Chapter 6 - Data Processing Principles Flashcards
What are the data processing principles under GDPR and which article?
-Article 5 GDPR lists the data processing principles
-Lawfulness, Fairness &Transparency
-Purpose limitation
-Data minimisation
-Accuracy
-Storage limitation
-Integrity & confidentiality
-GDPR redefines and reinforces the existing principles from the DP Directive
-Adds the accountability principle, requiring data controllers to demonstrate compliance.
What does fairness mean under GDPR?
-Data subjects must be aware that their PD will be processed, including how the data will be collected, kept, and used.
-Allows them to make informed decisions and exercise their DP rights.
-Processing is deemed fair if it is automatically permitted by law, regardless of the data subject’s knowledge or preferences e.g., employee pay being shared to tax authorities.
-Fairness also requires assessing how the processing will affect the data subject and ensuring that any negative impact is justified e.g., travel agency raising prices based on user analytics may be deemed as unfair
-However fair in cases like police officer collecting PD from individual driving above limit.
What does lawfulness mean under GDPR?
-PD must only be processed when data controllers have a legal ground for processing the data.
Requires the data processing to be allowed by and carried out within the limits of applicable laws, including DP laws and other regulations such as employment, competition, health, tax, or public interest.
-Under GDPR, processing is lawful if one of the following legal grounds is met:
(1) consent, (2) contract (3) performance, (4) legal obligation, (5) vital interest, (6) public interest, or (7) legitimate interest.
What does transparency mean under GDPR?
-Controller must be open and clear towards data subjects when processing personal data.
-GDPR eliminates the general obligation to notify DPAs & instead promotes informing data subjects about how their PD are processed -> reinforced by Recital 89
-GDPR prescribes the minimum information data controllers must provide, depending on whether the data are obtained directly from the data subject or from other sources.
-Transparency requires the information to be clear, concise, easy to understand, and provided in a timely manner.
-To children -> GDPR stresses need for simple/plain language for children to understand Medical -> plain language Digital environment ->short, layered privacy notices/ on-time
What is purpose limitation under GDPR?
-Data controllers must only collect and process PD to accomplish specified, explicit, and legitimate purposes.
-PD should not be processed beyond these purposes unless the further processing is considered compatible with the original purposes.
-Secondary processing is lawful if it is compatible with the original purpose.
-If not, a separate legal ground is required, such as (1) legitimate interest, (2) legal obligation, or (3) consent
What are key examples of compatible and incompatible purposes for data processing under the GDPR?
Compatible Purpose:
Fitness App: Collecting and processing personal data to recommend a personalized fitness routine. Further processing to identify technical errors in the app is compatible because it is linked to the original purpose and reasonably expected by users.
Incompatible Purpose:
Medication Reminder App: An app developed to remind patients to take their medication. Sharing personal information with a company that sells the medication for promotion and commercialization is not compatible with the original purpose.
Health Professional: Collecting personal data to assess and treat patients. Sharing the patient list with an insurance company to offer services (e.g., life or health insurance) is incompatible with the original purpose.
What is data minimisation under GDPR?
-Data controllers must only collect and process personal data that are relevant, necessary, and adequate to accomplish the purposes for which it is processed.
-According to European DP Supervisor -> controllers should limit the collection of personal information to what is directly relevant and necessary.
-This principle requires applying concepts of necessity and proportionality to the data processing.
What does necessity mean under GDPR?
-Controllers must assess whether the PD to be collected is suitable and reasonable to accomplish the specific purposes.
-PD should be collected only if it is necessary to attain the purpose.
-Controllers should verify if the purpose can be accomplished using anonymous or anonymised data.
-If PD is required, controllers should ensure that the data collected is relevant and necessary.
What does proportionality mean under GDPR?
-Controllers should consider the amount of data to be collected and its adequacy in relation to the purpose.
-Collecting excessive data without restrictions is considered disproportionate and a breach of the data minimisation principle.
-Controllers should assess the potentially adverse impact of the processing and verify if alternative means exist that may lead to less intrusive processing.
What is an example of proportionality and data minimisation?
-The Spanish Data Protection Agency (AEPD) stated that a fingerprint recognition system is proportional only if:
It is limited to certain dependencies of the university.
The algorithms of the students’ fingerprints remain in their possession and are not incorporated into the system.
Disproportionate Uses:
Other Biometric Data: The AEPD considered the use of keystrokes and facial recognition disproportionate because less intrusive means could achieve the same purpose.
-Avoiding excessive data collection & using less intrusive methods when possible.
What is accuracy under GDPR?
-Controllers must take reasonable measures to ensure the data are accurate and, where necessary, kept up to date.
-Includes implementing processes to prevent inaccuracies during data collection and ongoing processing.
-Controllers must ensure the data are collected from reliable sources and preserve accuracy when integrating and combining data from multiple sources.
-Accuracy may require updating information and correcting errors.
-E.g., UK ICO states its okay to keep records of events happened in error - for example misdiagnosis of medical condition
-Embodies responsibility to respond to DSRs (data subject requests) to correct records that contain incomplete info/ misinfo
What is storage limitation under GDPR?
-PD must not be kept for longer than necessary for the purposes for which the data is processed.
-Once the information is no longer needed, personal data must be securely deleted.
-Article 5(1)(e) of the GDPR states that personal data must be kept in a form that permits identification of data subjects for no longer than necessary.
-Controllers must assess the purposes for which the data are used and set data retention periods accordingly.
-Once storage periods expire, data must be deleted / anonymised in absence of sound new reason to retain it.
-When organisations store PD in 3rd party environments -> controller may consider establishing internal controls to ensure PD deleted by 3rd party
What is integrity and confidentiality under GDPR?
-According to Article 5(1)(f) GDPR PD must be processed in a manner that ensures appropriate security, protection against unauthorised/ unlawful processing and accidental loss, destruction, or damage.
-Controllers must implement technical and organisational measures to protect PD -> e.g., pseudonymisation and encryption.
-Controllers should consider internationally recognised standards like ISO/IEC 27001 (Information Security Management) or NIST (National Institution of Standards and Technology)
-Additional care to be taken when processing sensitive PD
Overview of Data Processing Principles
-GDPR embraces and redefines data processing principles / most globally prominent DP law
-Requires organisations to implement privacy principles such as minimising data collection, limiting data retention, handling personal data transparently and securely, ensuring accuracy, and respecting data subject rights.
-GDPR imposes the burden of proof on organizations to demonstrate compliance with these principles.
-As virtual social interactions and technologies evolve, these principles remain essential to preserving privacy in the changing international cyberspace.
