Data Protection EMEA Training
NEC EMEA New Joiners 2020
NEC Group Internal Use Only
AGENDA OF THE TRAINING
I. INTRODUCTION
II. DATA PROTECTION KEY REQUIREMENTS.
III. WHAT DOES PERSONAL DATA MEAN.
IV. DATA PROCESSING. ROLES.
V. PRINCIPLES.
VI. NEC ACCOUNTABILITY.
VII. LEGAL BASIS FOR PROCESSING PERSONAL DATA.
VIII. PERSONAL DATA BREACHES.
IX. ENFORCEMENT.
X. NEC EMPLOYEES’ RESPONSIBILITIES
XI. QUIZ
• The Convention for the Protection of Individuals
with regard to Automatic Processing of Personal
Data №108.
• OECD Guidelines.
• GDPR and EU members’ data protection law.
• Protection law acts, standards and regulations
which are in force. Protection of Personal Data No.
6698 dated April 7, 2016 (PDPL), Federal Law of July
2006, POPI Act…
• Data privacy cases, precedents, guidelines.
Source @UNCTAD 2020.
I. INTRODUCTION. OVERVIEW
Data protection laws generally set out rules and standards for the use and handling ('processing') of
information ('personal data') about living identifiable individuals ('data subjects'). Laws apply to
organizations in all sectors, both public and private.
Data Protection Laws. Global Overview
II. DATA PROTECTION KEY REQUIREMENTS
DATA PROTECTION LAWS ARE BASED AROUND THE NOTIONS OF PRINCIPLES, INDIVIDUALS' RIGHTS, RISK ASSESSMENTS AND THE ACCOUNTABILITY CONCEPT.
Data protection laws seek to protect and prevent the abuse and misuse of personal data, owned by individuals whose information is collected, processed, and used by the companies.
Key requirements:
• Enforcement
• Accountability
• Data Protection Principles
• Security on processing
• Registry of activities
• Data Subject Rights
• Data Breaches
III. PERSONAL DATA MEANING UNDER DATA PROTECTION LAWS
• Personal Data means any information relating to an identified or identifiable natural person.
• Sensitive Personal Data includes data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.
III. PERSONAL DATA EXAMPLES
Betty Miller
ID Number: N000182
miller-b@nec.com
+33 134 432345
Algeria
male
40 Years
IP: 7000182-23-3019
born: 12.01.1980
Moscow Road, London
likes hamburgers
BA of Law 1993,
Engineer. Project Manager Leader
shoe size: 48/12,5
married, 4 kids
John Smith
IV. DATA PROCESSING/ ROLES UNDER DATA PROTECTION LAWS
• Processing: Processing covers a wide range of operations performed on personal data, including by manual or automated means. It includes the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data. For example, staff management and payroll administration; access to/consultation of a contacts database containing personal data.
• Data Controller/Responsible Party/Operator: person or entity who (either alone, jointly, or in common with others) determines the purposes for which and the manner in which personal data is processed. In other words, deciding “what” personal data will be processed for and “how” it will be done. NEC shall act as Data Controller/Responsible Party/Operator when it determines the purposes for which, and the way in which, personal data is processed.
• Data Processor/Operator/party that processes personal data under the Operator's instructions: person or entity who processes personal data on behalf of a controller/Responsible Party/Operator.
• gathering
• collecting
• uploading
• recalling
• storing
• deleting
• modifying
• auditing
• using
• sending
• distributing
• modulating
• linking
• restricting
• printing
• editing
• erasing
• transferring
• distributing
• adjusting
IV. DATA PROCESSING/ ROLES UNDER DATA PROTECTION LAWS
• It is essential for NEC to be able to determine the role in which it is acting in respect of the processing. This is particularly important in situations such as a data breach where it will be necessary to determine which organisation has data protection responsibility.
• The key distinction is to determine the degree of independence that each party has in determining how and in what manner the data is processed, as well as the degree of control over the content of personal data.
• The fact that one organisation provides a service to another organisation does not necessarily mean that it is acting as a data processor (also called operator or party that processes personal data under the Operator's instructions). It could be a data controller (also called responsible party or operator) in its own right, depending on the degree of control it exercises over the processing operation.
• NEC cannot assume both roles for the same data processing activity: it must be one or the other. However, it can be acting as both in the same Agreement.
Make sure that you comply with NEC GUIDELINES. A data processing agreement (DPA) must be
signed.
V. DATA PROTECTION PRINCIPLES. QUESTIONS
Questions to ask prior to the processing of personal data
1. Is my processing activity lawful? Has the data subject been informed about the processing activity?
2. Do I use personal data for a specific purpose? Do I use personal data for other purposes?
3. Are all personal data necessary and not only useful?
4. Are personal data accurate and up to date?
5. Must I delete personal data at the end of the processing activity or are there other obligations to keep the data?
6. Are personal data sufficiently secure?
© NEC Corporation 2019
Lawfulness, Fairness and Transparency
NEC employees must:
• Ensure that you do not do anything with the data in breach of any other laws.
• Identify legal basis for collecting and using personal data.
• Please follow internal policies.
• Use personal data in a way that is fair: you must not process the data in a way that is unduly
detrimental, unexpected or misleading to the individuals concerned.
• Be clear, open and honest from the start about how you will use their personal data.
Examples:
Premises is going to be filming in a certain part of an office for celebrating NEC’s 120th anniversary. NEC asks all the employees who sit in that area for their consent to be filmed. Those who do not want to be filmed are not penalised and don't appear in any way but instead are given equivalent desks elsewhere in the building for the duration of the filming.
NEC informs its employees that it will use their email address to keep them informed on IT updates. However, NEC shares their email address with a provider for a different purpose.
V. DATA PROTECTION PRINCIPLES
Purpose Limitation
NEC employees must:
• Be clear from the start about what are the purposes for processing.
• Record the purposes as part of your documentation obligations and specify them in the privacy
notice for individuals.
• Collect it for a determined, specific, and legitimate purpose. Any further processing must not be incompatible with the purposes specified at the outset. Collecting a person’s data for one purpose and then using it for something else without notice or justification is not acceptable.
Examples:
NEC Finance team stores personal data in separate databases, entities, and areas for each purpose and process. By separating the processing or storage of several sources of personal data that belong to the same person, the possibility of creating a complete profile of one person is reduced and, moreover, linkability between different data sets is avoided.
Mary, from the HR department discloses her employees’ sickness list to her husband,
who runs a travel agency, so that he can offer special holiday deals to those employees
needing recuperation.
V. DATA PROTECTION PRINCIPLES
Data Minimisation
NEC employees must ensure the personal data processing is:
• Adequate - sufficient to properly fulfil your purpose.
• Relevant: has a rational link to that purpose.
• Limited to what is necessary.
Examples:
NEC offers car-sharing services to employees. For those services NEC requires the
name, address and credit card number of employees, health data and racial origin.
EIS restricts digital file paths and folders using permissions and passwords so only NEC employees who need access to personal data have access to it.
V. DATA PROTECTION PRINCIPLES
Accuracy
NEC employees should:
• Ensure the personal data held is not incorrect or misleading and, if it is, take reasonable steps to correct or erase it as soon as possible.
• Keep the personal data up to date, although this will depend on what you are using it for.
Examples:
A customer places a one-off order with NEC. NEC will probably have a good reason to
retain a record of the order for a certain period for accounting reasons. However, this
does not mean that NEC has to regularly check that the customer is still located at the
same address.
An employee informs HR of a new address; however, the person in charge of HR doesn't update the records and keeps sending letters to such address, with the risk that another person, not authorised to receive them, has access to them.
V. DATA PROTECTION PRINCIPLES
Storage Limitation
NEC employees must:
• Not keep personal data for longer than you need it.
• Follow NEC Retention Policy and Schedule Instructions.
• Be able to justify how long you keep personal data. This will depend on your purposes for holding the data.
• Periodically review the data you hold, and erase, archive or anonymize it when you no longer need it.
• Remember that individuals have the right to erasure if you no longer need the data.
Examples:
NEC sales teams receive several applications for a job vacancy. They keep recruitment
records for unsuccessful applicants forever in their mailbox.
NEC should review the personal data it holds about an employee when they leave
NEC’s employment. It will need to retain enough data to enable NEC to deal with, for
example, providing references or pension arrangements. However, it should delete
personal data that it is unlikely to need again, such as the employee’s emergency
contact details, previous addresses, or death-in-service beneficiary details.
V. DATA PROTECTION PRINCIPLES
Integrity and Confidentiality
This is the integrity, availability and confidentiality principle of Data Protection laws, also known as the data security principle.
Generally, Data Protection Laws don't define the security measures. They require a level of security that is appropriate to the risks presented by each processing. Consider this in relation to the state of the art and costs of implementation as well as the nature, scope, context and purpose of the processing of personal data.
Ensure that you have appropriate security measures in place to protect the personal data held, aligned with local NEC ISMS Policies.
Examples:
Each employee should use an account that has permissions appropriate to the role they are carrying out at the time.
Confidential documentation needs to be securely stored, but the employee leaves the office without locking the cabinet.
VI. NEC ACCOUNTABILITY
Accountability requires translating legal requirements into risk-based, verifiable and enforceable corporate practices and controls.
Accountability is one of the data protection principles - it makes NEC responsible for complying with Data Protection Laws and says that NEC must be able to demonstrate compliance. NEC must be able to demonstrate accountability – internally and externally.
Accountability is not static, but dynamic, reiterative and a constant journey. Accountability obligations are ongoing.
• Leadership and oversight
• Risk Assessment
• Policies and procedures
• Transparency
• Training and Awareness
• Monitoring and verification
Accountability: effective compliance and protection for individuals
Implement a privacy management framework: this can help you embed your accountability measures and create a culture of privacy across NEC.
Being accountable can help NEC in EMEA to build trust with individuals and may help NEC mitigate enforcement action.
VII. LEGAL BASIS FOR PROCESSING PERSONAL DATA
• NEC in EMEA must have a valid lawful basis in order to process personal data.
• No single basis is ’better’ or more important than the others – which basis is most appropriate to use will depend on NEC's purpose and relationship with the individual.
A lawful basis for processing personal data may consist of at least one of these legal grounds and will vary per personal data processing activity, scope and purpose:
• Data Subject provides consent to the processing.
• Legitimate interest of the controller provided that rights and freedoms of data subject are not violated.
• Performance of a contract to which the data subject is party.
• Compliance with a legal obligation.
• Protection of vital interests.
• Public interest or official authority.
VIII. PERSONAL DATA BREACHES
• Destruction of personal data, where personal data no longer exists or no longer exists in a form that is of any use to the controller.
• Damage, where personal data has been altered, corrupted or is no longer complete.
• Loss of personal data: personal data may still exist but the controller has lost control or access to it or no longer has it in possession.
• Unauthorised or unlawful processing may include disclosure of personal data to (or access by) recipients who are not authorised to receive (or access) the data, or any other form of processing which is not compliant with laws and regulations.
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, whether by accidental or deliberate causes.
VIII. EXPLORING DATA BREACHES
• Visibly copying in all individual recipients to an email without permission to share their email address (assuming it's personally identifiable).
• Sending personal data to an incorrect recipient.
• Access to personal data by an unauthorised third party.
• Alteration of personal data without permission.
• Devices/laptops containing personal data being lost or stolen.
• Deliberate or accidental action (or inaction) by a controller or processor.
• Insecure disposal of paperwork containing personal data.
• Inappropriate access controls allowing unauthorised use. ls to gain unauthorised access or make unauthorised changes to personal data or information systems.
PERSONAL DATA BREACH is more than just about losing personal data. It is about the relative consequences to the individuals concerned.
VIII. PERSONAL DATA BREACHES PROCESS
• EMEA Personal data Breaches should be reported immediately upon discovery to incident@emea.nec.com.
• Be familiar with and follow NEC internal Policies. Please check EMEA intranet.
• If a personal data breach is determined, NEC must perform an internal risk assessment to assess the likely risk to individuals as a result of a breach.
• If appropriate, NEC reports the personal data breach, if the threshold is met.
• Remediation plan for containing the data breach.
Data Subjects
Supervisory authority
IX. ENFORCEMENT
• Enforcement can be significantly different in each country. However, most EMEA Data Protection Supervisory Authorities are entitled to:
• carry out checks;
• consider complaints from data subjects;
• require the submission of necessary information about personal data processing by the data controller;
• require the undertaking of certain actions according to the law by the data processor, including discontinuance of the processing of personal data;
• file court actions;
• initiate criminal cases; and
• impose administrative liability.
NEC in EMEA Data Protection Programs. Are you aware of it?
• Data Protection Privacy Framework. Policies, protocols and instructions for EMEA NEC’s compliance approach to the requirements of Data Protection Laws. You can find the Data Protection Framework in the Intranet site: https://intra.emea.nec.com/legal.
• Training and awareness. General and refreshing training for NEC employees around the requirements of Data Protection Laws, new compliance channel for data protection communications and layers regularly published for specific topics in the EMEA intranet.
• Alignment with NEC Corporation. Alignment within NEC Group on projects where data protection applies or where NEC EMEA Affiliates are part of.
• Data Protection Governance Structure. Reinforce the Privacy team within EMEA Region (i) Data Protection Officer(s) and, (ii) Privacy Collaborators.
X. NEC EMPLOYEES’ RESPONSIBILITIES
NEC Corporation
• Global Chief Compliance Officer.
• Compliance Division.
NEC EMEA
• EMEA Data Protection Officer.
• Privacy Collaborators.
NEC CA's
• Data Protection Officer(s).
• Privacy Collaborators.
X. NEC EMPLOYEES’ RESPONSIBILITIES
All NEC employees are responsible
towards Data Protection.
Data Protection is for the entire
Group.
All employees have an important
role in continuous compliance of
Data Protection Laws.
X. NEC EMPLOYEES’ RESPONSIBILITIES
• Be aware of the importance of privacy: Follow and read NEC
Policies.
• Be careful in deciding about Data Protection Laws
compliance without consultation. Always ask!
• Only collect personal data that is reasonably necessary for
the legitimate purposes for which you are collecting that
personal data.
• Do not share any individual’s information with any third
parties unless you have received authorization from your
Manager based on advice from Privacy team.
• Choose the less intrusive privacy approach in your day to
day activities including managing data, designing
products, and services.
• Follow closely the principles and obligations highlighted in
this training.
NEC collects and processes personal data of its customers, employees, suppliers and any third parties. NEC is committed to respect the privacy rights and freedoms of the individuals whose personal data is collected and processed by complying with all applicable data protection laws.
ATTENTION!
• All NEC employees are
responsible towards Data
Protection compliance.
• All employees have an important role in continuous Data Protection compliance.
Follow NEC internal rules
XI. QUIZ
1) Data protection laws generally set out rules and standards for:
(a) Processing personal data;
(b) About deceased persons;
(c) Apply to private companies;
(d) None of the above.
Answer: a) Data protection laws generally set out rules and standards for the use and handling ('processing') of information ('personal data') about living identifiable individuals ('data subjects'). Laws apply to organizations in all sectors, both public and private.
XI. QUIZ
2) Under the sensitive personal data definition, which of the following is not considered sensitive:
(a) Trade union membership;
(b) Biometric data;
(c) Financial data (bank accounts);
(d) Religion;
Answer c) Financial data is considered personal data; however, it is not sensitive personal data.
XI. QUIZ
3) Data protection is guided by certain principles on how NEC should handle personal data. Which one of the following is not one of these principles?
(a) Only collect what is necessary.
(b) Ensure data is accurate and up to date.
(c) Ensure data is not duplicated to minimise spread of data.
(d) Don’t keep data longer than required and dispose of it properly.
Answer c) Ensure data is not duplicated to minimise its spread. Although data should be as streamlined as possible, this is not one of the principles. The EMEA intranet site is a good place to look at those.
XI. QUIZ
4) Data Protection Laws introduce a new data protection accountability concept, please select the correct
(a) It makes NEC responsible for complying with Data Protection Laws and says that NEC must be able to demonstrate compliance
(b) Implement a privacy management framework: this can help you embed your accountability measures and create a culture of privacy across NEC.
(c) Being accountable can help NEC in EMEA to build trust with individuals and may help NEC mitigate enforcement action;
(d) All the above
Answer d)
XI. QUIZ
5) When a personal data breach occurs, what is the maximum time an NEC employee has to report it?
(a) 12 hours.
(b) Immediately upon discovery.
(c) No need to report it internally; I can manage on my own.
(d) There isn’t a limit.
Answer b) You should report a data breach as soon as you are aware. If you’re not sure what’s happened or whether what you’ve found is a data breach, the rule is: If in doubt, report – it’s better to over-report than under-report. NEC keeps a record of all actual and potential breaches.
XI. QUIZ
6) I sent an internal mail with personal data attached to an incorrect internal recipient. Which are the following steps?
(a) Nothing, that is not a data breach. It’s internal and I can handle the situation on my own.
(b) Report it immediately upon discovery to incident@emea.nec.com.
(c) I recall the message, data breach is closed.
(d) All of the above.
Answer b) Report it immediately upon discovery to incident@emea.nec.com
XI. QUIZ
7) If you have a general question about data protection, where should you go for more information? Choose as many options as you consider.
(a) Always go to your Supervisory Authority.
(b) Check out the Data Protection EMEA intranet site.
(c) Contact your Privacy Collaborator in your NEC CA.
(d) Contact the Data Protection Officer(s).
Answer: b, c and d) You can, of course, speak to your Supervisory Authority or anyone else, but our Data Protection EMEA intranet site is a good place to look. If you can’t find an answer there, contact the Data Protection Collaborators in your CAs or your Data Protection Officer(s).
XI. QUIZ
8) Staff management and payroll administration; access to/consultation of a contacts database containing personal data are examples of
(a) Data Controller/Responsible Party/Operator;
(b) Data Processor/Operator/party that processes personal data under the Operator's instructions;
(c) Processing of personal data;
(d) None of the above;
Answer: c) Processing of personal data;
XI. QUIZ
9) Be clear from the start about what are the purposes for processing
is part of:
(a) Lawfulness, fairness and transparency principle;
(b) Data minimisation principle;
(c) Purpose limitation principle;
(d) Security principle.
Answer : c) Purpose limitation.
XI. QUIZ
10) NEC collects and processes personal data of its customers, employees, suppliers and any third parties. NEC is committed to respect the privacy rights and freedoms of the individuals whose personal data is collected and processed by complying with all applicable data protection laws.
(a)True
(b)False
Answer a)
Thank you very much for your collaboration
Orchestrating a brighter world
38

Mais conteúdo relacionado

Mais procurados

GDPR Breakfast Briefing for Business Advisors
GDPR Breakfast Briefing for Business AdvisorsGDPR Breakfast Briefing for Business Advisors
GDPR Breakfast Briefing for Business AdvisorsHarrison Clark Rickerbys
 
Personal data protection bill
Personal data protection bill Personal data protection bill
Personal data protection bill Mathew Chacko
 
Data Protection Act 1998 (amended 2000)
Data Protection Act 1998 (amended 2000)Data Protection Act 1998 (amended 2000)
Data Protection Act 1998 (amended 2000)The Pathway Group
 
An overview of the Indian Data Privacy Bill
An overview of the Indian Data Privacy Bill An overview of the Indian Data Privacy Bill
An overview of the Indian Data Privacy Bill Komal Gadia
 
Presentation on GDPR
Presentation on GDPRPresentation on GDPR
Presentation on GDPRDipanjanDey12
 
Data Privacy in India and data theft
Data Privacy in India and data theftData Privacy in India and data theft
Data Privacy in India and data theftAmber Gupta
 
GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...
GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...
GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...Harrison Clark Rickerbys
 
Introduction to EU General Data Protection Regulation: Planning, Implementati...
Introduction to EU General Data Protection Regulation: Planning, Implementati...Introduction to EU General Data Protection Regulation: Planning, Implementati...
Introduction to EU General Data Protection Regulation: Planning, Implementati...Financial Poise
 
GDPR Breakfast Briefing for Business Owners, IT Directors, HR Directors & Ops...
GDPR Breakfast Briefing for Business Owners, IT Directors, HR Directors & Ops...GDPR Breakfast Briefing for Business Owners, IT Directors, HR Directors & Ops...
GDPR Breakfast Briefing for Business Owners, IT Directors, HR Directors & Ops...Harrison Clark Rickerbys
 
Unit 6 Privacy and Data Protection 8 hr
Unit 6  Privacy and Data Protection 8 hrUnit 6  Privacy and Data Protection 8 hr
Unit 6 Privacy and Data Protection 8 hrTushar Rajput
 
GDPR for developers
GDPR for developersGDPR for developers
GDPR for developersExove
 
Merit Event - Understanding and Managing Data Protection
Merit Event - Understanding and Managing Data ProtectionMerit Event - Understanding and Managing Data Protection
Merit Event - Understanding and Managing Data Protectionmeritnorthwest
 
GDPR- GENERAL DATA PROTECTION REGULATION
GDPR- GENERAL DATA PROTECTION REGULATIONGDPR- GENERAL DATA PROTECTION REGULATION
GDPR- GENERAL DATA PROTECTION REGULATIONSaurabh Pandey
 
Uchi data local presentation 2020
Uchi data local presentation 2020Uchi data local presentation 2020
Uchi data local presentation 2020Christo W. Meyer
 
How to get started with being GDPR compliant
How to get started with being GDPR compliantHow to get started with being GDPR compliant
How to get started with being GDPR compliantSiddharth Ram Dinesh
 
General data protection regulation
General data protection regulationGeneral data protection regulation
General data protection regulationFahad Ameen
 

Mais procurados (20)

GDPR Breakfast Briefing for Business Advisors
GDPR Breakfast Briefing for Business AdvisorsGDPR Breakfast Briefing for Business Advisors
GDPR Breakfast Briefing for Business Advisors
 
Personal data protection bill
Personal data protection bill Personal data protection bill
Personal data protection bill
 
Data Protection Act 1998 (amended 2000)
Data Protection Act 1998 (amended 2000)Data Protection Act 1998 (amended 2000)
Data Protection Act 1998 (amended 2000)
 
An overview of the Indian Data Privacy Bill
An overview of the Indian Data Privacy Bill An overview of the Indian Data Privacy Bill
An overview of the Indian Data Privacy Bill
 
Presentation on GDPR
Presentation on GDPRPresentation on GDPR
Presentation on GDPR
 
Data Privacy in India and data theft
Data Privacy in India and data theftData Privacy in India and data theft
Data Privacy in India and data theft
 
GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...
GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...
GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...
 
General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR)General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR)
 
Introduction to EU General Data Protection Regulation: Planning, Implementati...
Introduction to EU General Data Protection Regulation: Planning, Implementati...Introduction to EU General Data Protection Regulation: Planning, Implementati...
Introduction to EU General Data Protection Regulation: Planning, Implementati...
 
GDPR Breakfast Briefing for Business Owners, IT Directors, HR Directors & Ops...
GDPR Breakfast Briefing for Business Owners, IT Directors, HR Directors & Ops...GDPR Breakfast Briefing for Business Owners, IT Directors, HR Directors & Ops...
GDPR Breakfast Briefing for Business Owners, IT Directors, HR Directors & Ops...
 
1307 Privacy Act
1307 Privacy Act1307 Privacy Act
1307 Privacy Act
 
Unit 6 Privacy and Data Protection 8 hr
Unit 6  Privacy and Data Protection 8 hrUnit 6  Privacy and Data Protection 8 hr
Unit 6 Privacy and Data Protection 8 hr
 
GDPR for developers
GDPR for developersGDPR for developers
GDPR for developers
 
Merit Event - Understanding and Managing Data Protection
Merit Event - Understanding and Managing Data ProtectionMerit Event - Understanding and Managing Data Protection
Merit Event - Understanding and Managing Data Protection
 
GDPR- GENERAL DATA PROTECTION REGULATION
GDPR- GENERAL DATA PROTECTION REGULATIONGDPR- GENERAL DATA PROTECTION REGULATION
GDPR- GENERAL DATA PROTECTION REGULATION
 
Data protection
Data protectionData protection
Data protection
 
Uchi data local presentation 2020
Uchi data local presentation 2020Uchi data local presentation 2020
Uchi data local presentation 2020
 
Ecommerce Chap 10
Ecommerce Chap 10Ecommerce Chap 10
Ecommerce Chap 10
 
How to get started with being GDPR compliant
How to get started with being GDPR compliantHow to get started with being GDPR compliant
How to get started with being GDPR compliant
 
General data protection regulation
General data protection regulationGeneral data protection regulation
General data protection regulation
 

Semelhante a Data protection training emea new joiners. mandatory quiz

The Summary Guide to Compliance with the Kenya Data Protection Law
Data protection training emea new joiners. mandatory quiz

  • 1. Data Protection EMEA Training NEC EMEA New Joiners 2020 NEC Group Internal Use Only
  • 2. 2
  • 3. AGENDA OF THE TRAINING I. INTRODUCTION II. DATA PROTECTION KEY REQUIREMENTS. III. WHAT DOES PERSONAL DATA MEAN. IV. DATA PROCESSING. ROLES. V. PRINCIPLES. VI. NEC ACCOUNTABILITY. VII. LEGAL BASIS FOR PROCESSING PERSONAL DATA. VIII. PERSONAL DATA BREACHES. IX. ENFORCEMENT. X. NEC EMPLOYEES’ RESPONSIBILITIES XI. QUIZ 3
  • 4. • The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data №108. • OECD Guidelines. • GDPR and EU members’ data protection law. • Protection law acts, standards and regulations which are in force. Protection of Personal Data No. 6698 dated April 7, 2016 (PDPL), Federal Law of July 2006, POPI Act… • Data privacy cases, precedents, guidelines. Source @UNCTAD 2020. 4 I. INTRODUCTION. OVERVIEW Data protection laws generally set out rules and standards for the use and handling ('processing') of information ('personal data') about living identifiable individuals ('data subjects'). Laws apply to organizations in all sectors, both public and private. Data Protection Laws. Global Overview
  • 5. 5 Enforcement Accountability Data Protection Principles Security on processing Registry of activities Data Subject Rights Data Breaches II. DATA PROTECTION KEY REQUIREMENTS DATA PROTECTION LAWS ARE BASED AROUND THE NOTIONS OF PRINCIPLES, INDIVIDUALS RIGHTS, RISK ASSESSMENTS AND THE ACCOUNTABILITY CONCEPT. Data protection Laws seek to protect and prevent the abuse and misuse of personal data, owned by individuals whose information is collected, processed, and used by the companies.
  • 6. III. PERSONAL DATA MEANING UNDER DATA PROTECTION LAWS • Personal Data means any information relating to an identified or identifiable natural person. • Sensitive Personal Data includes data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.
  • 7. 77 III. PERSONAL DATA EXAMPLES Betty Miller ID Number: N000182 miller-b@nec.com +33 134 432345 Algeria male 40 Years IP: 7000182-23-3019 born: 12.01.1980Moscow Road, London likes hamburgers BA of Law 1993, Engineer. Project Manager Leader shoe size: 48/12,5 married, 4 kids John Smith
  • 8. IV. DATA PROCESSING/ ROLES UNDER DATA PROTECTION LAWS • Processing: Processing covers a wide range of operations performed on personal data, including by manual or automated means. It includes the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data. For example, staff management and payroll administration; access to/consultation of a contacts database containing personal data. • Data Controller/Responsible Party/Operator: person or entity who (either alone, jointly, or in common with others) determines the purposes for which and the manner in which personal data is processed. In other words, deciding “what” personal data will be processed for and “how” it will be done. NEC shall act as Data Controller/Responsible Party/Operator when it determines the purposes for which, and the way in which, personal data is processed. • Data Processor/Operator/party that processes personal data under Operator’s instructions: person or entity who processes personal data on behalf of a controller/Responsible Party/Operator. • gathering • collecting • uploading • recalling • storing • deleting • modifying • auditing • using • sending • distributing • modulating • linking • restricting • printing • editing • erasing • transferring • distributing • adjusting
  • 9. IV. DATA PROCESSING/ ROLES UNDER DATA PROTECTION LAWS • It is essential for NEC to be able to determine the role in which it is acting in respect of the processing. This is particularly important in situations such as a data breach where it will be necessary to determine which organisation has data protection responsibility. • The key distinction is to determine the degree of independence that each party has in determining how and in what manner the data is processed, as well as the degree of control over the content of personal data. • The fact that one organisation provides a service to another organisation does not necessarily mean that it is acting as a data processor (also called operator or party that processes personal data under Operator’s instructions). It could be a data controller (also called responsible party or operator) in its own right, depending on the degree of control it exercises over the processing operation. • NEC cannot assume both roles for the same data processing activity: it must be one or the other. However, it can be acting as both in the same Agreement. Make sure that you comply with NEC GUIDELINES. A data processing agreement (DPA) must be signed.
  • 10. V. DATA PROTECTION PRINCIPLES. QUESTIONS 1 Is my processing activity lawful? Has the data subject been informed about the processing activity? 2 Do I use personal data for a specific purpose? Do I use personal data for other purposes? 3 Are all personal data necessary and not only useful? 4 Are personal data accurate and up to date? 5 Must I delete personal data at the end of the processing activity or are there other obligations to keep the data? 6 Are personal data sufficiently secure? © NEC Corporation 2019 Questions to ask prior to the processing of personal data
  • 11. © NEC Corporation 2019 Lawfulness, Fairness and Transparency NEC employees must: • Ensure that you do not do anything with the data in breach of any other laws. • Identify the legal basis for collecting and using personal data. • Please follow internal policies. • Use personal data in a way that is fair: you must not process the data in a way that is unduly detrimental, unexpected or misleading to the individuals concerned. • Be clear, open and honest from the start about how you will use their personal data. Examples: Premises is going to be filming in a certain part of an office to celebrate NEC’s 120th anniversary. NEC asks all the employees who sit in that area for their consent to be filmed. Those who do not want to be filmed are not penalised and don't appear in any way, but instead are given equivalent desks elsewhere in the building for the duration of the filming. NEC informs its employees that it will use their email address to keep them informed of IT updates. However, NEC shares their email address with a provider for a different purpose. V. DATA PROTECTION PRINCIPLES
  • 12. V. DATA PROTECTION PRINCIPLES © NEC Corporation 2019 Purpose Limitation NEC employees must: • Be clear from the start about what the purposes for processing are. • Record the purposes as part of your documentation obligations and specify them in the privacy notice for individuals. • Collect it for a determined, specific, and legitimate purpose. Any further processing must not be incompatible with the purposes specified at the outset. Collecting a person’s data for one purpose, and then using it for something else without notice or justification, is not acceptable. Examples: NEC Finance team stores personal data in separate databases, entities, and areas for each purpose and process. By separating the processing or storage of several sources of personal data that belong to the same person, the possibility of creating a complete profile of one person is reduced and linkability between different data sets is avoided. Mary, from the HR department, discloses her employees’ sickness list to her husband, who runs a travel agency, so that he can offer special holiday deals to those employees needing recuperation.
  • 13. V. DATA PROTECTION PRINCIPLES © NEC Corporation 2019 Data Minimisation NEC employees must ensure the personal data processing is: • Adequate: sufficient to properly fulfil your purpose. • Relevant: has a rational link to that purpose. • Limited to what is necessary. Examples: NEC offers car-sharing services to employees. For those services NEC requires the name, address and credit card number of employees, health data and racial origin. EIS restricts digital file paths and folders using permissions and passwords so only NEC employees who need access to personal data have access to it.
  • 14. V. DATA PROTECTION PRINCIPLES © NEC Corporation 2019 Accuracy NEC employees should: • Ensure the personal data held is not incorrect or misleading. And if so, take reasonable steps to correct or erase it as soon as possible. • Keep the personal data up to date, although this will depend on what you are using it for. Examples: A customer places a one-off order with NEC. NEC will probably have a good reason to retain a record of the order for a certain period for accounting reasons. However, this does not mean that NEC has to regularly check that the customer is still located at the same address. An employee informs HR of a new address; however, the person in charge of HR doesn't update the records and keeps sending letters to such address, with the risk that another person, not authorised to receive them, has access to them.
  • 15. V. DATA PROTECTION PRINCIPLES © NEC Corporation 2019 Storage Limitation NEC employees must: • Not keep personal data for longer than you need it. • Follow NEC Retention Policy and Schedule Instructions. • Be able to justify how long you keep personal data. This will depend on your purposes for holding the data. • Periodically review the data you hold, and erase, archive or anonymize it when you no longer need it. • Remember that individuals have the right to erasure if you no longer need the data. Examples: NEC sales teams receive several applications for a job vacancy. They keep recruitment records for unsuccessful applicants forever in their mailbox. NEC should review the personal data it holds about an employee when they leave NEC’s employment. It will need to retain enough data to enable NEC to deal with, for example, providing references or pension arrangements. However, it should delete personal data that it is unlikely to need again, such as the employee’s emergency contact details, previous addresses, or death-in-service beneficiary details.
  • 16. V. DATA PROTECTION PRINCIPLES © NEC Corporation 2019 Integrity and Confidentiality This is the integrity, availability and confidentiality principle of Data Protection laws, also known as the Data security principle. Generally, Data Protection Laws don't define the security measures. They require a level of security that is appropriate to the risks presented by each processing. Consider this in relation to the state of the art and costs of implementation as well as the nature, scope, context and purpose of the processing of personal data. Ensure that you have appropriate security measures in place to protect the personal data held, aligned with local NEC ISMS Policies. Examples: Each employee should use an account that has permissions appropriate to the role they are carrying out at the time. Confidential documentation needs to be securely stored, but the employee leaves the office without locking the cabinet.
  • 17. VI. NEC ACCOUNTABILITY Accountability requires translating legal requirements into risk-based, verifiable and enforceable corporate practices and controls. Accountability is one of the data protection principles: it makes NEC responsible for complying with Data Protection Laws and says that NEC must be able to demonstrate compliance. NEC must be able to demonstrate accountability, internally and externally. Accountability is not static, but dynamic, reiterative and a constant journey. Accountability obligations are ongoing. Leadership and oversight Risk Assessment Policies and procedures. Transparency Training and Awareness Monitoring and verification Accountability effective compliance and protection for individuals Implement a privacy management framework; this can help you embed your accountability measures and create a culture of privacy across NEC. Being accountable can help NEC in EMEA to build trust with individuals and may help NEC mitigate enforcement action.
  • 18. VII. LEGAL BASIS FOR PROCESSING PERSONAL DATA • NEC in EMEA must have a valid lawful basis in order to process personal data. • No single basis is ’better’ or more important than the others: which basis is most appropriate to use will depend on NEC’s purpose and relationship with the individual. A lawful basis for processing personal data may consist of at least one of those legal grounds and will vary per personal data processing activity, scope and purpose. Data Subject provides consent to the processing. Legitimate interest of the controller provided that rights and freedoms of data subject are not violated. Performance of a contract to which the data subject is party. Compliance with a legal obligation. Protection of vital interests. Public interest or official authority.
  • 19. VIII. PERSONAL DATA BREACHES Destruction of personal data, where personal data no longer exists or no longer exists in a form that is of any use to the controller. Damage, where personal data has been altered, corrupted or is no longer complete. Loss of personal data, where personal data may still exist but the controller has lost control of or access to it or no longer has it in possession. Unauthorised or unlawful processing may include disclosure of personal data to (or access by) recipients who are not authorised to receive (or access) the data, or any other form of processing which is not compliant with laws and regulations. A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, whether by accidental or deliberate causes. © NEC Corporation 2019
  • 20. VIII. EXPLORING DATA BREACHES Visibly copying in all individual recipients to an email without permission to share their email address (assuming it's personally identifiable). Sending personal data to an incorrect recipient. Access to personal data by an unauthorised third party. Alteration of personal data without permission. Devices/laptops containing personal data being lost or stolen. Deliberate or accidental action (or inaction) by a controller or processor. Insecure disposal of paperwork containing personal data. Inappropriate access controls allowing unauthorised use. ls to gain unauthorised access or make unauthorised changes to personal data or information systems. A PERSONAL DATA BREACH is about more than just losing personal data. It is about the relative consequences to the individuals concerned. © NEC Corporation 2019
  • 21. VIII. PERSONAL DATA BREACHES PROCESS © NEC Corporation 2019 EMEA Personal data Breaches should be reported immediately upon discovery to incident@emea.nec.com. Be familiar with and follow NEC internal Policies. Please check the EMEA intranet. If a personal data breach is determined, NEC must perform an internal risk assessment to assess the likely risk to individuals as a result of the breach. If appropriate, NEC reports the personal data breach, if the threshold is met. Remediation plan for containing the data breach. Data Subjects Supervisory authority
  • 22. IX. ENFORCEMENT • Enforcement can be significantly different in each country. However, most EMEA Data Protection Supervisory Authorities are entitled to: carry out checks; consider complaints from data subjects; require the submission of necessary information about personal data processing by the data controller; require the undertaking of certain actions according to the law by the data processor, including discontinuance of the processing of personal data; file court actions; initiate criminal cases; and impose administrative liability.
  • 23. NEC in EMEA Data Protection Programs. Are you aware of it? • Data Protection Privacy Framework. Policies, protocols and instructions for EMEA NEC’s compliance approach to the requirements of Data Protection Laws. You can find the Data Protection Framework in the Intranet site. https://intra.emea.nec.com/legal. • Training and awareness. General and refreshing training for NEC employees around the requirements of Data Protection Laws, new compliance channel for data protection communications and layers regularly published for specific topics in the EMEA intranet. • Alignment with NEC Corporation. Alignment within NEC Group on projects where data protection applies or where NEC EMEA Affiliates are part of. • Data Protection Governance Structure. Reinforce the Privacy team within EMEA Region (i) Data Protection Officer(s) and, (ii) Privacy Collaborators. © NEC Corporation 2019 X. NEC EMPLOYEES’ RESPONSIBILITIES
  • 24. X. NEC EMPLOYEES’ RESPONSIBILITIES NEC Corporation • Global Chief Compliance Officer. • Compliance Division. NEC EMEA • EMEA Data Protection Officer. • Privacy Collaborators. NEC CA's • Data Protection Officer(s). • Privacy Collaborators. © NEC Corporation 2019
  • 25. X. NEC EMPLOYEES’ RESPONSIBILITIES All NEC employees are responsible towards Data Protection. Data Protection is for the entire Group. All employees have an important role in continuous compliance of Data Protection Laws. 25
  • 26. X. NEC EMPLOYEES’ RESPONSIBILITIES • Be aware of the importance of privacy: Follow and read NEC Policies. • Be careful in deciding about Data Protection Laws compliance without consultation. Always ask! • Only collect personal data that is reasonably necessary for the legitimate purposes for which you are collecting that personal data. • Do not share any individual’s information with any third parties unless you have received authorization from your Manager based on advice from Privacy team. • Choose the less intrusive privacy approach in your day to day activities including managing data, designing products, and services. • Follow closely the principles and obligations highlighted in this training. NEC collects and processes personal data of its customers, employees, suppliers and any third parties. NEC is committed to respecting the privacy rights and freedoms of the individuals whose personal data is collected and processed by complying with all applicable data protection laws. © NEC Corporation 2019 ATTENTION! • All NEC employees are responsible towards Data Protection compliance. • All employees have an important role in continuous Data Protection compliance. Follow NEC internal rules
  • 27. XI. QUIZ © NEC Corporation 2019 1)Data protection laws generally set out rules and standards for: (a)Processing personal data; (b)About deceased persons; (c)Apply to private companies; (d)None of the above. Answer : a) Data protection laws generally set out rules and standards for the use and handling ('processing') of information ('personal data') about living identifiable individuals ('data subjects'). Laws apply to organizations in all sectors, both public and private.
  • 28. XI. QUIZ © NEC Corporation 2019 2) Under the sensitive personal data definition, which of the following is not considered sensitive: (e) Trade union membership; (f) Biometric data; (g) Financial data (bank accounts); (h) Religion. Answer c) Financial data is considered personal data; however, it is not sensitive personal data.
  • 29. XI. QUIZ 3) Data protection is guided by certain principles on how NEC should handle personal data. Which one of the following is not one of these principles? (a) Only collect what is necessary. (b) Ensure data is accurate and up to date. (c) Ensure data is not duplicated to minimise spread of data. (d) Don’t keep data longer than required and dispose of it properly. Answer: c) Ensure data is not duplicated to minimise its spread. Although data should be as streamlined as possible, this is not one of the principles. The EMEA intranet site is a good place to look at those.
  • 30. XI. QUIZ 4) Data Protection Laws introduce a new data protection accountability concept. Please select the correct option: (a) It makes NEC responsible for complying with Data Protection Laws and says that NEC must be able to demonstrate compliance; (b) Implement a privacy management framework; this can help you embed your accountability measures and create a culture of privacy across NEC; (c) Being accountable can help NEC in EMEA to build trust with individuals and may help NEC mitigate enforcement action; (d) All the above. Answer: d)
  • 31. XI. QUIZ 5) When a personal data breach occurs, what is the maximum time an NEC employee has to report it? (a) 12 hours. (b) Immediately upon discovery. (c) No need to report it internally; I can manage on my own. (d) There isn’t a limit. Answer: b) You should report a data breach as soon as you are aware. If you’re not sure what’s happened or whether what you’ve found is a data breach, the rule is: If in doubt, report – it’s better to over-report than under-report. NEC keeps a record of all actual and potential breaches.
  • 32. XI. QUIZ 6) I sent an internal mail with personal data attached to an incorrect internal recipient. What are the next steps? (a) Nothing, that is not a data breach. It’s internal and I can handle the situation on my own. (b) Report it immediately upon discovery to incident@emea.nec.com. (c) I recall the message; the data breach is closed. (d) All of the above. Answer: b) Report it immediately upon discovery to incident@emea.nec.com
  • 33. XI. QUIZ 7) If you have a general question about data protection, where should you go for more information? Choose as many options as you consider appropriate. (a) Always go to your Supervisory Authority. (b) Check out the Data Protection EMEA intranet site. (c) Contact your Privacy Collaborator in your NEC CA. (d) Contact the Data Protection Officer(s). Answer: b, c and d) You can, of course, speak to your Supervisory Authority or anyone else, but our Data Protection EMEA intranet site is a good place to look. If you can’t find an answer there, contact the Data Protection Collaborators in your CAs or your Data Protection Officer(s).
  • 34. XI. QUIZ 8) Staff management and payroll administration; access to/consultation of a contacts database containing personal data are examples of: (a) Data Controller/Responsible Party/Operator; (b) Data Processor/Operator/party that processes personal data under the Operator’s instructions; (c) Processing of personal data; (d) None of the above. Answer: c) Processing of personal data.
  • 35. XI. QUIZ 9) Being clear from the start about what the purposes for processing are is part of: (a) Lawfulness, fairness and transparency principle; (b) Data minimisation principle; (c) Purpose limitation principle; (d) Security principle. Answer: c) Purpose limitation.
  • 36. XI. QUIZ 10) NEC collects and processes personal data of its customers, employees, suppliers and any third parties. NEC is committed to respecting the privacy rights and freedoms of the individuals whose personal data is collected and processed by complying with all applicable data protection laws. (a) True (b) False. Answer: a)
  • 37. Thank you very much for your collaboration