22. Data protection: the legal framework

2019 ◽  
pp. 565-594
Author(s):  
Andrew Murray

This chapter examines data protection, digitization of data, its implications for personal privacy, and the regulation of data industries. It begins by discussing the current law found in the General Data Protection Regulation and the Data Protection Act 2018. It examines the key concepts of data controllers, data processors, and data subjects, and discusses the conditions for the processing of personal data. This includes an examination of key cases such as Nowak v Data Protection Commissioner and Bodil Lindqvist. It looks at the geographical scope of the GDPR and the extraterritorial effect of the Regulation, and examines the domestic purposes exemption after Ryneš.

Author(s):  
Alexander Gurkov

Abstract This chapter considers the legal framework of data protection in Russia. The adoption of the Yarovaya laws, data localization requirement, and enactment of sovereign Runet regulations allowing for isolation of the internet in Russia paint a grim representation of state control over data flows in Russia. Upon closer examination, it can be seen that the development of data protection in Russia follows many of the steps taken at the EU level, although some EU measures violated fundamental rights and were invalidated. Specific rules in this sphere in Russia are similar to the European General Data Protection Regulation. This chapter shows the special role of Roskomnadzor in forming data protection regulations by construing vaguely defined rules of legislation.


Information ◽  
2020 ◽  
Vol 11 (12) ◽  
pp. 586
Author(s):  
Dimitra Georgiou ◽  
Costas Lambrinoudakis

Currently, there are several challenges that cloud-based healthcare systems around the world are facing. The most important issue is to ensure security and privacy, or in other words, to ensure the confidentiality, integrity, and availability of the data. Although the main provisions for data security and privacy were present in the former legal framework for the protection of personal data, the General Data Protection Regulation (GDPR) introduces new concepts and new requirements. In this paper, we present the main changes and the key challenges of the GDPR and, at the same time, we present how a cloud-based security policy could be modified in order to be compliant with the GDPR, as well as how cloud environments can assist developers to build secure and GDPR compliant cloud-based healthcare systems. The major concept of this paper is dual-purpose; primarily, to facilitate cloud providers in comprehending the framework of the new GDPR and secondly, to identify security measures and security policy rules, for the protection of sensitive data in a cloud-based healthcare system, following our risk-based security policy methodology that assesses the associated security risks and takes into account different requirements from patients, hospitals, and various other professional and organizational actors.


Author(s):  
Bernardo D. OLIVARES OLIVARES

LABURPENA (Basque summary, translated): The General Data Protection Regulation of the European Union requires that information be processed lawfully, fairly and transparently. Indeed, this last principle is of great importance when citizens' data are obtained, used and transferred in the public sphere. This work critically addresses the analysis of one of the projections of that principle: namely, the duty to inform. To that end, we have examined the legal framework, paying particular attention to the various problems raised by the cases of exemption from the Regulation; those cases release the data controller from this obligation. We have identified several problems, and solving them will require the development of new rules and the establishment of appropriate measures to protect the legitimate interests of the data subject. A minimum level of transparency must be present in processing operations, so that taxpayers can control the use of their data after information is exchanged with other EU administrations.

RESUMEN (Spanish summary, translated): The General Data Protection Regulation of the European Union requires lawful, fair and transparent processing of information. Precisely, this last principle is of special relevance during the collection, use and transfer of citizens' data in the public sphere. This work critically addresses the analysis of one of its projections: the duty to inform. To do so, we examine its legal framework, paying special attention to the various problems posed by the exemptions in the Regulation, which allow the data controller to be released from this obligation. We have identified different problems whose solution would require the development of new rules and the implementation of appropriate measures to protect the legitimate interests of the data subject. A minimum degree of transparency about processing must be provided so that citizens can control the use of their data after exchanges of information with other EU administrations.

ABSTRACT: The General Data Protection Regulation requires that personal data must be processed lawfully, fairly and in a transparent manner. Precisely, this last principle is of special relevance during the collection, use, and transfer of citizens' data. This paper critically addresses the analysis of one of its projections: the duty to inform. To do this, we examine its legal framework, paying particular attention to the various problems arising from its exemptions, which allow the data controller to be exempt from his or her obligation. We have identified different problems that would need to be solved by the development of new regulations and by the implementation of appropriate measures in order to protect the legitimate interests of the data subjects. It is mandatory to provide a minimum degree of transparency during the processing to allow citizens to control the use of their data after exchanges of information with other EU administrations.


2019 ◽  
Vol 5 (2) ◽  
pp. 34-42
Author(s):  
Maria De Almeida Alves

This Paper will address the interplay between the Directive on certain aspects concerning contracts for the supply of digital content and digital services and the current EU data protection framework, namely the General Data Protection Regulation. Albeit the Directive has the aim of protecting consumers, has it gone too far and made a crack in the data protection EU legal framework? Can personal data be treated as a commodity or is its scope as a counter-performance subject to a particular interpretation? I shall analyze these questions in light of the European Data Protection Supervisor’s Opinion 4/2017 and the European Data Protection Board’s Guidelines 2/2019.


2021 ◽  
Vol 12 ◽  
pp. 59-66
Author(s):  
Marta Mackeviča

The General Data Protection Regulation (hereinafter – the Regulation), which entered into force on 25 May 2018 and introduced a new legal framework for the protection of personal data in the European Union, also included a number of new rights, more precise definitions and improvements in the field of personal data protection. The three‐year period has shown that the Regulation has successfully replaced Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, but the Covid‐19 pandemic posed the question: does the Regulation sufficiently define and explain how controllers should deal with the processing of sensitive data, or in situations where employees of companies and institutions work remotely? Data protection is a complex concept that can be analyzed from both a legal and a social point of view. Traditionally, data protection has been referred to as the protection of personal privacy in the context of processes involving the use of personal data. Prior to the implementation of the Regulation, the existing rules on the protection of personal data in the European Union were not sufficiently uniform and were implemented differently in each Member State. This contributed to the development and implementation of the Regulation, in the hope that it would modernize and promote a common data protection regime, while maintaining all the basic principles of data protection that have been followed so far. Prior to the pandemic, the Regulation successfully achieved its original objectives, but has the pandemic necessitated a revision of the Regulation? This article will analyze the development of the legal framework for the protection of personal data and analyze the compliance of the Regulation with the requirements arising from the effects of the pandemic.


2021 ◽  
Vol 11 (2) ◽  
pp. 3-24
Author(s):  
Jozef Andraško ◽  
Matúš Mesarčík

Abstract The article focuses on the intersections of the regulation of electronic identification as provided in the eIDAS Regulation and data protection rules in the European Union. The first part of the article is devoted to the explanation of the basic notions and framework related to electronic identity in the European Union—the eIDAS Regulation. The second part of the article discusses specific intersections of the eIDAS Regulation with the General Data Protection Regulation (GDPR), specifically scope, the general data protection clause and mainly personal data processing in the context of mutual recognition of electronic identification means. The article aims to discuss the overlapping issues of the regulation of the GDPR and the eIDAS Regulation and provides a further guide for interpretation and implementation of the outcomes in practice.


Author(s):  
Dimitra Georgiou ◽  
Costas Lambrinoudakis

Currently, there are several challenges that Cloud-based health-care Systems around the world are facing. The most important issue is to ensure security and privacy, or in other words to ensure the confidentiality, integrity and availability of the data. Although the main provisions for data security and privacy were present in the former legal framework for the protection of personal data, the General Data Protection Regulation (GDPR) introduces new concepts and new requirements. In this paper, we present the main changes and the key challenges of the General Data Protection Regulation, and at the same time we present how the Cloud-based Security Policy methodology proposed in [1] could be modified in order to be compliant with the GDPR and how Cloud environments can assist developers to build secure and GDPR compliant Cloud-based health Systems. The major concept of this paper is, primarily, to facilitate Cloud Providers in comprehending the framework of the new General Data Protection Regulation and, secondly, to identify security measures and security policy rules for the protection of sensitive data in a Cloud-based Health System, following our risk-based Security Policy Methodology that assesses the associated security risks and takes into account different requirements from patients, hospitals, and various other professional and organizational actors.


Author(s):  
Teodora Lalova ◽  
Anastassia Negrouk ◽  
Laurent Dollé ◽  
Sofie Bekaert ◽  
Annelies Debucquoy ◽  
...  

Abstract This contribution aims to present in a clear and concise manner the intricate legal framework for biobank research in Belgium. In Part 1, we describe the Belgian biobank infrastructure, with a focus on the concept of biobank. In Part 2, we provide an overview of the applicable legal framework, namely the Act of 19 December 2008 on Human Body Material (HBM), and its amendments. Attention is given to an essential piece of self-regulation, namely the Compendium on biobanks issued by the Federal Agency on Medicine Products and Health (FAMPH). Furthermore, we delineate the interplay with relevant data protection rules. Part 3 is dedicated to the main research oversight bodies in the field of biobanking. In Part 4, we provide several examples of the ‘law in context’. In particular, we discuss issues pertaining to presumed consent, processing of personal data associated with HBM, and information provided to the donor of HBM. Finally, Parts 5 and 6 address the impact of the EU General Data Protection Regulation (GDPR), suggest lines for further research, and outline the future possibilities for biobanking in Belgium.


2020 ◽  
Vol 28 (1) ◽  
pp. 1-19
Author(s):  
Deva Prasad M ◽  
Suchithra Menon C

Abstract This article analyses the relevance of the Personal Data Protection Bill, 2018 for developing a data protection legal framework in India. In this regard, the article attempts to analyse the evolution process of comprehensive personal data protection law in the Indian context. The manner in which the Personal Data Protection Bill, 2018 will revamp and strengthen the existing data protection regulatory framework forms the major edifice of this article. The article also dwells on the significant role played by the fundamental right to privacy judgment (Justice K.S. Puttaswamy v Union of India) of the Supreme Court of India, thus preparing the regulatory ground for the evolution of the Personal Data Protection Bill, 2018. The influence of the European Union General Data Protection Regulation in shaping the Indian legal framework is highlighted. The article also discusses pertinent legal concerns that could question the effectiveness of the proposed data protection legal framework in the Indian context.


Author(s):  
Raphaël Gellert

The main goal of this book is to provide an understanding of what is commonly referred to as “the risk-based approach to data protection”, an expression that came to the fore during the overhaul process of the EU’s General Data Protection Regulation (GDPR), even though it can also be found in other statutes under different acceptations. At its core it consists in endowing the regulated organisations that process personal data with increased responsibility for complying with data protection mandates. Such increased compliance duties are performed through risk management tools. The book addresses this topic from various perspectives. In framing the risk-based approach as the latest model in a series of regulation models, the book provides an analysis of data protection law from the perspective of regulation theory as well as the risk and risk management literatures, and their mutual interlinkages. Further, it provides an overview of the policy developments that led to the adoption of such an approach, which it discusses in the light of regulation theory. It also includes various discussions pertaining to the risk-based approach’s scope and meaning, to the way it has been taken up in statutes including key provisions such as accountability and data protection impact assessments, and to its potential and limitations. Finally, it analyses how the risk-based approach can be implemented in practice by providing technical analyses of various data protection risk management methodologies.

