Capturing the Basics of the GDPR in a Well-Founded Legal Domain Modular Ontology

Modular Ontology ◽

Legal Domain ◽

Ontology Reuse

The primary goal of the General Data Protection Regulation (GDPR) is to regulate the rights and duties of citizens and organizations over personal data protection. Implementing the GDPR is recently gaining much importance for legal reasoning and compliance checking purposes. In this work, we aim to capture the basics of GDPR in a well-founded legal domain modular ontology named OPPD (Ontology for the Protection of Personal Data). Ontology-Driven Conceptual Modeling (ODCM), ontology layering, modularization, and reuse processes are applied. These processes aim to support the ontology engineer in overcoming the complexity of the legal knowledge and developing an ontology model faithful to reality. ODCM is used for grounding OPPD in the Unified Foundational Ontology (UFO). Ontology modularization and layering aim to simplify the ontology building process. Ontology reuse focuses on selecting and reusing Conceptual Ontology Patterns (COPs) from UFO and the legal core ontology UFO-L. OPPD intends to overcome the lack of a representation of legal procedures that most ontologies encountered. The potential use of OPPD is proposed to formalize the GDPR rules by combining ontological reasoning and Logic Programming.

Data Protection Impact Assessment (DPIA) for Cloud-Based Health Organizations

Future Internet ◽

10.3390/fi13030066 ◽

2021 ◽

Vol 13 (3) ◽

pp. 66

Author(s):

Dimitra Georgiou ◽

Costas Lambrinoudakis

Keyword(s):

Impact Assessment ◽

Data Protection ◽

Gap Analysis ◽

Health Care Organization ◽

Personal Data ◽

Care Organization ◽

The European Union ◽

Compliance Level

The General Data Protection Regulation (GDPR) harmonizes personal data protection laws across the European Union, affecting all sectors including the healthcare industry. For processing operations that pose a high risk for data subjects, a Data Protection Impact Assessment (DPIA) is mandatory from May 2018. Taking into account the criticality of the process and the importance of its results, for the protection of the patients’ health data, as well as the complexity involved and the lack of past experience in applying such methodologies in healthcare environments, this paper presents the main steps of a DPIA study and provides guidelines on how to carry them out effectively. To this respect, the Privacy Impact Assessment, Commission Nationale de l’Informatique et des Libertés (PIA-CNIL) methodology has been employed, which is also compliant with the privacy impact assessment tasks described in ISO/IEC 29134:2017. The work presented in this paper focuses on the first two steps of the DPIA methodology and more specifically on the identification of the Purposes of Processing and of the data categories involved in each of them, as well as on the evaluation of the organization’s GDPR compliance level and of the gaps (Gap Analysis) that must be filled-in. The main contribution of this work is the identification of the main organizational and legal requirements that must be fulfilled by the health care organization. This research sets the legal grounds for data processing, according to the GDPR and is highly relevant to any processing of personal data, as it helps to structure the process, as well as be aware of data protection issues and the relevant legislation.

Data Sharing Under the General Data Protection Regulation

Hypertension ◽

10.1161/hypertensionaha.120.16340 ◽

2021 ◽

Vol 77 (4) ◽

pp. 1029-1035

Author(s):

Antonia Vlahou ◽

Dara Hallinan ◽

Rolf Apweiler ◽

Angel Argiles ◽

Joachim Beige ◽

...

Keyword(s):

European Union ◽

Data Protection ◽

Personal Data ◽

Research Approach ◽

The European Union ◽

Protection Legislation ◽

General Data ◽

Almost All

The General Data Protection Regulation (GDPR) became binding law in the European Union Member States in 2018, as a step toward harmonizing personal data protection legislation in the European Union. The Regulation governs almost all types of personal data processing, hence, also, those pertaining to biomedical research. The purpose of this article is to highlight the main practical issues related to data and biological sample sharing that biomedical researchers face regularly, and to specify how these are addressed in the context of GDPR, after consulting with ethics/legal experts. We identify areas in which clarifications of the GDPR are needed, particularly those related to consent requirements by study participants. Amendments should target the following: (1) restricting exceptions based on national laws and increasing harmonization, (2) confirming the concept of broad consent, and (3) defining a roadmap for secondary use of data. These changes will be achieved by acknowledged learned societies in the field taking the lead in preparing a document giving guidance for the optimal interpretation of the GDPR, which will be finalized following a period of commenting by a broad multistakeholder audience. In parallel, promoting engagement and education of the public in the relevant issues (such as different consent types or residual risk for re-identification), on both local/national and international levels, is considered critical for advancement. We hope that this article will open this broad discussion involving all major stakeholders, toward optimizing the GDPR and allowing a harmonized transnational research approach.

Privacy, security, legal and technology acceptance elicited and consolidated requirements for a GDPR compliance platform

Information and Computer Security ◽

10.1108/ics-01-2020-0002 ◽

2020 ◽

Vol 28 (4) ◽

pp. 531-553 ◽

Cited By ~ 1

Author(s):

Aggeliki Tsohou ◽

Emmanouil Magkos ◽

Haralambos Mouratidis ◽

George Chrysoloras ◽

Luca Piras ◽

...

Keyword(s):

Technology Acceptance ◽

Data Protection ◽

Personal Data ◽

Secondary Process ◽

Multiple Perspectives ◽

Data Governance ◽

Content Type ◽

Eu Project

Purpose General data protection regulation (GDPR) entered into force in May 2018 for enhancing personal data protection. Even though GDPR leads toward many advantages for the data subjects it turned out to be a significant challenge. Organizations need to implement long and complex changes to become GDPR compliant. Data subjects are empowered with new rights, which, however, they need to become aware of. GDPR compliance is a challenging matter for the relevant stakeholders calls for a software platform that can support their needs. The aim of data governance for supporting GDPR (DEFeND) EU project is to deliver such a platform. The purpose of this paper is to describe the process, within the DEFeND EU project, for eliciting and analyzing requirements for such a complex platform. Design/methodology/approach The platform needs to satisfy legal and privacy requirements and provide functionalities that data controllers request for supporting GDPR compliance. Further, it needs to satisfy acceptance requirements, for assuring that its users will embrace and use the platform. In this paper, the authors describe the methodology for eliciting and analyzing requirements for such a complex platform, by analyzing data attained by stakeholders from different sectors. Findings The findings provide the process for the DEFeND platform requirements’ elicitation and an indicative sample of those. The authors also describe the implementation of a secondary process for consolidating the elicited requirements into a consistent set of platform requirements. Practical implications The proposed software engineering methodology and data collection tools (i.e. questionnaires) are expected to have a significant impact for software engineers in academia and industry. Social implications It is reported repeatedly that data controllers face difficulties in complying with the GDPR. The study aims to offer mechanisms and tools that can assist organizations to comply with the GDPR, thus, offering a significant boost toward the European personal data protection objectives. Originality/value This is the first paper, according to the best of the authors’ knowledge, to provide software requirements for a GDPR compliance platform, including multiple perspectives.

The State Archives of the Republic of Macedonia: Use of Archival Material and Data Protection Pursuant to the Law on Personal Data Protection and the General Data Protection Regulation

Atlanti ◽

10.33700/2670-451x.28.2.91-98(2018) ◽

2018 ◽

Vol 28 (2) ◽

pp. 91-98

Author(s):

Svetlana Usprcova

Keyword(s):

Data Protection ◽

Personal Data ◽

The State ◽

Archival Material ◽

Republic Of Macedonia ◽

Other Information ◽

The Republic ◽

State Archives

The aim of this paper is to explain the position of the State Archives of the Republic of Macedonia as guardian of the archival material, which is a subject of use for scientific, academic, administrative, public, publishing, exhibition and other purposes. In the process of use of the archival material, the archivists must be very careful in order to protect confidential, sensitive, legal and other information contained in the archival material, and take some measures in relation to the personal data protection. Herein, the author, also talks about the current Law on personal data protection and the harmonisation of the national law with the European legislation.

GDPR implementation as the main reason for the regional fragmentation in the online mediasphere

E3S Web of Conferences ◽

10.1051/e3sconf/202127308099 ◽

2021 ◽

Vol 273 ◽

pp. 08099

Author(s):

Mikhail Smolenskiy ◽

Nikolay Levshin

Keyword(s):

European Union ◽

Data Protection ◽

Personal Data ◽

Main Role ◽

The European Union ◽

Protection Measures ◽

The Usa ◽

General Data

The EU’s General Data Protection Regulation (GDPR) applies not only to the territory of the European Union, but also to all information systems containing data of EU’s citizens around the world. Misusing or carelessly handling personal data bring fines of up to 20 million euros or 4% of the annual turnover of the offending company. This article analyzes the main trends in the global implementation of the GDPR. Authors considered and analyzed results of personal data protection measures in nineteen regions: The USA, Canada, China, France, Germany, India, Kazakhstan, Nigeria, Russia, South Korea and Thailand, as well as the European Union and a handful of other. This allowed identifying a direct pattern between the global tightening of EU’s citizens personal data protection and the fragmentation of the global mediasphere into separate national segments. As a result of the study, the authors conclude that GDPR has finally slowed down the globalization of the online mediasphere, playing a main role in its regional fragmentation.

Credit-Based Insurance Scores: some Observations in the Light of the European General Data Protection Regulation

Cuadernos Europeos de Deusto ◽

10.18543/ced-62-2020pp155-186 ◽

2020 ◽

pp. 155-186

Author(s):

María Dolores Mas Badia

Keyword(s):

Data Protection ◽

Personal Data ◽

Insurance Companies ◽

The European Union ◽

History Data ◽

Credit History ◽

Automated Processing ◽

General Data

Despite the differences between credit risk and insurance risk, in many countries large insurance companies include credit history amongst the information to be taken into account when assigning consumers to risk pools and deciding whether or not to offer them an auto or homeowner insurance policy, or to determine the premium that they should pay. In this study, I will try to establish some conclusions concerning the requirements and limits that the use of credit history data by insurers in the European Union should be subject to. In order to do this, I shall focus my attention primarily on Regulation (EU) 2016/679. This regulation, that came into force on 24 May 2018, not only forms the backbone of personal data protection in the EU, but is also set to become a model for regulation beyond the borders of the Union. This article will concentrate on two main aspects: the lawful basis for the processing of credit history data by insurers, and the rules that should apply to decisions based solely on automated processing, including profiling.Received: 30 December 2019Accepted: 07 February 2020Published online: 02 April 2020

Delegation-Based Personal Data Processing Request Notarization Framework for GDPR Based on Private Blockchain

Applied Sciences ◽

10.3390/app112210574 ◽

2021 ◽

Vol 11 (22) ◽

pp. 10574

Author(s):

Sung-Soo Jung ◽

Sang-Joon Lee ◽

Ieck-Chae Euom

Keyword(s):

Data Processing ◽

Data Protection ◽

Data Privacy ◽

Personal Data ◽

Compliance Audit ◽

General Data ◽

Data Controller ◽

Data Subject

With the growing awareness regarding the importance of personal data protection, many countries have established laws and regulations to ensure data privacy and are supervising managements to comply with them. Although various studies have suggested compliance methods of the general data protection regulation (GDPR) for personal data, no method exists that can ensure the reliability and integrity of the personal data processing request records of a data subject to enable its utilization as a GDPR compliance audit proof for an auditor. In this paper, we propose a delegation-based personal data processing request notarization framework for GDPR using a private blockchain. The proposed notarization framework allows the data subject to delegate requests to process of personal data; the framework makes the requests to the data controller, which performs the processing. The generated data processing request and processing result data are stored in the blockchain ledger and notarized via a trusted institution of the blockchain network. The Hypderledger Fabric implementation of the framework demonstrates the fulfillment of system requirements and feasibility of implementing a GDPR compliance audit for the processing of personal data. The analysis results with comparisons among the related works indicate that the proposed framework provides better reliability and feasibility for the GDPR audit of personal data processing request than extant methods.

Bases jurídicas relevantes del tratamiento de datos personales en la contratación de contenidos y servicios digitales = Relevant legal bases in the processing of personal data in the contracts of digital contents and digital services

CUADERNOS DE DERECHO TRANSNACIONAL ◽

10.20318/cdt.2020.5228 ◽

2020 ◽

Vol 12 (1) ◽

pp. 875

Author(s):

Rosa María García Pérez

Keyword(s):

Data Protection ◽

Personal Data ◽

Digital Content ◽

Consumer Law ◽

Market Interaction ◽

Digital Services ◽

Regulatory Frameworks ◽

Digital Contents

Resumen: El proceso emprendido a nivel europeo de revisión, modernización y adaptación de las reglas de protección de consumidores al entorno tecnológico ha puesto en contacto dos esferas normativas de contrapuestos intereses: protección de datos personales y Derecho de consumo. El primer punto de inflexión de la compleja interacción entre ambos marcos regulatorios ha venido de la mano de la Directiva (UE) 2019/770 del Parlamento Europeo y del Consejo, de 20 de mayo de 2019, relativa a determinados aspectos relacionados con los contratos de suministro de contenido digital y servicios digitales, que ofrece los mismos remedios contractuales tanto a consumidores que abonan un precio como a quienes, a modo de contraprestación, facilitan sus datos personales. De las nuevas e interesantes perspectivas de análisis que ofrece la imbricación del derecho fundamental a la protección de datos en la esfera contractual, este trabajo centra su atención en la determinación de las bases de licitud, conforme al Reglamento General de Protección de Datos, de los tratamientos de datos personales derivados del ámbito de aplicación de la Directiva y su incidencia contractual.Palabras clave: Mercado Único Digital Europeo, interacción derecho de consumo-protección de datos personales, suministro de contenidos y servicios digitales, datos personales como contraprestación, principio de licitud del tratamiento.Abstract: The European process of revision, modernization and adaptation of consumer protection rules to the technological environment has brought into contact two regulatory spheres of opposite interests: personal data protection and consumer law. The first inflection point of the complex interaction between both regulatory frameworks has come from the hand of Directive (EU) 2019/770 of the European Parliament and of the Council, of 20 May 2019, on certain aspects concerning contracts for the supply of digital content and digital services, which offers the same contractual remedies both to consumers who pay a price and to those who, by way of counter performance, provide their personal data. Of the new and interesting perspectives of analysis offered by the overlapping of the fundamental right to data protection in the contractual sphere, this paper focuses on the determination of the bases of lawfulness, according to the General Data Protection Regulation, of the processing of derived personal data of the scope of the Directive and its contractual impact.Keywords: EU Digital Single Market, interaction consumer law - data protection regulation, supply of digital content and digital services, counter-performance in the form of personal data, principle of lawfulness of the personal data processing.

Uchybienie przepisom o ochronie danych osobowych jako naruszenie dobra osobistego – analiza na przykładzie orzecznictwa Sądu Najwyższego

Studia Prawnoustrojowe ◽

10.31648/sp.5333 ◽

2019 ◽

pp. 245-259

Author(s):

Bernard Łukanko

Keyword(s):

Data Protection ◽

Personal Data ◽

Right To Privacy ◽

Professional Literature ◽

The Right To Privacy ◽

General Data ◽

The Right ◽

Personal Interests

The study is concerned with the issue of mutual relationship between the failure to comply with the laws on personal data protection and regulations relating to the protection of personal interests, including in particular the right to privacy. The article presents the views held by the Supreme Court with respect to the possibility of considering acts infringing upon the provisions of the Personal Data Protection Act of 1997 (after 24 May 2018) and of the General Data Protection Regulation (after 25 May 2018) as violation of personal interests, such as the right to privacy. The author shared the view of the case law stating that, if in specifc circumstances the processing of personal data violates the right to privacy, the party concerned may seek remedy on the grounds of Articles 23 and 24 of the Polish Civil Code. This position isalso relevant after the entry into force of the GDPR which, in a comprehensive and exhaustive manner, directly applicable in all Member States, regulates the issue of liability under civil law for infringements of the provisions of the Regulation, however, according to the position expressed in professional literature, it does not exclude the concurrence of claims and violation of the provisions on the protection of personal interests caused by a specifc event. In case of improper processing of personal data, the remedies available under domestic law on the protection of personal interests may be of particular importance outside the subject matter scope of the GDPR applicability.

OS BIG DATA E OS DADOS PESSOAIS ENTRE OS PRINCÍPIOS DA PROTEÇÃO E DA INOVAÇÃO

Law State and Telecommunications Review ◽

10.26512/lstr.v12i1.30007 ◽

2020 ◽

Vol 12 (1) ◽

pp. 225-245

Author(s):

Célia Zolynski

Keyword(s):

Big Data ◽

Latin American ◽

Data Protection ◽

Personal Data ◽

European Union Law ◽

Internet Regulation ◽

New Type ◽

General Data

Objective ”“ The article contrasts the problem of Big Data with the possibilities and limits of personal data protection. It is an original contribution to the academic discussion about the regulation of the Internet and the management of algorithms, focusing on Big Data. Methodology/approach/design ”“ The article provides bibliographic research on the opposition between Big Data and personal data protection, focusing on European Union law and French law. From the research is possible to identify regulatory alternatives do Big Data, whether legal-administrative nature or technological nature. Findings ”“ The article enlightens that, in addition to the traditional regulatory options, based on the law, there are technological options for regulating Big Data and algorithms. The article goes through an analysis of administrative performance, such as France’s CNIL (Commission nationale informatique et libertés, CNIL), to show that it has limits. Thus, the article concludes that there is a need to build a new type of regulation, one that is open to the inputs of regulated parties and civil society, in the form of new co-regulatory arrangements. Practical implications ”“ The article has an obvious application since the production of legal solutions for Internet regulation requires combining them with technological solutions. Brazil and several Latin American countries are experiencing this agenda, as they are building institutions and solutions to solve the dilemma of personal data protection. Originality/value ”“ The article clarifies several parts of the General Data Protection Regulation (EU Regulation 2016/679) and its applicability to Big Data. These new types of data processing impose several legal and regulatory challenges, whose solutions cannot be trivial and will rely on new theories and practices.