CIPP/E European Privacy Online Training

• Origins and Historical Context of Data Protection Law
• Rationale for data protection
• Human rights laws
• Early laws and regulations
• The need for a harmonized European approach
• The Treaty of Lisbon
• A modernized framework

• European Court of Human Rights
• European Parliament
• European Commission
• European Council
• Court of Justice of the European Union

• The Council of Europe Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data of 1981 (The CoE Convention)
• The EU Data Protection Directive (95/46/EC)
• The EU Directive on Privacy and Electronic Communications (2002/58/EC) (ePrivacy Directive) – as amended
• The EU Directive on Electronic Commerce (2000/31/EC)
• European data retention regimes
• The General Data Protection Regulation (GDPR) (EU) 2016/679 and related legislation

• Personal data
• Sensitive personal data
• Pseudonymous and anonymous data
• Processing
• Controller
• Processor
• Data subject

• Establishment in the EU
• Non-establishment in the EU

• Fairness and lawfulness
• Purpose limitation
• Proportionality
• Accuracy
• Storage limitation (retention)
• Integrity and confidentiality

• Consent
• Contractual necessity
• Legal obligation, vital interests and public interest
• Legitimate interests
• Special categories of processing

• Transparency principle
• Privacy notices
• Layered notices

• Access
• Rectification
• Erasure and the right to be forgotten (RTBF)
• Restriction and objection
• Consent, including right of withdrawal
• Automated decision making, including profiling
• Data portability
• Restrictions

• Appropriate technical and organizational measures
• Breach notification
• Vendor Management
• Data sharing

• Responsibility of controllers and processors
• Data protection by design and by default
• Documentation and cooperation with regulators
• Data protection impact assessment (DPIA)
• Mandatory data protection officers
• Auditing of privacy programs

• Rationale for prohibition
• Adequate jurisdictions
• Safe Harbor and Privacy Shield
• Standard Contractual Clauses
• Binding Corporate Rules (BCRs)
• Codes of Conduct and Certifications
• Derogations a. Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679
• Transfer impact assessments (TIAs)

• Supervisory authorities and their powers
• The European Data Protection Board
• Role of the European Data Protection Supervisor (EDPS)

• Process and procedures
• Infringements and fines
• Class actions
• Data subject compensation

• Legal basis for processing of employee data
• Storage of personnel records
• Workplace monitoring and data loss prevention
• EU Works councils
• Whistleblowing systems
• ‘Bring your own device’ (BYOD) programs

• Surveillance by public authorities
• Interception of communications
• Closed-circuit television (CCTV)
• Geolocation
• Biometrics / facial recognition

• Telemarketing
• Direct marketing
• Online behavioral targeting

• Cloud computing
• Web cookies
• Search engine marketing (SEM)
• Social networking services
• Artificial Intelligence (AI)

Best Practices and Key Areas