GDPR and European Privacy Law Part II: GDPR Rights, Obligations, and Data Transfer (2023)


This course provides an overview of the GDPR’s data protection responsibilities, rights of data subjects, and data transfer requirements and methods. (3-month access)



To learn about the rights of data subjects under the GDPR, to understand the obligations that the GDPR imposes on data controllers and processors, to learn how the GDPR handles data breaches and vendor management, and to understand how data can be transferred across borders.


Length: Approximately 1 hour

Written by: Professors Daniel J. Solove and Paul M. Schwartz

Instructor: Professor Daniel J. Solove






This course provides an overview of the GDPR’s data protection responsibilities, rights of data subjects, and data transfer requirements and methods. It discusses data subject rights including transparency, access, rectification, erasure, restriction of processing, data portability, and automated decision-making, among others. The course then covers the obligations of data controllers and processors, such as having a Data Protection Officer (DPO), data protection by design and default, records of data processing activities, and data protection impact assessments (DPIA). Additionally, the course covers the GDPR’s rules for data breach notification and vendor management. The course also covers the GDPR’s approach to international data transfer as well as the various mechanisms for such transfer, such as the model contractual clauses, BCRs, and Privacy Shield.


Although this course can stand alone, it is recommended that this course be taken along with its companion course: GDPR and European Privacy Law Part I: The European System and the Structure of GDPR.


To obtain a broad overview of privacy law, to understand the key issues involved, to learn how privacy law works, and to understand the differences and similarities between various privacy laws. Please note that certificates for the GDPR courses will only be provided for people who successfully complete both Parts I and II.



About this Course
GDPR: Rights of Data Subjects

Right of Access
Right to Rectification
Right to Erasure
Right to Restriction of Processing
Right to Data Portability
Right to Object
Automated Decision-Making

GDPR: Obligations of Data Controllers and Processors

Data Protection Officer
Data Protection by Design and Default
Records of Data Processing Activities
Data Protection Impact Assessments

When Is a DPIA Required?
What Must a DPIA Contain?
How Should a DPIA Be Conducted?

GDPR: Data Breach Notification

GDPR: Vendor Management

International Data Transfer

Adequate Level of Protection
Model Contractual Clauses
Binding Corporate Rules (BCRs)
Privacy Shield




Required Readings

Handout: TeachPrivacy, GDPR Whiteboard
Handout: Rights of Data Subjects Under the GDPR
Handout: Obligations of Data Controllers and Processors Under the GDPR
Handout: EU-US Privacy Shield Principles
Article: Paul Schwartz & Karl-Nikolaus Peifer, Transatlantic Data Privacy, 106 Geo. L.J. 115 (2017)

Recommended Readings

Handout: TeachPrivacy, GDPR Training Guide