Ch 7 - Data Protection Flashcards
Define the meaning of the term sensitive personal data pursuant to Article 9 of the GDPR.
Sensitive Personal Data
"Sensitive personal data" is the Data Protection Act 1998 term; Article 9 GDPR refers to "special categories of personal data". Article 9(1) covers personal data revealing:
(i) racial or ethnic origin, political opinions, religious or philosophical beliefs;
(ii) trade union membership;
(iii) genetic data, and biometric data processed for the purpose of uniquely identifying a natural person; or
(iv) data concerning health, or a natural person's sex life or sexual orientation.
Processing of these categories is prohibited unless one of the conditions in Article 9(2) applies. The first such condition is the explicit consent of the data subject, so a data controller relying on consent must obtain explicit (not merely unambiguous) consent before processing sensitive personal data.
However, the GDPR recognises a number of exceptions to this requirement. List these exceptions.
Exceptions Regarding Processing of Sensitive Personal Data
Under Article 9(2), the explicit consent of the data subject is not required where, among other conditions:
(i) processing is necessary for carrying out obligations in the field of employment, social security or social protection law;
(ii) processing is necessary for reasons of substantial public interest, on the basis of law;
(iii) processing is necessary for archiving in the public interest, scientific or historical research, or statistical purposes;
(iv) processing is necessary for the establishment, exercise or defence of legal claims, or whenever courts are acting in their judicial capacity.
Article 9(2) also lists further conditions, for example protecting the vital interests of a data subject who is incapable of giving consent, data manifestly made public by the data subject, and the provision of health or social care.
Explain the rules regarding obtaining the consent of the data subject in relation to the processing of their
personal data.
(i) the Data Controller must be able to demonstrate that the data subject has consented to the processing of their personal data (Article 7(1)); consent must be given by a clear affirmative act, so silence, pre-ticked boxes or inactivity do not amount to consent;
(ii) consent must be genuine and freely given: the data subject must be able to refuse or withdraw consent without suffering any detriment;
(iii) the data subject must be clear on what they are consenting to, and the request for consent must be presented in a clear manner;
(iv) where consent is sought in a written declaration that also concerns other matters, the request for consent must be clearly distinguishable from those other matters, i.e. it cannot be bundled with other consents or terms (Article 7(2));
(v) the request must be in an intelligible and easily accessible form, using clear and plain language;
(vi) the data subject must be informed of their right to withdraw consent at any time, and withdrawal must be as easy as giving consent (Article 7(3)); where processing is of an ongoing nature, consent should be refreshed periodically, although the Regulation itself fixes no interval and a 12-month refresh is common practice rather than a statutory period; and
(vii) where performance of a contract is made conditional on consent to processing that is not necessary for the performance of that contract, the consent is presumed not to have been freely given (Article 7(4)).
Define the meaning of the term Data Controller.
Definition of a Data Controller
Article 4(7) GDPR defines a controller as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In practice:
(i) the controller is the person who controls the content and use of personal data;
(ii) the controller decides why (the purposes) and how (the means) personal data is processed;
(iii) a Data Controller must be a person recognised by law, and so may be a natural person, a legal person, a public authority or an agency. Where two or more controllers jointly determine the purposes and means of processing they are joint controllers (Article 26).
A DPO will be required if:
Prerequisites to the Appointment of a Data Protection Officer (DPO)
Article 37(1) GDPR makes the appointment of a DPO mandatory where:
(i) the entity is a public authority or body (except courts acting in their judicial capacity);
(ii) the core activities of the entity (whether public or private) consist of processing operations which require:
(a) regular and systematic monitoring of data subjects on a large scale; or
(b) processing on a large scale of special categories of data (sensitive personal data) or of personal data relating to criminal convictions and offences.
Outline the circumstances where a Data Controller will be required to undertake a Data Protection Impact
Assessment (DPIA)
Article 35(3) GDPR requires a DPIA in particular:
(i) where there is a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning, or similarly significantly affect, the natural person;
(ii) where there is processing on a large scale of special categories of personal data (sensitive personal data), or of personal data relating to criminal convictions and offences;
(iii) where there is systematic monitoring of a publicly accessible area on a large scale.
More generally, Article 35(1) requires a DPIA wherever the processing is likely to result in a high risk to the rights and freedoms of natural persons.
Conclusion: CIC will have to undertake a DPIA, as they will be profiling users and, given the nature of the site, CIC is likely to be handling users' sensitive personal data.
List the information that must be included in a DPIA.
(i) a description of the envisaged processing operations and the purposes of the processing;
(ii) an assessment of the necessity and proportionality of the processing operations;
(iii) an assessment of the risks to the rights and freedoms of data subjects;
(iv) details of the measures envisaged to address the risks, including safeguards, security measures and
mechanisms to ensure the protection of personal data and to demonstrate compliance with the Regulation,
taking into account the rights and legitimate interests of data subjects and other persons concerned.
Advise on obligations that will be imposed upon CIC if they offer information society services to
children (i.e. someone under 13, the age set by the UK; Article 8 GDPR sets the default at 16 but allows Member States to lower it to no less than 13).
(i) obtain consent for processing of the child's data from the holder of parental responsibility (the parents, or persons acting in loco parentis) where the child is under the age of 13;
(ii) make reasonable efforts, taking available technology into account, to verify that such consent has been given or authorised by the holder of parental responsibility (Article 8(2)), which in practice means having adequate systems in place to verify individual ages and gather the relevant consents;
(iii) where a service is provided directly to a child, the privacy notice must be drafted in such clear and plain language that the child can understand it (Recital 58).
Outline the main functions of a Data Protection Officer under the GDPR.
Article 39 GDPR sets out the DPO's tasks:
(i) informing and advising Data Controllers and Processors, and their employees who carry out processing, of their obligations under the Regulation;
(ii) monitoring compliance with the GDPR, including the controller's policies, the assignment of responsibilities, awareness raising and the training of staff involved in processing;
(iii) providing advice, where requested, on Data Protection Impact Assessments and monitoring their performance;
(iv) co-operating with the supervisory authority (in the UK, the Information Commissioner's Office);
(v) acting as the contact point for the supervisory authority on issues relating to processing.
Discuss the rights of a data subject pursuant to the terms of the GDPR in relation to:
(i) The right to information when personal data is being collected;
(ii) The right to restriction of processing;
(iii) The right to data portability.
(i) The Right to Information when Personal Data is being Collected
Except where the data subject already has this information, Article 13 of the GDPR states that where personal data relating to a data subject is collected from them, the Data Controller must, at the time of collection, provide the data subject with information in relation to:
1 the identity and contact details of the Data Controller and, where applicable, of the Controller's representative;
2 the contact details of the data protection officer, where applicable;
3 the purposes and legal basis for the processing of personal data (and, where the basis is legitimate interests, the interests pursued);
4 the recipients or categories of recipients of the personal data;
5 where data is being transferred to a third country or international organisation, reference to the safeguards that are in place and the means by which the data subject can obtain a copy of them or where they have been made available;
6 details regarding the period of retention, or the criteria used to determine it;
7 details regarding the rights of access, rectification, erasure, restriction, objection and data portability;
8 notification of the right to withdraw consent at any time, where processing is based on consent;
9 notification of the right to lodge a complaint with the supervisory authority (in the UK, the Information Commissioner's Office).
(ii) The Right to Restriction of Processing (Article 18)
The data subject will have the right to obtain from the Data Controller restriction of processing where any one
of the following conditions applies:
1 the accuracy of the data is being contested by the data subject;
2 the processing is unlawful, and the data subject opposes its erasure and requests the restriction of its use
instead;
3 the Data Controller no longer needs the data for the purpose of processing, but the data subject requires it
for the establishment, exercise or defence of legal claims;
4 the data subject has objected to processing, and this objection is pending the verification of whether the
legitimate grounds of the Controller override those of the data subject.
In this regard, restriction means the marking of stored personal data with the aim of limiting its processing in
the future.
A related but distinct right arises under Article 22: the data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, subject to the exceptions in Article 22(2).
(iii) The Right to Data Portability (Article 20)
Where processing is based on consent or on a contract and is carried out by automated means, the data subject has the right to:
1 receive the personal data they have provided to the Data Controller in a structured, commonly used and machine-readable format; and
2 have that data transmitted directly from one Data Controller to another, where technically feasible.
Explain the right of a data subject to have their data corrected and erased, where appropriate.
Articles 16 and 17 give an individual the right to have personal data rectified or erased in circumstances
where:
1 it is inaccurate, incomplete or misleading;
2 the data is no longer necessary for the purposes for which it was collected, or has been retained for an excessive period;
3 consent to processing has been withdrawn and there is no other legal basis for the processing;
4 the data has been unlawfully processed;
5 the data subject has objected to the processing and there is no overriding legitimate ground for its continuation; or
6 erasure is required in compliance with a legal obligation.
The right to erasure is also known as the right to be forgotten. Following the Court of Justice's decision in Google Spain (Case C-131/12), it extends to having links to information about the data subject removed from the results of an internet search carried out against their name.
A Data Controller must comply with the request without undue delay and in any event within one month of receiving it; this period may be extended by two further months where requests are complex or numerous, provided the data subject is informed of the extension within the first month (Article 12(3)).
Define a Data Processor.
This is defined as any natural or legal person (other than an employee of the Data Controller) who processes
data on behalf of the Data Controller.
Explain the obligations imposed upon a Data Controller.
The Regulation imposes specific obligations governing the relationship between Data Controllers and Data Processors in relation to the protection of data.
1 Under Article 28 GDPR, processing by a Processor must be governed by a contract or other legal act that is binding on the Processor and is in writing (including electronic form). The contract must set out:
(i) the subject matter and duration of the processing;
(ii) the nature and purpose of the processing;
(iii) the type of personal data and categories of data subjects;
(iv) the obligations and rights of the Data Controller;
(v) that the Processor acts only on the Data Controller's documented instructions, including in relation to any transfer of data to a third country or international organisation;
(vi) commitments from the Processor regarding confidentiality of its personnel and the security measures required by Article 32;
(vii) the conditions for engaging sub-processors, and the Processor's assistance to the Controller in responding to data subject requests and in meeting the Controller's security, breach-notification and DPIA obligations;
(viii) the deletion or return of all personal data at the end of the provision of services;
(ix) the Processor's obligation to make available to the Controller all information necessary to demonstrate compliance, and to allow for and contribute to audits and inspections conducted by the Controller or an auditor it mandates;
(x) adherence by the Processor to any approved Code of Conduct or approved certification mechanism may be used to demonstrate sufficient guarantees.
2 Data Controllers must vet their Data Processing partners and should only use a Data Processor who provides sufficient guarantees that they have implemented appropriate technical and organisational measures to meet the requirements of the Regulation and protect the rights of data subjects (Article 28(1)).
3 Where a Data Processor acts outside the Data Controller's instructions and determines the purposes and means of processing itself, it is treated as a Data Controller in respect of that processing and bears the corresponding liability (Article 28(10)).
Outline the obligations imposed upon a Data Processor pursuant to the GDPR.
(i) Sub-processing by a Data Processor is prohibited without the prior specific or general written authorisation of the Data Controller, and the same data protection obligations must be flowed down to any sub-processor by contract (Article 28(2) and (4));
(ii) A Data Processor must process personal data only on the documented instructions of the Data Controller, implement appropriate security measures (Article 32), and maintain a record of the processing carried out on the Controller's behalf (Article 30(2)); and
(iii) A Data Processor is required to notify the Data Controller of any personal data breach without undue delay after becoming aware of it (Article 33(2)).
State the main criminal sanctions that Stafford and Furnish may be exposed to if they act in breach of their
obligations under the General Data Protection Regulation.
Sanctions
The fines in Article 83 GDPR are administrative fines imposed by the supervisory authority, not criminal penalties; in the UK, criminal offences relating to personal data (such as unlawfully obtaining or disclosing personal data) arise under the Data Protection Act 2018 rather than under the GDPR itself. Breach of the GDPR can result in:
(i) an administrative fine of up to EUR 10,000,000, or in the case of an undertaking, up to 2% of total worldwide annual turnover of the preceding financial year, whichever is the greater, for breaches of the controller and processor obligations (for example Articles 25 to 39);
(ii) depending upon the nature of the breach (for example breach of the basic principles for processing, the conditions for consent, data subjects' rights, or the transfer rules, as well as non-compliance with an order of the supervisory authority), an administrative fine of up to EUR 20,000,000, or in the case of an undertaking, up to 4% of total worldwide annual turnover of the preceding financial year, whichever is the greater.
Under the UK GDPR the equivalent maximum amounts are £8,700,000 and £17,500,000 respectively.