An easy explanation for European Data Governance Act (DGA) for implementation in software projects
The protection of personal data (hereinafter referred to as PDA) in the European Union is treated as an integral part of fundamental human and civil rights and freedoms, alongside personal integrity. The right of citizens to PDA is guaranteed by the founding treaties of the EU. According to Article 8 of the Charter of Fundamental Rights of the European Union and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU), everyone has the right to the protection of personal data concerning him or her. Moreover, this right applies not only to citizens of the European Union, but also to citizens of third countries legally residing in the EU, regardless of the duration of their stay.
The legislation introduced the concepts of cross-border data transfer and pseudonymization, established a number of rights for personal data subjects, and defined the role of the data protection officer (DPO).
In particular, the following concepts were introduced:
- data controller - a natural or legal person, public authority, institution or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data, for example a social network or a taxi service;
- data processor - a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller, for example a cloud service provider;
- data subject (person) - an individual whose data is processed;
- special categories of personal data - data about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data that allows a specific person to be identified, health data, and sexual orientation.
The following principles of processing were also established:
- lawfulness, fairness and transparency - there must be a legal basis under the GDPR for the collection and use of data, no law may be violated, and the use of personal data must be open and honest from start to finish;
- purpose limitation - processing must be limited to what was stated to the data subject. Every specific purpose must be set out in the privacy policy and strictly followed;
- data minimization - use only the minimum amount of data necessary to achieve the stated purposes;
- accuracy - personal data must be accurate and not misleading; erroneous data must be corrected;
- storage limitation - do not store data longer than necessary; periodically audit the data and delete what is no longer used;
- integrity and confidentiality (security) - store data securely and pay sufficient attention to its protection.
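The following is an added example, not code from the original article, showing how four of the principles above (purpose limitation, data minimization, pseudonymization, and storage limitation together with the special-category check) can be enforced in application code rather than left to policy. The purposes `ride_booking` and `billing`, the field names, the retention periods and the sample records are all constructed for the example; a real project would take them from its own privacy policy.

```python
"""Added example (not part of the original article): enforcing personal data
principles in code. Purposes, field names and retention periods are assumed."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Purpose limitation / data minimization: each purpose, as it would be stated
# in the privacy policy, maps to the only fields it is allowed to use.
# Constructed values for the example.
PURPOSE_FIELDS = {
    "ride_booking": {"user_id", "pickup_location", "phone"},
    "billing": {"user_id", "email", "payment_token"},
}

# Storage limitation: how long a record may be kept for each purpose (assumed).
RETENTION = {
    "ride_booking": timedelta(days=90),
    "billing": timedelta(days=365 * 7),
}

# Special categories of personal data that none of the purposes above may hold.
SPECIAL_CATEGORY_FIELDS = {
    "ethnicity", "political_opinion", "religion", "trade_union",
    "genetic", "biometric", "health", "sexual_orientation",
}


def minimize(record: dict, purpose: str) -> dict:
    """Keep only the fields the stated purpose is allowed to use.

    An unknown purpose is rejected instead of silently passing data through,
    because a purpose that is not in the policy has no legal basis.
    """
    if purpose not in PURPOSE_FIELDS:
        raise ValueError(f"purpose not in privacy policy: {purpose}")
    allowed = PURPOSE_FIELDS[purpose]
    return {k: v for k, v in record.items() if k in allowed}


def check_special_categories(record: dict) -> list:
    """Return the special-category fields present, so a caller can refuse
    to store the record (or require an explicit legal basis) before writing."""
    return sorted(k for k in record if k in SPECIAL_CATEGORY_FIELDS)


def pseudonymize(user_id: str, key: bytes) -> str:
    """Pseudonymization: replace a direct identifier with a keyed HMAC.

    The pseudonym is stable for the same key (records still link up) but
    cannot be reversed to the identifier without the key, which must be kept
    separately from the pseudonymized data.
    """
    return hmac.new(key, user_id.encode("utf-8"), hashlib.sha256).hexdigest()


def expired(stored_at: datetime, purpose: str, now: datetime) -> bool:
    """Storage limitation: True once a record has outlived its retention period."""
    return now - stored_at > RETENTION[purpose]


def purge_expired(records: list, now: datetime) -> tuple:
    """Periodic audit: split records into those to keep and those to delete."""
    keep, delete = [], []
    for rec in records:
        target = delete if expired(rec["stored_at"], rec["purpose"], now) else keep
        target.append(rec)
    return keep, delete


if __name__ == "__main__":
    # Constructed sample record containing more than the purpose needs.
    raw = {"user_id": "u-1001", "phone": "+000", "pickup_location": "A",
           "email": "x@example.invalid", "health": "allergy"}
    print("special categories:", check_special_categories(raw))
    print("minimized:", minimize(raw, "ride_booking"))
    print("pseudonym:", pseudonymize(raw["user_id"], b"example-key-held-elsewhere"))
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    keep, delete = purge_expired(
        [{"purpose": "ride_booking", "stored_at": now - timedelta(days=120)},
         {"purpose": "ride_booking", "stored_at": now - timedelta(days=5)}], now)
    print("kept:", len(keep), "deleted:", len(delete))
```

The design point is that each principle becomes a check a reviewer can test: the allowed fields per purpose are a single table that mirrors the privacy policy, the special-category check runs before any write, and the retention audit is a function that can be scheduled rather than a manual task.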