GDPR COMPLIANCE
The Basics: Members
GETTING TO KNOW THE GDPR
GENERAL DATA PROTECTION REGULATION: REGULATION (EU) 2016/679
It is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union. It also addresses the export of personal data outside the European Union!
It was adopted on 27 April 2016 and will enter into force on 25 May 2018, after a two-year transition period!
It will replace the Data Protection Directive (Directive 95/46/EC) and does not require national legislation to be binding!
It aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the European Union!
THE IMPORTANCE OF THE GDPR TO AIESEC
We deal with people from the European Union, either as our members or as our exchange participants!
It is a way to improve the experience of our customers, since we will have to develop new ways of working which are based on the key principles of trust and transparency!
We will be trusted, since customers shall have a good image of a compliant organisation.
NON-COMPLIANCE may result in fines of up to EUR 20.000.000 or 4% of the annual global turnover!
THE TWO BASIC CONCEPTS OF THE GDPR
PERSONAL DATA
Any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person!
GENERAL CATEGORIES OF PERSONAL DATA
• NAME
• DATE OF BIRTH
• MARITAL STATUS
• PHONE NUMBER
• E-MAIL ADDRESS
• RESIDENTIAL ADDRESS
• ID NUMBER
• ACADEMIC BACKGROUND
• PROFESSIONAL BACKGROUND
• ETC.
SPECIAL CATEGORIES OF PERSONAL DATA
• ETHNIC/RACIAL ORIGIN
• POLITICAL OPINION
• RELIGIOUS BELIEFS
• PHILOSOPHICAL BELIEFS
• TRADE UNION MEMBERSHIPS
• GENETIC DATA
• BIOMETRIC IDENTIFICATION DATA
• SEX LIFE AND SEXUAL ORIENTATION
• HEALTH DATA
• CRIMINAL DATA
These categories are considered “more sensitive” by nature: their processing is prohibited unless it can be justified by a lawful basis (e.g.: consent). Criminal data has particular specifications.
This is a non-exhaustive list: since the regulation says that personal data is any information relating to an identified or identifiable individual, much more could be covered by the scope.
PROCESSING ACTIVITY
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction!
PRINCIPLES OF THE GDPR
LAWFULNESS, FAIRNESS AND TRANSPARENCY
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject!
PURPOSE LIMITATION
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes!
DATA MINIMISATION
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed!
ACCURACY
Personal data shall be accurate and, where necessary, kept up-to-date!
STORAGE LIMITATION
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed!
INTEGRITY AND CONFIDENTIALITY
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures!
ACCOUNTABILITY
The controller shall be responsible for, and be able to demonstrate, compliance with the GDPR!
RIGHTS OF THE DATA SUBJECT
RIGHT TO BE INFORMED (ARTICLES 13 AND 14 OF THE GDPR)
The data subject must be informed about the processing of his/her personal data: being informed is a basic prerequisite for data subjects to be able to make decisions regarding their privacy and have control over their personal data. The details which must be supplied to the data subject depend on the source of the personal data (i.e., whether it was obtained directly from the data subject or provided by a third party).
Usually, a public privacy policy is the best way to comply with this right: it must reflect the reality of the organisation and be up-to-date, easily accessible, easy to understand and brief.
RIGHT TO ACCESS (ARTICLE 15 OF THE GDPR)
The data subject has the right to access his/her own personal data and the right to receive any relevant information regarding the processing of his/her personal data: thus, the data subject shall be able to know if and what kind of personal data is being processed, why it is being processed and who is processing it, and so be able to enforce his/her rights.
Compliance with this right can be achieved by providing the data subject with a copy of all personal data concerning him/her. Please note that only the data subject can have access to his/her information: therefore, identity must be verified using “reasonable means”. Information must be provided in an appropriate format, free of charge (as a general rule) and within one month of receiving the request.
RIGHT TO RECTIFICATION (ARTICLE 16 OF THE GDPR)
The data subject has the right to have his/her personal data rectified or completed in case it is inaccurate or incomplete. If inaccurate or incomplete information has been disclosed to third parties, they must be notified of the rectification and, where possible, the data subject should be informed about the third parties which have already had access to such data.
RIGHT TO OBJECT (ARTICLE 21 OF THE GDPR)
In some circumstances, the data subject has the right to object (i.e., to say that he/she does not, or no longer, agrees with the processing and to ask the controller to stop) to the processing of his/her personal data on grounds relating to his/her particular situation. This right applies to processing based on direct marketing purposes, legitimate interests (of the controller or of a third party), performance of a task in the public interest (or exercise of official authority) and/or scientific/historical research/statistics.
The right to object to direct marketing is absolute, so the controller must not challenge the decision of the data subject and must stop the processing immediately. The other categories have some exemptions, so they are not absolute.
RIGHT TO ERASURE (ARTICLES 17 AND 19 OF THE GDPR)
The data subject may request the erasure of personal data where there is no compelling reason for its continued processing. Please note that the right to erasure does not provide an absolute “right to be forgotten”: the data subject has the right to have personal data erased and to prevent processing in specific circumstances, such as when the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed, when the individual withdraws consent, when the data subject objects to the processing (and there is no overriding legitimate interest for continuing the processing), when processing was unlawful, in order to comply with a legal obligation and/or when processing relates to the offering of services to a child. There are some specific circumstances where the right to erasure does not apply and the controller can refuse to deal with a request.
RIGHT TO RESTRICTION OF PROCESSING (ARTICLES 18 AND 19 OF THE GDPR)
The controller may have to suspend/pause the processing of personal data, either because of a request of the data subject or because of a situation which demands it. Restriction is not a permanent state, but the controller must suspend all processing activities (except for storage) until a final decision is taken. This right is applicable to situations where an individual contests the accuracy of the personal data, where an individual has objected to the processing, when processing is unlawful (and the individual requests restriction instead of erasure) and/or when personal data is no longer necessary, but the individual requires the data to establish, exercise or defend a legal claim.
RIGHT TO DATA PORTABILITY (ARTICLE 20 OF THE GDPR)
The data subject may obtain his/her data from the controller so as to transfer it to another system: thus, this right gives more control to the data subjects, allowing them to go from one service provider to another without losing relevant data. The right to data portability only applies when the data subject was the one who provided his/her personal data to the controller (either because of consent or because of a contract) via automated means.
The transfer to the new controller appointed by the data subject (upon his/her request) must happen in a structured, commonly used and machine-readable form and, in general, without any cost.
AUTOMATED DECISION-MAKING (ARTICLE 22 OF THE GDPR)
The data subject has the primary right not to be subject to activities based only on automated processing whose decision has legal or relevant effects on him/her. Secondarily, whenever automated decision-making is carried out either because of a contract or because of the consent of the data subject, he/she has the rights to be informed (about the existence of automated decision-making, its logic/criteria and consequences), to express his/her point of view, to challenge the decision and to obtain human intervention.
“Automated decision-making” refers to the process of taking a decision about an individual by automatic means. Please note that, as a general rule, individual automated decision-making (including profiling) shall not be carried out if the activity is based only on automated processing (i.e., without human intervention) and if the decision has legal or relevant effects on the data subject. There are three exceptions to this rule (i.e., when automated decision-making is authorised by the law, when the data subject consents to it and when the activity is necessary for a contract), but it is strictly forbidden when the subject is a child and, in general, when data is “sensitive”.
RIGHT TO COMPENSATION AND LIABILITY (ARTICLE 82 OF THE GDPR)
The data subject has the right to compensation, based on the provisions of the GDPR: thus, any person having suffered material or non-material damage as a result of an infringement of the data protection rules has the right to receive compensation from the controller/processor. The liability depends on the specific situation, so it is determined on a “case-by-case” basis.
BEHAVIOURS WHILST DEALING WITH PERSONAL DATA
DOs: WHAT SHOULD WE DO?
• Read the GDPR;
• Read the internal policies, guidelines and rules;
• Participate in trainings regarding the GDPR and data protection;
• Apply strong passwords to every system and device, including your EXPA/aiesec.org account;
• Ensure that physical documents are secure;
• Take care of personal data whenever carrying it outside the office;
• Report personal data breaches and incidents involving personal data to the Data Protection Officer;
• Contact the Data Protection Officer in case of doubts;
• Lock computer screens whenever they are left unattended and log off platforms which are not being used;
• Get to know the people in charge of data security within the entity;
• Contribute to the security of offices and physical documents, locking the doors and the appropriate desks, for example;
• Understand and respect the data processing principles and the rights of the data subjects;
• Use your AIESEC Mail only for AIESEC issues.
THIS IS A NON-EXHAUSTIVE LIST OF PRACTICES
DON'Ts: WHAT SHOULDN'T WE DO?
• Don’t process special categories of personal data without explicit consent from the individual and advice from the Data Protection Officer;
• Don’t disclose information about an individual via the internet or social media without proper permission;
• Don’t leave personal data insecure;
• Don’t take personal data outside the office of your entity without particular care for security;
• Don’t process personal data on insecure systems, computers and/or other devices;
• Don’t open insecure e-mails/websites;
• Don’t use personal data for purposes which are different from the one(s) agreed by the data subject;
• Don’t disclose information to people outside AIESEC (formally or informally);
• Don’t disclose information to people who are not part of the experience flow and/or to irrelevant parties;
• Don’t share your personal passwords;
• Don’t process personal data if you do not have the appropriate authorisation and a legal basis to do so.
THIS IS A NON-EXHAUSTIVE LIST OF PRACTICES
ACTIONS TOWARDS COMPLIANCE
ACTIONS
AIESEC International and its CEEDer are supporting entities, providing them with materials, guidance and tools so that they can move towards compliance. There is a global checklist which covers points in five main areas: legal, brand/marketing, talent management, partnerships and systems.
AIESEC International is also counting on the support of lawyers with knowledge of the GDPR. Furthermore, every effort is being made so as to raise awareness and adapt our current practices so that our platforms, our processes and our documents at global level are compliant with the GDPR.
AIESEC INTERNATIONAL
• RAISE AWARENESS AND EDUCATE THE NETWORK: Education for LCPs, MCs, MCPs, DPOs and Members
• UPDATE SYSTEMS AND PLATFORMS: Privacy Notices, Cookie Policies, Technical (IT) Methods and Internal Measures
• REACH LEGAL COMPLIANCE: Records of Data Processing Activities, National Compendiums, Internal Policies and Legal Support