Chapter 4 (Data Protection Concepts) Flashcards

1
Q

Is the concept of personal data broader under the GDPR or US state data breach laws?

A

It is broader under the GDPR.

2
Q

Under the GDPR what is the definition of personal data?

A

Any info relating to an identified or identifiable natural person (data subject).

3
Q

Under the GDPR, who qualifies as an identifiable natural person?

A

One who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, ID number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

4
Q

According to the Article 29 Working Party (WP29) what are the 4 building blocks that comprise the meaning of personal data?

A
  1. Any information
  2. Relating to
  3. An identified or identifiable
  4. Natural person
5
Q

What 3 aspects of the concept of information help define what info will be considered personal data?

A

Its
1. Nature
2. Content
3. Format

6
Q

Does info need to be true to be considered personal data?

A

No.

7
Q

The content of personal data can include what type of info?

A
  1. Info about an individual’s private life
  2. Info about an activity taken by an individual (whether related to professional, public, or private life)
  3. Online identifiers like IP address, cookies, or radio frequency identification
8
Q

Under the GDPR, personal data can come in what form?

A

Includes personal data processed by automated means as well as data processed by manual means if the data form part of a filing system (e.g. paper patient records at a hospital).

9
Q

For personal data to relate to an individual one of the following 3 elements must apply.

A
  1. Content element
  2. Purpose element
  3. Result element
10
Q

Explain the content element for determining whether information “relates” to an individual.

A

Present when the info is about an individual in the most common sense of the word. E.g. the result of a test clearly relates to a student.

11
Q

Explain the purpose element for determining whether information “relates” to an individual.

A

Depends on whether the info is processed to evaluate, consider, or analyze the individual in a certain way.

12
Q

Explain the result element for determining whether information “relates” to an individual.

A

Exists when the processing of certain info has an impact on the individual’s rights and interests.

13
Q

When is a natural person identifiable?

A

When, although the person has not yet been identified, it is possible to do so.

14
Q

Is a hypothetical possibility of identification sufficient to make info identifiable?

A

No. There must be a reasonable likelihood of identification.

15
Q

In Patrick Breyer v. Bundesrepublik Deutschland what did the CJEU find?

A

That dynamic IP addresses could constitute personal data on the grounds that a person could be indirectly identified if the IP addresses were combined with data held by the ISPs, such as time of connection and pages visited on the website.

16
Q

Does the GDPR apply to anonymized data?

A

No.

17
Q

How does the GDPR define anonymized data?

A

Info which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.

18
Q

How does the GDPR define pseudonymisation?

A

Processing personal data in such a manner that it can no longer be attributed to a specific data subject without the use of additional info (provided that the info is kept separately and protected).

19
Q

Does having pseudonymised data remove an org’s obligations under the GDPR?

A

No.

20
Q

Pseudonymisation is an important safeguard to achieve what?

A

Data minimization requirements.

21
Q

Are the terms deidentified data, indirectly identifiable data, and pseudoanonymised data defined under the GDPR?

A

No.

22
Q

Does the GDPR apply to deceased persons’ personal data?

A

No.

23
Q

Under the GDPR, what info qualifies as special categories of personal data that merit specific protections?

A

Personal data revealing:
1. Racial or ethnic origins
2. Political opinions
3. Religious or philosophical beliefs
4. Trade Union membership
5. Processing of genetic data
6. Biometric data for the purpose of uniquely identifying a natural person
7. Data concerning health
8. A natural person’s sex life or sexual orientation

24
Q

Under the GDPR, how is genetic data defined?

A

Personal data relating to inherited or acquired genetic characteristics of a natural person which give unique info about the physiology or the health of that natural person and which result, in particular, from analysis of a biological sample from the person in question.

25
Q

How does the GDPR define personal data that relates to health?

A

Data related to the physical or mental health of a person including
1. Provision of health care services (reveals info on health status)
2. All data pertaining to the health status of a data subject which reveal info relating to the past, current, or future physical or mental health status of the data subject.

26
Q

What type of info relates to the past, current, or future physical or mental health status of the data subject?

A
  1. Info about the natural person collected in the course of registration for or the provision of health care services.
  2. A number, symbol, or other identifier assigned to a natural person to uniquely identify the natural person for health purposes.
  3. Info derived from the testing or examination of a body part or bodily substance, including from genetic or biological samples.
  4. Any info on, for example, a disease, disability, disease risk, medical history, clinical treatment, or the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device.
27
Q

Under the GDPR what is a data controller?

A

The natural or legal person, public authority, agency, or any other body which alone or jointly with others determines the purpose and means of processing personal data.

28
Q

Under the GDPR, what are some of the responsibilities of data controllers?

A
  1. Providing info to data subjects.
  2. Ensuring processing has a legit basis and data subjects’ rights are honored.
  3. Carrying out Data Protection Impact Assessments (DPIA) in the case of high risk processing
  4. Ensuring there is appropriate security for data
  5. Determining whether notification to Data Protection Authorities (DPAs) or data subjects is necessary in the case of personal data breach.
29
Q

The first and foremost role of a data controller is what?

A

Determining who shall be responsible for compliance with data protection law and how individuals can exercise their rights (i.e. allocating responsibility).

30
Q

What are the 5 building blocks identified in the EDPB’s Guidelines on the concepts of controller and processor?

A
  1. The natural or legal person, public authority, agency, or other body
  2. Determines
  3. Alone or jointly with others
  4. The purpose and means
  5. Of the processing of personal data
31
Q

When an individual within an org or body is appointed to ensure compliance with data protection law or process personal data does this appointment turn them into a data controller?

A

No, because they will be acting on behalf of the legal entity in carrying out their role.

32
Q

Is the contractual designation of parties’ roles decisive in determining who is a controller or processor under the GDPR?

A

No, because the legal designations may differ from what is happening in practice.

33
Q

What questions should be asked to assess who “determines” what data is processed and how it is used?

A
  1. Why is the processing taking place?
  2. Who initiated the processing?
34
Q

Explain how the concept of purpose relates to data controllers.

A

Data controllers determine the goal or anticipated outcome of processing (i.e. the reason the controller has decided to conduct processing).

35
Q

What are some of the essential means a controller must decide with regard to processing personal data?

A
  1. What data should be processed
  2. How long the data should be processed
  3. The categories of data recipients
  4. The categories of data subjects
36
Q

Is it necessary for a company to have actual contact with personal data to be the controller of that data?

A

No.

37
Q

What are the 3 reasons joint controllership has become more important under the GDPR than it was under the Directive?

A
  1. There is a greater emphasis on the concept in the GDPR, which introduced specific rules for joint controller relationships in Article 26.
  2. The increase in complex data-sharing arrangements between orgs, particularly in the online world.
  3. A series of decisions from the CJEU which brought clarifications on this concept and its implications.
38
Q

What is at the essence of joint controllership?

A

It’s about allocation of factual responsibilities for processing, i.e. assessing who determines the purposes and means of processing.

39
Q

What are the two types of decisions that underlie joint controllership?

A
  1. Decision that is made together (a common decision)
  2. Joint participation that stems from converging decisions
40
Q

What are converging decisions?

A

Decisions that give rise to joint controllership: they exist if the parties’ decisions complement each other and have a tangible impact on the determination of the purposes and means of the processing.

41
Q

The CJEU has established that there may be joint controllership in what circumstance? What is one of the most high profile examples?

A

When there is a mutual benefit for both parties and they both participate in the means of the relevant processing operation.

Fashion ID case (an online fashion shop placed a social plug-in, a Facebook “Like” button, on its site that collected visitors’ info regardless of whether they interacted with the plug-in). Facebook and Fashion ID were held to be joint controllers regarding the collection and onward transmission of the data.

42
Q

Why is it important to separate the overall processing of personal data into its different elements?

A

Because not all entities will be involved equally at all stages of the processing chain.

43
Q

Does sharing data or infrastructure automatically equate to joint controllership?

A

No.

44
Q

How does the GDPR define processor?

A

A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

45
Q

What two building blocks must be present for a person to be a data processor?

A
  1. The person is a separate legal entity with respect to the controller.
  2. The person processes personal data on behalf of the controller.
46
Q

Can a subsidiary be a processor for another company in the same corporate group?

A

Yes, because the subsidiary is a separate legal entity.

47
Q

Can a department be a data processor for another department in the same company?

A

No, because a department isn’t a separate legal entity.

48
Q

Under the GDPR, processors focus on how data is processed. What are some of the responsibilities placed on processors relating to how they process data?

A
  1. Security requirements
  2. Record keeping requirements
  3. Notifying controllers of data breaches
  4. Ensuring compliance with the restrictions on international data transfers, outlined in Chapter 5 of the GDPR
49
Q

What happens if a processor goes beyond their mandate and decides on the purpose of the processing or the essential means of processing?

A

It will be considered a controller with regards to that processing.

50
Q

The GDPR restricts how a processor processes personal data. What are 2 of these restrictions?

A
  1. May only process on the controllers’ instructions
  2. Must respect a contract or binding legal act regulating the relations between controller and processor
51
Q

What 8 details should be included in a processing contract?

A
  1. Process the personal data only on documented instructions from the controller, including transfers of data outside of the EEA.
  2. Ensure that persons authorized to process personal data have committed themselves to confidentiality
  3. Take all measures pursuant to Article 32 on security of processing
  4. Respect the conditions for enlisting another processor
  5. Assist the controller in responding to requests to exercise data subjects’ rights.
  6. Assist the controller in complying with the obligations in Articles 32-36 (security, DPIAs, and breach notification)
  7. At the choice of the controller, delete or return all personal data to controller after the end of services
  8. Make available to the controller all info necessary to demonstrate compliance with the obligations laid down in Article 28 and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
52
Q

Who is responsible for ensuring that there is a contract or other legal act to govern between controller and processor re how processing should be handled?

A

Both the processor and controller are responsible for making sure such a contract exists.

53
Q

Does a processing contract between controller and processor satisfy Article 28(1) of the GDPR if it merely restates the provisions of the GDPR?

A

No, it should include specific requirements of how the GDPR’s requirements will be met.

54
Q

What are 3 criteria Article 28 of the GDPR places on subcontracting processing?

A
  1. A processor may not engage another processor without prior authorization of the data controller.
  2. The contract between the initial processor and its subprocessors must include the mandatory provisions set out in original processing agreement.
  3. The initial processor remains fully liable to controller for the performance of its subprocessors.
55
Q

With regards to joint controllers what are 7 areas where there may be overlap or uncertainty re GDPR compliance?

A
  1. Implementation of general data protection principles in Article 5: who is determining retention periods or the legal basis of processing?
  2. Security measures
  3. Notification of personal data breaches: will one controller always take the lead in notifying the DPA of data breaches?
  4. DPIAs
  5. Use of processors
  6. Transfers of data to third countries
  7. Communicating with DPAs
56
Q

Under the GDPR what conditions must exist in order for processing to occur?

A
  1. The processing must be wholly or partly carried out by automated means, or
  2. Where the processing is not by automated means, it must concern personal data that forms part of a filing system or is intended to form part of a filing system.
57
Q

Under the GDPR what qualifies as a filing system for purposes of determining whether processing occurs?

A

Refers to a structured set of personal data that are accessible according to specific criteria.

58
Q

Does the GDPR provide a definition for data subject?

A

No.

59
Q

Does the GDPR’s protection of personal data extend to legal entities?

A

No.