the galaxy use case under the gdpr
play

The Galaxy use case under the GDPR Regina Becker ELIXIR-LU ELIXIR - PowerPoint PPT Presentation

Jan 09, 2023 •111 likes •308 views

The Galaxy use case under the GDPR Regina Becker ELIXIR-LU ELIXIR AllHands Workshop 7. June 2018 The Galaxy service What GDPR rules apply? kirkpatrickprice.com The Galaxy service Acting as a processor under the GDPR Definition

  1. The Galaxy use case under the GDPR Regina Becker ELIXIR-LU ELIXIR AllHands Workshop 7. June 2018

  2. The Galaxy service — What GDPR rules apply? kirkpatrickprice.com

  3. The Galaxy service — Acting as a processor under the GDPR Definition Art. 4.8 • ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller ; Definition Art. 4.2 • ‘processing’ means any operation […], such as collection, recording, organisation , structuring, storage , adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;[…] à By offering a service that includes the processing of personal data, the Galaxy host becomes processor

  4. Obligation as processor – Art. 28 — Processing must be governed by contract Content • Subject-matter and duration of the processing, nature and purpose of the processing, type of personal data and categories of data subjects and obligations and rights of the controller. • Obligations of processor - Process the personal data only on documented instructions from the controller - Ensure authorised persons committed to confidentiality - Take all (security) measures required pursuant to Article 32 - Engage another (sub-)processor only with approval of controller - Assist the controller in compliance with data subject requests - Assist controller in legal obligations pursuant to Articles 32 to 36 - Delete or return all the personal data after the end of services - Allow for and contribute to audits à Existing contracts will probably need revision à Mention participating clouds in the contract

  5. Obligation as processor – Art. 28 — Example clause for sub-processors

  6. Security measures – Art. 32 Proportionality • Measures balance the - Costs of implementation - Nature , scope , context and purposes of processing - Risk of likelihood and severity for the rights and freedoms of natural person Technical and organisational measures • Pseudonymisation and encryption • Ability to ensure the ongoing confidentiality , integrity , availability and resilience of processing systems and services • Ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident • Process for regularly testing , assessing and evaluating the effectiveness of technical and organisational measures • Ensure compliance of staff à Confidentiality biggest concern à No “one size fits all” required but choice needs justification

  7. Support the controller – Art. 33-36 — Information obligations Data Breach • Inform the controller without undue delay after becoming aware - Nature of the breach, - Categories and approximate numbers of data subjects concerned, - Categories and approximate number of personal data records concerned - Contact point where more information can be obtained - Where appropriate: measures taken Data protection impact assessment • Provide information on technical and organisational safeguards to maintain privacy and integrity of the personal data à You are responsible and accountable for the processing on your side

  8. Processor’s Documentation obligation – Art. 30 — Records of categories of processing Content • Name and contact details processor • Name and contact details of each controller including where applicable: representative and data protection officer • Categories of processing carried out on behalf of each controller • Transfers of personal data to a third country or an international organisation (where applicable) including safeguards • General description of the technical and organisational security measures Form of records • In writing (including electronic form) à You will have to update your book-keeping for DPOs

  9. The Galaxy server — Acting as data controller for data about users http://www.abtassociates.com

  10. The Galaxy server — Acting as controller under the GDPR: lawful processing Legal basis for processing registration data • Consent is not appropriate - As required for service à not freely given • Art. 6.1(b) necessary for the performance of a contract - Processing agreement is required - Even Terms of Service count as contract But: explicit acceptance will be needed - Data needs to be required for service only , no other purposes should be hidden à if additional purposes are envisage: ask for dedicated consent

  11. Transparent processing — Web statistics Use of cookies • IP addresses are identifiers and create personal information (Art. 4.1, Recital (30)) • Cookies overned not only by GDPR but also ePrivacy Directive (Directive 2002/58/EC http://eur-lex.europa.eu/legal- content/EN/TXT/?qid=1525854999759&uri=CELEX:32002L0058) • Most cookies that are not essential for a service require consent • Information on cookies and national differences in legislation https://termsfeed.com/blog/eu-cookies- directive/#Requirements_by_the_EU_Cookies_law Google Analytics • Google Analytics acts as processor • Google offers GDPR compliance tools • It’s the obligation of the controller to choose the right settings

  12. à How come consent is not needed? (ePrivacy required; not GDPR)

  13. Transparent processing — Cookies without consent Criteria • The cookie is used “for the sole purpose of carrying out the transmission of a communication over an electronic communications network”. • The cookie is “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service”. WP29 – No consent for cookies needed for… • user-input cookies (session-id) such as first-party cookies to keep track of the user's input when filling online forms, etc. • authentication cookies , to identify the user once he has logged in, for the duration of a session • user-centric security cookies , used to detect authentication abuses, for a limited persistent duration

  14. Transparent processing — Information obligation following Art. 13 Need for privacy policy on webpage • If personal data is processed • Independent of legal basis (i.e. also outside consent) • Easily accessible / findable Content • Controller • Data protection officer • Separately: Purposes of processing, legal basis, data types and recipients • Automated decision making with logic involved and consequences • Data protection rights of the webpage user (Art. 15-21) • Right to withdraw consent (where previously given) • Right to lodge a complaint with data protection authority Nice example http://www.kowi.de/en/system-metanavigation/privacy-policy/ privacy-policy.aspx

  15. Transparent processing — Record keeping following Art. 30 Content of processing records • Name and contact details of controller and, where applicable: joint controller, representative and data protection officer • Purposes of the processing • Categories of data subjects and categories of personal data • Categories of recipients to whom data have been or will be disclosed including recipients in third countries or international organisations • Transfers of personal data to a third country or an international organisation (where applicable) including safeguards • Envisaged time limits for erasure of different categories of data • General description of the technical and organisational security measures

  16. Fair processing — Responsibilities of controller Implementation of technical and organisational measures • Data protection policies • Data minimisation – collect only data needed for purpose! • Keep data only as long as necessary • Access restriction – access only to personnel needed • Secure storage and transfer • Security measures (in accordance with Art. 32) Sharing data • Only with prior information of data subject • Joint controllers: determine transparently the respective responsibilities for compliance with the obligations of the GDPR • Processor: only based on contract following Art. 28

  17. Fair processing — Rights of data subject • Information to be provided where personal Article 13 data are collected from the data subject Article 15 • Right of access by the data subject Article 17 • Right to erasure (‘right to be forgotten’) Article 18 • Right to restriction of processing Article 21 • Right to object (where no consent was given) Article 16 • Right to rectification Article 19 • Notification obligation regarding rectification or erasure of personal data or restriction of processing to other recipients Article 20 • Right to data portability

  18. The Galaxy use case — What else is needed? Data protection officer?? • YES , most likely • Independent of role as controller or processor when - Public bodies - Processing on a large scale of special categories of data pursuant to Article 9 Data protection impact assessment?? • No • Processor only needs to assist • Processing of administrative data and web statistics not likely to result in high risk to rights and freedom of natural person

  19. THANK YOU!

Recommend

Samsung Galaxy S4 cases 2013 Catalogue Galaxy S4 Incline Kickstand case V ersatile Incline

Samsung Galaxy S4 cases 2013 Catalogue Galaxy S4 Incline Kickstand case V ersatile Incline

Samsung Galaxy S4 cases 2013 Catalogue Galaxy S4 Incline Kickstand case V ersatile Incline allows hands free viewing for video on your Galaxy S4. Made from precision engineered PC and zinc alloy, the low profile design protects from shocks

135 views • 11 slides
Data Protection Webinar Case Studies 19 April 2018 INTRODUCTION Overview 1. GDPR Audit

Data Protection Webinar Case Studies 19 April 2018 INTRODUCTION Overview 1. GDPR Audit

Data Protection Webinar Case Studies 19 April 2018 INTRODUCTION Overview 1. GDPR Audit Approach 2. Consent 3. Dealing with Subject Access Requests (SAR) 4. Data Privacy Impact Assessments (DPIA) 2 Case Study: GDPR Audit

526 views • 29 slides
GDPR How does it apply to me? What is GDPR? It is the LAW! What is GDPR? The General Data

GDPR How does it apply to me? What is GDPR? It is the LAW! What is GDPR? The General Data

GDPR How does it apply to me? What is GDPR? It is the LAW! What is GDPR? The General Data Protection Regulation Came into force on May 25 th Replaces the current 1995 Data Protection Directive and Data Protection Act (1998). What is GDPR?

570 views • 18 slides
Data minimization & concentration: Intended and unintended consequences of the GDPR Garrett

Data minimization & concentration: Intended and unintended consequences of the GDPR Garrett

garjoh_canuck Data minimization & concentration: Intended and unintended consequences of the GDPR Garrett Johnson (Boston U) Scott Shriver (U Colorado Boulder) GDPR Impact GDPR General Data Protection Regulation EU EEA Brexit GDPR

833 views • 27 slides
Protection Regulation (GDPR) Presentation Structure What is the GDPR? When and where does

Protection Regulation (GDPR) Presentation Structure What is the GDPR? When and where does

Presentation by Michalis Mantzaris, PhD Introduction to General Data Protection Regulation (GDPR) Presentation Structure What is the GDPR? When and where does it apply? Consisting elements and Guideline provision Key changes and

605 views • 23 slides
Overview What is the GDPR? What are the main changes? Risks? What do you need to do

Overview What is the GDPR? What are the main changes? Risks? What do you need to do

Overview What is the GDPR? What are the main changes? Risks? What do you need to do to be compliant? Data Breaches How does the GDPR affect you? Steps to Compliance Summary What is the GDPR? q The EU's General Data

355 views • 17 slides
Galaxy University of Oregon January 25, 2018 Dave Clements Johns Hopkins Univeristy Galaxy

Galaxy University of Oregon January 25, 2018 Dave Clements Johns Hopkins Univeristy Galaxy

Galaxy University of Oregon January 25, 2018 Dave Clements Johns Hopkins Univeristy Galaxy Community bit.ly/gxy-bgmp-2018 #usegalaxy @galaxyproject Agenda What is Galaxy? Features / Live demo Galaxy's audience Galaxy's availability

691 views • 48 slides
PROTECTION REGULATIONS May 2018 GDPR What is GDPR What is different Principles

PROTECTION REGULATIONS May 2018 GDPR What is GDPR What is different Principles

GENERAL DATA PROTECTION REGULATIONS May 2018 GDPR What is GDPR What is different Principles of of GDPR How does it effect school How are school preparing How does it effect individual staff How can

475 views • 12 slides
Welcome Agenda GDPR is in force now and applies to Australian businesses What does GDPR require?

Welcome Agenda GDPR is in force now and applies to Australian businesses What does GDPR require?

Welcome Agenda GDPR is in force now and applies to Australian businesses What does GDPR require? How does an Australian business comply? Action Plan Section 1: GDPR is here Privacy in the digital age Historically, privacy was almost

513 views • 40 slides
Click to add title Click to add subtitle Before the GDPR: the great GDPR compliance panic The

Click to add title Click to add subtitle Before the GDPR: the great GDPR compliance panic The

Almost one year after the GDPR, where are we now? Click to add title Click to add subtitle Before the GDPR: the great GDPR compliance panic The first year of the GDPR can best be described as "quiet test run. What are the most striking

405 views • 8 slides
GDPR T owards Compliance 25 May 2018 Wha hat t is GDPR? EU Data Protection Directive EU

GDPR T owards Compliance 25 May 2018 Wha hat t is GDPR? EU Data Protection Directive EU

GDPR T owards Compliance 25 May 2018 Wha hat t is GDPR? EU Data Protection Directive EU General Data Protection 1995 Regulation 2016 Data Protection Act 1998 Data Protection Bill 2017-19 Fines DPA GDPR Maximum Fine 500k Two

622 views • 17 slides
Our Galaxy Chapter 19 19.1 The Milky Way Revealed Our goals for learning What does our

Our Galaxy Chapter 19 19.1 The Milky Way Revealed Our goals for learning What does our

Our Galaxy Chapter 19 19.1 The Milky Way Revealed Our goals for learning What does our galaxy look like? How do stars orbit in our galaxy? What does our galaxy look like? The Milky Way galaxy appears in our sky as a faint band of

967 views • 64 slides
Chapter 19 19.1 The Milky Way Revealed Our Galaxy Our goals for learning What does our

Chapter 19 19.1 The Milky Way Revealed Our Galaxy Our goals for learning What does our

Chapter 19 19.1 The Milky Way Revealed Our Galaxy Our goals for learning What does our galaxy look like? How do stars orbit in our galaxy? What does our galaxy look like? The Milky Way galaxy appears in our sky as a faint band of

365 views • 11 slides
The BEACON use case under the GDPR Regina Becker ELIXIR-LU ELIXIR AllHands Workshop 7. June

The BEACON use case under the GDPR Regina Becker ELIXIR-LU ELIXIR AllHands Workshop 7. June

The BEACON use case under the GDPR Regina Becker ELIXIR-LU ELIXIR AllHands Workshop 7. June 2018 The BEACON tool Processing genetic data to make it Findable Processing genetic data to make it Findable What does the GDPR

891 views • 15 slides
GDPR Dont be scared Even if you cant answer all the questions on the form GDPR Dont

GDPR Dont be scared Even if you cant answer all the questions on the form GDPR Dont

GDPR Dont be scared Even if you cant answer all the questions on the form GDPR Dont be scared 60% of people welcome the rights under GDPR 48% of UK adults plan to activate their rights 56% welcome the right to object to marketing

1.32k views • 37 slides
GDPR Breach & Automated Decision Making Part 5 of our series on GDPR and its impact on the

GDPR Breach & Automated Decision Making Part 5 of our series on GDPR and its impact on the

GDPR Breach & Automated Decision Making Part 5 of our series on GDPR and its impact on the recruitment industry This webinar is provided for information purposes and is NOT intended to be legal advice pertaining to the subject matter. If you

617 views • 38 slides
GDPR Webinar Guide Overview and key points Part 1 of our series on GDPR and its impact on the

GDPR Webinar Guide Overview and key points Part 1 of our series on GDPR and its impact on the

1 GDPR Webinar Guide Overview and key points Part 1 of our series on GDPR and its impact on the recruitment industry 2 Introduction The rules which underpin the storage of personal data have changed dramatically. The new EU-US Privacy Shield

998 views • 35 slides
GDPR Obligations & Rules Introduction to Privacy and the GDPR Simone Fischer-Hbner

GDPR Obligations & Rules Introduction to Privacy and the GDPR Simone Fischer-Hbner

GDPR Obligations & Rules Introduction to Privacy and the GDPR Simone Fischer-Hbner CC-BY-4.0 Advising, Monitoring, Enforcing European Data Protection Board Art. 68 - 73 (replacing the Art. 29 Working Party) advise Supervisory

626 views • 8 slides
GDPR Rights and Consent Part 2 of our series on GDPR and its impact on the recruitment industry

GDPR Rights and Consent Part 2 of our series on GDPR and its impact on the recruitment industry

GDPR Rights and Consent Part 2 of our series on GDPR and its impact on the recruitment industry This webinar is provided for information purposes and is NOT intended to be legal advice pertaining to the subject matter. If you have specific

495 views • 35 slides
Connecting Galaxy with the NIH Sequence Read Archive (SRA) Wednesday, June 24 Marius van den

Connecting Galaxy with the NIH Sequence Read Archive (SRA) Wednesday, June 24 Marius van den

Connecting Galaxy with the NIH Sequence Read Archive (SRA) Wednesday, June 24 Marius van den Beek Daniel Blankenberg Dave Clements @galaxyproject #UseGalaxy bit.ly/galaxy-sra-slides Agenda SRA? Galaxy? SRA + Galaxy! A

178 views • 13 slides
GDPR General Data Protection Regulation DR. Rafi us Shan, Chief Cyber Security , KP CERC KPITB

GDPR General Data Protection Regulation DR. Rafi us Shan, Chief Cyber Security , KP CERC KPITB

GDPR General Data Protection Regulation DR. Rafi us Shan, Chief Cyber Security , KP CERC KPITB GDPR TIMELINE Definitions GDPR is a set of EU laws that come into affect on May 25th 2018. GDPR rules are designed to give more control over

587 views • 30 slides
GDPR Hacks For O365 3/27/2018 How O365 And Azure Can Help JB Wissma mann nn Organizations Get

GDPR Hacks For O365 3/27/2018 How O365 And Azure Can Help JB Wissma mann nn Organizations Get

GDPR Hacks For O365 3/27/2018 How O365 And Azure Can Help JB Wissma mann nn Organizations Get Compliant Agenda GDPR at a glance What does GDPR mean for IT departments Microsoft and GDPR M365 O365 Azure Dynamics

349 views • 18 slides
GDPR INFORMATION SEMINAR Dun Laoghaire / Rathdown Sports Partnership March 2018 WHY ? 1. GDPR

GDPR INFORMATION SEMINAR Dun Laoghaire / Rathdown Sports Partnership March 2018 WHY ? 1. GDPR

GDPR INFORMATION SEMINAR Dun Laoghaire / Rathdown Sports Partnership March 2018 WHY ? 1. GDPR applies to you because you hold data it does not discriminate on size / profit 2. Deadline to comply 3. Fines 4. Book stops with you ? 5. Piece

1.05k views • 37 slides
Galaxy Zoo Challenge CLASSIFYING THE MORPHOLOGIES OF DISTANT GALAXIES IN OUR UNIVERSE Is the

Galaxy Zoo Challenge CLASSIFYING THE MORPHOLOGIES OF DISTANT GALAXIES IN OUR UNIVERSE Is the

Galaxy Zoo Challenge CLASSIFYING THE MORPHOLOGIES OF DISTANT GALAXIES IN OUR UNIVERSE Is the galaxy simply smooth and rounded, with no sign of a disk? A Star Feature Galaxy A Spiral Feature Galaxy (2 Spiral arms) Data Set Hubble's CANDELS

459 views • 9 slides

More recommend