Chapter 4 - Data Protection Concepts Flashcards
What is the definition of personal data? (PD)
-According to GDPR
-Any information relating to an identified or identifiable natural person (data subject)
-Reference to an identifier -> a name, an identification number, location data, an online identifier
-Factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
What did WP29 set out as personal data?
-Within Opinion 4/2007
-Four building blocks:
1. Any information
2. Relating to
3. An identified or identifiable
4. Natural person
What is the first building block set out by WP29?
-‘Any information’
-Any type of statement about a person, both objective and subjective, might be considered PD.
-Example: employment records held by an employer - degree / head of X / good worker
-Info does NOT need to be true to be considered PD
-Any sort of info - CJEU has widely interpreted the concept of private & family life; it can include the professional/public sphere of the individual
What does the GDPR state about the form of processing?
-In any form - GDPR expressly applies to automated processing
-Article 2(1) also covers processing by manual means where the data form part of a filing system - e.g., computer memory, paper files in hospitals, a tape recording of phone calls, images on CCTV
-Recital 15 clarifies GDPR is intended to be technology neutral, but is vague about which filing systems are covered by manual processing
What is the second building block?
-‘Relating to’
-To be PD, info must be about an individual
-Relationship between individual & info is not always easily established
-Info relating to objects, processes or events could be PD e.g., the value of a car relates to its owner if it is an asset on which they pay taxes; if a garage uses the owner's PD to issue a bill, the bill is PD but the mileage figure on its own would not be
-Requires context -> customer query email is not but test score relates to student
-Purpose and result element
-Result element exists when processing of certain info has an impact on an individual's rights and interests
-However, not always the case - CJEU held that the legal analysis in an application for a residence permit was not PD - many national governments disagreed.
What is the 3rd building block - WP29 Personal Data Definition?
-‘Identified or identifiable’
-In Opinion 4/2007 - WP29 states a natural person is identifiable when it is possible to identify them (even if not now)
-Directly identified by name but also indirectly by IP address/ ID number
-Can be identifiable because info combined with other pieces of info will allow individual to be distinguished from others
e.g., WP29 - Web traffic surveillance tools -> possible to identify the behaviour of machine & its user - individual can be pieced together by attribute
-Element of identifiability challenge for data controllers -> rise of big data, low storage costs & super-fast processing = increased likelihood of jigsaw identification
-Recital 29 - account to be taken of all objective factors & available tech at time of processing/ tech developments.
What is the uncertainty surrounding the 3rd building block -WP29 PD Definition?
-Hypothetical identification is not sufficient to make information identifiable - there must be a reasonable likelihood
-WP29 recognised that where the possibility of singling out an individual does not exist, the person is not considered identifiable & the info IS NOT PD.
-Some controllers argued if they are unlikely ever to identify most of individuals in data set, data set will not comprise PD although certain elements may become PD once linked to individual.
-E.g., CCTV - only a small % of the material collected is ever linked to an identified individual
-WP29 has always taken view that this info must be treated as PD since fundamental purpose of processing is to single out & identify individuals where required.
What has the CJEU ruled in relation to identifiability and what was the significance of the Patrick Breyer v Bundesrepublik Deutschland case?
-Confirms wide scope of identifiability
-CJEU ruled dynamic IP addresses are capable of constituting PD under certain circumstances
-Patrick Breyer v Bundesrepublik Deutschland - the German Federal Court of Justice referred 2 questions - Breyer challenged the collection & storage of dynamic IP addresses (a new number assigned to the device for each connection, used to route data from the website to the correct recipient) by websites run by the German federal government
-The gov justified this as prevention of crime, particularly denial of service (DoS) attacks
What does Recital 26 GDPR set out?
-To determine whether natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly
-Objective factors -> costs of/ amount of time required for identification, available tech at time of processing & tech developments
What does the CJEU view in relation to dynamic IP addresses?
-That they could constitute PD on the grounds that a person could be ‘indirectly identified’ if IP addresses combined with data held by internet service providers (ISPs)
-E.g., when third party holds info likely to be used to identify website user when put with dynamic IP address held by website provider = IP addresses could be PD
-e.g., the federal gov could go to the ISP as a 3rd party to obtain further info - German law provided a mechanism to do this legally in the event of a cyberattack -> creates a reasonable likelihood of combining info to identify the individual
What is the GDPR view & application of anonymous data vs pseudonymous?
-GDPR does NOT apply to anonymous info -> info that does not relate to an identified or identifiable natural person, or PD rendered anonymous such that the data subject is no longer identifiable
-Complete anonymisation is difficult within single organisation
-GDPR applies to pseudonymised data & promotes pseudonymisation as an important safeguard to achieve data minimisation for privacy / acknowledges the additional protection is helpful
What is pseudonymous data / pseudonymisation?
-Processing of PD in such a manner that the PD can no longer be attributed to a specific data subject without the use of additional info, provided that the additional info is kept separately & is subject to technical/organisational measures to ensure it is not attributed to an identified or identifiable natural person
-Helps to satisfy data minimisation requirements
-Also known as de-identified data, indirectly identifiable data & pseudo-anonymised data (not defined in GDPR, but still pseudonymous, not anonymous)
-e.g., reference number
What is the uncertain impact of pseudonymisation?
-Data sharing
-If a business chose to share a pseudonymised data set with a 3rd party for analysis -> the 3rd party could reasonably say it was analysing anonymised data
-But this is not the case for all data sets e.g., health records - individuals may still be identifiable even if direct identifiers are removed
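Worked example (added here, not part of the original flashcards): the two cards above in code. A hospital pseudonymises patient records by replacing the name with a keyed HMAC token (a keyed hash is used instead of the plain reference number mentioned earlier, so that the "additional info" is a single key rather than a table that must itself be protected). Re-identification works only for whoever holds the key. The second half shows the health-records caveat: even with the key withheld, the remaining quasi-identifiers (date of birth + postcode) can be linked against a separately held public register, so the shared set is pseudonymous, not anonymous. All records, the register and the key are constructed sample data, and the function names are this example's own.

```python
"""Pseudonymisation vs anonymisation: an added illustration with constructed data."""
import hashlib
import hmac
from collections import Counter, defaultdict

# Constructed sample (not real people): records held by a hospital (the controller).
PATIENTS = [
    {"name": "Alice Example", "dob": "1984-03-02", "postcode": "SW1A 1AA", "diagnosis": "asthma"},
    {"name": "Bob Sample",    "dob": "1990-11-15", "postcode": "M1 1AE",   "diagnosis": "diabetes"},
    {"name": "Carol Test",    "dob": "1984-03-02", "postcode": "SW1A 1AA", "diagnosis": "hypertension"},
    {"name": "Dan Demo",      "dob": "1975-07-30", "postcode": "EH1 1YZ",  "diagnosis": "asthma"},
]

# Constructed sample of a separately held public data set (think: electoral roll
# extract) that a third party could reasonably obtain. It does not hold diagnoses.
REGISTER = [
    {"name": "Alice Example", "dob": "1984-03-02", "postcode": "SW1A 1AA"},
    {"name": "Carol Test",    "dob": "1984-03-02", "postcode": "SW1A 1AA"},
    {"name": "Bob Sample",    "dob": "1990-11-15", "postcode": "M1 1AE"},
    {"name": "Dan Demo",      "dob": "1975-07-30", "postcode": "EH1 1YZ"},
    {"name": "Eve Other",     "dob": "1990-11-15", "postcode": "M2 5BQ"},
]

# Hypothetical secret: this is the "additional information" of the definition and
# must be stored apart from the shared data, under its own access controls.
KEY = b"hypothetical-pseudonymisation-key-kept-separately"


def pseudonymise(records, key):
    """Replace the direct identifier (name) with an HMAC-SHA256 token.

    Returns (records safe to share, lookup table). Only the lookup table, or the
    key that regenerates it, lets anyone go from token back to name.
    """
    shared, lookup = [], {}
    for r in records:
        token = hmac.new(key, r["name"].encode("utf-8"), hashlib.sha256).hexdigest()[:16]
        lookup[token] = r["name"]
        shared.append({"id": token, **{k: v for k, v in r.items() if k != "name"}})
    return shared, lookup


def reidentify(record, lookup):
    """Controller-side reversal: needs the separately held lookup table."""
    return lookup.get(record["id"])


def link_to_register(shared, register, quasi=("dob", "postcode")):
    """Third-party linkage attack using only quasi-identifiers, no key.

    Returns (token -> name for rows that match exactly one register entry,
             number of rows that matched but were ambiguous).
    """
    index = defaultdict(list)
    for person in register:
        index[tuple(person[q] for q in quasi)].append(person["name"])
    identified, ambiguous = {}, 0
    for r in shared:
        candidates = index.get(tuple(r[q] for q in quasi), [])
        if len(candidates) == 1:
            identified[r["id"]] = candidates[0]
        elif candidates:
            ambiguous += 1
    return identified, ambiguous


def k_anonymity(shared, quasi=("dob", "postcode")):
    """Smallest group of rows sharing the same quasi-identifier values.

    k == 1 means at least one row is unique on those attributes, i.e. it can be
    singled out without any key.
    """
    counts = Counter(tuple(r[q] for q in quasi) for r in shared)
    return min(counts.values())


if __name__ == "__main__":
    shared, lookup = pseudonymise(PATIENTS, KEY)
    print("shared row:", shared[0])
    print("with key:", reidentify(shared[0], lookup))
    print("without key:", reidentify(shared[0], {}))
    identified, ambiguous = link_to_register(shared, REGISTER)
    print("re-identified via quasi-identifiers:", identified, "ambiguous:", ambiguous)
    print("k-anonymity of shared set:", k_anonymity(shared))
```

Running it shows that the shared rows carry no name and cannot be reversed without the lookup table, but that two of the four patients (and their diagnoses) are recovered by joining on date of birth and postcode alone, and the set has k-anonymity 1. That is the Recital 26 "means reasonably likely to be used" test in miniature: the recipient's ability to obtain the register, not the absence of the key, decides whether the data is still PD in their hands.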
What is personally identifiable info? (PII)
-Not defined in GDPR so CANNOT assume it's the same as personal data
-e.g., US sites often state they do not collect PII as they do not consider IP addresses to be PII
What is the fourth building block - WP29 PD Definition?
-‘natural person’
-Applies to natural persons regardless of their country of residence, subject -> to provisions of Article 3 territorial scope
-GDPR does not seek to define natural person -> leaves to MS
-Recital 27 states GDPR does not apply to the PD of deceased persons, although MS may provide rules for it
What is sensitive personal data?
-Special categories of PD
-Revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership
-Also processing of genetic data, biometric data for purpose of uniquely identifying a natural person, data concerning health / natural person’s sex life/ sexual orientation
What is genetic data?
-PD relating to inherited or acquired genetic characteristics of a natural person
-Gives unique info about the physiology/ health of that natural person
What is data relating to health?
-PD relating to physical or mental health of a natural person
-Including provision of health care services, health status, past present or current physical or mental health status of data subject
. Info about natural person collected in course of registration/ provision of healthcare services
. Number/ symbol / other identifier assigned to uniquely identify for health purposes
. Info derived from testing/ examination of body part/ bodily substance/ from genetic data or biological samples
. Info on disease, disability, disease risk, clinical treatment etc. (from a medical device, hospital, health professional)
What is the view on photos/ videos?
-Recital 51: processing of photographs should not systematically be considered processing of special category PD - photos are covered by the definition of biometric data only when processed through specific technical means allowing unique identification
-GDPR does not address point that photographs may also reveal a persons racial origins, religious beliefs, physical disabilities
-Regulators indicate purpose of processing photos is relevant
-EDPB Guidelines 3/2019 -> video footage showing data subject wearing glasses/ using wheelchair -> NOT considered to be special categ PD
-HOWEVER, if video footage processed to deduce special categ PD then Article 9 applies.
What is a data controller?
-Natural or legal person, public authority, agency, any other body which alone or jointly
-determines the purposes & means of processing PD (how PD collected, stored, used, altered, disclosed)
-KEY decision maker with regard to PD
-According to GDPR, most compliance responsibilities fall on the data controller / first target of enforcement action by DPAs
What are the key responsibilities of a data controller under GDPR?
-Responsible for providing info to data subject
-Ensuring processing had legitimate basis
-Data subject’s rights are honoured
-Carrying out DP Impact Assessments (DPIAs) in case of high risk processing
-Ensuring appropriate security for data
-Determining whether notification to DP authorities (DPAs) or data subjects is necessary in case of PD breach
What are the key responsibilities of a data processor under GDPR?
-Ensuring its international data transfers comply with GDPR
-Have appropriate security in place
-Notify data controllers if data breach
What is a data processor?
-A separate natural or legal person (not an employee of the controller) which processes PD on behalf of the controller
What are the 5 building blocks on concepts of controller and processor in GDPR and which Guidelines were they identified in?
- Natural or legal person, public authority, agency or other body
- Determines
- Alone or jointly with others
- The purposes and means
- Of the processing of PD
-EDPB Guidelines 07/2020
What is first building block for data controllers/ processors set out by EDPB Guidelines?
-Data controller may be legal or natural person
-Could be an individual, organisation or group of individuals
-Even if someone hired to ensure DP law compliance, it is still the organisation that is the legal entity
What is the second building block ‘determines’ set out by the EDPB Guidelines?
-Purposes and means of processing PD
-Article 28(10) if processor infringes Regulation by determining purposes & means then processor will be considered to be controller with respect to that processing
-Why is processing taking place? Who initiated it? Contractual designation of parties’ role is not decisive
-Even if an organisation must process PD in accordance with law (e.g., employee registration), the organisation is still the controller (despite the legal obligation to do so)
-Ultimately who exercises the decisive influence on purposes and means of processing & whether processing takes place.
What is the example of determines under EDPB Guidelines?
Example from Guidelines 07/2020:
Scenario: A company uses a cloud storage service provided by a large tech provider.
Service Type: Software-as-a-Service (SaaS) database.
Data Handling: The design of the software determines how data is stored and processed.
Customer’s Role: The customer decides whether to use the service for their data.
Service Provider’s Role: The provider processes and stores data on behalf of the customer, acting as a processor.
What is the 3rd building block ‘alone or jointly with others’ according to EDPB Guidelines?
- Scenario: A controller may determine the purposes of processing alone or jointly with others.
- Key Point: Companies often cooperate on projects and make decisions jointly, especially within the same corporate group.
- Multiple Controllers: Several entities may be controllers for the same processing if they are involved in decision-making.
- Partial Control: An organisation can be a controller even if it doesn’t make all decisions about purposes and means.
- Responsibility: Each organisation involved will be subject to data protection provisions applicable to controllers.
What is the 4th building block according to EDPB Guidelines?
Scenario: The controller determines the purposes (why) and means (how) of processing.
Purpose: The goal or anticipated outcome of processing, such as storing data, maintaining employee records, or CRM.
Essential vs. Non-Essential Means:
Essential Means: Must be determined by the controller to remain the sole controller.
Non-Essential Means: Can be delegated to the processor.
Examples:
Payroll Administrator: Employer instructs on substantive aspects of payment; payroll administrator decides on software and employee access.
Accountants: Determine data needed, analysis methods, and retention period; acting as controllers using professional judgment.
Controller’s Responsibility: Must be informed of the means used by the processor to ensure compliance with GDPR (Articles 24, 28, and 32).
What is the 5th Building Block according to EDPB Guidelines? - Example
-Controllership can be linked to a single processing operation or a set of operations.
-Different actors may be controllers at different stages if their influence is decisive.
Example:
Market Research:
Commissioned Survey: Company specifies information, questions, and demographics; agency conducts survey and provides aggregated results. Company acts as controller.
Annual Surveys: Agency designs and conducts surveys, analyzes results, and offers reports to companies. Agency acts as controller.
Key Point: A company can be a controller without direct contact with personal data.
What is joint controllership?
Concept: Joint controllership involves two or more entities jointly determining the purposes and means of processing.
Importance: Emphasized in GDPR Article 26, increased data-sharing arrangements, and CJEU rulings.
Types of Decisions: Common decisions or converging decisions that complement each other and impact processing.
Example: Fashion ID case - Fashion ID and Facebook were joint controllers for data collection and transmission via a social plug-in.
Responsibility: Entities are controllers for stages where they determine purposes and means. Separate controllership may leave gaps in responsibility.
What is the concept of processor & which GDPR article highlights this?
Role: A processor processes personal data on behalf of the controller without determining purposes.
Example: Pension scheme administrator or cloud provider offering infrastructure as a service (IaaS).
Delegation: Controller can delegate technical or organizational means to the processor.
Obligations: Security, record-keeping, notifying controllers of data breaches, and compliance with international data transfer restrictions.
Article 28: Processor must process data only on controller’s instructions and have a written contract detailing processing nature, purpose, and data categories. Must also assist controller in complying with obligations in Article 32-36. Must at choice of controller delete/ return all PD to controller at end of provision of data processing services.
What is the definition of Processor?
Definition: A processor is a separate legal entity that processes personal data on behalf of the controller.
Building Blocks: Separate legal entity and processing personal data on behalf of the controller.
Examples: Employee benefit support provider, electronic communications services provider.
Delegation: Controller can delegate determination of means to the processor.
Obligations: Security, record-keeping, notifying controllers of data breaches, and compliance with international data transfer restrictions.
What are the consequences of Joint Controllership?
Article 26(1): Joint controllers must determine their respective responsibilities for compliance, especially regarding data subject rights and information provision.
Allocation: Controllers should agree on responsibilities to avoid gaps in compliance.
Considerations: General data protection principles, security measures, breach notifications, DPIAs, use of processors, data transfers, and communication with DPAs.
Documentation: Arrangement should be documented, preferably through a contract or legal act.
Essence: The essence of the arrangement should be made available to data subjects.
What is Processing?
Definition: Any operation performed on personal data, whether automated or not, such as collection, recording, storage, use, disclosure, etc.
Scope: GDPR applies if processing is automated or involves personal data in a filing system.
Filing System: Structured set of personal data accessible according to specific criteria.
What is a data subject?
Definition: An identified or identifiable natural person.
Protection: GDPR protects natural persons, not legal entities.
Deceased Persons: GDPR does not apply to personal data of deceased persons, but member states may have rules in this area.
What are the obligations set out in Article 28 GDPR for processors?
Contract Requirements: Processor must process personal data only on documented instructions from the controller, including data transfers outside the EEA.
Confidentiality: Ensure that persons authorized to process personal data have committed to confidentiality or are under a statutory obligation of confidentiality.
Security Measures: Take all measures pursuant to Article 32 on security of processing.
Subprocessors: Respect conditions for enlisting another processor, including obtaining prior authorization from the controller.
Assistance: Assist the controller with technical and organizational measures to fulfill obligations related to data subject rights, security, DPIAs, and breach notifications (Articles 32-36).
Data Handling: At the controller’s choice, delete or return all personal data after the end of the provision of data processing services.
Compliance: Make available all information necessary to demonstrate compliance with Article 28 obligations and contribute to audits conducted by the controller or another auditor