General Data Protection Regulation is coming

Formal Metadata

Title
General Data Protection Regulation is coming
Subtitle
What does it mean for your software?
Title of Series
Number of Parts
95
License
CC Attribution 4.0 International:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
The European General Data Protection Regulation will apply in May 2018. What does this mean for your software? What do you need to consider? Which information do you need to publish?
Transcript: English (auto-generated)
We are talking about the General Data Protection Regulation. It will come in May 2018. It's a European regulation.
And there are only a few things Germany could, is allowed to make better, make harder. Like a kid's age, the European law says something about kids with 16 are allowed to decide by their own.
Germany could make this for 13. Anyway, there is a new German data protection law, but it's not valid yet. And it's a question if it ever will get valid, because it's against the European law.
Anyway, what I will tell here is mostly what's relevant for software developers, what needs to be changed or considered. My slides are only valid with my talk. They have no standalone meaning. That's very important.
They belong to the talk. I made my slides bilingual, because there are so many law words that even I didn't know in English before, that I said I will do the slides mostly in German and English,
so that when you don't know the English word, you may know the German word. And by doing this, I also figured out a bug in the German translation, which I posted to the European Union, and they said, wow, that's a translation bug, you are right. It was really funny.
So, my name is Susanne Holzgraefe. Some of you know me from PostgreSQL and MySQL, MariaDB, already, but I have a second hobby or a second business. I do it also. It's also my business.
It's data protection, and I'm a data officer, data protection consultant and trainer, so I educate data protection officers. And I'm a member of the Deutsche Vereinigung für Datenschutz,
that's the oldest group we have in Germany, that's about me. So, the first question I have,
what do you think means data protection? No, I know that you know it. Don't ask me, yeah.
Data protection, so the reason for the laws in the main is to protect your data from the governments. The governments don't get your data and by using your data, having power over you.
And data protection, the second reason why we have so strong data protection laws is to protect you from advertising. That's the two biggest reasons. I have a second question, why you can't think.
Half a minute, what means private for you? It's a very personal question, what means private,
because there are people, they need more private space than others. There are couples who say it's totally fine and my husband or my wife reads my emails and my chats with my friends and there are others who say, oh no, that's a no-go,
my husband or my wife should not read it, I won't read it from my partner too. It's just an example. Private is very individual, there are rules what the government or the laws call private, but that's the example I just gave, it's pretty private.
So, data protection is self-determination instead of alien determination. I looked for a translation for the word Fremdbestimmung, I found of course the official Latin word,
but when I would tell you, nobody knows what it is. And there were, yeah, alien determination was the most close and I thought it's funny to have this word alien in it, it's what Google translated on it. So, yeah.
There is no real translation for the German word Mündigkeit. Mündigkeit means the ability to care for your own, that you are responsible for what you are doing by your own, you are able to care for your own, the government don't need to care for you.
Yeah, data protection means privacy protection, data protection means anonymity, data protection means freedom, and data protection means protection against government and advertising,
I already told you. There are three very important reasons for data protection,
sorry, three reasons for them. It's lawfulness, so data protection should be lawfulness, fairness and transparency, that's the background behind data protection, lawfulness, fairness and transparency.
And when you read the German data protection rules from the European Union, you will find a translation in it for fairness that's incorrect. So fairness means what we call in German fairness. True.
So more, another reason for the law is the purpose limitation. So you are only allowed to store data for one purpose or for the purpose,
so you are not allowed to take my data that you got from me for purpose A to use them for purpose B without my agreement. So purpose limitation. Then another is mandatory.
You are only allowed to ask me for personal data if it's really mandatory to make a business with me. And you are only allowed to store this data when it's mandatory for the business
we have with each other without my allowance. For all other, when you want to store any other single information about me, you need my allowance. So when you are an online shop and I want to buy new shoes from you,
you are allowed, of course, to ask where to deliver. That's okay. And of course you are allowed to ask about my shoe size because you need it to send me the right shoes. But you are not allowed to ask me about my hair color or whatever else.
If I don't need an invoice, you are not even allowed to ask an invoice address. Because you don't need it. But you are allowed to store it as long as the package is delivered,
as long as the business isn't finished without my allowance. When you want to store it more longer or when you want to send me advertising, you need to ask me.
And when you ask me and I say yes, I always have the possibility to withdraw this and you immediately have to react.
So when I say stop sending me advertising, you immediately should stop sending me advertising. So it's data minimization. So you should not store too much data. So we have a deleting duty in the European law
and we have a really deleting duty. In the actual German law you have a deleting duty but it's okay to lock the information when it's too difficult to delete them. That's not anymore in the European law.
In the European law you need to delete them. The European law says when your tool isn't able to delete it, then it's the wrong tool, then you should use a new tool, you should redesign your tools. Deleting is important, there is a deleting duty.
There's one, locking is just allowed. When there is a law that allows you to store the data more longer, for example for banking secrets or whatever else, but then you need to sort of anonymize the data.
But usually you have to delete them after the purpose is fulfilled. Another thing is accuracy. So it's up to you to make sure that the data are correct, valid.
If the data aren't valid or if you aren't sure that they are valid, you have to delete them.
Storage limitation, that's also deletion. So storage limitation is you have to delete the data after the purpose is fulfilled or when it was a storage for which you have my allowances. When I withdraw the allowance,
you immediately have to delete the information about me. Then we have integrity and confidentiality. So you make sure that my data, that all your employees
and all the companies where you, all your sub-companies that you have who act confidential with my data.
So it's up to you when you hire a sub-company to make sure that my data are confidential, that they really take a confidential care. And the last is accountability. So you have to tell the users what you are doing with their data precisely.
So if we had this slide, I don't know. So there are special, all information about a single person
doesn't have the same priority or the same confidentiality. There are kinds of informations, categories of informations which are highly confidential.
That are information about racial and ethnic origin, political opinion, religious or philosophic beliefs, trade or trade union membership, and the processing of genetic data, biometric data,
data concerning health or data concerning a natural person's sex life or sexual orientation and data for when you were in prison. That are special categories of data. I won't tell more about this in this talk
because it's a very difficult area. You have to consider way more of stuff. But you can ask me a lot about it because I'm a specialist for this kind of data. So you have a deleting duty, I already said it.
Immediately after fulfillment of purpose, you need to delete the informations after opposition period. So that means a fulfill of purpose means after opposition period.
Locking instead of deleting is not allowed anymore. We're thinking towards a tool decision I already told you and every information that can be,
that belongs to a group of minimum of three persons, because that's when it's not anonymity anymore, has to have an expired date. So when you say an expired date, after that you have to delete it.
New is pseudonymization. And that's awful. For pseudonymization you need minimum three physical separate servers. You need one for the origin data, one for the key
and one for the pseudonymized data set. And you have to be sure that when you pseudonymize your data set, that with all the informations in your data set,
you can't find a group of three people, less than three people. So that means when you just have the pseudonymized data set, nobody should be able to figure out to whom belong these data sets.
And three people always is the minimum you need for anonymization, for that's not clear anymore to whom they belong. There's a minimum of three people for that.
So it has to be impossible to identify a person by data set content. Pseudonymization, you usually, you always need, generally, need for sensible data.
That was this group of health and sexual life and political opinion and so on. And after the purpose fulfill, when you have a law that says you need to store the data further on the next three, six, ten years, you need to pseudonymize them.
Yeah, for storage duty. That's awful because it's lots of work if you didn't start it yet. The penalty if you, for not following the European data protection rules is
20 or 40 million dollars, you, or if that's not enough for your company,
two or four percent of your worldwide, oh, I don't know the English word, what? Revenue. Revenue, yeah, revenue from the last year. So, the European Union wants that it really hurts when you finally don't...
Yeah, do you have a question? Yeah, when you want to pseudonymize, that means you have a key with which you can get the data back.
You have a key like, yeah, encryption key, yeah, an encryption key, yeah. Yeah, to get it back, so that's the difference between an anonymization and pseudonymization.
An anonymization, you have to make sure that nobody will ever can get their origins back and by pseudonymization, you can get it back.
Yeah, but you need to be direct. So, not the administrators have to be three different persons. So, the administrator of the pseudonymization server should not be allowed to figure out what's the original data.
So, I just, that's typical at the moment, how health do it, they have three servers. They have this encryption key on one server, they have the original data because the doctor needs to still work with it and they have pseudonymized data for research, for example.
And in any way, you have to make sure, and you also have to make sure that the service people for the database aren't the same person for your origin data and for your pseudonyms. Yeah, you'll be just, for storage reasons, you just need two, you need the key and the pseudonymization
so that you get it back, yeah. But when you need the origin data for the health reason, for example, because there you always need two pseudonyms. Yeah, there is another new thing.
Most web online shops and online have it already, but for others it might be a lot of more work. The European law says the controller should provide remote access to a secure system
which would provide the data subject with direct access to his or her own or her personal data. That means I always should be able to watch my own data. It's just looking, it's just reading.
So I know lots of companies already provided and you are also able to change your own data. I could change my last name after I married, lots of companies, I could change my last name by my own or when you move you could change your own address and so on and so on.
But there are lots of companies where you can't see it. Also Facebook and Twitter, you are able to change your own interests. You always can say, no, that's not my interest, but you need to do it very often
because they always find, think you have very odd interests, yeah? You should. And it's in the pre-definition of, so it's in the pre-definition it's 663, so you should.
What? All what you can, all what belongs to a single, all information is about a single person.
All information is about a single person. So information that you can, that can be, which with, you can describe a single person.
So where you can match, for example it's when your shoe size, when I have Sergei and your last name, I don't want to tell it now, Sergei and Sergei has a black t-shirt, he loves programming, he always wears green shoes or whatever else,
all personal information about you.
Yeah, yeah, but when you store them with your name, it's your shoe size. So it's not, I'm a shoe vendor and I have shoes in 38, 39, 40 and so on, that's of course no personal information, but when I store Sergei, he has shoe size 39 for example,
then it's a personal information. So sexual orientation, there is a classical, they discuss it at the moment that we need a spacer,
so we expect that the judges will decide that way. The data protection law always just rules for living for, don't rule for dead people.
But when we have genetic data, it can be that the person is dead, but it's an illness, he has had an illness, where it's very,
where the chance is his son also will get this illness, so when he's dead, and so the whole family is hit, so that's sensible data too.
Maybe you're kind of thinking where can we highly confidently identify you as belonging to a particular group? You are not allowed to store that, even not with the law net.
Yeah, exactly.
Yes, exactly, and that's what when you combine it, then you have personal information
and on the sensible information they are only allowed to store and to ask for from from non-profit organisations, where the main business is around that you are asking for.
So health data only from health information and sexual information from sexual...
You are not allowed to ask for it. I can't follow the results, we can discuss it later, because, so...
Transparency. Transparency means you have to be concise, transparent, the transparency has to be concise, transparent, intelligible,
easily accessible from, from, using clear and plain language. That's very important. And all the informations you have to hand out to your users, to your, to the people from whom you have personal informations,
they have to be written in clear and plain language. When you have, when you store informations about children,
it's even more than clear, more than plain. In German it means leicht, I don't know the English word for Leichte Sprache. So, usually it's enough to have Einfache Sprache, but when you have children you have to write it in Leichte Sprache, yeah?
No, no, this information needs to be in plain form, we will see it on the next slide. You need to, the information needs in plain text or even spoken or even with pictograms. Yeah, so that every person from whom you collect informations will understand it.
Yeah, children have to understand it. Providing in writing, that's, yeah, you have it, providing in writing. When requested additional, orally.
So, for example, when you have customers who only understand orally, then it's when they request for orally, you have to read it to them, yeah? The information of the person, transparency, yeah, exactly.
No, no, not the permission you give, always. Also, when you don't need a permission from me, you have to inform, you have to inform the person from whom you store the data, what you are doing with it, and so on and so on,
and we will see it, what you all have to, what informations you have to give them, and that has to be in simple language or in plain language. Simple language is the word for the other. So, yeah, that's what I said, you have to inform them, and it's a lot what you need to inform them.
So always, before or while, you're asking for the data. So, my idea is, when you're asking for informations on webpages, or via internet, you could
do it like we do it today with the business rules between you and the customer. Just make a page where all is given, and then make a checkbox where the user needs to check if I've read it, before he can go further on.
So, that's the information duty, what needs to be in it, you need to point out
who I can contact, who is responsible for the data, who is your data's data protection officer,
you need to point out the data protection officer contact address. At the moment it's hard, every company needs, or most companies need the data protection officer, lots of companies, and the data protection officer, you always can, are allowed to talk with the data protection officer without the company knowing about it,
but it's mostly difficult to find out who is the data protection officer without contacting the company. So, today you have to go to the government, and the government will ask the company, and then you get the data protection officer and contact data.
It's difficult, and so the European Union says that this contact data needs to be given public. You have to make it public, or you have to tell every person from whom you store the data, the information, or from whom you will get the data,
who is your data protection officer, and how you can contact him or her. And you need to make sure, make clear who is responsible for the data, so who will pay for it when the data gets lost. So, that's easy, most times. There are organizations where it's not clear who is responsible, but most often it's clear.
You need to point out the purpose, why you need the data, and when there is a legal basis, you need to point out the legal basis,
if there isn't a legal basis, you either have a real good reason, like I can't deliver the package when you don't tell me where to deliver, it's a pretty clear and logical reason, and otherwise you need the agreement, and also for other purpose.
So you can't just say, I want your data for sending you an invoice and for advertising.
So that's not okay, so you can't see for invoice, and then you can point out the invoice legal laws, but the tax law paragraphs, but for advertising there is no legal law, so you would need an agreement.
Then, where the processing is based on point, so where the process is based on F, okay.
You need to point out who will get your data, who will work with it, for example marketing, but it's not good having marketing without agreement, but also when you have others who will work with it.
You need to point out to whom you transfer the data, and if you transfer them to a third party company,
to a non-European Union country, and international organizations are similar to non-European countries, non-European means non-European Union, nor Switzerland, nor Norway.
So Norway and Switzerland, the law says is okay, but nothing else. So, but that's not all, that's all information you already need to provide now, because we have this already in the German law, that you need to provide this.
If you didn't do it at the moment, you should do it, because it's way more penalty if you don't have it. And that's something, if you don't have this information, it's the 40, no 20 million, 40 million, it's a higher one, 40 million or 4%, or 20 million and 4%, something like this.
So, 20 and 4 is this, yeah, yeah. So, but you need to inform the people more.
There are much more. You need to inform the person, yeah, for when the data obtained.
The period, how long you will store the data, it's also something you already needed to have, but the existence of the right to request.
So, when you have an agreement, then you need to tell the user, the person, that they have the right to request, but immediately, and you will immediately stop whatever you did with the data and delete the information.
And you need to inform the person in plain language. So, yeah, you need to point out all this law that he has, that he can
complain, also that he can complain at the government or at the government office with controlling this. You need to inform him and, yeah, so you have to do lots of law stuff.
All this right the person has, you need to inform the person about their rights,
that's very important. I not yet saw it, but maybe there will be some people who provide forms and examples how you can write this legal stuff. I not yet saw it somewhere, but yes, that's also when you do profiling and so on,
you need to inform them. I just wanted to stop because it's a lot of information, and so it's just you need to read it anyway what you need to inform them, but it's a lot, and when you don't inform the user or the person, yeah, it's very expensive.
Yeah, and you also need them if you want to use the data to different profiles, of course. As I said, the solution is easy. When you have online business, just mark, I read it, and good.
The most effort I think is writing all this stuff. What's the most important you need to consider? It's the deleting duty, it's the remote access, it's the pseudonymization, and it's the information duty.
That's the four most important points you need to consider. This information duty, half of them you already have from German law at the moment when you did it, when you didn't did it, so now you really should do it.
Pseudonymization I guess is most effort for all, and remote access, yeah, most have it anyway. Usually when I'm customer of a company who provides something online,
I can change my data, I cannot even read my data, I also can change it. The deleting duty, because we have in Germany at the moment, you should delete, but when you can't delete, you can lock, and most companies just block, or there are lots of companies where even is the, you can't remember, they think it's very difficult to delete even when it's easy,
so what's difficult to delete is a feeling, yes?
Logging with Guy, you are not allowed to, you are generally not allowed to control your employees,
for example, or, yeah, yeah, yeah, no, you are, you would not, there is no law for this,
so you are not allowed without my allowance to log, to store that anyway, to store that in any kind. No, no, sorry, I, when I said there is no,
there is no law, of course there are bank secret laws, there are some laws where they have, like banks have own secret laws, churches often have it, health companies, yes?
Yeah, yeah, yeah, exactly, yeah, exactly, statistics should be,
yeah,
so the question is, now, in any case, statistical data needs to be minimum,
you are not allowed that you can, so that's same for health data, for example, you always have, when you have statistical data, they have to be sort of minimized, and in that case, they have to be un-anonymized, because you have no law, no right to do it,
there is no law that, besides banking or so, but in standard use, you don't have a law for it, and then you are not allowed to do it, it's very simple, and when they, so your customer also can say, okay, you stored my IP address, you didn't ask me for it, and then you
have to pay the penalty, he can go to the officer and say, hey, here, look, and what's also allowed is that not only the person himself can go to the officer,
it's at the moment, oh, no, I don't know if it's still at the moment, I don't know, that's the German law, so there can be organizations going against you, like, they are allowed to complain about you at the officer, and then the officer also will
get you a penalty, so at the moment, the old law was that only the person who, the person himself and the data protection officer were allowed to announce it or to complain
at the officer, but there is a new German law that says that also organizations like can complain.
So a month is not a problem anyway, because three months is minimum for,
or what's the English word, I forgot it, and usually at the moment the officers say deleting a year is okay,
but that's not in the law, that's how our judges decided and they said when you delete remove all by end of your year, your business year, it's okay, but the three months you have anyway, so of course the law says immediately,
but immediately means after the retention time is over, so you have the three months,
judges are a little bit more, okay, latest at the end of your business year, so there is a law for it, also for health services.
Yes, anyway, you need to, when you have archiving law, without deletion,
anyway, when you have a storage or archiving law, then you need to because there is the law that you need to archive it,
and it's the same, and for health of course you need to already, but on other data you need to when you start archiving.
No, it's pretty clear what is personal data, the question is what is personal data? Personal data are all data that belongs to you.
So let me first repeat for the camera,
so any information with which a single person can be identified, the example was when you have a group of people and just one is wearing glasses, it doesn't matter how big the group is, so the one of wearing glasses always can be identified,
and it needs to be minimum four people or three and more, is my information, that you can't identify with same information, where judges say you can't identify a single
person any more, so when you have a group of four people wearing glasses, then it's okay, but when you just have a group of 100 people wearing glasses, then the person with glasses is clearly to identify. Yeah, your second question.
So for companies it would be kind of like what am I allowed to store at all without facing
having any questions, so I guess that's kind of the... You're only allowed to store when you really need the information for the business. The person who wears glasses isn't personally identifiable,
so you don't need to ask people or you don't need to delete if you can store this much information, the person who wears glasses is also not identified with you, when you store the glasses or you don't need to delete it, you don't need to store it. No, because you don't know which...
When you don't have any other further information, the persons wear green t-shirts, that's not personal information, but when you have the names of the persons, green t-shirt, green t-shirt, green t-shirt, then of course you know who wears green t-shirts in your data set.
Yeah, but you need a second, when you just have...
When there's no other information, just persons with glasses and without glasses, you don't know who, and when you have 3,000 customers, you don't know who is wearing glasses. Five minutes, okay.
Anything? Anything? Email is difficult, because email always is difficult, because email always you have a combination of two persons,
because it's a chat between two persons. So both persons have rights.
Yeah, and they need to do it. They don't need to delete data where there is a right that they have to store them and what was it?
Yeah, retention or... Yeah, where you keep the information. There must be an easy way for you as a person to ask for it. So they have to accept it in written form anyway.
No, it doesn't matter if email or not. No, not anyway. Of course, they need to make sure that you are the person to whom belongs the data. So that is something to identify you as the data owner, but no, it has to be a very easy form and it has to be given in this information
you need to give the person anyway, so yeah. First of all, what happens with this data in the cloud? Like Amazon, that can be moved without your consent or notice from area to area.
For example, it can be moved from Frankfurt to some other region. So what happens with the data in cloud? Like Amazon, Amazon is an international organisation, it's a party.
It's even worse. In my case I'm buying things in Germany, in the US and in India. So in India is mandatory for the Indian organisation or they don't...
No, that's exactly the European law just works for you. Yeah, but I mean, is the US have to comply with that? Is the UK going to comply with that once the Brexit is done?
We don't know, we don't know. Okay, great. Britain has stated that they will comply to the US and the US.
Yes, exactly, EU, no, no, no, that's why, so the law just is for you,
that's why you need to point out that you will give you the data out of the European Union.
And there are no way Switzerland belongs to it too, and yeah, as he said, UK too. So I want to wait what UK still is you, but there was a question and there was a question and we have five seconds, I think we can, what?
European Union countries. Is it already there? Yeah. And you had a question. Someone? Yeah. The data is stored in the EU? Yes. The law also of course would protect not European citizens
as long as the data and the businesses is in the EU and you are living in the EU, so it protects you as every European people. Yeah. We have to stop.
58 seconds after. Okay. Thank you.