Anthropic-Cybersecurity-Skills/skills/implementing-gdpr-data-protection-controls/references/standards.md
GDPR Standards Reference

Primary Legislation

Regulation (EU) 2016/679 - General Data Protection Regulation

  • Adopted: April 14, 2016
  • Effective: May 25, 2018
  • Scope: Applies to any organization processing personal data of EU/EEA residents
  • Chapters: 11 chapters, 99 articles, 173 recitals
  • Enforcement: Supervisory authorities in each EU member state
  • Penalties: Up to EUR 20 million or 4% of annual global turnover (whichever is greater)

Key Articles Reference

Chapter II - Principles (Articles 5-11)

  • Art. 5: Core processing principles (lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, accountability)
  • Art. 6: Six lawful bases for processing
  • Art. 7: Conditions for consent
  • Art. 8: Child's consent (minimum age varies by member state, 13-16)
  • Art. 9: Special categories of data (health, biometric, genetic, racial/ethnic, political, religious, trade union, sexual orientation)
  • Art. 10: Criminal conviction data

Chapter III - Rights of the Data Subject (Articles 12-23)

  • Art. 12: Transparent communication (one month response deadline)
  • Art. 13: Information for direct collection
  • Art. 14: Information for indirect collection
  • Art. 15: Right of access (copy of data, processing purposes, recipients, retention periods, safeguards for transfers)
  • Art. 16: Right to rectification
  • Art. 17: Right to erasure (applies when: consent withdrawn, purpose fulfilled, unlawful processing, legal obligation)
  • Art. 18: Right to restriction of processing
  • Art. 20: Right to data portability (structured, commonly used, machine-readable format)
  • Art. 21: Right to object (especially direct marketing - absolute right)
  • Art. 22: Automated individual decision-making including profiling

Chapter IV - Controller and Processor (Articles 24-43)

  • Art. 24: Responsibility of the controller
  • Art. 25: Data protection by design and by default
  • Art. 26: Joint controllers
  • Art. 28: Processor (DPA requirements: subject-matter, duration, nature/purpose, personal data types, data subject categories, controller obligations/rights)
  • Art. 30: Records of processing activities
  • Art. 32: Security of processing
  • Art. 33: Notification to supervisory authority (72 hours)
  • Art. 34: Communication to data subject (when high risk to rights and freedoms)
  • Art. 35: Data Protection Impact Assessment (DPIA)
  • Art. 36: Prior consultation with supervisory authority
  • Art. 37-39: Data Protection Officer

Chapter V - International Transfers (Articles 44-49)

  • Art. 45: Adequacy decision (the European Commission determines which third countries provide an adequate level of protection)
  • Art. 46: Appropriate safeguards (SCCs, BCRs, codes of conduct, certification)
  • Art. 47: Binding Corporate Rules
  • Art. 49: Derogations (explicit consent, contract, public interest)

Supporting Standards and Guidance

ISO/IEC 27701:2019

  • Privacy Information Management System (PIMS) extension to ISO 27001
  • Maps GDPR requirements to ISO management system controls
  • Provides controller and processor-specific guidance

EDPB Guidelines

  • Guidelines on Data Protection Impact Assessment (WP 248)
  • Guidelines on Data Breach Notification (WP 250)
  • Guidelines on Consent (updated 2020)
  • Guidelines on International Data Transfers (post-Schrems II)
  • Guidelines on Data Protection by Design and Default (04/2019)

Transfer Mechanisms Post-Schrems II

  • Standard Contractual Clauses (SCCs): New modular SCCs adopted June 2021
    • Module 1: Controller to Controller
    • Module 2: Controller to Processor
    • Module 3: Processor to Processor
    • Module 4: Processor to Controller
  • Transfer Impact Assessment (TIA): Required to supplement SCCs
  • Supplementary Measures: Technical (encryption, pseudonymization), contractual, organizational
  • EU-US Data Privacy Framework: Adequacy decision adopted July 2023

DPIA Criteria (Article 35(3) and EDPB)

DPIA required when processing involves:

  1. Systematic and extensive evaluation of personal aspects (profiling)
  2. Large-scale processing of special categories or criminal data
  3. Systematic monitoring of publicly accessible areas
  4. New technologies with potential high risk
  5. Large-scale data processing
  6. Matching or combining datasets
  7. Data concerning vulnerable subjects
  8. Innovative use of biometric data
  9. Data transfers outside EU without adequacy
  10. Processing that prevents data subjects from exercising rights

Supervisory Authorities

| Country | Authority | Website |
|---|---|---|
| EU-wide | European Data Protection Board (EDPB) | edpb.europa.eu |
| France | CNIL | cnil.fr |
| Germany | BfDI (Federal), State DPAs | bfdi.bund.de |
| Ireland | DPC | dataprotection.ie |
| Netherlands | Autoriteit Persoonsgegevens | autoriteitpersoonsgegevens.nl |
| Spain | AEPD | aepd.es |
| Italy | Garante | garanteprivacy.it |
| UK | ICO (UK GDPR post-Brexit) | ico.org.uk |

Key Enforcement Decisions (Benchmark)

  • Meta (Ireland DPC, 2023): EUR 1.2 billion - Transfers to US without adequate safeguards
  • Amazon (Luxembourg CNPD, 2021): EUR 746 million - Advertising targeting
  • WhatsApp (Ireland DPC, 2021): EUR 225 million - Transparency failures
  • Google (CNIL, 2022): EUR 150 million - Cookie consent
  • H&M (Hamburg DPA, 2020): EUR 35.3 million - Employee surveillance