DATA PROTECTION: GDPR, PCI & Data Security
Protecting our Customers' Data
Index
- Objectives
- Introduction
- PCI DSS
- GDPR
- Data Breaches
- Quiz
Introduction
What is it?
Data protection is both the practice and the technology of protecting valuable and sensitive company and customer data, such as personal or financial information.
Why is it important?
- It helps reduce the number of data breaches that an organization can suffer
- It helps prevent loss of revenue
- It helps protect customers' privacy
- It helps maintain and improve brand value
Up to 20 million euros is the fine for businesses that do not comply with the GDPR law.
By the end of this training you will learn:
01 PCI DSS: What PCI DSS is and how to comply with it
02 GDPR: What GDPR is and how to comply with it
03 Data Subject Rights (DSR): How to handle customers' requests related to their Data Subject Rights
PCI DSS
What is it?
The PCI Standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data to reduce credit card fraud.
PCI DSS: Rules
There are a number of rules you need to follow on a daily basis in order to ensure PCI compliance.
PCI DSS: Penalties
Payment brands and Banks
Each payment brand can fine the banks for PCI DSS violations. The banks, in turn, can withdraw eDreams ODIGEO's ability to accept card payments because of non-compliance.
PCI DSS: Penalties
PCI and GDPR
A PCI DSS violation is also a violation of the GDPR. Therefore eDreams ODIGEO can face a fine of up to €20 million or 4% of annual turnover (whichever is higher).
It takes 20 years to build a reputation and a few minutes of a cyber-incident to ruin it.
GDPR
GDPR: Definition
The General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. Any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR, even if they do not have a business presence within the EU.
GDPR: Personal Data
Personal data is any information related to an identified or identifiable natural person.
A natural person can be identified by any of the following identifiers:
- Name
- Identification number
- Location data
- Online identifier (e.g. IP address)
GDPR: Sensitive Personal Data
Any data revealing information related to any of the traits below can also identify a natural person. This type of data is classified as Sensitive Personal Data and we must protect it:
- Physical
- Physiological
- Genetic
- Mental
- Economic
- Cultural
- Social identity
GDPR: Data Subject Rights (DSR)
What is it?
Data Subject Rights (DSR) are the data protection rights of the individuals ("data subjects") whose personal data is being processed. Our customers, as "data subjects", can exercise their rights at any time, and we have the obligation to respond accordingly.
GDPR: Data Subject Rights (DSR)
- RIGHT TO ACCESS
- RIGHT TO RECTIFICATION
- RIGHT TO ERASURE
- RIGHT TO OBJECT
- RIGHT TO PORTABILITY
- RIGHT TO WITHDRAW CONSENT
- OBLIGATION TO NOTIFY RECIPIENTS
What happens if we do not comply?
GDPR: Penalties
- A warning in writing
- Regular data protection audits
- A fine of up to €10 million or up to 2% of the annual worldwide turnover
- A fine of up to €20 million or up to 4% of the annual worldwide turnover
Data Breaches
Types of Data Breaches
Case studies
Case Study - Right to Object (1/2)
Customer wants to exercise his/her Right to Object.
Customer: "I want to no longer receive your Newsletter."
Solution 1: "I understand your concern, but for data protection reasons it is the responsibility of the customer to unsubscribe themselves. I'm sorry, but we cannot act on your behalf. To make things easier for you, I can send you an email with the direct link to our dedicated Help Centre article."
Solution 2: "For security reasons, we cannot process this request, as you have to do it yourself. You will find all the information directly in the 'Unsubscribe' article of our Help Centre, which you will find at the bottom of the 'Cancellation' section."
Case Study - Right to Object (2/2)
Customer wants to exercise his/her Right to Object.
Customer: "I want to no longer receive your Newsletter."
Challenges:
- Customer is still receiving emails after unsubscribing from the website
- Customer has encountered issues during the unsubscription process
Solution 3: "For security and legal reasons we do not have access to customer personal data, BUT we will try to send the request on your behalf to our dedicated team. Could you please confirm your email address? It will take 24h to delete your personal data (and/or Account) from our database."
Case Study - ANY GDPR Right request (1/2)
Customer wants to exercise ANY of his/her GDPR Rights.
Customer: "I want a copy of my data."
Solution 1: "For security reasons, we cannot process data protection requests, as you have to do it yourself. The easiest way to do this is by filling in the Privacy form enabled for this purpose, as the request will be automatically processed. You can find the Privacy form in the Privacy policy area of the website. Or, if you prefer, you can address your request in writing to our Legal department at the following address:
eDreams International Network, SL
Attn. Data Protection Officer
Carrer Bailèn, 67-69.
08009 Barcelona
Spain (European Union)"
Case Study - ANY GDPR Right request (2/2)
Customer wants to exercise ANY of his/her GDPR Rights.
Customer: "I want a copy of my data."
Solution 2: "I understand your concern, but for data protection reasons it is the responsibility of the customer to exercise their Data Protection rights. I'm sorry, but we cannot act on your behalf. To make things easier for you, I can send you an email with the Privacy form."
Memory check
Quiz 1/5
Which one of the three is NOT a rule of PCI Compliance?
- Do not use phones while working from the office or home
- Always stop the call recording when collecting credit card data
- Never ask customers for credit card details over the phone
Quiz 2/5
The GDPR law applies to:
- Only companies based in the European Union
- All companies who deal with and store personal data of EU nationals
Quiz 3/5
Which of the answers are Consumer Rights under the GDPR law?
- RIGHT TO ERASURE
- RIGHT TO RECTIFICATION
- RIGHT TO OBJECT
- ALL ANSWERS ARE CORRECT
Quiz 4/5
What is the most severe penalty for GDPR non-compliance?
- A written warning
- Up to €10 Million or 2% of global turnover (whichever is higher)
- Up to €20 Million or 4% of global turnover (whichever is higher)
Quiz 5/5
If a customer wants to unsubscribe from the Newsletter, can we do it on their behalf?
- Yes, always
- Yes, but only in exceptional cases when the customer was unable to do it themselves
Now time for the final Knowledge test!
EN-PCI, GDPR and Data Security
Ekaterina Shumova
Created on April 29, 2021