
Data Protection Module 1 - Introduction

Course materials / handouts checklist

Resources :

1. Powerpoint facilities
2. Spare lined paper
3. Namecards and pens

Handout for each delegate:

1. Delegate notes
2. Handout - contents list for GDPR
3. Activity 2 - identifying the principle
4. Activity 2 - answers
5. Activity 3 - delegate sheet - 1 each (not laminated)
6. Evaluation form

Printouts for each Tutor / Observer:

1. Printout of Powerpoint slides in 'Notes page' format

Introduction - Module 1 resources checklist


Name of course: Data Protection and PECR.

Objective: To give staff a better understanding of the GDPR, DPA2018 and PECR.

The course is suitable for: Any new staff to the ICO who are going to
be working with the GDPR, DPA2018 and PECR

Module Objectives: By the end of the session you will be able to

Module 1 Introduction
- appreciate the wider context of data protection and the aims of the GDPR;
- have an awareness of some basic data protection concepts; and
- outline the tasks and powers of the ICO and the Commissioner.

Module 2 Getting Started with the GDPR and the Data Protection Act 2018
- understand how the GDPR and the DPA2018 are related; and
- explain the main definitions of the GDPR, including:
  - what makes data personal data for the purposes of the GDPR; and
  - the difference between a controller and a data processor.

Module 3 Principles Part 1 - Lawful Processing
- understand the requirements of principle (a) - lawful, fair, transparent;
- understand the lawful bases for processing personal data; and
- identify special categories of personal data and understand when they can be processed.

Module 4 Principles Part 2 - Purpose Limitation, Adequacy, Accuracy and Storage Limitation
- understand what is meant by purpose limitation;
- understand what is meant by data minimisation;
- describe the requirements of the GDPR with respect to the accuracy of data; and
- appreciate what a controller must consider when retaining data.

GDPR/PECR Core training modules - course outline 18042018


Module 5 Principles Part 3 - Security, Accountability and Governance
- understand the data security requirements of the GDPR, including principle (f);
- appreciate how the controller ensures accountability of processing;
- describe the role of a data protection officer;
- explain when a controller must report a breach in data security; and
- explain the obligations of the data processor.

Module 6 The Rights of the Individual - Part 1
- explain the right of access to personal data and outline what an individual is entitled to;
- appreciate how the controller should respond to a request for personal data;
- explain the kind of information which should be included in a privacy notice; and
- understand how the right to data portability works and when it applies.

Module 7 The Rights of the Individual - Part 2
- understand the right to erasure and rectification and when they apply;
- appreciate what is meant by the right to restrict processing and the right to object to processing and when these rights apply; and
- appreciate what is meant by automated decision making and profiling and understand what rights the data subject has with respect to such processing.

Module 8 International Transfers
- understand what is meant by an adequacy decision;
- explain the nature of appropriate safeguards which enable the transfer of personal data outside the EU;
- list the derogations which allow for the transfer of data outside the EU; and
- explain how a transfer can be made to a country without an adequate level of protection.



Module 9 Exemptions
- appreciate the different types of exemptions in the DPA2018 and how they relate to the GDPR; and
- understand broadly how the exemptions can be applied in practice.

Module 10 The Law Enforcement Provisions - Part 3 of the Data Protection Act 2018
- understand how the GDPR and the DPA2018 fit together with respect to law enforcement processing;
- explain key definitions of the DPA2018 with respect to law enforcement processing; and
- outline the bases for processing law enforcement data, the data protection principles and the rights of individuals with respect to that data.

Module 11 The Role and Powers of the Commissioner
- understand the role and powers of the Commissioner;
- explain the difference between an information notice, an enforcement notice and an assessment notice;
- appreciate when the Commissioner may impose a fine upon a controller or processor; and
- understand what criminal offences are contained in the Data Protection Act 2018.

Module 12 PECR and Direct Marketing
- a basic appreciation of the requirements of PECR concerning electronic communications; and
- an understanding of the direct marketing requirements of PECR.

Post course requirements: Delegates on this course should retain their training materials for future use (folders will be provided).



Module 1 Introduction

1. Legislation

The GDPR is the main legislation we use in our data protection work.

It is a European Regulation which means that all countries in the EU have the same basis for their data protection laws.

The Data Protection Act 2018 (DPA2018) provides UK-specific provisions and exemptions.

UK law enforcement processing is covered in Part 3 of the DPA2018 (implements the Law Enforcement Directive or LED).

The GDPR means that everyone in Europe has the same level of protection. It also means that companies can transfer information between European countries easily, because they know the data will always have a high level of protection.

There are two main aims of the GDPR:
- It protects individuals by controlling how their information can be used.
- It enables organisations to use personal information to benefit their own business needs (eg. to enable trade).

PECR overlaps with GDPR, and specifically covers electronic marketing - phone calls, emails, texts. It will be replaced by the ePrivacy regulation.

2. Aims of the GDPR

2018 General Data Protection Regulation - intended to build upon the DPA 1998 but impose consistency across the EU.
- The reference to a person's fundamental right to the protection of their personal data is the first sentence of the GDPR!
- However this must be balanced - it is not an absolute right.
- Harmonisation is a key aim of the GDPR and is closely linked to the free flow of data for commercial trade.
- Technology has changed at a pace which has far outstripped the scope of the DPA 1998 and has transformed economies and the social lives of individuals. The GDPR is intended to address these challenges and ensure our personal data is protected.
- Consistency is a key aim. The requirement for transparency underpins the GDPR.

3. The Data Protection Act 2018

The GDPR is an EU Regulation and applies across all EU Member States, but it allows for member states to pass further legislation to suit the requirements of their own country - the DPA2018 in the UK.

So the GDPR and the DPA2018 need to be read together. They are not complete as standalone documents.

Key points:
- The DPA2018 is divided into Parts which cover different types of processing eg. Part 3 and 4 (law enforcement / intelligence services processing).
- It makes UK arrangements where appropriate eg. Part 5 and 6 (The Information Commissioner / UK Enforcement).
- The Schedules contain UK conditions for processing certain categories of personal data eg. special category data / criminal offence data.
- The Schedules also contain UK exemptions to GDPR processing eg. legal professional privilege, crime and taxation.

4. Key definitions

data subject - the person who is the subject of the personal data. If an organisation holds data about you, you are the data subject.

controller - the organisation responsible for the processing of the data about the data subject. The ICO is a controller for our data.

data processor - the controller may outsource its processing to another organisation. Eg. the ICO outsources our payroll to another company. The ICO remains responsible for the data.

5. The data protection principles

The GDPR is based around 7 principles of information handling. An organisation must comply with these principles of processing.

Failing to comply with a principle is not a criminal offence, but can lead to enforcement action from the ICO (including a monetary penalty).

Many complaints to the ICO involve an assessment as to whether the organisation has handled the personal data it holds in accordance with these principles.

There are 6 principles (a) to (f):

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (lawfulness, fairness and transparency);

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation);

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation);

(d) accurate and, where necessary, kept up to date (accuracy);

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (storage limitation);

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality).

There is a final principle at Article 5(2) which states that the controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1(a) to (f) - referred to as accountability.

6. Lawfulness of processing (Article 6)
There must be a lawful basis for processing (a) to (f):

a) the data subject has given consent to the processing of his or her personal
data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the
data subject is party or in order to take steps at the request of the data
subject prior to entering into a contract;
c) processing is necessary for compliance with a legal obligation to which the
controller is subject;
d) processing is necessary in order to protect the vital interests of the data
subject or of another natural person;
e) processing is necessary for the performance of a task carried out in the
public interest or in the exercise of official authority vested in the
controller;
f) processing is necessary for the purposes of the legitimate interests
pursued by the controller or by a third party, except where such interests
are overridden by the interests or fundamental rights and freedoms of the
data subject which require protection of personal data, in particular where
the data subject is a child. (Not applicable to Public Authorities).

7. Processing special categories of data (Article 9)


The GDPR sets out the following special categories of personal data:

1. Racial or ethnic origin;
2. Political opinions;
3. Religious or philosophical beliefs;
4. Trade union membership;
5. Genetic data;
6. Biometric data when used for ID purposes;
7. Health (physical or mental);
8. Sexual life or orientation.

Be aware that processing special category data is prohibited unless certain conditions apply (there are 10 listed in Article 9).

Eg (a) explicit consent, (f) processing necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity etc.

Note that 5 out of the 10 conditions refer to Member State law and require UK authorisation or a basis in UK law. In the UK this is the DPA2018.

The UK conditions for processing special category data are in Schedule 1 of the DPA2018 (will cover in a later module).

A controller must still also have an Article 6 lawful basis for processing - special
category data is by its nature more sensitive and needs more protection.

8. Personal data relating to criminal convictions and offences, or related security matters

Article 10 sets out separate safeguards for personal data relating to criminal
convictions and offences, or related security measures. This includes allegations
concerning offences.

This is separate to special category data.

Such processing must have an Article 6 basis for processing and
- may be carried out under the control of official authority; or
- must be authorised by member state law - ie. when certain conditions in the DPA2018 are met.

NOTE - Processing for law enforcement purposes by competent authorities (eg. the Police) is separate to this and falls under Part 3 of the DPA2018.

9. The rights of the individual

The GDPR also accords the individual specific rights with respect to their
personal data held about them. The right to:

- be informed;
- be given access;
- rectification;
- erasure (to be forgotten);
- restriction of processing;
- data portability;
- object to processing (including direct marketing);
- not be subject to a decision based solely on automated processing including profiling, which produces legal effects concerning him or her or similarly affects him or her.

10. Exemptions
The GDPR generally requires that controllers tell individuals when their data is
being processed, and limits the sharing of data with third parties.
However there are exemptions for circumstances where this would be
undesirable.

As most exemptions relate to the law of each member state, the GDPR allows them to provide their own exemptions. Ours are therefore covered in the DPA18.

Exemptions affect or restrict the application of the GDPR.

They are necessary for different reasons:
- The nature of the data.
- The purpose of processing the data.

If an exemption applies a controller may not have to comply with all of the usual GDPR rights and obligations.

An exemption may therefore restrict normal GDPR processing or it may be permissive and allow processing in certain circumstances.

Example - where an individual is being investigated for a crime, an organisation might consider that telling the individual or giving them rights to see their data would prejudice the investigation. It therefore might wish to withhold data from a request for information from that individual. There is an exemption for this which allows the controller to withhold the data in certain circumstances.

Also, you would expect the organisation to share information with the investigators - so for example, an employer might tell the police a suspect's address. (This information would normally be kept confidential but there is an exemption to allow disclosure in these circumstances.)

So for example there are exemptions in the DPA2018 which cover crime,
information required to be disclosed by law etc or in connection with legal
proceedings and journalism.

Note the GDPR states in its scope (Article 2) that it does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity. This is not strictly an exemption but means domestic processing does not fall under the GDPR.

11. The Data Protection Act 2018

The GDPR explicitly refers to the need for member states to pass further legislation to suit the requirements of their country.

The UK therefore:

1. Has its own exemptions

For example, article 23 of the GDPR states that a member state may legislate to restrict the scope of data subjects' rights in order to safeguard:
- national security;
- defence;
- public security;
- the prevention, investigation, detection or prosecution of criminal offences; or
- the execution of criminal penalties, including the safeguarding against, and prevention of, threats to public security.

2. Provides UK conditions for processing certain categories of personal data eg: special category data / criminal offence data (in Schedule 1).

3. Makes its own arrangements where appropriate eg:
- for UK Enforcement
- regarding the Information Commissioner

Example 1: A public authority is not defined in GDPR, it is left to Member States. The UK has used FOIA/FOISA definitions.

Example 2: The GDPR allows a child under 16 to give their own consent for the processing of their personal data when they are accessing the internet (an information society service) (Article 8). However it also states that a member state may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.

DPA2018 sets the age at 13 for the UK.

12. Processing for law enforcement purposes

The GDPR states that processing for law enforcement purposes (eg. criminal convictions and offences or related security measures) does not fall under the GDPR but is governed by Directive (EU) 2016/680 of the European Parliament and of the Council. This is the Law Enforcement Directive (the LED).

The LED outlines the specific requirements for controllers who have responsibility for data protection for criminal law enforcement:
- the processing of personal data for criminal law enforcement purposes by competent authorities; and
- the free movement of such data - international transfers for criminal law enforcement purposes.

It applies to all EU Member States including the UK who are required to transpose it into their national law in May 2018 - hence the DPA2018 which makes these requirements UK-specific.

13. The Supervisory Authority

Tasks and powers are laid out in the GDPR and given specific detail in the Data Protection Act 2018:

Examples of tasks:
- Monitor and enforce the application of the GDPR.
- Promote public awareness and understanding of the risks, safeguards and rights in relation to processing.
- Advise the national parliament.
- Promote awareness of controllers and processors of their GDPR obligations.
- Handle complaints lodged by a data subject and investigate, to the extent appropriate, the subject matter of the complaint.
- Cooperate with other supervisory authorities with a view to ensuring the consistency of application and enforcement of the GDPR.
- Encourage the drawing up of codes of conduct by accredited data controllers.
- Encourage the establishment of data protection certification mechanisms (which demonstrate compliance with the GDPR).

Examples of powers:

1. Investigative powers
   - to order the controller and processor to provide information for the performance of its tasks.
   - to carry out audits.
2. Corrective powers
   - to issue warnings to the controller or processor that intended processing operations are likely to infringe provisions of the GDPR.
   - to order the controller or processor to comply with the data subject's requests to exercise his or her rights under the GDPR.
   - to order a controller or processor to bring processing operations into compliance with the provisions of the GDPR.
   - to impose an administrative fine.
3. Authorisation and advisory powers
   - to approve draft codes of conduct.
   - to accredit certification bodies.
4. International role - liaison with other supervisory bodies, the EU Commission, to ensure consistency across member states.

14. The Information Commissioner

Covered in the Data Protection Act 2018 - Part 5 and Schedule 12.

A corporation sole is an individual person who represents an official position which has a separate legal entity. It can only be created by statute.

Part 5 includes:
- UK functions (eg. report to Parliament);
- Her international role (cooperation and mutual assistance);
- Codes of practice she must prepare (eg. data sharing, direct marketing);
- Powers of audit;
- Confidentiality of information; and
- Fees she may charge.

Schedule 12 includes:
- Appointment by the Crown;
- Resignation and removal;
- Salary;
- Officers and staff (eg. pay and pensions); and
- Accounts.

15. Enforcement Powers (Part 6 of the DPA2018)

There are different ways for us to promote compliance with the GDPR:
- Educating organisations by publishing guidance and providing advice.
- Dealing with complaints informally by getting organisations to change their behaviour.
- Taking formal enforcement action in more serious cases.

The Commissioner's enforcement powers

Information notices - require a controller or processor to provide the Commissioner with information when we are investigating their compliance.

Assessment notices - require a controller or processor to permit the Commissioner to carry out an assessment (compulsory audit) of whether it has complied with or is complying with the data protection legislation.

Enforcement notice - the Commissioner can order steps to be taken by a controller or processor where it has failed to:
- comply with the GDPR principles;
- confer rights on data subjects;
- meet their GDPR obligations;
- communicate a breach to the ICO or the data subject;
- comply with the principles of data transfer to third countries (outside the EU).

Breach reporting will be made to the personal data breach (PDB) team. Most will be closed with no further action. They will be passed to Enforcement where they are more serious and there is a potential for action.

Powers of entry and inspection - ability to apply to a court for the issue of warrants - for above failures or for an offence under the GDPR.

Eg. - June 2017 the ICO executed two search warrants in private homes (in Gatley and Wilmslow) - and seized computers and phones. Part of an investigation which linked the theft of data from car repair centres to nuisance calls encouraging people to make personal injury claims about road traffic accidents.

Eg. - March 2015 the ICO raided a call centre in Hove thought to be responsible for making millions of nuisance calls (4 to 6 million recorded telephone calls a day about debt management or payment protection insurance). Documents and computer equipment were removed for further examination. The calls were made anonymously, without consent and it was impossible to opt out of receiving them.

Warrants are often issued in relation to PECR cases. Lots of examples on our website and ICON in press releases.

Administrative fines (Monetary Penalty Notices) - for serious failures (fines set by the GDPR).

Offences

The Commissioner has the power to prosecute for criminal offences. These
include:

1. Knowingly or recklessly make a materially false statement in response to an Information Notice;

2. Knowingly or recklessly, without the controller's consent, obtaining or disclosing personal data, procuring disclosure to another individual, or retaining information;
   (This is one of the most frequent offences we see - unauthorised viewing or trading of data (eg. someone who works in a hospital looks at another person's medical records without having any need to do so - the records of a family member, neighbour, famous person);

3. Knowingly or recklessly, without the controller's consent, re-identifying information that is de-identified personal data;

4. Intending to prevent disclosure of information a person is entitled to receive in response to an access request by altering, defacing, blocking, erasing, destroying or concealing information;

5. Obstruction of a warrant, or failing to provide reasonable assistance;

6. There is also an offence which applies to us! It prohibits disclosure of information by ICO staff (unless the disclosure is made with lawful authority eg. it's in the public interest, or for purposes of criminal or civil proceedings). We have access to some very sensitive data working at the ICO and it's really important we understand the sensitivity of this data and don't disclose it to anyone outside the organisation.

Data Protection Module 1 - Introduction
Objectives

By the end of this session you will be able to:
- appreciate the wider context of data protection and the aims of the GDPR;
- have an awareness of some basic data protection concepts; and
- outline the tasks and powers of the ICO and the Commissioner.

This session is for everyone who joins the ICO.

The session gives a quick overview of the ICO's data protection role.

Looking at how data protection works 'in the real world' - not too focused on technical/legal terms.

Some delegates may just have this course and no more.

Others who need more detailed training will be able to go on to do the ICO data protection training (12 modules!)

This session only covers our data protection work, so no FOIA.
Course structure

(Slide diagram; only fragments are legible in the scan: "... and DPA2018", "... individual, exemptions and the DPA2018", "... Commissioner".)

Emphasise that the detail will be at the level of an overview - this is intended to introduce the GDPR / DPA2018 and the key concepts - the detail will be provided in future modules.

Why does our data need protecting?

What kinds of organisations hold your personal data?

Do you have any concerns about how your data is processed?

What is an acceptable use of data?

If you complained to the ICO about the misuse of your data what would you expect it to be able to do?

Can break delegates into small groups per table, or have a big group discussion.

Without knowing the technical legal background - how do data protection issues apply in practice? See questions on slide.

Any examples people have experienced - when their information has been used in a way that affected them?
- Receiving marketing
- Social media sites, profiling, protection of children, giving consent
- Previous jobs with a DP element (e.g. working with HR records, police)
- What does your employer know about you?
- There can be good examples as well! E.g. data sharing

Some key points which could be discussed:
- Knowing who is using your information, and why
- What is a reasonable purpose for processing personal data?
- Being able to access the information about you
- Making sure information is accurate - what are the consequences of inaccurate data?
- Keeping information secure
- The ICO could fine organisations, make recommendations to improve practice, audit their security, provide guidance, codes of practice.

Key data protection legislation

Key points
The GDPR is the main legislation we use in our data protection work.

It is a European Regulation which means that all countries in the EU have the same basis for their data protection laws. It also means that companies can transfer information between European countries easily, because they know the data will always have a high level of protection.

So there are two main aims of the GDPR:
- It protects individuals by controlling how their information can be used.
- It enables organisations to use personal information to benefit their own business needs.

The Data Protection Act 2018 provides UK-specific provisions and exemptions.

UK law enforcement processing is covered in Part 3 of the DPA2018 (implements the Law Enforcement Directive or LED).

PECR overlaps with GDPR, and specifically covers electronic marketing - phone calls, emails, texts. It will be replaced by the ePrivacy regulation.

BACKGROUND if needed:

Regulations must be followed
- Have general application, are binding in their entirety and directly applicable in all EU member states
- Do not have to be transposed into national law
- Confer rights or impose obligations on citizens and organisations in the same way as national law
- Drafted in such a way that the addressees have no doubts as to the rights and obligations resulting from the provisions

Directives - provide guidelines to be implemented how a country sees fit
- Dual objective - securing the necessary uniformity of EU law whilst respecting the diversity of national traditions and structures
- Do not supersede national laws but place Member States under an obligation to adapt their national law in line with EU legal provisions
- Directives are addressed to the Member States; must be transposed into national law. EU criteria are used to assess whether they have done so in accordance with EU law.
- Directives do not as a rule directly confer rights or impose obligations. The national transposing law does that. In practice, makes no difference to an ordinary citizen or organisation.
Aims of the GDPR

(Slide diagram; only fragments are legible in the scan: "free flow of data for", "trade and", "developments".)

The idea of balance is a key message of the GDPR.

In 1950 Article 8 of the European Convention on Human Rights introduced the concept of a right to a private and family life and privacy of correspondence - but it qualified the right and acknowledged that interference in an individual's privacy may be necessary in a democratic society.

The second half of the twentieth century saw the development of ideas about data protection - various reports in the 1970s identified the need for:
- security of data;
- guidelines for information use;
- a supervisory authority;
- legislation to protect personal data.

1984 Data Protection Act - first act focused on computerised data and applied only to organisations which needed to register.

1998 Data Protection Act - applied to all organisations, intended to harmonise legislation across different EU countries, applied not just to computerised data, gave more rights to individuals. Implemented a European directive so in practice DPA legislation was different in each European country.

2018 General Data Protection Regulation - intended to build upon the DPA 1998 but impose consistency - see further aims on slide (click for each).

Slide bullet points

(click for second point on screen) The reference to a person's fundamental right to the protection of their personal data is the first sentence of the GDPR! However as discussed, this must be balanced - it is not an absolute right.

(click) Harmonisation of the legislation is a key aim of the GDPR and is closely linked to the free flow of data for trade.

(click) Technology has changed at a pace which has far outstripped the scope of the DPA 1998 and has transformed economies and the social lives of individuals. The GDPR is intended to address these challenges and ensure our personal data is protected.

(click) Consistency is a key aim - to provide legal certainty and transparency. The requirement for transparency underpins the GDPR.

Is intended as an evolution to the DPA 1998 (not a revolution!)

Structure of the GDPR

Structure
Give out copy of the contents of the GDPR and briefly go through structure - chapters, articles and recitals.
Pick out one or two of the chapters.
Explain the definitions data subject, controller and processor for clarity.

1. General provisions - scope and definitions
2. Principles relating to processing of personal data
3. Rights of individuals (referred to as data subjects)
4. Controller and processor (the organisations which process our data)
5. Transfers of personal data to third countries or international organisations
6. Independent supervisory authorities
7. Cooperation and consistency
8. Remedies, liability and penalties
9. Provisions relating to specific processing situations
10. Delegated acts and implementing acts
11. Final provisions

Recitals - NOT legally binding but advisory - provide context

The GDPR and the DPA2018

(Slide diagram: General Data Protection Regulation / Data Protection Act 2018.)

The GDPR is an EU Regulation and applies across all EU Member States, but it allows for member states to pass further legislation to suit the requirements of their own country - the DPA2018 in the UK.
So the GDPR and the DPA2018 need to be read together. They are not complete as standalone documents.

Structure of the DPA2018 - we will look at this in detail in other modules but for now, using the tabs on the side of the legislation, just note:

1. The DPA2018 is divided into Parts which cover different types of processing eg. Part 3 and 4 (law enforcement / intelligence services processing)

2. It makes UK arrangements where appropriate eg Part 5 and 6 (The Information Commissioner / UK Enforcement)

3. The Schedules contain UK conditions for processing certain categories of personal data eg: special category data / criminal offence data

In UK law, Schedules follow the main body of an Act. They tend to set out, in more detail, how the provisions of the Act work.

4. The Schedules also contain UK exemptions to GDPR processing eg legal professional privilege, crime and taxation.

If a UK exemption applies, a controller may not have to comply with all of the
usual GDPR rights and obligations.

An exemption may therefore restrict normal GDPR processing or it may be
permissive and allow processing in certain circumstances.

We will discuss how the two pieces of legislation link to each other in future
modules.

Key definitions


These are key definitions in the GDPR -

1. (Click) data subject - the person who is the subject of the personal data. If an
organisation holds data about you, you are the data subject.
2. (Click) controller - the organisation responsible for the processing of the data
about the data subject. The ICO is a controller for our data.
3. (Click) data processor - the controller may outsource its processing to another
organisation. EG the ICO outsources our payroll to another company. The ICO
remains responsible for the data.

(These definitions are discussed in later modules but some people won't be going
on to do these modules so it's important they understand the meaning of these
terms).

The data protection principles

Accountability

The GDPR is based around 7 principles of information handling. An organisation
must comply with these principles of processing.

Failing to comply with a principle isn't a criminal offence, but can lead to
enforcement action from the ICO (including a monetary penalty).

Many complaints to the ICO involve an assessment as to whether the organisation
has handled the personal data it holds in accordance with these principles.

Article 5 of the GDPR gives 6 principles (a) to (f) (will be covered in later modules)

(a) (click) processed lawfully, fairly and in a transparent manner in relation to the
data subject ('lawfulness, fairness and transparency');

(b) (click) collected for specified, explicit and legitimate purposes and not further
processed in a manner that is incompatible with those purposes ('purpose
limitation');

(c) (click) adequate, relevant and limited to what is necessary in relation to the
purposes for which they are processed ('data minimisation') (click to shrink);

(d) (click) accurate and, where necessary, kept up to date; every reasonable step
must be taken to ensure that personal data that are inaccurate, having regard to
the purposes for which they are processed, are erased or rectified without delay
('accuracy');

(e) (click) kept in a form which permits identification of data subjects for no longer
than is necessary for the purposes for which the personal data are processed
('storage limitation');

(f) (click) processed in a manner that ensures appropriate security of the personal
data, including protection against unauthorised or unlawful processing and against
accidental loss, destruction or damage, using appropriate technical or
organisational measures ('integrity and confidentiality').

The principles are worded in quite general terms - this means that organisations
are responsible for deciding how they will comply.

(click) There is a final principle at Article 5(2) which states that the controller shall
be responsible for, and be able to demonstrate compliance with, paragraph 1(a) to
(f) - referred to as 'accountability'.

Exercise - principles
For each scenario:

How would you expect an organisation to handle the data?

Which principles apply, and how?

(a) Lawfulness, fairness and transparency
(b) Purpose limitation
(c) Data minimisation
(d) Accuracy
(e) Storage limitation
(f) Integrity and confidentiality (security)

Activity 2
See handouts with scenarios
Also handouts with answers.

The purpose of the exercise is to help delegates link the legal requirements of the
principles to the practical implementation.

If there has been a lot of discussion of examples when explaining the principles,
this exercise might not be necessary.

Lawfulness of processing


Lawfulness of processing
Article 6 - There must be a lawful basis for processing (a) to (f) (click for each one)

(a) the data subject has given consent to the processing of his or her personal data
for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data
subject is party or in order to take steps at the request of the data subject prior
to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the
controller is subject;
(d) processing is necessary in order to protect the vital interests of the data
subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public
interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by
the controller or by a third party, except where such interests are overridden by
the interests or fundamental rights and freedoms of the data subject which
require protection of personal data, in particular where the data subject is a
child. (Not applicable to public authorities (PAs)).

When investigating a complaint, the ICO will typically ask an organisation to
explain its basis for processing the relevant personal data.

Special categories of data


Special categories of data (Article 9) (Click for each picture)

1. Racial or ethnic origin;
2. Political opinions;
3. Religious or philosophical beliefs;
4. Trade union membership;
5. Genetic data;
6. Biometric data when used for ID purposes;
7. Health (physical or mental);
8. Sexual life or orientation.

Be aware that processing special category data is prohibited unless certain
conditions apply (there are 10 listed in Article 9) (eg (a) explicit consent, (f)
processing necessary for the establishment, exercise or defence of legal claims or
whenever courts are acting in their judicial capacity etc).

Note that 5 out of the 10 conditions refer to Member State law and require UK
authorisation or a basis in UK law. In the UK this is the DPA2018. The UK conditions
for processing special category data are in Schedule 1 of the DPA2018 (will cover in
a later module).

A controller must still also have an Article 6 lawful basis for processing - special
category data is by its nature more sensitive and needs more protection.

Personal data relating to
criminal convictions and offences,
or related security measures

Look at Article 10 - This Article sets out separate safeguards for personal data
relating to criminal convictions and offences, or related security measures. This
includes allegations concerning offences.

This is separate to special category data.

Such processing must have an Article 6 basis for processing and

May be carried out under the control of official authority (not actually defined in
the UK)
Or
When it is authorised by member state law - ie when certain conditions in the
DPA2018 are met. (We will look at this in another module)

NOTE
Processing for law enforcement purposes by competent authorities (eg the Police)
is separate to this and falls under Part 3 of the DPA2018 (covered in module 10)

So for example, a shopkeeper who has CCTV footage showing a crime might pass
this data to the Police and would disclose the personal data under Article 10 of the
GDPR and with an Article 6 basis for processing. Will be covered in more detail in
later modules.

The rights of the individual

The GDPR also accords the individual specific rights with respect to the personal
data held about them:

The right to (click for each one)

1. be informed (what data is held about them and the purpose of the processing,
the recipients of the data, how long it will be stored for, etc.)
2. be given access
3. rectification
4. erasure (to be forgotten)
5. restriction of processing
6. data portability
7. object to processing (including direct marketing)
8. not be subject to a decision based solely on automated processing including
profiling, which produces legal effects concerning him or her or similarly affects
him or her.

The ICO receives complaints where the individual considers they have been denied
their rights.

Exemptions

As most exemptions relate to the law of each member state, the GDPR allows
them to provide their own exemptions. Ours are therefore covered in the DPA18.

Exemptions affect or restrict the application of the GDPR.

The exemptions are necessary for different reasons:
. The nature of the data
. The purpose of processing the data

If an exemption applies a controller may not have to comply with all of the usual
GDPR rights and obligations.

An exemption may therefore restrict normal GDPR processing or it may be
permissive and allow processing in certain circumstances.

Example - where an individual is being investigated for a crime, an organisation
might consider that telling the individual or giving them rights to see their data
would prejudice the investigation. It therefore might wish to withhold data from a
request for information from that individual. There is an exemption for this which
allows the controller to withhold the data in certain circumstances.

Also, you would expect the organisation to share information with the investigators
- so for example, an employer might tell the police a suspect's address. (This
information would normally be kept confidential but there is an exemption to allow
disclosure in these circumstances).

So for example there are exemptions in the DPA2018 which cover crime,
information required to be disclosed by law etc or in connection with legal
proceedings, and journalism.

Note the GDPR states in its scope (Article 2) that it does not apply to the
processing of personal data by a natural person in the course of a purely personal
or household activity. This is not strictly an exemption but means domestic
processing does not fall under the GDPR. For example:

. a school nativity and parents filming the play; and
. personal use of online social media.

The Data Protection Act 2018

So remember the GDPR and the DPA2018 need to be read together. They are not
complete as standalone documents.

The GDPR explicitly refers to the need for member states to pass further
legislation to suit the requirements of their country.

The DPA2018 is divided into these sections and each adds to the provisions of the
GDPR with UK-specific exemptions and legislation which is unique to the UK.

The UK therefore:

1. Has its own exemptions

For example, article 23 of the GDPR states that a member state may legislate to
restrict the scope of data subjects' rights in order to safeguard:

. national security, defence and public security;
. the prevention, investigation, detection or prosecution of criminal offences; or
. the execution of criminal penalties, including the safeguarding against, and
prevention of, threats to public security.

2. Provides UK conditions for processing certain categories of personal data, eg:
special category data / criminal offence data (in Schedule 1)

3. Makes its own arrangements where appropriate eg
. for Enforcement.
. regarding the Information Commissioner.

Example 1: A public authority is not defined in GDPR, this is left to Member
States. The UK has used FOIA/FOISA definitions.

Example 2: The GDPR allows a child under 16 to give their own consent for the
processing of their personal data when they are accessing the internet (an
information society service) (Article 8). However it also states that a member state
may provide by law for a lower age for those purposes provided that such lower
age is not below 13 years.

DPA2018 sets the age at 13 for the UK.

Law Enforcement Processing (Part 3)

Part 3 of the DPA18 - will be covered in a later module

The GDPR states that processing for law enforcement purposes (eg criminal
convictions and offences or related security measures) does not fall under the
GDPR but is governed by Directive (EU) 2016/680 of the European Parliament and
of the Council.

This is known as the Law Enforcement Directive (the LED).

The LED outlines the specific requirements for controllers who have responsibility
for data protection for criminal law enforcement:

. the processing of personal data for criminal law enforcement purposes by
competent authorities; and
. the free movement of such data - international transfers for criminal law
enforcement purposes.

It applies to all EU Member States including the UK, which transposed it into
national law in May 2018 - hence the DPA2018 which makes these requirements
UK-specific (eg principles and rights, bases for processing for LE purposes).

The Supervisory Authority

Tasks and powers are laid out in the GDPR and given specific detail in the Data
Protection Act 2018:

Examples of tasks (article 57):

. Monitor and enforce the application of the GDPR
. Promote public awareness and understanding of the risks, safeguards and rights
in relation to processing
. Advise the national parliament
. Promote awareness of controllers and processors of their GDPR obligations
. Handle complaints lodged by a data subject and investigate, to the extent
appropriate, the subject matter of the complaint
. Cooperate with other supervisory authorities with a view to ensuring the
consistency of application and enforcement of the GDPR
. Encourage the drawing up of codes of conduct by accredited data controllers
. Encourage the establishment of data protection certification mechanisms (which
demonstrate compliance with the GDPR)

Examples of powers (article 58)

1. Investigative powers
. to order the controller and processor to provide information for the
performance of its tasks
. to carry out audits

2. Corrective powers
. to issue warnings to the controller or processor that intended processing
operations are likely to infringe provisions of the GDPR
. to order the controller or processor to comply with the data subject's requests
to exercise his or her rights under the GDPR
. to order a controller or processor to bring processing operations into
compliance with the provisions of the GDPR
. to impose an administrative fine
3. Authorisation and advisory powers
. to approve draft codes of conduct
. to accredit certification bodies

4. International role - liaison with other supervisory bodies, the EU Commission,
to ensure consistency across member states

Information Commissioner
. Corporation sole
. Appointed by Queen
. 7 year term
. Independent - the Commissioner and her staff are not civil servants

Defined in the Data Protection Act 2018 - Part 5 and schedule 12

A corporation sole is an individual person who represents an official position which
has a separate legal entity. It can only be created by statute.

A corporation aggregate (which we're more familiar with) is a separate legal entity
formed by several individual persons.

Part 5 includes:
. UK functions (eg report to Parliament)
. her international role (cooperation and mutual assistance)
. Codes of practice she must prepare (eg data sharing, direct marketing)
. Powers of audit
. Confidentiality of information
. Fees she may charge

Schedule 12 includes:
. Appointment by the Crown
. Resignation and removal
. Salary
. Officers and staff (eg pay and pensions)
. Accounts

Enforcement powers

There are different ways for us to promote compliance with the GDPR:
. Educating organisations by publishing guidance and providing advice
. Dealing with complaints informally by getting organisations to change their
behaviour
. Taking formal enforcement action in more serious cases

The slide lists the Commissioner's enforcement powers (Part 6 of the DPA2018).

Information notices - require a controller or processor to provide the
Commissioner with information when we are investigating their compliance.

Assessment notices - require a controller or processor to permit the Commissioner
to carry out an assessment (compulsory audit) of whether it has complied with or
is complying with the data protection legislation.

Enforcement notice - the Commissioner can order steps to be taken by a
controller or processor where it has failed to (choose 2 examples):
. comply with the GDPR principles;
. confer rights on data subjects;
. meet their GDPR obligations;
. communicate a breach to the ICO or the data subject;
. comply with the principles of data transfer to third countries (outside the EU).

Breach reports will be made to the personal data breach (PDB) team. Most will
be closed with no further action. They will be passed to Enforcement where they are
more serious and there is a potential for action.

Powers of entry and inspection - ability to apply to a court for the issue of
warrants - for the above failures or for an offence under the GDPR.

Eg - June 2017 the ICO executed two search warrants in private homes (in Gatley
and Wilmslow) and seized computers and phones. Part of an investigation which
linked the theft of data from car repair centres to nuisance calls encouraging
people to make personal injury claims about road traffic accidents.

Eg - March 2015 the ICO raided a call centre in Hove thought to be responsible for
making millions of nuisance calls (4 to 6 million recorded telephone calls a day
about debt management or payment protection insurance). Documents and
computer equipment were removed for further examination. The calls were made
anonymously, without consent and it was impossible to opt out of receiving them.

Warrants are often issued in relation to PECR cases. Lots of examples on our website
and ICON in press releases.

Administrative fines (Monetary Penalty Notices) - for serious failures (fines set by
the GDPR - will discuss in later module).

Offences - the Commissioner has the power to prosecute for criminal offences:

1. Knowingly or recklessly making a materially false statement in response to an
IN (information notice).
2. Knowingly or recklessly, without the controller's consent, obtaining or disclosing
personal data, procuring disclosure to another individual, or retaining
information. (This is one of the most frequent offences we see - unauthorised
viewing or trading of data. EG someone who works in a hospital looks at
another person's medical records without having any need to do so - the
records of a family member, neighbour, famous person.)
3. Knowingly or recklessly, without the controller's consent, re-identifying
information that is de-identified personal data.
4. Intending to prevent disclosure of information a person is entitled to receive
in response to a SAR by altering, defacing, blocking, erasing, destroying or
concealing information.
5. Obstruction of a warrant, or failing to provide reasonable assistance.
6. There is also an offence which applies to us! Clause 132. It prohibits
disclosure of information by ICO staff (unless the disclosure is made with
lawful authority - eg it's in the public interest, or for purposes of criminal or
civil proceedings). **Really important to note this**
We have access to some very sensitive data (eg medical details of a DS)
working at the ICO and it's really important we understand the sensitivity of
this data and don't disclose it to anyone outside the organisation.

Exercise

Activity 3
On the next slide (and on a handout - give this out now) there are 12 boxes each
containing a definition.

In pairs, delegates are to decide what word corresponds to each definition
described in the boxes (they should end up with 12 words).

They must then take the first letter of each word and rearrange them to form a key
requirement of the GDPR - a new 12-letter word.

When they have the new word, they should put up their hand to let you know, but
wait until the other groups have finished before they give the answer away.

Click for example:

Definition = The Commissioner is appointed by this person
(click box) Keyword answer - Queen
Letter = Q

(some boxes have a few possible answers so they will have to think about what the
letter could be to fit the finished word)

The winners must have all 12 words and the final key word.

TRANSPARENCY


Delegates may use their notes - they may need some help if they are struggling... !

For answers, click on each box.

Review of objectives
You should now be able to:

. appreciate the wider context of data protection and the aims of the GDPR;
. have an awareness of some basic data protection concepts; and
. outline the tasks and powers of the ICO and the Commissioner.

The End.

Introduction to data protection - identifying the GDPR principle
Activity 2 - Answers
For each example think about how the principles might be applied in
practice. What would you expect an organisation to do in each case, and
how does that fit with the principles in the GDPR?

Example one
When you sign up with an online shop they ask for some personal
information. They need this information to process your order, and they
might also want to contact you with marketing information in the future.
. What kind of data would be appropriate or inappropriate to collect?
. What would a customer expect the information to be used for?

if you are buying clothes, they should not send you medical
information (unless they asked specifically for consent for this)

time.

Principles - transparency, purpose limitation, data minimisation, accuracy

Example two
Credit reference agencies share information with lenders about what
debts people have. They also collect information recording where people
live. This is used to confirm people's addresses and identities, and to
decide whether a bank will lend money.

. What are the benefits to lenders and individuals?
. What should the agencies consider when they use the information?
. What could go wrong if the information isn't kept in line with the
principles?

have a bad credit history.

address is correct

Principles - transparency, accuracy, security


Example three
A charity rings the ICO helpline asking for advice. They offer advice to
individuals on various issues, and keep casework records in paper files.
The charity wants to change their casework system to one using
computers.

. What potential risks should the charity be aware of?
. What will happen to the old paper files, and which principles need to
be considered?
. How can the charity make sure its staff are ready for the change
and able to comply with their obligations?

disposal.

Principles - accuracy, security, data minimisation

Example four
An IT helpline wants to start recording the calls it receives from members
of the public. It wants to do this so that it can monitor the quality of help
given by staff, and use good and bad calls in training exercises.

. What should callers be told?
. What are the other considerations when planning how to record and
store the calls?
. What about if a caller wants to have a recording of their call?

it be requested?
be used for training?

when the call is used in training?

place to provide this data? Is it clear to callers how long the data
will be kept?

Principles - fairness, security, data minimisation, storage limitation


Data Protection Module 1 - Introduction
Course outline
Total time: 2 ½ hours
Materials for use in training: Handouts, Powerpoint, flipcharts

Introduction - Module 1 session plan

Session: Introduction - objectives and course structure
Time: 15 minutes
Materials: Powerpoint presentation; Handout - delegate notes for reference

Session: Group exercise - why does our data need protecting?
Time: 10 mins (discussion only: 5 mins to discuss in small groups and then 5 mins as a class)
Content: Exercise 1
Outcome: Delegates to start to think about data protection in their own lives and to consider what the issues might be.

Session: The aims and structure of the GDPR. Introduction to the DPA2018
Time: 10 mins
Content: Introduction to GDPR, the thinking behind it and the structure of the legislation. Basic structure of the DPA2018
Materials: Powerpoint presentation; Handout - contents of GDPR
Outcome: Delegates to appreciate there are different pieces of legislation and to start thinking about the broader aims behind the GDPR. Show delegates the contents of the GDPR and explain the key terms - chapters, articles and recitals. Plus look at structure of the DPA2018

Session: Introduction to the key concepts underpinning the GDPR: key definitions and data protection principles
Time: 10 minutes
Content: Explain the principles and their significance
Materials: Powerpoint presentation
Outcome: Also ensure they have a basic understanding of the terms data subject, controllers and processors. Delegates to have a good basic awareness of these key concepts and to understand why they are important.

Session: Activity 2
Time: 15 minutes
Content: Exercise in small groups or pairs - delegates to link the principles to practical examples. Discuss answers as a whole group
Materials: Powerpoint slide with the principles for reference; Activity 2 - Identifying the principle; plus answer sheet
Outcome: Delegates to link the principles to practical examples.

Session: Introduction to lawfulness of processing, special categories of data, criminal offence data and the rights of individuals
Time: 15 mins
Content: Outline the rights of individuals
Materials: Powerpoint presentation
Outcome: Delegates to have a good basic awareness of these key concepts and to understand why they are important.

Session: Exemptions, the Data Protection Act 2018 and the Law Enforcement Directive
Time: 15 mins
Content: Discussion of the nature of exemptions and where they can be found.
Materials: Powerpoint presentation
Outcome: Delegates to understand what an exemption is and why they are necessary.

Session: The Information Commissioner and promoting compliance with the GDPR
Time: 15 mins
Content: Introduction to the idea of compliance and enforcement
Materials: Powerpoint presentation
Outcome: Delegates to have a basic understanding

Session: Activity 3 (with coffee break?)
Time: 30 mins
Content: Key points of the module - delegates to work in pairs to discover the keyword on the board. Review answers altogether and recap key points
Materials: Powerpoint slide with keywords; Delegate sheet with definitions from slide
Outcome: To reinforce learning

Session: Review objectives and complete feedback form.
Time: 5 mins
Materials: Powerpoint presentation
Outcome: To ensure objectives have been met.

GDPR Contents
Chapter 1 - General provisions
t Subject matter & objectives
2 Material scope
3 Territorial scope
4 Definitions

Chapter 2 - Principles
5 Principles relation to processing of personal data
6 Lawfu lness of processing
7 Conditions for consent
B Conditions app licable to child's consent in relation to info society services
9 Processing of special categories of personal data
10 Processing relating to criminal convictions & offences
LT Processing which doesn't re uire identification

Chapter 3 - Rights of data subjects


Section 1: Transparency & modalities
12 Transparent info, communication & modalities for the exercise of rights of data
subjects
Section 2: lnformation & access to personal data
1_3 lnfo to be p rovided where data are collected from the data subject
1"4 info to be p rovided where data have not been obtained from the data subject
1_5 Right of access by the data subject
Section 3: Rectification & erasure
16 Right to rectification
17 Right to erasure ('right to be forgotten')
18 Right to restriction of processing
t9 Notification obligation re rectification or erasure of data or restriction of
processing
20 Right to data portability
Section 4: Right to object and automated individual decision-maki ng
21, Right to object
22 Automated individual decision-making, including profiling
Section 5: Restrictions
23 Restrictions

Chapter 4 - Controller and processor


Section 1: General obligations
24 Responsibility of the controller
25 Data protection by design and by default
26 Joint controllers
27 Repr esentatives of controllers or processors not established in the Union
28 Processor
29 Processing under the authority of the controller or processor
30 Records of processing activities
3L Cooperation with the supervisory authority
Section 2: Security of personal data
32 Security of processing
33 Notification of a personal data breach to the su rvisory authority
34 Communication of a personal data breach to the d ata subject
Section 3: Data protection impact assessment & prior consultation
35 Data protection impact assessment
36 Prior consultation
Section 4: Data protection officer
37 Designation of the data protection officer
38 Position of the data protection officer
39 Tasks of the data protection officer
Section 5: Codes of conduct and certification
40 Codes of conduct
41, Monitoring of approved codes of conduct
42 Certification
43 Certification bodies

Chapter 5 - Transfers of personal data to third countries or in ternational organisations


44 General principle for transfers
45 Transfers on the basis of an adequacy decision
46 Transfers subject to appropriate safeguards
47 Binding corporate rules
48 Transfers of disclosures not authorised by Union law
49 Derogations for specific situations
50 lnternational cooperation for the protection of personal data

Chapter 6 - lndependent supervisory authorities


Section 1: lndependent status
51 Supervisory authority
52 lndependence
53 General conditions for the members of the supervisory authority
54 Rules on the establishment of the supervisory authority
Section 2: Competence, tasks and powers
55 Competence
56 Competence of the lead supervisory authority
57 Tasks
5B Powers
59 Activity reports

Chapter 7 - Cooperation and consistency


Section 1: Cooperation
60 Cooperation between the lead supervisory authority & the other supervisory
authorities concerned
61" Mutualassistance
62 Joint operations of supervisory authorities
Section 2: Consistency
63 Consistency mechanism
64 Opinion of the Board
65 Dispute resolution by the Board
66 Urgency procedure
67 Exchange of information
Section 3: European data protection board
6B European data protection board
59 lndependence
70 Tasks ofthe Board
71, Reports
72 Procedure
73 Chair
74 Tasks ofthe Chair
75 Secreta riat
76 Confidentiality

Chapter 8 - Remedies, liability and penalties


77 Right to lodge a complaint with a supervisory authority
78 Right to an effective judicial remedy against a supervisory authority
79 Right to an effective judicial remedy against a controller or processor
80 Representation of data subjects
81 Suspension of proceedings
82 Right to compensation and liability
B3 General conditions for imposing administrative fines
84 Penalties

Chapter 9 - Provisions relating to specific processing situations


85 Processing and freedom of expression and information
B6 Processing and public access to official documents
87 Processing of the national identification number
88 Processing in the context of employment
B9 Safeguards & derogations relating to processing for archiving purposes in public
interest, scientific or historical research purposes or statistical purposes
90 Obligations of secrecy
91 Existing data protection rules of churches and religious associations

Chapter 10 - Delegated acts and implementing acts


92 Exercise of the delegation
93 Committee procedure

Chapter 11 - Final provisions

94 Repeal of Directive 95/46/EC
95 Relationship with Directive 2002/58/EC
96 Relationship with previously concluded Agreements
97 Commission reports
98 Review of other Union legal acts on data protection
99 Entry into force and application

Introduction to data protection
Activity 2 - identifying the principle
For each example think about how the principles might be applied in
practice. What would you expect an organisation to do in each case, and
how does that fit with the principles in the GDPR?

Example one
When you sign up with an online shop they ask for some personal
information. They need this information to process your order, and they
might also want to contact you with marketing information in the future.

• What kind of information would be appropriate or inappropriate to
collect?
• What would a customer expect the information to be used for?

Example two
Credit reference agencies share information with lenders about what
debts people have. They also collect information recording where people
live. This is used to confirm people's addresses and identities, and to
decide whether a bank will lend money.

• What are the benefits to lenders and individuals?
• What should the agencies consider when they use the information?
• What could go wrong if the information isn't kept in line with the
principles?

Example three
A charity rings the ICO helpline asking for advice. They offer advice to
individuals on various issues, and keep casework records in paper files.
The charity wants to change their casework system to one using
computers.

• What potential risks should the charity be aware of?
• What will happen to the old paper files, and which principles need to
be considered?
• How can the charity make sure its staff are ready for the change
and able to comply with their obligations?

Example four
An IT helpline wants to start recording the calls it receives from members
of the public. It wants to do this so that it can monitor the quality of help
given by staff, and use good and bad calls in training exercises.

• What should callers be told?
• What are the other considerations when planning how to record and
store the calls?
• What about if a caller wants to have a recording of their call?
