Chapter 4 Data Protection Concepts

Question 1

What is personal data?

Answer 1

Any information, relating to, an identified/identifiable person

Question 2

What information will be considered personal data under the GDPR?

Answer 2

Nature - any statement about a person (both objective/subjective)
Content - any sort of information
Format - GDPR specificcally applies to information processed by automated means & processed by manual means if the data forms part of a filing system

Question 3

Does the value of Tim’s car qualify as personal data, if it is used for the purpose of calculating their tax liability?

Answer 3

Yes, because the information relates to a person.

Question 4

What three elements must be present for personal data to relate to an individual?

Answer 4

content - when the info relates to the person in the most common sense of the word.
Purpose - used to evaluate,consider or analyse the individual in a certain way
result - processing has an impact on the individuals rights

Question 5

When is a natural person identifiable according to Working Party 29?

Answer 5

if identified or there is a possibility to do so.

Question 6

What was the Patrick Breyer v. Bundesrepublik Deutschland decision

Answer 6

dynamic IP addresses could be personal data because a person could be indirectly identified by combining the dynamic IP Address with ISP data, which the government could obtain legally.

Question 7

Does the GDPR apply to anonymous data?

Answer 7

No.

Question 8

What is Pseudonymisation?

Answer 8

The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Question 9

What is a natural person?

Answer 9

not defined in the GDPR left to national legislation.

Question 10

Does the GDPR apply to deceased person information?

Answer 10

No, Recital 27 states that GDPR does not apply to personal data of deceased persons.

Question 11

What is sensitive personal data?

Answer 11

personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation

Question 12

What is genetic data?

Answer 12

personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question

Question 13

what is data concerning health?

Answer 13

related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status, including all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject

Question 14

What is a data controller?

Answer 14

natural or legal person, public authority, agency or other body which alone or jointly determines the purposes and means of the processing of personal data.

Question 15

What is a processor?

Answer 15

a person (other than an controller’s employee), who processes personal data on behalf of a controller.

Question 16

What are the 5 building blocks for identifying a controller,

Answer 16

According to Guidelines 07/2020:

1. ‘The natural or legal person, public authority, agency or other body’
2. ‘Determines’
3. ‘Alone or jointly with others’
4. ‘The purposes and means’
5. ‘Of the processing of personal data’

Question 17

elaborate on “the natural or legal person, public authority, agency or other body” building block.

Answer 17

doesn’t include employees of a controller unless the employee in question processes said data exceeding the authority.

Question 18

How can you determine whether a person ‘determines’ the processing?

Answer 18

who initiated the process, why the processing was initiated, is it a legal obligation on the processor? in the case of SaaS it is the business who purchased the system.

Question 19

Explain

alone or jointly with others

Answer 19

many entities may be controllers for the same processing.

Question 20

What is the difference between essential and non-essential means of processing?

Answer 20

essential means are key in determining who the controller is. they include systems and infrastructure and other elements necessary to achieve the purpose of processing.

Question 21

Describe the judgment in the Fashion ID case

Answer 21

that Fashion ID and Facebook were joint controllers. This was based on the fact that Fashion ID collected data through their facebook plugin on their website, even though they did not have direct access to the data which was collected on Facebooks end

Question 22

Describe the Wirtschaftsakademie case

Answer 22

a facebook page administrator was found to be a joint controller with Facebook as he defined the parameters which determined Facebooks processing which gave him statistical data.

Question 23

What is a processor?

Answer 23

a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller per the GDPR.

Question 24

What are the two building blocks for a person to be a processor?

Answer 24

1. separate legal person
2. processing personal data on behalf of the controller

Question 25

can an entity's department be a processor?

Answer 25

No, but another entity in the same organisational group may be.

Question 26

Can a controller delegate the determination of the means of processing?

Answer 26

Yes, only for technical or organisational questions are concerned. but the processor cannot determine the purpose of processing.

Question 27

Describe the content of a processing contract.

Answer 27

must stipulate: - data must only processed on documented instructions. - that authorised persons to process the personal data have committed to confidentiality - take measures pursuant to article 32 on security of processing - respect the conditions for enlisting another processor - advise the controller on technical and organisational measures to fulfil requests to exercise data subject rights - assist in complying with obligations 32 - 36 - delete/ return all personal data to the controller after the end of data processing services - be able to show compliance with Art 28, allow for audits and inspections by controller orauditor mandated by controller.

Question 28

What does Article 28 (3) of the GDPR refer to

Answer 28

the written agreement for the processing by a processor, and the contents of said agreement.

Question 29

What must a processor do to outsource processing to another processor?

Answer 29

article 28 (2)of GDPR: obtain written authorisation, which may be general or specific and give the controller the opportunity to object.

Question 30

does outsourcing sub-processing absolve the processor of its liability to the controller?

Answer 30

No.

Question 31

should a data subject be notified of the arrangement between joint controllers?

Answer 31

Yes, but only the essence. According to Guidelines 07/2020: the essensce should address the elements referenced in Act 13 & 14

Question 32

Define processing?

Answer 32

operation/set of operations performed on personal data or sets of personal data, whether by automated or non-automated means. However, for the GDPR to apply, the processing must be automated means/or form part of a filing system.

Question 33

Who is a data subject?

Answer 33

not defined in the GDPR. Additionally, one may be a data subject but not have the GDPR apply to them.