Chapter 2D: Lawful Processing Criteria Flashcards

1
Q

Define what it means for consent as a lawful basis to be ‘freely given’.

A

Consent must be freely given;
it cannot be relied on if the service is conditional on consent,
or if there’s a clear imbalance of power between the data subject and the controller.

It needs to be as easy to withdraw as it is to give.

2
Q

Define what it means for consent as a lawful basis to be ‘specific’.

A

All purposes must be outlined.

3
Q

Define what it means for consent as a lawful basis to be ‘informed’.

A

The consent section should be clearly distinguishable from other matters, intelligible, and in clear and plain language; it should also be
compatible with the original purpose.

4
Q

Define what it means for consent as a lawful basis to be ‘unambiguous’.

A

The consent is absolutely clear.

5
Q

Define what it means for consent as a lawful basis to reflect an ‘indication of wishes’.

A

It should be a clear, affirmative action (e.g. opting in); silence, inactivity, a pre-ticked box or an opt-out is not accepted as consent.

6
Q

What are the conditions for consent?

A

Demonstrable: if given in a written declaration, it should be clearly distinguishable from other matters.
The data subject should have the right to withdraw at any time, and consent should not be conditional on the performance of a contract.

7
Q

What does ‘legitimate interest’ mean as a processing criterion?

A

The legitimate interest basis incorporates a balancing test weighing the legitimate interests of the data controller against the interests and rights of the data subject; it is the most flexible lawful basis.

Three-part analysis:
(1) Purpose test – are you pursuing a legitimate interest?
(2) Necessity test – is the processing necessary for that purpose?
(3) Balancing test – do the individual’s interests override the legitimate interest?

Many things can be legitimate interests (e.g. fraud prevention, direct marketing, etc.)
- Even trivial interests may be legitimate
- Should consider the reasonable expectations of the data subject

WP29 suggests a three-prong test:
1) It must be lawful
2) It must be sufficiently clearly articulated to allow the balancing test to be carried out
3) It must present a real and present interest (non-speculative)

8
Q

What are the restrictive criteria of legitimate interest?

A

It must be compliant with other legal obligations

Transparent

Economic interests aren’t necessarily sufficient

Fundamental rights and freedoms of the data subjects should be upheld

Must be compatible with use limitation

There should be adequate safeguards for secondary uses, e.g. pseudonymisation and encryption

9
Q

Special categories of data are prohibited except if…

A

Explicit consent

In the context of employment

For vital interests of individual

Political, philosophical, and religious purposes

The sensitive data is manifestly made public by the DS

Establishment, exercise, or defense of legal claims

Substantial public interest

Medicine and social healthcare

Public health

Public archives, scientific or historical research, statistical purposes

10
Q

Consent for Special Category Data (Art. 9)

A

Freely given
Specific to the processing at issue
Informed
Unambiguous (clear affirmative act)
Explicit

11
Q

Context of employment for special category data

A

Only where necessary for a controller to comply with a legal obligation under employment law for candidates, employees or contractors

12
Q

Vital interests for special category data

A

Controller must be able to demonstrate that it’s not possible to obtain consent

13
Q

Political, philosophical and religious purposes re special category data

A

Covers particular foundations, associations, not-for-profit bodies or any body with trade union aims

Relates to processing of data about members of an organisation or formal members with regular contact

Appropriate safeguards must be in place

The data must not be disclosed outside the organisation without consent

14
Q

The sensitive data is manifestly made public by the DS re special category data

A

Self-disclosed by the data subject, e.g. in a media interview or on social networking sites

15
Q

Conditions of establishment, exercise or defence of legal claims re: consent

A

The controller must establish necessity, and there should be a close and substantial connection between the processing and the purpose

16
Q

Conditions of substantial public interest re: consent

A

This is narrower under GDPR; there should be a balance between the reason for processing and the DS’ right to data protection. Specific and suitable measures should be taken to protect the DS’ rights and interests. Member states can specify reasons of public interest (e.g. preventing and detecting crime)

17
Q

Conditions of medicine and social healthcare re: consent

A

To be used to assess the working capacity of an employee, making a medical diagnosis, providing health or social care treatment or managing systems or services

The reason for processing must be based on EU or member state law or necessary to fulfil a contract

18
Q

Conditions of public health re: consent

A

Must be based on EU or member state law and be protecting against serious cross-border threats to health or ensuring high standards of quality and safety in health care and of medicinal products or medical devices

19
Q

Conditions re: public archives or scientific or historical research or statistical purposes for consent

A

Further interpretation from member state law

Processing proportionate to purpose

Suitable and specific measures to safeguard data subject’s fundamental rights and interests

20
Q

What are the six lawful grounds for processing personal data?

A

Consent
Contractual necessity
Legal obligation
Vital interests
Public interest
Legitimate interest

21
Q

What is contractual necessity as a lawful basis?

A

Where processing is for performance of a contract or taking steps before entering into a contract

22
Q

What is compliance with a legal obligation as a lawful basis?

A

There is a legal basis of a high standard for the processing, derived from EU or member state law

23
Q

What is protection of vital interests as a lawful basis?

A

Should be based on common sense and the best interests of the individual (think life or death)

24
Q

What is public interest as a lawful basis?

A

For an official authority (e.g. a tax authority), where there are specific requirements from member states