therefore+it+is+up+to+your+company%2Forganisation+to+decide+whether+to+adhere+to+a+given+code+of+conduct+or+to+request+certification.+While+your+company%2Forganisation+still+has+to+respect+and+comply+with+the+GDPR%2C+adherence+to+such+instruments+might+be+taken+into+consideration+in+the+case+of+an+enforcement+measure+against+you+for+a+breach+of+the+GDPR.%0D%0A%09%09%09%09%09%09%09A%3A+Can+you+give+me+an+example%3F%0D%0A%09%09%09%09%09%09%09%09Q%2815.1.5.8.1.1.1.1.1%29%3A+Sure.+The+umbrella+insurance+body+in+the+EU+Member+State+of+your+company%2Forganisation+has+had+a+Code+of+Conduct+approved+by+the+supervisory+authority.+A+number+of+rival+insurance+firms+have+adhered+to+the+Code.+While+adhering+is+voluntary%2C+the+adherence+to+the+Code+helps+in+demonstrating+compliance+with+the+GDPR.%0D%0A%09%09%09%09%09%09%09%09A%3A+Okay.++I+have+more+questions+about+obligations+under+the+GDPR.%0D%0A%09%09%09%09%09%09%09%09%09Q%2815.1.5.8.1.1.1.1.1.1%29%3A+Sure.++References+for+this+question+are+Article+24%2C+Articles+40%2C+to+43+and+Article+83+and+Recitals+%2898%29%2C+to+%28100%29%2C+%28148%29%2C+%28150%29+and+%28151%29+of+the+GDPR.GOTO%3AOBLIGATIONS%0D%0A%09%09%09%09%09%09%09%09A%3A+Okay.++I+have+more+questions+about+the+GDPR.%0D%0A%09%09%09%09%09%09%09%09%09Q%2815.1.5.8.1.1.1.1.1.2%29%3A+Sure.++References+for+this+question+are+Article+24%2C+Articles+40%2C+to+43+and+Article+83+and+Recitals+%2898%29%2C+to+%28100%29%2C+%28148%29%2C+%28150%29+and+%28151%29+of+the+GDPR.GOTO%3AEUROPA_YES%0D%0A%09A%3A+Dealing+with+citizens.%0D%0A%09%09Q%28CITIZENS%29%3A+Okay.++What+would+you+like+to+know%3F%0D%0A%09%09A%3A+How+should+requests+from+individuals+exercising+their+data+protection+rights+be+dealt+with%3F%0D%0A%09%09%09Q%2815.1.6.1%29%3A+Individuals+may+contact+your+company%2Forganisation+to+exercise+their+rights+under+the+GDPR+%28rights+of+access%2C+rectification%2C+erasure%2C+portability%2C+etc.%29.+Where+personal+data+is+processed+by+electronic+means%2C+your+company%2Forganisation++should+provide+means+for+requests+to+be+made+electronically.+Your+company%2Forganisation++must+reply+to+their+request+without+undue+delay%2C+and+in+principle+within+%3Cb%3E1+month+of+the+receipt+of+the+request%3C%2Fb%3E.%0D%0A%09%09%09A%3A+And%3F%0D%0A%09%09%09%09Q%2815.1.6.1.1%29%3A+It+can+ask+them+for+additional+information+in+order+to+confirm+the+identity+of+the+person+making+the+request.%3Cbr%3E%3Cbr%3EIf+your+company%2Forganisation+rejects+the+request+then+it+has+to+inform+the+person+of+the+reasons+for+doing+so+and+of+their+right+to+file+a+complaint+with+the+Data+Protection+Authority+and+to+seek+a+judicial+remedy.%0D%0A%09%09%09%09A%3A+Is+that+all%3F%0D%0A%09%09%09%09%09Q%2815.1.6.1.1.1%29%3A+Dealing+with+requests+of+individuals+%3Cb%3Eshould+be+carried+out+free+of+charge.%3C%2Fb%3E+Where+requests+are+manifestly+unfounded+or+excessive%2C+in+particular+because+of+their+repetitive+character%2C+you+may+charge+a+reasonable+fee+or+refuse+to+act.%0D%0A%09%09%09%09%09A%3A+Can+you+give+me+an+example%3F%0D%0A%09%09%09%09%09%09Q%2815.1.6.1.1.1.1%29%3A+Sure.++A+person+who+accessed+all+his+personal+data+the+month+before%2C+lodges+again+the+same+request+for+access+to+the+same+personal+data.+You+may+consider+either+informing+them+that+you+reject+their+request+or+requesting+a+reasonable+fee.%0D%0A%09%09%09%09%09%09A%3A+Gotcha.++I+have+more+questions+about+dealing+with+citizens.%0D%0A%09%09%09%09%09%09%09Q%2815.1.6.1.1.1.1.1%29%3A+Okay.+References+for+this+question+are+Article+12+and+Articles+15+to+22+and+Recitals+%2859%29+and%28+63%29+to+%2871%29+of+the+GDPR.GOTO%3ACITIZENS%0D%0A%09%09%09%09%09%09A%3A+Okay.++I+have+more+questions+about+the+GDPR+in+general.%0D%0A%09%09%09%09%09%09%09Q%2815.1.6.1.1.1.1.2%29%3A+Okay.+References+for+this+question+are+Article+12+and+Articles+15+to+22+and+Recitals+%2859%29+and%28+63%29+to+%2871%29+of+the+GDPR.GOTO%3AEUROPA_YES%0D%0A%09%09A%3A+What+personal+data+and+information+can+an+individual+access+on+request%3F%0D%0A%09%09%09Q%2815.1.6.2%29%3A+When+someone+requests+access+to+their+personal+data%2C+your+company%2Forganisation+must...%3Cbr%3E%3Cbr%3EConfirm+whether+or+not+it+is+processing+personal+data+concerning+them%3Cbr%3E%3Cbr%3EProvide+a+copy+of+the+personal+data+it+holds+about+them%3Cbr%3E%3Cbr%3EAnd+provide+information+about+the+processing+%28such+as+purposes%2C+categories+of+personal+data%2C+recipients%2C+etc.%29%0D%0A%09%09%09A%3A+Is+that+all%3F%0D%0A%09%09%09%09Q%2815.1.6.2.1%29%3A+Your+company%2Forganisation++must+provide+the+individual+with+a+copy+of+their+personal+data++free+of+charge.++However%2C+a+reasonable+fee+can+be+charged+for+further+copies.%0D%0A%09%09%09%09A%3A+And%3F%0D%0A%09%09%09%09%09Q%2815.1.6.2.1.1%29%3A+The+exercise+of+the+right+of+access+is+closely+linked+to+the+exercise+of+the+right+to+data+portability+-+to+allow+the+individual+to+transmit+their+data+to+another+organisation.%0D%0A%09%09%09%09%09A%3A+Is+there+anything+else%3F%0D%0A%09%09%09%09%09%09Q%2815.1.6.2.1.1.1%29%3A+It+is+important+that%2C+in+your+company%2Forganisation%27s+Privacy+Notice%2C+there+is+a+clear+distinction+between+the+two+rights.++Therefore%2C++both+rights+need+to+be+briefly+mentioned+separately.%0D%0A%09%09%09%09%09%09A%3A+Can+you+give+me+an+example%3F%0D%0A%09%09%09%09%09%09%09Q%2815.1.6.2.1.1.1.1%29%3A+Your+company%2Forganisation+provides+an+online+social+networking+service+whereby+individuals+can+exchange+messages+and+pictures.+A+user+requests+to+access+their+personal+data+and+to+verify+what+personal+data+which+concerns+them+is+processed+by+your+company%2Forganisation.%0D%0A%09%09%09%09%09%09%09A%3A+And%3F%0D%0A%09%09%09%09%09%09%09%09Q%2815.1.6.2.1.1.1.1.1%29%3A+Your+company%2Forganisation++must+confirm+that+it+is+processing+personal+data+which+concerns+them+and+provide+a+copy+%28such+as++name%2C+contact+details%2C+messages+and+pictures+exchanged%29.+Your+company%2Forganisation+must+also+provide+them+with+information+about+the+processing+-+usually+that+would+be+in+the+privacy+notice+of+your+service.%0D%0A%09%09%09%09%09%09%09%09A%3A+Gotcha.++I+have+more+questions+about+dealing+with+citizens.%0D%0A%09%09%09%09%09%09%09%09%09Q%2815.1.6.2.1.1.1.1.1.1%29%3A+Okay.+References+for+this+question+are+Article+15+and+Recitals+%2863%29+and+%2864%29+of+the+GDPR.GOTO%3ACITIZENS%0D%0A%09%09%09%09%09%09%09%09A%3A+Okay.++I+have+more+questions+about+the+GDPR+in+general.%0D%0A%09%09%09%09%09%09%09%09%09Q%2815.1.6.2.1.1.1.1.1.2%29%3A+Okay.+References+for+this+question+are+Article+15+and+Recitals+%2863%29+and+%2864%29+of+the+GDPR.GOTO%3AEUROPA_YES%0D%0A%09%09A%3A+Do+we+always+have+to+delete+personal+data+if+a+person+asks%3F%0D%0A%09%09%09Q%2815.1.6.3%29%3A+The+General+Data+Protection+Regulation+%28GDPR%29+gives+%3Cb%3Eindividuals+the+right+to+ask+for+their+data+to+be+deleted%3C%2Fb%3E+and+organisations+do+have+an+%3Cb%3Eobligation+to+do+so%2C+except%3C%2Fb%3E+in+the+following+cases...%0D%0A%09%09%09A%3A+Which+are%3F%0D%0A%09%09%09%09Q%2815.1.6.3.1%29%3A+The+personal+data+your+company%2Forganisation++holds+is+needed+to+exercise+the+right+of+freedom+of+expression%3Cbr%3E%3Cbr%3EThere+is+a+legal+obligation+to+keep+that+data%3Cbr%3E%3Cbr%3EFor+reasons+of+public+interest+%28for+example+public+health%2C+scientific%2C+statistical+or+historical+research+purposes%29.%0D%0A%09%09%09%09A%3A+Anything+else+I+should+know%3F%0D%0A%09%09%09%09%09Q%2815.1.6.3.1.1%29%3A+Plenty%21++If+your+company%2Forganisation+processed+data+unlawfully+it+must+delete+it.+In+the+case+of+an+individual%2C+data+collected+when+they+were+still+a+minor+must+be+deleted.%0D%0A%09%09%09%09%09A%3A+And%3F%0D%0A%09%09%09%09%09%09Q%2815.1.6.3.1.1.1%29%3A+With+regard+to+the+right+to+be+forgotten+online%2C+organisations+are+expected+to+take+reasonable+steps+%28for+example+technical+measures%29+to+inform+other+websites+that+a+particular+individual+has+requested+the+erasure+of+their+personal+data.%0D%0A%09%09%09%09%09%09A%3A+Is+that+all%3F%0D%0A%09%09%09%09%09%09%09Q%2815.1.6.3.1.1.1.1%29%3A+Data+can+also+be+kept+if+it+has+undergone+an+appropriate+process+of+anonymisation.%0D%0A%09%09%09%09%09%09%09A%3A+Can+you+give+me+an+example+where+data+need+to+be+deleted%3F%0D%0A%09%09%09%09%09%09%09%09Q%2815.1.6.3.1.1.1.1.1%29%3A+Sure.++Your+company%2Forganisation++runs+a+social+media+platform.+A+minor+uploads+photos%3B+however%2C+some+years+later+he+decides+that+the+said+photos+are+potentially+harming+his+career+prospects.+Since+the+individual+was+a+minor+at+the+time+of+uploading%2C+you%27re+obliged+to+delete+the+said+photos.+Furthermore%2C+if+the+photos+have+been+processed+on+other+websites%2C+your+company%2Forganisation++must+take+reasonable+steps+to+inform+them+that+a+request+to+delete+the+photos+was+filed.%0D%0A%09%09%09%09%09%09%09%09A%3A+Can+you+give+me+an+example+of+data+that+%3Ci%3Edo+not%3C%2Fi%3E+need+to+be+deleted%3F%0D%0A%09%09%09%09%09%09%09%09%09Q%2815.1.6.3.1.1.1.1.1.1%29%3A+Your+company%2Forganisation+runs+an+online+newspaper.+One+of+your+journalists+publishes+a+story+on+how+a+politician+had+laundered+money+in+off-shore+banks.+The+politician+requests+to+remove+the+story+because+his+personal+data+is+being+processed.+Since+the+personal+data+is+used+to+exercise+the+right+of+freedom+of+expression%2C+your+company%2Forganisation+is%2C++in+principle%2C+not+obliged+to+delete+such+data.+However%2C+this+will+depend+on+the+national+legislation+in+place.%0D%0A%09%09%09%09%09%09%09%09%09A%3A+I+see.++I+have+more+questions+about+dealing+with+citizens.%0D%0A%09%09%09%09%09%09%09%09%09%09Q%2815.1.6.3.1.1.1.1.1.1.1%29%3A+Of+course%21+References+for+this+question+are+Article+17+and+Recitals+%2865%29+and%2866%29+of+the+GDPR+and+Article+29+Working+Party+Guidelines+on+the+implementation+of+the+Court+of+Justice+of+the+European+Union+judgment+on+%27Google+Spain+and+inc+v.+Agencia+Espa%C3%B1ola+de+Protecci%C3%B3n+de+Datos+%28AEPD%29+and+Mario+Costeja+Gonz%C3%A1lez%27+c-131%2F121+%28WP+225%29.GOTO%3ACITIZENS%0D%0A%09%09%09%09%09%09%09%09%09A%3A+Okay.++I+have+more+questions+about+the+GDPR+in+general.%0D%0A%09%09%09%09%09%09%09%09%09%09Q%2815.1.6.3.1.1.1.1.1.1.2%29%3A+Of+course%21+References+for+this+question+are+Article+17+and+Recitals+%2865%29+and%2866%29+of+the+GDPR+and+Article+29+Working+Party+Guidelines+on+the+implementation+of+the+Court+of+Justice+of+the+European+Union+judgment+on+%27Google+Spain+and+inc+v.+Agencia+Espa%C3%B1ola+de+Protecci%C3%B3n+de+Datos+%28AEPD%29+and+Mario+Costeja+Gonz%C3%A1lez%27+c-131%2F121+%28WP+225%29.GOTO%3AEUROPA_YES%0D%0A%09%09A%3A+What+happens+if+someone+objects+to+my+company+processing+their+personal+data%3F%0D%0A%09%09%09Q%2815.1.6.4%29%3A+Oh+boy.++So%2C+Individuals+have+the+right+to+object+to+the+processing+of+personal+data+for+specific+reasons.+Whether+such+a+specific+situation+exists+must+be+examined+on+a++case-by-case+basis.%0D%0A%09%09%09A%3A+And%3F%0D%0A%09%09%09%09Q%2815.1.6.4.1%29%3A+They+may+raise+an+objection+only+in+cases+where+a+public+administration+is+processing+the+data+in+the+context+of+its+public+tasks+or+when+a+company+is+processing+the+data+on+the+basis+of+its+legitimate+interests.+In+such+cases%2C+your+company%2Forganisation+may+no+longer+process+the+data+unless+it+demonstrates+that+it+needs+to+process+it+for+reasons+that+override+the+rights+and+freedoms+of+the+individual+or+if+the+data+is+necessary+for+the+establishment%2C+exercise+or+defence+of+legal+claims.%0D%0A%09%09%09%09A%3A+Is+that+all%3F%0D%0A%09%09%09%09%09Q%2815.1.6.4.1.1%29%3A+Individuals+also+have+a+right+to+object+at+any+time+to+the+processing+of+their+personal+data+for+%3Cb%3Edirect+marketing+purposes%3C%2Fb%3E.+Direct+marketing+is+understood+under+the+General+Data+Protection+Regulation+as+any+action+by+a+company+to+communicate+advertising+or+marketing+material%2C+aimed+at+particular+individuals.%0D%0A%09%09%09%09%09A%3A+Is+there+more%3F%0D%0A%09%09%09%09%09%09Q%2815.1.6.4.1.1.1%29%3A+Your+company%2Forganisation++must+inform+individuals+in+its+privacy+notice+or+at+the+latest+at+the+time+of+the+first+communication+with+individuals%2C+that+it+will+be+using+their+personal+data+for+direct+marketing+and+that+they+have+a+right+to+object+free+of+charge.+Where+a+person+objects+to+processing+for+direct+marketing+purposes%2C+your+company%2Forganisation++may+no+longer+process+their+personal+data+for+such+purposes.%0D%0A%09%09%09%09%09%09A%3A+Can+you+provide+me+with+an+example%3F%0D%0A%09%09%09%09%09%09%09Q%2815.1.6.4.1.1.1.1%29%3A+In+the+insurance+sector%2C+very+often+the+personal+data+is+needed+for+the+defence+of+legal+claims+in+the+case+of+anti-fraud+or+anti-money+laundering+measures.+In+those+cases+insurance+companies+may+refuse+to+uphold+an+individual%27s+request+to+object+based+on+reasons+that+override+the+rights+and+freedoms+of+the+individual.%0D%0A%09%09%09%09%09%09%09A%3A+Gotcha.++I+have+more+questions+about+dealign+with+citizens.%0D%0A%09%09%09%09%09%09%09%09Q%2815.1.6.4.1.1.1.1.1%29%3A+Okay.+References+for+the+question+are+Article+21+and+Recitals+%2869%29+and+%2870%29+of+the+GDPR+and%0D%0AArticle+29+Working+Party+Opinion+06%2F2014+on+the+notion+of+legitimate+interests+of+the+data+controller+under+Article+7+of+Directive+95%2F46%2FEC.GOTO%3ACITIZENS%0D%0A%09%09%09%09%09%09%09A%3A+Okay.++I+have+more+questions+about+the+GDPR+in+general.%0D%0A%09%09%09%09%09%09%09%09Q%2815.1.6.4.1.1.1.1.2%29%3A+Okay.+References+for+the+question+are+Article+21+and+Recitals+%2869%29+and+%2870%29+of+the+GDPR+and%0D%0AArticle+29+Working+Party+Opinion+06%2F2014+on+the+notion+of+legitimate+interests+of+the+data+controller+under+Article+7+of+Directive+95%2F46%2FEC.GOTO%3AGDPR%0D%0A%09%09A%3A+Can+individuals+ask+to+have+their+data+transferred+to+another+organisation%3F%0D%0A%09%09%09Q%2815.1.6.5%29%3A+Yes%2C+individuals+have+the+right+to+data+portability%2C+that+is+to+receive+from+your+company%2Forganisation+the+personal+data+they+provided+in+a+structured+machine-readable+format%2C+and+have+it+transmitted+to+another+company%2Forganisation.+The+right+may+only+be+exercised+where+personal+data+was+collected+in+the+context+of+a+contract+or+on+the+basis+of+consent%2C+and+such+data+is+processed+by+automated+means.%0D%0A%09%09%09A%3A+Are+there+any+examples%3F%0D%0A%09%09%09%09Q%2815.1.6.5.1%29%3A+Sure.++A+patient+of+a+private+clinic+in+Belgium+is+moving+to+another+clinic+in+Germany.+The+individual+asks+the+Belgian+clinic%2C+which+has+electronic+files+on+them%2C+to+provide+them+with+their+personal+data+in+a+structured+machine-readable+format%2C+to+be+able+to+transmit+the+data+to+the+relevant+health+professionals+in+Germany.%0D%0A%09%09%09%09A%3A+And%3F%0D%0A%09%09%09%09%09Q%2815.1.6.5.1.1%29%3A+The+Belgian+clinic+should+provide+them+with+the+personal+data+in+a+commonly+used+open+format+%28e.g.+XML%2C+JSON%2C+CSV%2C+etc.%29.+When+selecting+a+data+format%2C+the+organisation+should+consider+how+this+format+would+impact+or+hinder+the+individual%27s+right+to+re-use+the+data.+For+instance%2C+providing+an+individual+with+PDF+versions+of+their+records+may+not+be+sufficient+to+ensure+that+personal+data+is+easily+re-used.%0D%0A%09%09%09%09%09A%3A+Gotcha.++I+have+more+questions+about+dealing+with+citizens.%0D%0A%09%09%09%09%09%09Q%2815.1.6.5.1.1.1%29%3A+Sure+thing.++References+for+this+question+are+Article+20+and+Recital+68+of+the+GDPR+and+Article+29+Working+Party+Guidelines+on+data+portability.GOTO%3ACITIZENS%0D%0A%09%09%09%09%09A%3A+Okay.++I+have+more+questions+about+the+GDPR.%0D%0A%09%09%09%09%09%09Q%2815.1.6.5.1.1.2%29%3A+Sure+thing.++References+for+this+question+are+Article+20+and+Recital+68+of+the+GDPR+and+Article+29+Working+Party+Guidelines+on+data+portability.GOTO%3AEUROPA_YES%0D%0A%09%09A%3A+Are+there+restrictions+on+the+use+of+automated+decision-making%3F%0D%0A%09%09%09Q%2815.1.6.6%29%3A+Yes%2C+%3Cb%3Eindividuals+should+not+be+subject+to+a+decision+that+is+based+solely+on+automated+processing%3C%2Fb%3E+%28such+as+algorithms%29+and+that+is+legally+binding+or+which+significantly+affects+them.%0D%0A%09%09%09A%3A+And%3F%0D%0A%09%09%09%09Q%2815.1.6.6.1%29%3A+A+decision+may+be+considered+as+producing+legal+effects+when+the+individual%27s+legal+rights+or+legal+status+are+impacted+%28such+as+their+right+to+vote+for+example%29.+In+addition%2C+processing+can+significantly+affect+an+individual+if+it+influences+their+personal+circumstances+%2C+their+behaviour+or+their+choices+%28for+example+an+automatic+processing+may+lead+to+the+refusal+of+an+online+credit+application%29.%0D%0A%09%09%09%09A%3A+ANd%3F%0D%0A%09%09%09%09%09Q%2815.1.6.6.1.1%29%3A+The+use+of+automated+processing+for+decision-making+is+authorised+only+in+the+following+cases...%0D%0A%09%09%09%09%09A%3A+Which+are%3F%0D%0A%09%09%09%09%09%09Q%2815.1.6.6.1.1.1%29%3A+For+instance%2C+the+decision+based+on+the+algorithm+is+necessary+%28i.e.+there+must+be+no+other+way+to+achieve+the+same+goal%29+to+enter+into+or+to+perform+a+contract+with+the+individual+whose+data+your+company%2Forganisation+processed+via+the+algorithm+%28for+example+an+online+loan+application%29...%0D%0A%09%09%09%09%09%09A%3A+Or...%3F%0D%0A%09%09%09%09%09%09%09Q%2815.1.6.6.1.1.1.1%29%3A+A+particular+European+or+national+law+allows+the+use+of+algorithms+and+provides+for+suitable+safeguards+to+protect+the+individual%27s+rights%2C+freedoms+and+legitimate+interests+%28for+example+anti-tax+evasion+regulations%29...%0D%0A%09%09%09%09%09%09%09A%3A+Or...%3F%0D%0A%09%09%09%09%09%09%09%09Q%2815.1.6.6.1.1.1.1.1%29%3A+The+individual+has+explicitly+given+his+consent+to+a+decision+based+on+the+algorithm.%0D%0A%09%09%09%09%09%09%09%09A%3A+Anything+else%3F%0D%0A%09%09%09%09%09%09%09%09%09Q%2815.1.6.6.1.1.1.1.1.1%29%3A+However%2C+the+decision+taken+needs+to+protect+the+individual%27s+rights%2C+freedoms+and+legitimate+interest%2C+by+implementing+suitable+safeguards.+Except+where+such+decision-making+is+based+on+a+law%2C++the+individual+must+be+at+least+informed+of+%28i%29+the+logic+involved+in+the+decision-making+process%2C+%28ii%29+their+right+to+obtain+human+intervention%2C+%28iii%29+the+potential+consequences+of+the+processing+and+%28iv%29+their+right+to+contest+the+decision.%0D%0A%09%09%09%09%09%09%09%09%09A%3A+And%3F%0D%0A%09%09%09%09%09%09%09%09%09%09Q%2815.1.6.6.1.1.1.1.1.1.1%29%3AYour+company%2Forganisation+must+therefore+make+the+required+procedural+arrangements+to+allow+the+individual+to+express+their+point+of+view+and+to+contest+the+decision.%0D%0A%09%09%09%09%09%09%09%09%09%09A%3A+Is+there+something+else%3F%0D%0A%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.6.6.1.1.1.1.1.1.1.1%29%3A+Finally%2C+particular+attention+should+be+given+if+the+algorithm+uses+special+categories+of+personal+data%3A+automated+decision-making+is+only+allowed+in+the+following+circumstances...%0D%0A%09%09%09%09%09%09%09%09%09%09%09A%3A+Which+are%3F%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.6.6.1.1.1.1.1.1.1.1.1%29%3A+The+individual+has+given+their+explicit+consent%3B+%3Cbr%3E%3Cbr%3EOr+the+processing+is+necessary+for+reasons+of+substantial+public+interest+under+European+or+national+law.%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09A%3A+Anything+more%3F%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.6.6.1.1.1.1.1.1.1.1.1.1%29%3A+Furthermore%2C+if+the+individual+is+a+child%2C+decisions+made+solely+on+automated+processing+that+produce+legal+effects+or+effects+which+are+of+similar+significance+for+the+child+should+be+avoided%2C+because+children+represent+a+more+vulnerable+group+of+society.%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09%09A%3A+Can+you+give+me+an+example%3F%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.6.6.1.1.1.1.1.1.1.1.1.1.1%29%3A+Your+company%2Forganisation+is+an+online+bank+offering+loans.+Clients+insert+their+data+and+an+algorithm+produces+results+on+whether+they+should+be+offered+a+loan+or+not+and+the+suggested+interest+rate.+Your+company%2Forganisation+needs+to+review+the+said+decision+before+communicating+to+the+prospective+client+and+inform+him+that+he+may+express+his+opinion+and+eventually+contest+the+decision%2C+keeping+in+mind+that+the+individual+has+the+right+not+to+be+subject+to+a+decision+based+on+algorithms.%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09%09%09A%3A+Cool.++I+have+more+questions+about+dealing+with+citizens.%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.6.6.1.1.1.1.1.1.1.1.1.1.1.1%29%3A+Gotcha.++References+for+this+question+are+Articles+4%284%29+and+22+and+Recitals+%2871%29+and+%2872%29+of+the+GDPR+and+Article+29+Working+Party+Guidelines+on+Automated+individual+decision-making+and+Profiling+for+the+purposes+of+Regulation+2016%2F679+%28WP+251%29.GOTO%3ACITIZENS%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09%09%09A%3A+Okay.++I+have+more+questions+about+dealing+with+citizens.%0D%0A%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09Q%2815.1.6.6.1.1.1.1.1.1.1.1.1.1.1.2%29%3A+Okay.++References+for+this+question+are+Articles+4%284%29+and+22+and+Recitals+%2871%29+and+%2872%29+of+the+GDPR+and+Article+29+Working+Party+Guidelines+on+Automated+individual+decision-making+and+Profiling+for+the+purposes+of+Regulation+2016%2F679+%28WP+251%29.GOTO%3AEUROPA_YES%0D%0A%09A%3A+Enforcement.%0D%0A%09%09Q%28ENFORCEMENT%29%3A+What+are+your+enforcement+questions%3F%0D%0A%09%09A%3A++What+is+the+role+of+the+Data+Protection+Authority%3F%0D%0A%09%09%09Q%2815.1.7.1%29%3AOne+of+the+roles+of+the+DPA+is+to+%3Cb%3Epublish+expert+advice%3C%2Fb%3E+on+data+protection+issues.+It+informs+the+general+public+on+the+rights+and+obligations+related+to+data+protection+and+in+particular+the+General+Data+Protection+Regulation+%28GDPR%29.+One+relevant+example+is+the+obligation+imposed+on+the+DPAs+to+establish+and+make+public+a+list+of+processing+operations+that+require+a+data+protection+impact+assessment.%0D%0A%09%09%09A%3A+Go+on.%0D%0A%09%09%09%09Q%2815.1.7.1.1%29%3A+Some+DPAs+have+already+established+handbooks+and+other+tools+to+help+businesses+understand+their+obligations+under+the+GDPR+and+individuals+understand+their+rights.+In+addition%2C++Article+29+Working+Party%2C+which+is+the+group+of+national+European+DPAs+%28which+will+be+replaced+by+the+European+Data+Protection+Board%29%2C+has+produced+a+number+of+documents+interpreting+the+provisions+of+data+protection+law.+The+DPA+can%27t%2C+however%2C+give+advice+in+individual+cases+or+replace+a+competent+lawyer.%0D%0A%09%09%09%09A%3A+And%3F%0D%0A%09%09%09%09%09Q%2815.1.7.1.1.1%29%3AYour+company%2Forganisation+%3Cb%3Edoes+not+need+to+notify+the+DPA+that+it+processes+data%3C%2Fb%3E.+However%2C+%3Cb%3Eprior+consultation%3C%2Fb%3E+with+the+DPA+is+required+when+a+%3Cb%3EDPIA%3C%2Fb%3E+indicates+that+the+processing+of+the+data+would+pose+a+%3Cb%3Ehigh+risk%3C%2Fb%3E+and+residual+risks+remain+despite+the+implementation+of+several+safeguards.%0D%0A%09%09%09%09%09A%3A+Anything+else%3F%0D%0A%09%09%09%09%09%09Q%2815.1.7.1.1.1.1%29%3A+Yes.%09Your+company%2Forganisation+would+also+need+to+contact+the+DPA+in+the+case+of+a+data+breach.+For+some+specific+types+of+data+processing%2C+national+laws+might+still+require+your+company%2Forganisation+to+obtain+an+authorisation+from+your+DPA.%0D%0A%09%09%09%09%09%09A%3A+Can+you+give+me+an+example%3F%0D%0A%09%09%09%09%09%09%09Q%2815.1.7.1.1.1.1.1%29%3A+You+own+a+shop+selling+household+goods.+You+process+client+data+such+as+delivery+addresses+and+billing+details+required+in+the+nature+of+your+business.+In+this+case+you+don%27t+need+to+notify+the+DPA.%0D%0A%09%09%09%09%09%09%09A%3A+Okay.++I+have+more+questions+about+enforcement+of+the+GDPR.%0D%0A%09%09%09%09%09%09%09%09Q%2815.1.7.1.1.1.1.1.1%29%3A+Sure.++References+for+this+question+are+Chapter+IV+and+Chapter+VI+of+the+GDPR+WP+29+guidelines+on+the+GDPR%2C+especially+the+guidelines+on+the+DPIA+and+guidelines+on+data+breach+notifications.GOTO%3AENFORCEMENT%0D%0A%09%09%09%09%09%09%09A%3A+Okay.++I+have+more+questions+about+the+GDPR.%0D%0A%09%09%09%09%09%09%09%09Q%2815.1.7.1.1.1.1.1.2%29%3A+Sure.++References+for+this+question+are+Chapter+IV+and+Chapter+VI+of+the+GDPR+WP+29+guidelines+on+the+GDPR%2C+especially+the+guidelines+on+the+DPIA+and+guidelines+on+data+breach+notifications.GOTO%3AEUROPA_YES%0D%0A%09%09A%3A+What+is+the+European+Data+Protection+Board+%28EDPB%29%3F%0D%0A%09%09%09Q%2815.1.7.2%29%3A+The+EDPB+is+an+EU+body+in+charge+of+the+application+of+the+General+Data+Protection+Regulation+%28GDPR%29+as+of+25+May+2018.+It%27s+made+up+of+the+head+of+each+DPA+and+of+the+European+Data+Protection+Supervisor+%28EDPS%29+or+their+representatives.+The+European+Commission+takes+part+in+the+meetings+of+the+EDPB+without+voting+rights.+The+secretariat+of+the+EDPB+is+provided+by+the+EDPS.%0D%0A%09%09%09A%3A+And%3F%0D%0A%09%09%09%09Q%2815.1.7.2.1%29%3A+The+EDPB+will+be+at+the+centre+of+the+new+data+protection+landscape+in+the+EU.+It+will+help+ensure+that+the+data+protection+law+is+%3Cb%3Eapplied+consistently+across+the+EU%3C%2Fb%3E+and+work+to+ensure+%3Cb%3Eeffective+cooperation%3C%2Fb%3E+amongst+DPAs.%0D%0A%09%09%09%09A%3A+And%3F%0D%0A%09%09%09%09%09Q%2815.1.7.2.1.1%29%3A+The+Board+will+not+only+%3Cb%3Eissue+guidelines%3C%2Fb%3E+on+the+interpretation+of+core+concepts+of+the+GDPR+but+also+be+called+to+rule+%3Cb%3Eby+binding+decisions+on+disputes%3C%2Fb%3E+regarding+cross-border+processing%2C+ensuring+therefore+a+uniform+application+of+EU+rules+to+avoid+the+same+case+potentially+being+dealt+with+differently+across+various+jurisdictions.%0D%0A%09%09%09%09%09A%3A+Okay.++I+have+more+questions+about+enforcement+of+the+GDPR.%0D%0A%09%09%09%09%09%09Q%2815.1.7.2.1.1.1%29%3A+Sure.++References+for+this+question+are+Articles+63+to+76+and+Recitals+%28135%29+to+%28140%29+of+the+GDPR.GOTO%3AENFORCEMENT%0D%0A%09%09%09%09%09A%3A+Okay.++I+have+more+questions+about+the+GDPR.%0D%0A%09%09%09%09%09%09Q%2815.1.7.2.1.1.2%29%3A+Sure.++References+for+this+question+are+Articles+63+to+76+and+Recitals+%28135%29+to+%28140%29+of+the+GDPR.GOTO%3AEUROPA_YES%0D%0A%09%09A%3A+What+happens+if+my+company+processes+data+in+different+EU+Member+States%3F%0D%0A%09%09%09Q%2815.1.7.3%29%3AThe+General+Data+Protection+Regulation+%28GDPR%29+applies+throughout+the+EU+-+one+set+of+data+protection+rules+for+all+EU+Member+States.+This+spares+your+company%2Forganisation+the+need+to+get+to+grips+with+several+different+laws.%0D%0A%09%09%09A%3A+Is+there+more%3F%0D%0A%09%09%09%09Q%2815.1.7.3.1%29%3A+In+certain+areas%2C+EU+Member+States+can+further+specify+the+application+of+the+rules+of+the+GDPR+%28for+example+employment+rules%3B+public+health+sector%3B+rules+on+reconciliation+between+freedom+of+expression+and+data+protection%29.+The+GDPR+also+introduces+the+so+called+%27one-stop-shop%27+mechanism%2C+which+ensures+cooperation+between+the+%3Ca+href%3D%22https%3A%2F%2Fec.europa.eu%2Finfo%2Flaw%2Flaw-topic%2Fdata-protection%2Freform%2Frules-business-and-organisations%2Fenforcement-and-sanctions%2Fenforcement%2Fwhat-role-data-protection-authority_en%22+target%3D%22_blank%22%3EData+Protection+Authorities%3C%2Fa%3E+%28DPAs%29+in+the+case+of+cross-border+processing.%0D%0A%09%09%09%09A%3A+Anything+else%3F%0D%0A%09%09%09%09%09Q%2815.1.7.3.1.1%29%3A+If+your+company%2Forganisation+is+processing+data+in+%3Cb%3Edifferent+countries%3C%2Fb%3E%2C+the+competent+DPA+-+which+will+be+the+lead+authority+in+its+dealings+with+other+concerned+%3Cb%3EDPAs+in+the+EU+-+is+the+DPA+of+the+EU+Member+State+where+it+has+the+main+establishment.%3C%2Fb%3E%0D%0A%09%09%09%09%09A%3A+How+do+you+determine+where+the+main+establishment+is%3F++What+does+that+mean%3F%0D%0A%09%09%09%09%09%09Q%2815.1.7.3.1.1.1%29%3A+The+main+establishment+is+the+company%2Forganisation%27s+central+administration+in+the+EU+unless+decisions+about+the+purposes+and+means+of+processing+of+personal+data+are+taken+in+another+establishment+and+that+establishment+has+the+power+to+implement+those+decisions.%0D%0A%09%09%09%09%09%09A%3A+Oh.%0D%0A%09%09%09%09%09%09%09Q%2815.1.7.3.1.1.1.1%29%3A+If+your+company%2Forganisation+processes+data+in+order+to+fulfil+an+obligation+under+the+national+law+of+an+EU+Member+State%2C+only+the+DPA+of+that+EU+Member+State+is+competent.%0D%0A%09%09%09%09%09%09%09A%3A+Can+you+give+me+an+example%3F%0D%0A%09%09%09%09%09%09%09%09Q%2815.1.7.3.1.1.1.1.1%29%3A+A+textile+company%27s+main+establishment+%28that+is+to+say+its+headquarters%29+is+in+Italy.+It+has+satellite+shops+in+neighbouring+countries+such+as+Malta%2C+Greece%2C+France+and+Austria.+In+those+neighbouring+countries%2C+its+satellite+shops+set+up+databases+which+process+customers%27+personal+data+for+marketing+purposes.%0D%0A%09%09%09%09%09%09%09%09A%3A+...%0D%0A%09%09%09%09%09%09%09%09%09Q%2815.1.7.3.1.1.1.1.1.1%29%3A+However%2C+the+decisions+on+%27how%27+to+contact+the+said+customers%2C+%27when%27+and+%27why%27+are+taken+at+the+headquarters+in+Italy.+Thus%2C+in+this+case%2C+the+decision+on+the+processing+of+personal+data+for+marketing+purposes+is+deemed+to+be+made+in+Italy.+The+Italian+DPA+is+the+lead+authority+for+your+company%2Forganisation.%0D%0A%09%09%09%09%09%09%09%09%09A%3A+Gotcha.++I+have+more+questions+about+enforcement.%0D%0A%09%09%09%09%09%09%09%09%09%09Q%2815.1.7.3.1.1.1.1.1.1.1%29%3A+Okay.++References+for+this+question+are+Article+29+Working+Party+Guidelines+on+the+Lead+Supervisory+Authority+and+its+annex+%28Frequently+asked+questions%29%2C+5+April+2017+and+Articles+4%2823%29%2C+55%2C+56+and+60+to+70+and+Recitals+%28124%29+%28140%29+of+the+GDPR.GOTO%3AENFORCEMENT%0D%0A%09%09%09%09%09%09%09%09%09A%3A+Gotcha.++I+have+more+questions+about+the+GDPR+in+general.%0D%0A%09%09%09%09%09%09%09%09%09%09Q%2815.1.7.3.1.1.1.1.1.1.2%29%3A+Okay.++References+for+this+question+are+Article+29+Working+Party+Guidelines+on+the+Lead+Supervisory+Authority+and+its+annex+%28Frequently+asked+questions%29%2C+5+April+2017+and+Articles+4%2823%29%2C+55%2C+56+and+60+to+70+and+Recitals+%28124%29+%28140%29+of+the+GDPR.GOTO%3AEUROPA_YES%0D%0A%09A%3A+Resources+to+read+more+about+the+GDPR.%0D%0A%09%09Q%2815.1.8%29%3A+You+can+find+all+sorts+of+handy+things+here+at+the+%3Ca+href%3D%22https%3A%2F%2Fec.europa.eu%2Fcommission%2Fpriorities%2Fjustice-and-fundamental-rights%2Fdata-protection%2F2018-reform-eu-data-protection-rules_en%23library%22+target%3D%22_blank%22%3Esite+for+the+European+Commission.%3C%2Fa%3E%0D%0A%09%09A%3AGotcha.%0D%0A%09%09%09Q%2815.1.8.1%29%3A+Ready+to+move+on%3F%0D%0A%09%09%09A%3A+Yes.%0D%0A%09%09%09%09Q%2815.1.8.1.1%29%3AGOTO%3AEU_DISCLAIMER%0D%0A%09%09%09A%3A+No.++I+have+more+questions+about+the+GDPR.%0D%0A%09%09%09%09Q%2815.1.8.1.2%29%3AOkay.GOTO%3AEUROPA_YES%0D%0A%09A%3AI%27m+ready+to+move+on.%0D%0A%09%09Q%2815.1.9%29%3AGOTO%3AEU_DISCLAIMER%0D%0AA%3ANo+thanks.+I%27m+ready+to+go+on.%0D%0A%09Q%2815.2%29%3AGOTO%3AEU_DISCLAIMER%0D%0A%0D%0AQ%28EU_DISCLAIMER%29%3A+The+information+and+guidance+in+this+tool+are+intended+to+contribute+to+a+better+understanding+of+EU+data+protection+rules.%0D%0AA%3A+I+understand.%0D%0A%09Q%2816.1%29%3AThis+is+intended+purely+as+a+guidance+tool+-+only+the+text+of+the+General+Data+Protection+Regulation+%28GDPR%29+has+legal+force.+As+a+consequence%2C+only+the+GDPR+is+liable+to+create+rights+and+obligations+for+individuals.+This+guidance+does+not+create+any+enforceable+right+or+expectation.%0D%0A%09A%3A+I+see+and+agree.%0D%0A%09%09Q%2816.1.1%29%3A+The+binding+interpretation+of+EU+legislation+is+the+exclusive+competence+of+the+Court+of+Justice+of+the+European+Union.+The+views+expressed+in+this+guidance+are+without+prejudice+to+the+position+that+the+Commission+might+take+before+the+Court+of+Justice.%0D%0A%09%09A%3A+I+understand+and+acknowledge.%0D%0A%09%09%09Q%2816.1.1.1%29%3A+Neither+LTL%2C+BLIP%2C+nor+the+creators+of+and+contributors+to+this+tool%2C+nor+David+Colarusso+%28creator+of+QnA+Markup%29%2C+nor+the+European+Commission+nor+any+person+acting+on+behalf+of+the+European+Commission+is+responsible+for+the+use+which+might+be+made+of+the+information+contained+in+this+tool.%0D%0A%09%09%09A%3A+I+understand+and+agree.%0D%0A%09%09%09%09Q%2816.1.1.1.1%29%3A+As+this+guidance+reflects+the+state+of+the+art+at+the+time+of+its+drafting%2C+it+should+be+regarded+as+a+%27living+tool%27+open+for+improvement+and+its+content+may+be+subject+to+modifications+without+notice.%0D%0A%09%09%09%09A%3A+I+understand+and+affirm.%0D%0A%09%09%09%09%09Q%2816.1.1.1.1.1%29%3A+Great.+This+was+last+updated+on+May+10%2C+2018.+%3Cbr%3E%3Cbr%3EAre+you+ready+to+move+on%3F%0D%0A%09%09%09%09%09A%3A+Yes.%0D%0A%09%09%09%09%09%09Q%2816.1.1.1.1.1.1%29%3AGOTO%3APOINT_OF_NO_RETURN%0D%0A%09%09%09%09%09A%3A+No.%0D%0A%09%09%09%09%09%09Q%2816.1.1.1.1.1.2%29%3A+What%27s+up%3F%0D%0A%09%09%09%09%09%09A%3A+I+don%27t+agree+with+some+of+the+stuff+we%27ve+just+discussed.%0D%0A%09%09%09%09%09%09%09Q%2816.1.1.1.1.1.2.1%29%3A+This+is+an+educational+%3Ci%3Eonly%3C%2Fi%3E+an+educational+tool+that+provides+you+with+information.++It+is+a+collaborative+effort+designed+to+assist+small+business+owners+and+entrepreneurs+with+some+background+on+the+GDPR%2C+and%2C+at+the+next+stage%2C+to+help+them+draft+a+letter+intended+for+an+attorney+to+help+focus+the+conversation.++If%2C+for+some+reason%2C+you+don%27t+agree+with+us+here+or+you+have+questions%2C+you+an+%3Ca+href%3D%22mailto%3Ablip%40brooklaw.edu%3Fsubject%3DGDPR%2520QnA%2520UID201705025%22%3Esend+us+a+message%3C%2Fa%3E.%0D%0A%09%09%09%09%09%09%09A%3A+Okay.+I+don%27t+feel+comfortable+going+any+further.%0D%0A%09%09%09%09%09%09%09%09Q%2816.1.1.1.1.1.2.1.1%29%3A+I%27m+afraid+we+can%27t+go+any+further+with+you+if+you+have+these+kinds+of+concerns.GOTO%3AENDRUN%0D%0A%09%09%09%09%09%09%09A%3A+I+understand+and+would+like+to+continue.%0D%0A%09%09%09%09%09%09%09%09Q%2816.1.1.1.1.1.2.1.2%29%3AGOTO%3APOINT_OF_NO_RETURN%0D%0A%0D%0AQ%28POINT_OF_NO_RETURN%29%3A++We%27re+about+to+move+on+to+the+next+section+where+we%27ll+ask+you+some+questions.%0D%0AA%3A+Cool.++I%27m+ready.%0D%0A%09Q%2817.1%29%3AGOTO%3ALAUNCHPAD%0D%0AA%3A+WAIT%21%21%21+I+want+to+go+back%21.%0D%0A%09Q%2817.2%29%3A+Okay.+No+problem%21++What+sort+of+questions+do+you+have%3F%0D%0A%09A%3A+I+want+have+questions+about+this+tool.%0D%0A%09%09Q%2817.2.1%29%3AGOTO%3ATOOL_QUESTIONS%0D%0A%09A%3A+I+have+general+questions+about+the+GDPR.%0D%0A%09%09Q%2817.2.2%29%3AGOTO%3AGDPR_QUESTIONS%0D%0A%09A%3A+I+want+to+see+the+EU%27s+Guidance+again.%0D%0A%09%09Q%2817.2.3%29%3AGOTO%3AEUROPA_YES%0D%0AA%3A+I%27d+like+to+save+a+copy+of+this+chat.%0D%0A%09Q%2817.3%29%3A+Cool.+Okay.++Just+click+here.%0D%0A%09A%5Bjavascript%3Asave2%28%27GDPR_Chat_Transcript.txt%27%2C+transcript%28%29%29%3B%5D%3A+Save+conversation.%0D%0A%09%09Q%2817.3.1%29%3AWhat+would+you+like+to+do+now%3F%0D%0A%09%09A%3A+I+have+more+general+questions.%0D%0A%09%09%09Q%2817.3.1.1%29%3A+Okay%21GOTO%3AGDPR_QUESTIONS%0D%0A%09%09A%3A+I+have+more+questions+about+the+guidance+from+the+European+Commission.%0D%0A%09%09%09Q%2817.3.1.2%29%3A+Okay%21GOTO%3AEUROPA_YES%0D%0A%09%09A%3A+I+would+like+to+go+to+the+next+step.%0D%0A%09%09%09Q%2817.3.1.3%29%3AGOTO%3ALAUNCHPAD%0D%0AA%3A+I+changed+my+mind.++I+don%27t+have+any+more+questions+at+this+time+and+am+ready+to+move+on.%0D%0A%09Q%2817.4%29%3AGOTO%3ALAUNCHPAD%0D%0A%0D%0AQ%28LAUNCHPAD%29%3A+So%2C+the+tool+is+now+in+two+places.++To+advance+to+the+next+section%2C+%3Ca+href%3D%22https%3A%2F%2Fpotkewitz.github.io%2FQnA%2FGDPR_Letter.html%22+target%3D%22_blank%22%3Eclick+here+to+go+to+the+next+step%3C%2Fa%3E.%0D%0A%0D%0AQ%28ENDRUN%29%3A+Thanks+for+stopping+by.%0D%0A%0D%0A%3C%21--Copyright+%28c%29+2018+Mark+Potkewitz--%3E%0D%0A%3C%21--This+is+available+under+the+MIT+License--%3E%0D%0A