The global GDPR consulting approach

1. Introduction to European Data Protection

  • Basics of Data Protection
  • Human Rights Law
  • Early Laws and Regulations
  • The Need for a Harmonised European Approach
  • The Treaty of Lisbon
  • The General Data Protection Regulation
  • Related Legislation

2. European Union Institutions

  • European Parliament
  • European Council
  • Council of the European Union
  • European Commission
  • Court of Justice of the European Union
  • European Court of Human Rights

3. Legislative Framework

  • The Council of Europe Convention
  • The Data Protection Directive
  • The General Data Protection Regulation
  • The Law Enforcement Data Protection Directive
  • The Privacy and Electronic Communications Directive
  • The Data Retention Directive
  • Impact on Member States

4. European Data Protection Law and Regulations

  • Principles
  • Personal Data
  • Sensitive Personal Data
  • Controller and Processor
  • Processing
  • Data Subject

5. Territorial and Material Scope of the General Data Protection Regulation

  • Territorial Scope
  • Material Scope

6. Data Processing Principles

  • Lawfulness, Fairness and Transparency
  • Purpose Limitation
  • Data Minimisation
  • Accuracy
  • Storage Limitation
  • Integrity and Confidentiality

7. Lawful Processing Criteria

  • Processing Personal Data
  • Processing Sensitive Data
  • Data on Criminal Convictions and Offences and Related Security Measures
  • Processing Which Does Not Require Identification
  • Technical and Organisational Measures for the Protection of Personal Data

8. Information Provision Obligations

  • The Transparency Principle
  • Exemptions to the Obligation to Provide Information to Data Subjects
  • The Requirements of the ePrivacy Directive
  • Fair Processing Notices

9. Data Subjects’ Rights

  • The General Necessity of Transparent Communication
  • Right to Information (about Personal Data Collection and Processing)
  • Right of Access
  • Right to Rectification
  • Right to Erasure (‘right to be forgotten’)
  • Right to Restriction of Processing
  • Right to Data Portability
  • Right to Object
  • Right Not to Be Subject to Automated Decision-making
  • Restrictions of Data Subjects’ Rights

10. Security of Personal Data

  • The Security Principle and the Risk-based Approach
  • Notification and Communication of Personal Data Breaches
  • Delivering on Security
  • Incident Response

11. Accountability Requirements

  • Responsibility of the Controller
  • Data Protection by Design and by Default
  • Documentation and Cooperation with Regulators
  • Data Protection Impact Assessment
  • Data Protection Officer
  • Other Accountability Measures—Binding Corporate Rules

12. International Data Transfers and Limitations

  • Scope of Data Transfers
  • Meaning of an “Adequate Level of Protection”
  • Procedure to Designate Countries with Adequate Protection
  • The Situation in the United States
  • Providing Adequate Safeguards
  • Data Transfers Within a Multinational Corporate Group—Binding Corporate Rules
  • Relying on Derogations
  • The Future of the Restrictions on International Data Transfers

13. Supervision and Enforcement

  • Self-regulation
  • Regulation by the Citizen
  • Administrative Supervision and Enforcement
  • Competence and International Cooperation
  • Sanctions and Penalties
  • The Law Enforcement Data Protection Directive
  • Regulation Supervision and Enforcement—Key Provisions

14. Compliance with European Data Protection Law and Regulations

  • Employment Relationships
  • Employee Data
  • Legal Basis for Processing Employee Personal Data
  • Processing Sensitive Employee Data
  • Providing Notice
  • Storage of Personnel Records
  • Workplace Monitoring and Data Loss Prevention
  • Works Councils
  • Whistle-blowing Schemes
  • “Bring Your Own Device” (BYOD)
  • “Corporate Owned, Personally Enabled” (COPE)
  • Applicant Details

15. Surveillance Activities

  • Technology
  • Regulating Surveillance
  • Communications Data
  • Video Surveillance
  • Biometric Data
  • Location Data

16. Direct Marketing

  • Data Protection and Direct Marketing
  • Postal Marketing
  • Telephone Marketing
  • Marketing by Electronic Mail (including email, SMS and MMS)
  • Fax Marketing
  • Location-based Marketing
  • Online Behavioural Advertising
  • Enforcement

17. IT, Internet Technology and Communications

  • Inventory of Hardware and Applications
  • Cloud Computing
  • Cookies, Similar Technologies and IP Addresses
  • Search Engines
  • Social Networking Services
  • Applications on Mobile Devices
  • Internet of Things

18. Outsourcing

  • The Roles of the Parties
  • Data Protection Obligations in an Outsourcing Contract
  • Offshoring and International Data Transfers