Chapter 4 Data Protection Concepts Flashcards
What is personal data?
Any information relating to an identified/identifiable person
What information will be considered personal data under the GDPR?
Nature - any statement about a person (both objective/subjective)
Content - any sort of information
Format - GDPR specifically applies to information processed by automated means & processed by manual means if the data forms part of a filing system
Does the value of Tim’s car qualify as personal data, if it is used for the purpose of calculating their tax liability?
Yes, because the information relates to a person.
What three elements must be present for personal data to relate to an individual?
Content - when the info relates to the person in the most common sense of the word.
Purpose - used to evaluate, consider or analyse the individual in a certain way
Result - processing has an impact on the individual's rights
When is a natural person identifiable according to Working Party 29?
If the person is identified or there is a possibility of identifying them.
What was the Patrick Breyer v. Bundesrepublik Deutschland decision?
Dynamic IP addresses could be personal data because a person could be indirectly identified by combining the dynamic IP address with ISP data, which the government could obtain legally.
Does the GDPR apply to anonymous data?
No.
What is Pseudonymisation?
The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
What is a natural person?
Not defined in the GDPR; left to national legislation.
Does the GDPR apply to deceased person information?
No. Recital 27 states that the GDPR does not apply to personal data of deceased persons.
What is sensitive personal data?
personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation
What is genetic data?
personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question
What is data concerning health?
related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status, including all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject
What is a data controller?
natural or legal person, public authority, agency or other body which alone or jointly determines the purposes and means of the processing of personal data.
What is a processor?
a person (other than a controller’s employee), who processes personal data on behalf of a controller.
What are the 5 building blocks for identifying a controller?
According to Guidelines 07/2020:
- ‘The natural or legal person, public authority, agency or other body’
- ‘Determines’
- ‘Alone or jointly with others’
- ‘The purposes and means’
- ‘Of the processing of personal data’
Elaborate on “the natural or legal person, public authority, agency or other body” building block.
Doesn’t include employees of a controller unless the employee in question processes said data exceeding their authority.
How can you determine whether a person ‘determines’ the processing?
Who initiated the process, why the processing was initiated, and whether it is a legal obligation on the processor. In the case of SaaS, it is the business that purchased the system.
Explain “alone or jointly with others”
Many entities may be controllers for the same processing.
What is the difference between essential and non-essential means of processing?
Essential means are key in determining who the controller is. They include systems and infrastructure and other elements necessary to achieve the purpose of processing.
Describe the judgment in the Fashion ID case
That Fashion ID and Facebook were joint controllers. This was based on the fact that Fashion ID collected data through their Facebook plugin on their website, even though they did not have direct access to the data which was collected on Facebook's end.
Describe the Wirtschaftsakademie case
A Facebook page administrator was found to be a joint controller with Facebook as he defined the parameters which determined Facebook's processing, which gave him statistical data.
What is a processor?
a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller per the GDPR.
What are the two building blocks for a person to be a processor?
- separate legal person
- processing personal data on behalf of the controller