1. Data Protection Concepts
- Personal data
- Sensitive personal data
- Pseudonymous and anonymous data
- Processing
- Controller
- Processor
- Data subject
2. Territorial and Material Scope of the General Data Protection Regulation
- Establishment in the EU
- Non-establishment in the EU
3. Data Processing Principles
- Fairness and lawfulness
- Purpose limitation
- Proportionality
- Accuracy
- Storage limitation (retention)
- Integrity and confidentiality
4. Lawful Processing Criteria
- Consent
- Contractual necessity
- Legal obligation, vital interests and public interest
- Legitimate interests
- Special categories of processing
5. Information Provision Obligations
- Transparency principle
- Privacy notices
- Layered notices
6. Data Subjects’ Rights
- Access
- Rectification
- Erasure and the right to be forgotten (RTBF)
- Restriction and objection
- Consent, including right of withdrawal
- Automated decision making, including profiling
- Data portability
- Restrictions
7. Security of Personal Data
- Appropriate technical and organizational measures
a. protection mechanisms (encryption, access controls, etc.)
a. Risk reporting requirements
- Vendor Management
- Data sharing
8. Accountability Requirements
- Responsibility of controllers and processors
a. joint controllers
- Data protection by design and by default
- Documentation and cooperation with regulators
- Data protection impact assessment (DPIA)
a. established criteria for conducting
- Mandatory data protection officers
- Auditing of privacy programs
9. International Data Transfers
- Rationale for prohibition
- Adequate jurisdiction
- Safe Harbor and Privacy Shield
- Standard Contractual Clauses
- Binding Corporate Rules (BCRs)
- Codes of Conduct and Certifications
- Derogations
- Transfer impact assessments (TIAs)
10. Supervision and Enforcement
- Supervisory authorities and their powers
- The European Data Protection Board
- Role of the European Data Protection Supervisor (EDPS)
11. Consequences for GDPR Violations
- Process and procedures
- Infringements and fines
- Class actions
- Data subject compensation