Ch. 4 Flashcards
Personal data
Any information relating to identified or identifiable individuals
Relation of personal data with individual, 3 ways
Content, purpose, content
Identified/identifiable?
Take into account all the means reasonably likely to be used to identify the person. Wide scope.
Pseudonymization
‘The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person’
Categories of special data (9)
Racial/ethnic origin, political belief, religious beliefs, trade union membership, genetic data, sex life, biometric data, health
Exceptions for processing ban of art. 9
- consent of subject for specific purpose, except when this is not possible under Union or Member State law
- some functions in scheme of employment / social security law
- subject incapable of giving consent, and data is vital to protect his interests/another person
Data controller
determines the purposes and means of the processing
Factors to consider when distinguishing the roles of data controller and data processor
- Level of prior instruction given by the controller
- Monitoring by the controller of the execution of the service
- Visibility/image portrayed by the controller to the individual
- Expertise of the processor: the greater the expertise of the service provider relative to that of its customer, the greater the likelihood that it will be classified as a controller
Subprocessing
A processor may not engage another processor without prior authorisation of the data controller. The initial processor remains fully liable to the controller for the performance of its subprocessors.
Data processing definition
- Any operation or set of operations which is performed on personal data,
- by automated means or manually if part of filing system
- such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
Territorial scope GDPR
- Controller/processor is established in EU (doesn’t matter whether processing takes place in EU)
- Data subjects are in the EU, and processing relates to offering goods/services or monitoring behavior in the EU
- Controller not established in EU, but in a place where member state law applies via international law.
‘establishment’
‘implies the effective and real exercise of activity through stable arrangements’ → legal form of arrangement is not determinative.
in context of
‘inextricable link between the activities of an EU establishment and the processing of data carried out by a non-EU controller’
Monitoring behaviour
- specifically includes the tracking of individuals online to create profiles, e.g. for analysing or predicting their personal preferences, behaviours and attitudes.
- ‘the behaviour monitored must first relate to a data subject in the Union and … the monitored behaviour must take place in the Union’
- does not require that the controller or processor have an intention to monitor individuals in the EU, and in this regard, it is wider than the test in Article 3(2)(a) GDPR.
Not under material scope
- activities outside scope of EU law
- data processed in course of household activity
- processing of personal data ‘by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences / for public security’