Origins and Historical Context of Data Protection Law

• Rationale for data protection

• Human rights laws

• Early laws and regulations

• The need for a harmonized European approach

• The Treaty of Lisbon

• A modernized framework

European Union Institutions

• European Court of Human Rights

• European Parliament

• European Commission

• European Council

• Court of Justice of the European Union

Legislative Framework

• The Council of Europe Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data of 1981 (The CoE Convention)

• The EU Data Protection Directive (95/46/EC)

• The EU Directive on Privacy and Electronic Communications (2002/58/EC) (ePrivacy Directive) – as amended

• The EU Directive on Electronic Commerce (2000/31/EC)

• European data retention regimes

• The General Data Protection Regulation (GDPR) (EU) 2016/679 and related legislation

Data Protection Concepts

• Personal data

• Sensitive personal data

• Pseudonymous and anonymous data

• Processing

• Controller

• Processor

• Data subject

Territorial and Material Scope of the General Data Protection Regulation

• Establishment in the EU

• Non-establishment in the EU

Data Processing Principles

• Fairness and lawfulness

• Purpose limitation

• Proportionality

• Accuracy

• Storage limitation (retention)

• Integrity and confidentiality

Lawful Processing Criteria

• Consent

• Contractual necessity

• Legal obligation, vital interests and public interest

• Legitimate interests

• Special categories of processing

Information Provision Obligations

• Transparency principle

• Privacy notices

• Layered notices

Data Subjects’ Rights

• Access

• Rectification

• Erasure and the right to be forgotten (RTBF)

• Restriction and objection

• Consent, including right of withdrawal

• Automated decision making, including profiling

• Data portability

• Restrictions

Security of Personal Data

• Appropriate technical and organizational measures

• Breach notification

• Vendor Management

• Data sharing

Accountability Requirements

• Responsibility of controllers and processors

• Data protection by design and by default

• Documentation and cooperation with regulators

• Data protection impact assessment (DPIA)

• Mandatory data protection officers

• Auditing of privacy programs

International Data Transfers

• Rationale for prohibition

• Adequate jurisdictions

• Safe Harbor and Privacy Shield

• Standard Contractual Clauses

• Binding Corporate Rules (BCRs)

• Codes of Conduct and Certifications

• Derogations a. Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679

• Transfer impact assessments (TIAs)

Supervision and enforcement

• Supervisory authorities and their powers

• The European Data Protection Board

• Role of the European Data Protection Supervisor (EDPS)

Consequences for GDPR violations

• Process and procedures

• Infringements and fines

• Class actions

• Data subject compensation

Employment Relationship

• Legal basis for processing of employee data

• Storage of personnel records

• Workplace monitoring and data loss prevention

• EU Works councils

• Whistleblowing systems

• ‘Bring your own device’ (BYOD) programs

Surveillance Activities

• Surveillance by public authorities

• Interception of communications

• Closed-circuit television (CCTV)

• Geolocation

• Biometrics / facial recognition

Direct Marketing

• Telemarketing

• Direct marketing

• Online behavioral targeting

InternTechnology and Communications

• Cloud computing

• Web cookies

• Search engine marketing (SEM)

• Social networking services

• Artificial Intelligence (AI)