Sushant Agarwal / Sabrina Kirrane / Johannes Scharf
The new EU General Data Protection Regulation (GDPR) has more than 80 pages of legal text with 99 articles.
These 99 articles have many interconnections defined in the text, illustrated in Figure 1. For instance, the obligation to ensure that information given to data subjects is transparent, as defined in Article 12 para 1, cannot be checked in isolation, as it is related to other obligations defined in Articles 15-22 and 34. Thus articles cannot be analysed in isolation when ascertaining the compliance level. In total, approximately 350 interconnections are defined, making it quite difficult and time-consuming to consider the applicable obligations as well as all the defined interconnections in order to check compliance. Figure 1 shows a graph that illustrates all of the defined interconnections. Currently, many human-readable reports have been prepared to provide a high-level list of requirements for the compliance checking process. However, to the best of our knowledge, no tool exists for filtering out the applicable obligations defined in the interconnected mesh of the 99 articles of the GDPR. A software-based tool can process all these interdependencies and dynamically filter out the applicable obligations, easing both the understanding of the obligations and the checking of compliance.
pseudonymity; anonymity; untraceability; privacy-preserving protocols; informatics; data reporting; data protection; research ethics
Overview
There have been significant developments in European Union (EU) data protection law recently that will have an impact on health care professionals, particularly those engaged in research and audit. The General Data Protection Regulation (GDPR) has replaced the current legislation and comes into full effect in 2018 [1]. The implications of the GDPR for the handling of health care data will be discussed in this paper. Despite the recent referendum vote in the United Kingdom to leave the EU, the GDPR will continue to be relevant to the United Kingdom, whether this is due to cooperation in European projects or
Parliament adopted ‘Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)’ [18]. In accordance with Article 94 of the GDPR, the 1995 Directive will be repealed as of 25th May 2018 [19]. The new GDPR will become a single law that is applicable in all EU Member States (MS). The national laws of MS that are currently in effect will no longer be applicable, due to the primacy of EU law over national law [20]. The predominant aims of the new GDPR are to ‘strengthen fundamental citizens’ rights and facilitate business by simplifying rules for companies in the Digital Single Market’ [21]. Secondly, in accordance with the assessment provided by the European Commission, the new GDPR ‘as a single law should do away with the current fragmentation and costly administrative burdens, leading to savings for businesses of around €2.3 billion a year’ [22]. The most significant difference in terms of legislation of data
Abstract. Concerns about privacy and personal data protection have resulted in reforms of the existing legislation in the European Union (EU). The General Data Protection Regulation (GDPR) aims to reform the existing measures on personal data protection for European Union citizens, with a strong emphasis on the rights and freedoms of people and on the establishment of rules for the processing of personal data. OpenEHR is a standard that embodies many principles of interoperable and secure software for electronic health records. This work aims to understand to what extent the openEHR standard can be considered a solution for the requirements imposed by the GDPR. A list of requirements for a Hospital Information System (HIS) compliant with the GDPR was compiled and the relevant openEHR specifications were identified. The requirements were categorized and compared with the specifications. The requirements identified for the systems were matched with the openEHR specifications, which resulted in 16 requirements matched with openEHR. All the specifications identified matched at least one requirement. OpenEHR is a solution for the development of HIS that reinforces privacy and personal data protection, ensuring that they are contemplated in the system development. Institutions can ensure that their Electronic Health Records are compliant with the GDPR while safeguarding medical data quality and, as a result, healthcare delivery.
Abstract
This paper deals with the current issue of protecting individuals regarding the processing of their personal data and the free movement of such data. As this matter is also regulated by European Union legislation, the paper describes and analyzes the scope, implications, methods and tools for applying the new EU regulation adopted on 27 April 2016 by the Parliament and the Council of the European Union. The subject matter is Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. The short title of this Regulation is General Data Protection Regulation (GDPR). The term GDPR is thus in common everyday use in companies and among business people, and will also be used in this paper. In addition, the paper analyzes the research conducted on the existing state of affairs and the way in which all collected personal data are processed and used by all stakeholders in the company Atlantic Grupa d.d., Zagreb. In addition, a harmonized project of a structured and methodologically correct procedure for implementation of the provisions of the new Regulation is described for the purpose of achieving the highest degree of compliance of all members of Atlantic Grupa d.d. with the provisions of the GDPR. Finally, the basic objective of the described project is explained, which is to avoid situations that would lead to the extremely high fines for non-compliance with the Regulation.
2 Polytechnic of Rijeka, Business Department, Trpimirova 2/V, Rijeka, Croatia
3 University of Zagreb, Faculty of organization and informatics Varazdin, Pavlinska 2, Varaždin, Croatia
Abstract – One of the main goals of the General Data Protection Regulation (GDPR) is to protect the personal data of individuals. Each organization (company, association, school, institution, university, etc.) has an obligation to protect all of the individual data that it obtains. Those data can belong to employees, members, students, clients, etc. The research in this paper is related to higher education students in Croatia.
Keywords. GDPR, General Data Protection Regulation, bibliometrics, scientometrics
1. Introduction
With the proliferation of invasive digital technologies and the emergence of data-exploiting business practices, it is increasingly difficult for individuals to maintain control over their own personal data. Consequently, this issue of control over personal data has become a significant subject in European privacy law. Compared to earlier regulations, the General Data Protection Regulation (GDPR) explicitly addresses the rights of individuals concerning this issue [1]. This means that organizations are no longer able to use individuals’ personal data without their consent. The GDPR dictates that entities collecting and processing data related to European Union (EU) residents adhere to GDPR articles regardless of where these entities are located, or where the data is stored.
companies should handle personal consumer data – specifically cites her book as one of the inspirations for the law [4]. Although this of course doesn’t directly validate her theory, it does show its prominence and the applicability of this theory in law making.
Lastly, both Nissenbaum and the General Data Protection Regulation use similar terminology. By privacy they mean the protection of personal data of individuals, and Nissenbaum cites the European Union Directive, the General Data Protection Regulation’s legal predecessor, as her definition of personal data. This definition is: ‘any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his [or her] physical, physiological, mental, economic, cultural or social identity’ [5].
Data Protection in Clinical Studies – Implications of the New EU General Data Protection Regulation
The DPR does not solve the issue of data transfers from the EU to a recipient with its seat outside of the EU, e.g. transfer of clinical data from a European investigator to its US sponsor. The DPR maintains the restriction on transfers of personal data from EU Member States to other countries outside of the EU where the legal regime does not ensure an adequate level of privacy protection for individuals, for example the US. The DPR retains existing data transfer solutions, including EU standard contractual clauses and binding corporate rules. In order to encourage the use of binding corporate rules in global companies, the DPR clarifies the definition of binding corporate rules and the requirements for their approval by the authorities. The framework set by the DPR will likely give foreign companies clearer guidelines on how to draft such binding corporate rules.
These benefits are also already being felt in the public sector, and estimates suggest that big data could save European governments as much as €300bn through increased operational efficiency, fraud reductions and enhanced tax collection [5].
However, developments on this scale inevitably create tensions, and repeated studies have found concerns among consumers over their ability to understand what information is held about them and to control the way it is used [6]. In 2012 the European Commission issued a proposal to revise the current legal framework for data protection in the European Union by replacing the current Directive (which dates from 1995) [7] with a new General Data Protection Regulation (the Proposed Regulation). The stated objective of the Proposed Regulation is to ‘strengthen online privacy rights and boost Europe’s digital economy’ [8]. The Commission estimates that the Proposed Regulation will help to harmonise and simplify regulation for businesses, leading to administrative savings of €2.3bn for the European economy [9].
2. Our Commitment
Route Mobile Limited is committed to ensuring the security and protection of the personal information that we process, and to providing a compliant and consistent approach to data protection. We have always had a robust and effective data protection policy in place which complies with existing law and abides by the data protection principles. However, we recognise our obligations to update and expand our Data Protection program to meet the demands of the GDPR, the Indian Information Technology Act, 2000 and the Indian Contract Act, 1872.
There has been much debate around whether consent provides a valid legal ground for processing where there is a significant imbalance between the data subject and data controller. The GDPR states that in assessing whether consent has been freely given, account shall be taken, for example, of whether the performance of a contract is made conditional on the consent to processing data that is not necessary to perform that contract. This may affect some e-commerce services, among others. In addition, Member States may provide more specific rules for use of consent in the employment context. The Recitals add that consent is not freely given if the data subject had no genuine and free choice or is unable to withdraw or refuse consent without detriment.
OVERVIEW
DPO (Data Protection Officer)
A natural or legal person with expert knowledge of data protection law whose role includes assisting the controller or processor to monitor internal compliance with the GDPR and overseeing data protection strategy and implementation. The DPO should also be proficient in IT process management, data security and other critical issues.
Those that are aware of the GDPR see it as very important, with 73% of companies agreeing the new rules are the most significant changes in privacy legislation for 20 years. Four out of five companies (82%) say the requirements will improve data protection for consumers, while 65% see the significance more in terms of their own business practice, saying it will increase their ability to secure budget for privacy processes. A total of 77% of those who know about the GDPR say that the new legislation will have a positive impact on their company’s data protection policies and procedures – which will of course be of benefit to their customers, staff and suppliers, and perhaps more surprisingly 45% say the GDPR will have a positive impact on their bottom line.
The Snowden debacle encouraged the EU to push the GDPR forward quickly and it looked set to become law in May 2014. However, the Regulation came under attack from external sources and, more surprisingly perhaps, from within the senior ranks of the EC itself. The UK lobbied to have the Regulation either downgraded to a Directive or abolished altogether, suggesting each nation should determine its own privacy laws based on national priorities and the possibility that the proposed restrictions will inhibit business innovation.
• Other EU members have their own data protection regulations
• The current UK regulation is ‘light touch’ compared to some other regimes
Under GDPR
• There will be a single Regulation across the EU which will be passed into law in all EU member states
The Digital Single Market aims for improved data sharing across the EU which will facilitate cross-border healthcare and research. Harmonisation will be improved under the GDPR with a concomitant raising of standards for some countries, although there is still room for national differences according to the reasonable expectations of different publics. This advance makes cross-border projects more easily ethically justifiable and more feasible.[37] The requirements for anonymisation have not been changed, except to clarify that pseudonymised data must still be considered as personal data. The GDPR will facilitate medical research, except where it is research not considered in the public interest. In that case, more
The research conducted indicated a diverse attitude among administration employees towards the introduction of the GDPR as adapted to European Union legislation. Most of the respondents positively assessed their state of knowledge about the new regulations, and it is worth noting that all respondents took part in at least one training on the implementation of practices consistent with the GDPR. We can also see the openness of administration staff to broadening their knowledge about the ways and possibilities of personal data protection, which is reflected in the declarations of participation in training and the will to expand knowledge in the aforementioned scope. It is worth noting that the employees did not report any major problems resulting from adapting their own activities after the entry into force of the Regulation, except extended working hours and an occasional problem in selecting the right actions for a specific situation. Despite the discourse in the media on the possibility of financial sanctions, the majority of respondents are not afraid of penalties resulting from non-compliance with the Regulation.
regulation may well squeeze smaller advertising networks even more, potentially magnifying the dominance of this duopoly in online advertising. These smaller ad networks, for example, typically lack the direct consumer relationships needed to secure consent from users on their own behalf, but may also find that media publishers and other website hosts are reluctant to ask for user consent for the broad range and volume of data that these advertisers can presently access without hindrance. Without access to the data on which they currently rely, smaller advertising networks may be simply cut out of the online market altogether unless they can find a way to gain some advantage over the platforms in compliance, user-friendliness, or rates. In this environment, platform companies and website hosts—such as media companies—that have a brand-name relationship to their users are likely to have more success in persuading individuals to give up their information, and therefore may have increased power in the advertising market under the GDPR.
copycat laws at both the state and federal level, with revitalized commitment from US institutions like the US Federal Trade Commission and the US Department of Justice for privacy enforcement.
California has been the first of the US states to pass and enact a data protection law, the California Consumer Protection Act (CCPA) in 2018. While the CCPA is narrower in comparison to the GDPR with respect to applicability and scope, it is arguably the strongest consumer privacy law in the US, and was motivated by the GDPR [285]. There is overlap in the rights of the data subject, including the right to disclosure, data portability, deletion and transparency requirements from the company [286]. On the other hand, the CCPA does not afford the data subject the right to rectification, the right to resist processing or the right to object to processing. In contrast to the GDPR, the CCPA provides a right to “opt-out” of personal information sales, which requires companies to have a “Do Not Sell My Data” link on their homepage. If a consumer decides to opt-out, a reauthorization request should not occur for another twelve months [287]. The same identifiers, or categories of data, are covered under both laws. If damages are pursued via private right of action, consumers are able to seek damages ranging from $100 to $750 per consumer per incident [288]. While this is not comparable to the sanctions that a company can endure under the GDPR, a single consumer may seek damages for several incidents that occurred in a single visit to the website. If damages are pursued under civil fines, then the data subject can pursue penalties of $2,500 per incident, and $7,500 if it is intentional infringement [289].