Chapter 2C: Data Processing Principles

Question 1

What 6 principles are listed under Article 5 of the GDPR?

Principles related to processing personal data.

Answer 1

Lawfulness, Fairness & Transparency
Accuracy
Purpose limitation
Data minimisation
Storage limitation
Integrity & Confidentiality

Question 2

Re: lawfulness, fairness and transparency, this means that…

Answer 2

Personal data must be processed only if there is a legal ground and the processing must be carried out in a fair and transparent manner towards the data subject.

Question 3

What lawful bases are applicable for data processing?

Answer 3

Art. 6

Consent
Contractual performance
Legal obligation
Vital interest
Public interest
Legitimate interest

Question 4

What is ‘consent’ as a lawful basis?

Answer 4

Data subject gives consent to the processing of their data for one or more specific processes.

Question 5

What is ‘contract performance’ as a lawful basis?

Answer 5

Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.

Question 6

What is ‘legal obligation’ as a lawful basis?

Answer 6

Processing is necessary for compliance with a legal obligation to which the controller is subject.

Question 7

What is ‘vital interest’ as a lawful basis?

Answer 7

Processing is necessary in order to protect the vital interests of the data subject or another natural person.

Question 8

What is ‘public interest’ as a lawful basis?

Answer 8

Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Question 9

What is ‘legitimate interest’ as a lawful basis?

Answer 9

Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights of the data subject - in particular when a child is concerned.

Question 10

What makes processing ‘fair’?

Answer 10

Fairness is linked to the idea that data subjects must be aware that their data will be processed, including how the data will be collected, kept and used, to allow them to make an informed decision about whether they agree to it and enable them to exercise their data rights.

Question 11

How can an organisation assess fairness?

Answer 11

With an assessment on how the processing will affect the data subject - if it negatively affects individuals and the detriment is not justified, the processing is unfair.

Question 12

What does the principle of transparency mean?

Answer 12

A controller must be open and clear toward data subjects when processing personal data.

Question 13

On what basis did the regulation eliminate the Directive’s general obligation to also notify data protection authorities of the processing of personal data?

Answer 13

This did not necessarily contribute to protecting personal data. Recital 89 explains that such indiscriminate general notification obligations should be abolished and replaced by effective procedures and mechanisms which focus instead on processing operations likely to result in a high risk to the rights and freedoms of natural persons by virtue of their nature, scope, context and purposes.

Question 14

What does the regulation promote instead of notifying DPAs of processing?

Answer 14

Notifying data subjects of how their data will be processed; the regulation prescribes minimum amount of information controllers should provide, but considers whether collected directly from the data subject or a third party.

Question 15

What does the GDPR say about the duty to inform in cases where the data was obtained directly from the data subject and the data subject is already aware of the information?

Answer 15

They are exempt from the duty to inform in this case.

Question 16

When are data controllers free from the obligation to provide information where personal data is collected from other sources?

Answer 16

Providing information involves a disproportionate effort or can be considered impossible

To protect the data subject’s legitimate interest, in which case the disclosure is expressly governed by applicable law

To preserve the confidentiality of the information, also regulated by the laws to which the data controller is subject

Question 17

When should information be provided to a data subject under the transparency principle?

Answer 17

In a timely manner - when obtained directly from the data subject, it should be provided at the time of collection.

Question 18

What requirements are in place for the information provided to data subjects?

Answer 18

It should be clear, concise and easy to understand and provided in an accessible manner.

Question 19

What does the transparency principle say about information provided to children?

Answer 19

When processing involves personal data of children, the communication should be drafted in simple and plain language for the child to understand it.

Question 20

What does the transparency principle say about information obtained in the context of a medical examination?

Answer 20

The patients must be informed using plain language (no scientific or medical terms that may not be understood by individuals who are not medical practitioners must be included unless clearly explained) - this must be provided before examination is carried out.

Question 21

What mechanism is frequently used in a digital environment to inform individuals?

Answer 21

Privacy notices - using short and adhoc privacy notices instead of long legal texts is recommended and considered best practice.

Question 22

What does the regulation promote as a visual tool for transparency?

Answer 22

The use of visual and standardises icons or symbols as an alternative means to inform individuals in a concise and clear way.

Question 23

What does purpose limitation mean?

Answer 23

Data controllers must only collect and process personal data to accomplish specified, explicit and legitimate purposes and not process beyond these purposes unless processing is considered compatible with the purpose. for which it was originally collected.

Question 24

What should a controller do before processing personal data to comply with purpose limitation?

Answer 24

Identify the purpose for which personal data will be processed.

Question 25

The use of personal data for statistical purposes, public interest, scientific or historical research purposes will be considered compatible as long as…

Answer 25

Such secondary processing takes place within the limits set out by the EU or member state’s law that governs the particular processing. If not, controllers must consider whether this is compatible with the purposes for which personal data was originally collected.

Question 26

Secondary processing can only be lawfully carried out when…

Answer 26

Such processing is considered compatible with the original purpose for which the data was collected.

Question 27

To assess whether secondary processing is compatible with original purposes, the controller should take into account…

Answer 27

Any link between those purposes
The context in which the data has been collected and the reasonable expectations of the data subject
The nature of the personal data
Consequences for the data subjects
The existence of appropriate safeguards in both original and intended processing operations

Question 28

When the second processing is considered incompatible with the original processing purpose, what is required?

Answer 28

A separate legal ground (e.g. consent) before processing the data for this new purpose. They will also need to inform the data subjects.

Question 29

What does the principle of data minimisation mean?

Answer 29

Data controllers must only collect and process data that is relevant, necessary and adequate to accomplish the designated purpose.

Question 30

What two concepts are applied in data minimisation?

Answer 30

Necessity and proportionality.

Question 31

What is the concept of necessity re: data minimisation?

Answer 31

Data collected must be suitable and reasonable to accomplish the specified purpose (i.e. of a nature necessary to attain that purpose). Verifying whether the specific purpose can be accomplished by using anonymous data is a useful starting point, or if the scope can be broadened (e.g. an age bracket rather than date of birth being sufficient).

Question 32

What is the concept of necessity re: proportionality?

Answer 32

Controllers should consider the amount of data to be collected - excessive data collection may be disproportionate.
Daa controllers should take into consideration the adverse impact of means of processing, and verify whether less intrusive means exist or means with less adverse consequences.
Example of excessive or disproportionate means may include using biometric data to identify individuals when they could just have an identity card.

Question 33

Data protection law is applicable and valid in relation to big data projects; true or false?

Answer 33

True.
To legally process and successfully use and protect personal data in the digital economy, DPOs and data scientists are expected to work together to find creative ways to implement data minimisation re: big data projects.

Question 34

What is big data?

Answer 34

Big data is a term that describes the large volume of data – both structured and unstructured – that inundates a business on a day-to-day basis

Question 35

What does the principle of accuracy mean?

Answer 35

Controllers must take reasonable measures to ensure that data is accurate and, where necessary, kept up to date.

Question 36

What ‘reasonable measures’ can be taken to ensure data is accurate?

Answer 36

Implementing processes to prevent inaccuracies in data collection process (i.e. verifying data is accurate, complete and not misleading) and for ongoing use. The controller must consider the type of data and specific purposes to maintain the accuracy in relation to the purpose.
Controllers should evaluate how reliable the source is and take additional care where inaccuracy could be to the data subject’s detriment.

Question 37

When might the inaccuracy of personal data occur during the collection process?

Answer 37

If controllers do not properly verify the authenticity of the information

Question 38

What does the ICO say about keeping records of errors?

Answer 38

It’s acceptable to keep records of events that happened in error provided those records are not misleading about the facts.
For instance, a misdiagnosis of a medical condition can continue to be part of a patient’s medical records for the purpose of explaining previous treatment given to the patient.

Question 39

What responsibility does a controller have over incorrect data already collected?

Answer 39

It should respond to data subject requests to correct records that contain incomplete information or inaccuracies.

Question 40

What is the storage limitation principle?

Answer 40

Personal data must not be kept for longer than necessary for the purposes of processing. It should be securely deleted once the purpose has run its course.

Article 5(1)(e) personal data must be kept in a form which permits identification for no longer than necessary.

Question 41

When can personal data be kept beyond its purpose for processing?

Answer 41

It can only be kept for longer periods if processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

Question 42

How should a controller ensure that data is not kept longer than required?

Answer 42

Time limits should be established for erasure or periodic review. The controller must assess whether the data is to be used for one or several purposes and limit the processing to a period during which its needed to accomplish these purposes.
(e.g. deletion of data at the end of a recruitment process)

Question 43

What should a controller do in relation to statutory data retention periods?

Answer 43

Verify whether they exist for the type of processing (e.g. tax, health and safety, employment regs) - when the law is silent, internal retention periods should be set to meet the storage limitation principle.

Question 44

Data controllers may keep personal data for an unlimited period if…

Answer 44

The data has become irreversibly anonymised.

Question 45

What is the principle of integrity and confidentiality?

Answer 45

Article 5(1)(f) - Personal data must processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Question 46

To protect and preserve personal data throughout its life cycle, controllers should…

Answer 46

Implement an information security framework

Look to techniques such as pseudonymisation and encryption

Question 47

When processing sensitive personal data, additional care should be taken. In this respect, a controller must take into account…

Answer 47

Potential impact on individuals that a breach of the integrity or confidentiality may cause to implement sufficient measures.

Question 48

How does the regulation reinforce all privacy principles?

Answer 48

Imposing the burden of proof re: proper implementation of the principles upon organisations which may be required to present evidence at any time on a supervisory authority’s request.