Chapter 2A: Data Protection Concepts Flashcards
The WP29 set out four ‘building blocks’ in Opinion 4/2007 to comprise the meaning of personal data. What are they?
‘Any information’
‘Relating to’
‘An identified or identifiable’
‘Natural person’
Define ‘any information’ under WP29’s definition of personal data.
Made up of nature, content and format.
Nature - any statements about a person, objective or subjective, true or false
Content - personal data that includes information about an individual’s private life or any activity undertaken
Format - Information processed by automated means, including processing by manual means as well if part of a filing system
Define ‘relating to’ under WP29’s definition of personal data.
Must be about an individual. Information that relates to objects, processes or events may constitute personal data in certain circumstances (e.g. an individual owns the car)
Define ‘identified or identifiable’ under WP29’s definition of personal data.
A natural person is ‘identifiable’ when although the person has not been identified yet it’s possible to do it. A person can also be identifiable with combined information. There must however be reasonable likelihood that they could be identified.
How could dynamic IP addresses constitute personal data?
An individual could be indirectly identified if the IP addresses were combined with data held by internet service providers (e.g. time of connection or pages visited).
How does the regulation react to anonymised data?
It does not apply if it does not relate to an individual and the individual can no longer be identified - but complete anonymisation is difficult.
What does pseudonymised data offer an organisation?
It helps to satisfy data minimisation requirements however still acts as personal data so is subject to the same rights.
Aggregation of data for statistical purposes is likely to result in non-personal data, but why should care be taken?
Context may allow identification of individuals if the sample size is not sufficient.
Define ‘natural person’ under WP29’s definition of personal data.
Recital 27 states that the regulation does not apply to the personal data of deceased persons, which may be protected through standard contractual confidentiality clauses but not subject to GDPR.
Why does special category personal data merit specific protections?
The nature of the data could create significant risk to the individuals’ fundamental rights and freedoms.
How is genetic data defined?
Personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or health of that natural person which result, in particular, from an analysis of a biological sample”
What is the definition of ‘data that relates to health’?
Data related to physical or mental health of a natural person, including the provision of health care services, which reveals information about health status. This can be past, present or future health status.
What is a data controller?
The natural or legal person/public authority or any body which alone or jointly determined the purposes and means of processing of personal data. They’re the key decision maker in regards to a set of data.
What is a data processor?
A subordinate figure required to process personal data only on documented instructions from a controller. The controller retains liability, but a processor should ensure international data transfers comply with the regulation and that they have appropriate security and a process for notifying data controllers of data breaches.
Different organisations can be controllers of the same set of personal data, but this does not always mean that they’ll be joint data controllers - give an example of these independent controllers.
A person books a holiday through a travel agent and that travel agent forwards the details to the chosen airline and hotel. They all hold identical data, but separately and for different purposes - they each determine separately what they do with the data.
A shared database between them would change this.
