Chapter 4 Data Protection Concepts Flashcards
What are four building blocks that comprise the meaning of PD?
Any information
Related to
Identified or identifiable
Natural Person
- BLOCK - INFORMATION
Which aspects of the concept “information” help define when information will be considered PD and explain each of them
NATURE - any type of statement about the person, objective or subjective. E.g. the employee is the head of IT; the employee is a good worker. Information does not need to be true to be considered personal data!
CONTENT - any sort of information not limited to the individual’s private or family life. Includes any activity undertaken by the individual in the professional or public sphere or in private life. E.g. individual’s work phone number.
FORMAT - processed by automated or manual means if the data “form part of the filing system”
Data kept on paper, computer memory, on a tape …
GDPR is technology neutral
- BLOCK - RELATING TO
Explain the meaning of this block
Information must be about an individual, there must be a relationship between the information and the individual.
Some types of information will always relate to an individual (e.g. tax number), for other types of information (e.g. information that relates to objects, processes and events) it depends on how it is being used or how it is being considered in a particular context.
WP29: for PD to relate to an individual, one of the following 3 elements must apply:
- content element: the information is about the individual in the most common sense of the word
- purpose element: if the info is processed to evaluate, consider, or analyze the individual in a certain way
- result element: processing of certain information has an impact on the individual’s rights and interests
- BLOCK - IDENTIFIED OR IDENTIFIABLE
Explain the meaning of this block
Identifiable:
- it is not yet identified but it is possible to do so
- Person may be identified DIRECTLY or INDIRECTLY (e.g. by IP address)
- **information combined with other pieces of information will allow the individual to be distinguished from others**
Possibility of identification: how likely it is for the means of identification to be used to identify the individual - cost of and the time required for identification, technology available and technological developments.
Data anonymisation - is increasingly difficult. Anonymised data is not PD.
Pseudonymisation - helps to satisfy data minimisation requirements but data is still PD. To identify a DS, you need additional information which is kept separately.
Pseudonymisation and data sharing
- BLOCK - NATURAL PERSON
applies to natural persons universally, regardless of their country of residence, taking into account the GDPR’s territorial scope
GDPR does not apply to deceased persons, which may be protected through SCCs.
Explain sensitive personal data?
special categories of PD (SCPD) merit specific protection as their nature means their processing could create significant risks to individual’s fundamental rights and freedoms
PD revealing racial or ethnic origin, political opinion, religious or philosophical beliefs, trade union membership, genetic data, biometric data (for unique identification), data concerning health or sex life/orientation
Genetic data - inherited or acquired genetic characteristics which give unique information about the physiology or health of a natural person and is acquired by an analysis of a biological sample
health information:
- physical or mental health
- provision of health care services
- health status
biometric data - processed through specific technical means allowing unique identification or authentication of a NP
If a photograph or video footage is processed to deduce SCPD, Article 9 applies
Why is it important to correctly allocate the role of the controller and processor?
To correctly determine the allocation of legal obligations arising under the GDPR, which is essential for protecting the rights and freedoms of DS
Definition of the controller
the natural or legal person, public authority, agency or other body
alone or jointly with others determines the purposes and means of processing
it is a decision maker
carries most of the responsibilities (informing DS, legitimate basis, DS rights, DPIA, security, notification)
controller will be the first target of the enforcement actions by DPAs
by determining the controller we determine who is responsible for the compliance with DP laws and how individuals can exercise their rights
controller carries primary data protection responsibility and liability
allocation of the controller will also determine which SA can supervise the processing activity
the location of the controller is important to determine any local DP laws
Definition of the processor
processes PD only on documented instructions by the controller
obligations - international data transfers, security, notifying controllers in case of a data breach
Guidelines explaining the controllers/processors
EDPB Guidelines 7/2020
5 building blocks within definition of the controller
natural or legal person, public authority, agency or other body
determines
alone or jointly with others
purposes and means
of the processing of PD
natural or legal person, public authority, agency or other body
including individual or group of individuals
individual inside an organization, responsible for a processing activity, is not a controller because it acts on behalf of a controller
such individual may not act outside the scope of the authority given by the controller and the controller should have T&O measures in place to prevent this
determines
has a decisive influence
legal context and factual elements and circumstances must be considered
- a national or member state law can set out a task and identify the controller
- the law imposes an obligation on an organization which involves the processing of PD - the nature of data is determined by law but the organization that is subject to obligation will be the controller
alone or jointly with others
several different entities may be controllers for the same processing if they are all involved in the relevant decision making.
purposes and means
why and how of the processing activity
purpose: goal, anticipated result, reason
means: the customer must determine essential means and can leave non-essential means to the processor but the controller must be fully informed of the means used because of its obligations to:
- be able to demonstrate compliance with GDPR (A24)
- only use processors providing sufficient guarantees (A28)
- ensure appropriate level of security (A32)
systems and infrastructure but also other elements necessary to achieve the purpose (which data, how long, categories of recipients, categories of DS)
non-essential means - more practical aspects (e.g. use of SW)