Chapter 4 - Data Protection Concepts Flashcards
What is the definition of personal data? (PD)
-According to GDPR
-Any information relating to an identified or identifiable natural person (data subject(
-Reference to an identifier -> a name, an identification number, location data, an online identifier
-Factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
What did WP29 set out as personal data?
-Within Opinion 4/2007
-Four building blocks:
1. Any information
2. Relating to
3. An identified or identifiable
4. Natural person
What is the first building block set out by WP29?
-‘Any information’
-Any type statements about a person - both objective and subjective might be considered PD.
-Example: employment records held by employer - degree/ head of X/ good worker
-Info does NOT need to be true to be considered PD
-Any sort of info - CJEU widely interpreted private & family life concept - can include professional/public sphere of individual
What does the GDPR state about the form of processing?
-In any form - GDPR expressly applies to automated processing
-Article 2(1) includes processing by manual means 0 e..g., computer memory, paper files in hospitals, a tape recording phone calls, images on CCTV
-Recital 15 clarifies GDPR intended to be technolog netural but vague about filing system covered by manual processing
What is the second building block?
-‘Relating to’
-To be PD, info must be about an individual
-Relationship between individual & info is not always easily established
-Info relating to objects, processes, events could be PD e.g., value of a car if asset of owner & paus taxes / by garage if using PD for bill but mileage for example would not be
-Requires context -> customer query email is not but test score relates to student
-Purpose and result element
-Result element exists when processing of certain info ahs an impact on individual’s rights and interests
-However, not always the case - CJEU held case in relation to application for residency permit not PD - lots of national governments disagreed.
What is the 3rd building block -WP29 Personal Data Definition
?
-‘Identified or identifiable’
-In Opinion 4/2007 - WP29 states a natural person is identifiable when it is possible to identify them (even if not now)
-Directly identified by name but also indirectly by IP address/ ID number
-Can be identifiable because info combined with other pieces of info will allow individual to be distinguished from others
e.g., WP29 - Web traffic surveillance tools -> possible to identify the behaviour of machine & its user - individual can be pieced together by attribute
-Element of identifiability challenge for data controllers -> rise of big data, low storage costs & super-fast processing = increased likelihood of jigsaw identification
-Recital 29 - account to be taken of all objective factors & available tech at time of processing/ tech developments.
What is the uncertainty surrounding the 3rd building block -WP29 PD Definition?
-Hypothetical identification is not sufficient to make information identifiable - must be reasonable likelihood
-WP29 recognised that possibility of singling out an individual does not exist - then person isn’t considered as identifiable & info IS NOT PD.
-Some controllers argued if they are unlikely ever to identify most of individuals in data set, data set will not comprise PD although certain elements may become PD once linked to individual.
-E..g, CCTV - small % of material collected
-WP29 has always taken view that this info must be treated as PD since fundamental purpose of processing is to single out & identify individuals where required.
What has the CJEU ruled in relation to identifiability and what was the significance of the Patrick Breyer v Bundesrepublic Duetschland case?
-Confirms wide scope of identifiability
-CJEU rules dynamic IP addresses are capable of constituting PD under certain circumstances
-Patrick Breyer v Bundesrepublic Duestchland - German Federal Court - referred 2 questions - challenges collection & use of dunamic IP addresses to allow data on wesbite to be transferred to correct recipient where new number assigned to device for each connection from websites run by German Gov
-The gov justified this as prevention of crime, particularly denial of service attacks (DOS)
What does Recital 26 GDPR set out?
-To determine whether natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly
-Objective factors -> costs of/ amount of time required for identification, available tech at time of processing & tech developments
What does the CJEU view in relation to dynamic IP addresses?
-That they could constitute PD on the grounds that a person could be ‘indirectly identified’ if IP addresses combined with data held by internet service providers (ISPs)
-E.g., when third party holds info likely to be used to identify website user when put with dynamic IP address held by website provider = IP addresses could be PD
-e.g., federal gov could go to ISPS as a 3rd party to obtain further info - German law provided mechanism to do this legally in event of cyberattack -> create likelihood of combining info to identify individual
What is the GDPR view & application of anonymous data vs psuedonymous?
-GDPR does NOT apply to anonymous info -> info that does not relate to an identified or identifiable natural person/ PD rendered anonymous that data subject no longer identifiable
-Complete anonymisation is difficult within single organisation
-GDPR applies to psuedonymised data & promotes psuedonymisation as important safeguard to achieve data minimisation for privacy/ acknowledges additional protection is helpful
What is psuedonymous data/ psuedonymisation?
-Processing of PD in a manner that it PD can no longer be linked to a specific data subject without the use of additional info, ensuring that the additional info is kept separate & is subject to technical/organisational measures to ensure not linked to id nat person
-Helps to satisfy data minimisation requirements
-Also known as deidentified data, indirectly identifiable data & psuedoanonymised data (not defined in GDPR but still would be psuedo not anon)
-e.g., reference number
What is the uncertain impact of psuedonymisation?
-Data sharing
-If business chose to share psuedonmyised data set with 3rd party for analysis -> 3rd party could reasonably say it was analysing anonymised data
-But this is not the case for all data sets e.g., health records individuals may still be identifiable even if direct identifiers removed
What is personally identifiable info? (PII)
-Not defined in GDPR so CANNOT assume its the same as personal data
-e.g., US sites often state they do not collect PII as they do not consider IP addresses to be PII
What is the fourth building block - WP29 PD Definition?
-‘natural person’
-Applies to natural persons regardless of their country of residence, subject -> to provisions of Article 3 territorial scope
-GDPR does not seek to define natural person -> leaves to MS
-Rectial 27 states GDPR does not apply to PD of deceased, may be protected through standard contractual clauses (SCCs) although MS rules apply
What is sensitive personal data?
-Special categories of PD
-Revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership
-Also processing of genetic data, biometric data for purpose of uniquely identifying a natural person, data concerning health / natural person’s sex life/ sexual orientation
What is genetic data?
-PD relating to inherited or acquired genetic characteristics of a natural person
-Gives unique info about the physiology/ health of that natural person
What is data relating to health?
-PD relating to physical or mental health of a natural person
-Including provision of health care services, health status, past present or current physical or mental health status of data subject
. Info about natural person collected in course of registration/ provision of healthcare services
. Number/ symbol / other identifier assigned to uniquely identify for health purposes
. Info derived from testing/ examination of body part/ bodily substance/ from genetic data or biological samples
. Info on disease, disability, disease risk, clinical treatment etc (from medical device, hospital, health profes)
What is the view on photos/ videos?
-Recitals say processing of photographs should not be considered processing of special category PD as definition covered by biometric data
-GDPR does not address point that photographs may also reveal a persons racial origins, religious beliefs, physical disabilities
-Regulators indicate purpose of processing photos is relevant
-EDPB Guidelines 3/2019 -> video footage showing data subject wearing glasses/ using wheelchair -> NOT considered to be special categ PD
-HOWEVER, if video footage processed to deduce special categ PD then Article 9 applies.
What is a data controller?
-Natural or legal person, public authority, agency, any other body which alone or jointly
-determines the purposes & means of processing PD (how PD collected, stored, used, altered, disclosed)
-KEY decision maker with regard to PD
-According to GDPR, most compliance responsibilites fall on data controller / First target of enforcement action by DPAs
What are the key responsibilites of a data controller under GDPR?
-Responsible for providing info to data subject
-Ensuring processing had legitimate basis
-Data subject’s rights are honoured
-Carrying out DP Impact Assessments (DPIAs) in case of high risk processing
-Ensuring appropriate security for data
-Determining whether notification to DP authorities (DPAs) or data subjects is necessary in case of PD breach
What are the key responsibilites of a data processor under GDPR?
-Ensuring its international data transfers comply with GDPR
-Have appropriate security in place
-Notify data controllers if data breach
What is a data processor?
-A person other than an employee of the controller who processes PD on behalf of the controller
What are the 5 building blocks on concepts of controller and processor in GDPR and which Guidelines were they identified in?
- Natural or legal person, public authority, agency of other body
- Determines
- Alone or jointly with others
- The purposes and means
- Of the processing of PD
-EDPB Guidelines 07/2020
