A Meta-Model Driven Method for Establishing Business Process Compliance to GDPR

2016. aasta aprillis kiitis Euroopa Parlament ja Nõukogu heaks ning võttis vastu uue isikuandmete kaitse määruse - GDPRi (Isikuandmete kaitse üldmäärus), mis jõustub 2018. aasta mai lõpus Euroopa Liidus (EL). GDPRi eesmärgiks on lahendada ELi kodanike isikuandmete kaitse ja kasutamisega seotud päevakohaseid probleeme. Uue määruse kohaselt kõik organisatsioonid, mis kasutavad ELi kodanike isikuandmeid oma igapäevases tegevuses, peavad oma infosüsteeme ja äriprotsesse ümber hindama, et need vastaksid uutele eeskirjadele ja piirangutele. Isikuandmete väärkasutus võib ettevõttele olla väga kulukas - kuni 20 miljonit eurot või 4% aastasest käibest trahvidena. Sellele vaatamata puudub tehniline juhis või selge lähenemisviis, mis aitaks hinnata infosüsteemide äriprotsesside vastavust GDPRi nõuetele. Käesolev töö käsitleb mainitud probleemi, uurides üldmääruse õigusakti teksti ja pakkudes välja infosüsteemide äriprotsesside analüüsimise metoodikat, mis aitaks viia äriprotsesse vastavusse GDPRi nõuetele. Pakutud metoodika aitab kaardistada isikuandmete liikumist erinevate osapoolte vahel ja tuua välja äriprotsessi probleemsed kohad, mis aitab vähendada isikuandmete kuritarvitamist. Pakutud metoodikat saab kasutada ka automatiseeritud tööriista väljatöötamiseks.In the April 2016, the European Parliament and Council approved the new personal data protection regulation - GDPR (General Data Protection Regulation), which will take effect at the end of the May 2018 in all Member States of European Union (EU). The GDPR is addressing common problems of the protection and the usage of the personal data of EU citizens. According to the new regulation, all organizations that use personal data of EU citizens in their day-to-day activities - have to re-evaluate their business processes and information systems to comply with the new rules and constraints. The punishment for misuse of personal data can be very costly to the company - up to 20 million euros or 4% of the annual global turnover in fines. Nevertheless, there is no technical guidance or clear approach that would help to evaluate business processes of an information system to comply with GDPR. This thesis will address mentioned issue by researching the GDPR legislation text and proposing an actual methodology for analysing business processes of information systems and aligning them with the GDPR. The proposed methodology will also help to map the flow of the personal data between different parties and highlight the problematic places in the business processes suggesting measures to reduce the misuse of personal data. This approach could be used as a reference point for developing the automated tool for analysing the processes of an information system to comply with GDPR

Halal Logistic Business Model Development in Indonesia

As the study on halal logistic has been gaining recognition, this study aims to develop the business model for the halal logistic in Indonesia. With the biggest number of Muslim population, the shifting toward to halal logistic becomes critical in keeping the business sustainability. Adopting the VIP framework, this study defines a business model through an elaboration of primary and secondary data. Primary data is derived from an in-depth interview with three industries representing agribusiness, retail, and logistic provider; while secondary data is derived from a comprehensive literature review to discover the halal logistic business model development. Through an extensive analysis, value exchange (V), information exchange (I), and business process (P) are presented as the basis to construct a business model of halal logistic in Indonesia

Smart Companies: Company & board members liability in the age of AI

Artificial Intelligence, although at its infancy, is progressing at a fast pace. Its potential applications within the business structure, have led economists and industry analysts to conclude that in the next years, it will become an integral part of the boardroom. This paper examines how AI can be used to augment the decision-making process of the board of directors and the possible legal implications regarding its deployment in the field of company law and corporate governance. After examining the three possible stages of AI use in the boardroom, based on a multidisciplinary approach, the advantages and pitfalls of using AI in the decision-making process are scrutinised. Moreover, AI might be able to autonomously manage a company in the future, whether the legal appointment of the AI as a director is possible and the enforceability of its action is tested. Concomitantly, a change in the corporate governance paradigm is proposed for Smart Companies. Finally, following a comparative analysis on company and securities law, possible adaptations to the current directors’ liability scheme when AI is used to augment the decisions of the board is investigated and future legal solutions are proposed for the legislator

Towards Transparent Legal Formalization

A key challenge in making a transparent formalization of a legal text is the dependency on two domain experts. While a legal expert is needed in order to interpret the legal text, a logician or a programmer is needed for encoding it into a program or a formula. Various existing methods are trying to solve this challenge by improving or automating the communication between the two experts. In this paper, we follow a different direction and attempt to eliminate the dependency on the target domain expert. This is achieved by inverting the translation back into the original text. By skipping over the logical translation, a legal expert can now both interpret and evaluate a translation

EU Privacy seals project: Inventory and analysis of privacy certification schemes

The objective of this report is to comprehensively inventory and analyse privacy and related certification schemes in the European Union and, where relevant, at the international level. The report will provide insights into the importance of privacy seal schemes and present information on the operational aspects of these schemes. The report will also help understand the privacy and data protection elements of the analysed schemes and provide and initial analysis of their shortcomings. The report specifically aims to understand whether (if at all) the analysed schemes address the requirements proposed under the GDPR. It will highlight the main convergences and differences between the schemes, who benefits from such schemes and what the impact of such schemes is.JRC.G.7-Digital Citizen Securit

Labor Relations Law in North America

[Excerpt] In establishing their Agreement on Labor Cooperation as a complement to the North American Free Trade Agreement, the governments of Canada, the United States and Mexico accepted the fact that each nation had evolved a different system of labor law and administration. They agreed that those systems should continue to evolve independently within each sovereign jurisdiction. But they also recognized the extremely important fact that these three systems were based on underlying principles which were held in common and which could be articulated. These are the 11 Labor Principles of the NAALC. Each principle defines a sector of labor law, which is given concrete expression by the statutes and jurisprudence of the different jurisdictions. The parties to the NAALC undertake solemn obligations to ensure that their laws in these sectors are effectively enforced. Thus all competitors in the North American Free Trade area will operate under the law in regard to labor matters, administered openly and consistently. Such is a major objective of the NAALC. The objective of this publication by the Commission for Labor Cooperation is to enable the public at large in North America, and not just specialists in comparative labor law, to know simply and clearly what those different labor law regimes are and how they are administered. The NAALC relies primarily on the public to draw attention to any deficiencies which may occur in regard to labor law administration. It is thus imperative that the public have ready access to the content of the laws and how they are meant to apply, organized following the schema of the NAALC

Data protection in a smart city bike system: the example of Turku

This study aims at analysing the data protection measures necessary in the city of Turku’s bike system. The city of Turku, Finland, has launched a city bike service, handled by the public transportation service ‘Föli’ and providing 300 bikes for rental all over the city. This new city feature makes Turku attractive, easily discoverable, eco-friendly and smart. For the purpose of this thesis, Turku is even considered as a smart city, as together with other smart services the city bikes allow for smart transportation and enhances urban life. Yet, as smart as the city can be, data protection should not be despised. The new General Data Protection Regulation 2016/679 (GDPR), enforceable on May 25th 2018, changes the rules for processing personal data and organisations are required to get compliant with it. Compliance with the GDPR encompasses several aspects, both from a technical and a legal point of view. This thesis analyses Turku’s city bike system and particularly all the steps requiring processing of personal data. This paper examines the possible technical risks, the actors involved and their liability under the GDPR, the applicable data protection requirements as well as the possible solutions for a smooth processing of personal data. The research has been made in concertation with Turku’s city bike system team with the aim of identifying the legal steps necessary to this system for a lawful processing of personal data