Chapter 3D: Internet Technology and Communications Flashcards
When may a cloud service supplier be considered a controller?
When it determines substantial and essential elements of the means of processing
When it processes data for its own purposes
When it determines aspects of the processing outside the controller’s instructions
When might the GDPR be applicable to a cloud provider outside of the EU?
When the customer is subject to the GDPR (resident) - in which case the processing contract should contain required controls and obligations set out in the GDPR.
When are cookie collection and analysis subject to the GDPR under Recital 30 of the GDPR?
Where the information collected from them is personal data.
Who is the controller in instances of web cookie collection?
The website operator is a controller of personal data collected by its own first-party cookies
Where the third party determines the means and purposes of processing of the personal data gathered from its third party cookies, it’s a controller
What lawful basis do many organisations now rely on to process personal data in the form of online identifiers?
Consent.
What does Article 5(3) of the ePrivacy Directive say about access to a user’s terminal equipment?
Organisations must obtain prior informed consent for storage or access to information stored on a user’s terminal equipment.
What cookies are exempt from the consent requirement of the ePrivacy Directive?
‘Strictly necessary’ cookies used solely for carrying out communication transmission.
Who is the controller of personal data processed by search engines?
Search engines (because they determine the purposes and means of processing data about their users)
Search engine marketers (when web traffic is processed by search engines and provided as analytics, e.g. Google Analytics, to search engine marketers that fall within scope of the GDPR, the organisations conducting the marketing are also controllers)
Examples of cases re: search engines as controllers
Google v AEPD (2014)
CJEU ruled that Google remove from its search results links to a 1998 newspaper article about the plaintiff’s foreclosed house
This established that search engines are also controllers of personal data contained in third party webpages.
Search engines outside the EU are likely subject to the GDPR in respect of their processing of personal data contained in third party web pages if they have an EU establishment whose activities are economically linked to the search engine’s core activities.
What steps can search engine marketers take to ensure that aspects of the web traffic analysis process are anonymised?
Ensuring that data, including IP addresses, is not stored in Google Analytics even after the user has accepted the placement of cookies
Anonymising IP addresses before storage or processing takes place
Who is the controller of a social networking service?
The social networking service itself because it provides platforms for publishing and exchanging personal info as well as determining the use of personal information for advertising purposes
Authors of applications designed for SNS platforms that provide services in addition to the SNS
Users who act on behalf of an organisation or knowingly extend access to personal data beyond selected contacts
Re sensitive personal data and social networks…
Explicit consent usually is required to publish data on the internet, unless it’s published by the data subject.
An SNS requesting personal data must ensure the individual knows that the provision of data is voluntary.
Re third-party personal data and social networks…
If third-party individuals’ personal data is published (for example, photo tags), the SNS must have a legal basis for processing that personal data. According to the former Article 29 Working Party, third-party data of individuals who are not members of the SNS may not be aggregated to form profiles of those individuals.
Re children’s data and social networks…
As discussed in Module 4, processing children’s data on the basis of consent requires parental consent. This applies to children under 16 years old; Member States may lower this age limit to 13 years old. Processing on the grounds of legitimate interest may not be possible (GDPR, Article 6[f]). According to the former Article 29 Working Party, a controller should have regard for the best interests of the child.
In the context of behavioral advertising, what is another name used to refer to website operators?
Publishers