Chapter 4 Data Protection Concepts Flashcards
What is personal data?
Any information, relating to, an identified/identifiable person
What information will be considered personal data under the GDPR?
Nature - any statement about a person (both objective/subjective)
Content - any sort of information
Format - GDPR specificcally applies to information processed by automated means & processed by manual means if the data forms part of a filing system
Does the value of Tim’s car qualify as personal data, if it is used for the purpose of calculating their tax liability?
Yes, because the information relates to a person.
What three elements must be present for personal data to relate to an individual?
content - when the info relates to the person in the most common sense of the word.
Purpose - used to evaluate,consider or analyse the individual in a certain way
result - processing has an impact on the individuals rights
When is a natural person identifiable according to Working Party 29?
if identified or there is a possibility to do so.
What was the Patrick Breyer v. Bundesrepublik Deutschland decision
dynamic IP addresses could be personal data because a person could be indirectly identified by combining the dynamic IP Address with ISP data, which the government could obtain legally.
Does the GDPR apply to anonymous data?
No.
What is Pseudonymisation?
The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
What is a natural person?
not defined in the GDPR left to national legislation.
Does the GDPR apply to deceased person information?
No, Recital 27 states that GDPR does not apply to personal data of deceased persons.
What is sensitive personal data?
personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation
What is genetic data?
personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question
what is data concerning health?
related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status, including all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject
What is a data controller?
natural or legal person, public authority, agency or other body which alone or jointly determines the purposes and means of the processing of personal data.
What is a processor?
a person (other than an controller’s employee), who processes personal data on behalf of a controller.
What are the 5 building blocks for identifying a controller,
According to Guidelines 07/2020:
- ‘The natural or legal person, public authority, agency or other body’
- ‘Determines’
- ‘Alone or jointly with others’
- ‘The purposes and means’
- ‘Of the processing of personal data’
elaborate on “the natural or legal person, public authority, agency or other body” building block.
doesn’t include employees of a controller unless the employee in question processes said data exceeding the authority.
How can you determine whether a person ‘determines’ the processing?
who initiated the process, why the processing was initiated, is it a legal obligation on the processor? in the case of SaaS it is the business who purchased the system.
Explain
alone or jointly with others
many entities may be controllers for the same processing.
What is the difference between essential and non-essential means of processing?
essential means are key in determining who the controller is. they include systems and infrastructure and other elements necessary to achieve the purpose of processing.
Describe the judgment in the Fashion ID case
that Fashion ID and Facebook were joint controllers. This was based on the fact that Fashion ID collected data through their facebook plugin on their website, even though they did not have direct access to the data which was collected on Facebooks end
Describe the Wirtschaftsakademie case
a facebook page administrator was found to be a joint controller with Facebook as he defined the parameters which determined Facebooks processing which gave him statistical data.
What is a processor?
a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller per the GDPR.
What are the two building blocks for a person to be a processor?
- separate legal person
- processing personal data on behalf of the controller
can an entity’s department be a processor?
No, but another entity in the same organisational group may be.
Can a controller delegate the determination of the means of processing?
Yes, only for technical or organisational questions are concerned. but the processor cannot determine the purpose of processing.
Describe the content of a processing contract.
must stipulate:
- data must only processed on documented instructions.
- that authorised persons to process the personal data have committed to confidentiality
- take measures pursuant to article 32 on security of processing
- respect the conditions for enlisting another processor
- advise the controller on technical and organisational measures to fulfil requests to exercise data subject rights
- assist in complying with obligations 32 - 36
- delete/ return all personal data to the controller after the end of data processing services
- be able to show compliance with Art 28, allow for audits and inspections by controller orauditor mandated by controller.
What does Article 28 (3) of the GDPR refer to
the written agreement for the processing by a processor, and the contents of said agreement.
What must a processor do to outsource processing to another processor?
article 28 (2)of GDPR: obtain written authorisation, which may be general or specific and give the controller the opportunity to object.
does outsourcing sub-processing absolve the processor of its liability to the controller?
No.
should a data subject be notified of the arrangement between joint controllers?
Yes, but only the essence. According to Guidelines 07/2020: the essensce should address the elements referenced in Act 13 & 14
Define processing?
operation/set of operations performed on personal data or sets of personal data, whether by automated or non-automated means. However, for the GDPR to apply, the processing must be automated means/or form part of a filing system.
Who is a data subject?
not defined in the GDPR. Additionally, one may be a data subject but not have the GDPR apply to them.
