Chapter 6 Data Processing Principles Flashcards
What are the data protection principles?
- Lawfulness, fairness and transparency.
- Purpose limitation
- data minimisation
- accuracy
- storage limitation
- integrity and confidentiality
What does the lawfulness, fairness, and transparency principle espouse?
processing must have a legal ground and be fair and transparent towards the data subjects.
describe the lawfulness principle
there must be a legal basis for processing the data, i.e. within the limits of the applicable laws (beyond data protection laws)
describe the six legal grounds
- consent
- contract performance
- legal obligation
- vital interest of individual
- public interest
- legitimate interest
describe consent legal ground
data subject has given free consent to the processing for one or more specific purposes
describe the contract performance legal ground
processing necessary for the performance of a contract to which the data subject is a party, or for steps necessary to enter into a contract with the data subject.
describe legal obligation legal ground
processing is necessary for compliance with a legal obligation
describe vital interest of individuals legal ground
necessary to protect the vital interests of the data subject or another natural person.
describe public interest legal ground
necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
describe legitimate interest legal ground
necessary for the purposes of the legitimate interest of the controller/third party as long as the interests are overridden by the rights and freedoms of the data subject. *doesn’t apply to public authority processing
describe the fairness principle
means that data subjects must be aware that their data will be processed, incl. how the data will be collected, stored and used. this allows the data subject to make a decision.
describe the transparency principle
controller must be open and clear towards data subjects when processing personal data.
What does Recital 89 espouse
eliminates notification of processing to the data protection authorities. instead it is encouraged that data subjects be informed.
describe the grounds where the GDPR exempts controllers from the duty to inform data subjects
- where info is obtained directly from the data subject & the subject is already aware of the information.
- where providing information would be disproportionate effort
- protecting the subject's legitimate interest where the disclosure is expressly governed by the applicable law
- preserving the confidentiality of the information
What are controllers expected to do to be ‘transparent’?
provide data subjects with information timeously, in a clear, concise and easy to understand manner.
What are the considerations of providing clear and easily accessible information
type of data to be processed, manner in which it will be collected, where the data is sourced (i.e. from the data subject herself or from other sources)
how can processing be transparent when relating to children’s data
use simple and plain language to allow children to understand
how can processing be transparent when done by a professional specialist
no jargon; use simple English
how can controllers ensure transparency when making transparency notices
no lengthy privacy notices; simple English with on-time privacy notices.
describe the purpose limitation principle
data must be collected and processed to accomplish explicit and legitimate purposes, and not be processed beyond such purposes
how can a controller assess whether the secondary use of data is compatible with the original purpose
take into account:
1. link between the original purpose and intended further processing.
2. context which the data was collected (reasonable expectations of data subjects)
3. nature of the personal data
4. consequences of further processing
5. existence of proper safeguards.
*must all be fulfilled
describe the data minimisation principle
controllers must only collect and process personal data which is relevant, necessary and adequate to accomplish the purpose for which it is processed.
what are the two considerations when ensuring data minimisation
necessity and proportionality
describe the necessity principle
whether the data collected is suitable and reasonable to accomplish the specific purposes
describe the proportionality principle
controller must consider the amount of data collected and its adequacy.
what does the controller consider when assessing adequacy
consider the potential adverse impact of processing, and whether alternative means exist.
describe the accuracy principles
controller must take reasonable measures to ensure the data are accurate and, where necessary, kept up to date.
what processes can be implemented to ensure accuracy
verify data,
describe the storage limitation principle
data must not be kept for longer than is necessary for the purpose for which it is processed. this applies to each processing operation and each set of data.
How long can controllers retain data for if the law is silent on retention periods
strict minimum
Should controllers document different data retention periods for different data sets
yes.
What should the data controller do with data once the retention period expires
- delete, or
- anonymise, or
- archive for statistical, scientific or research purposes.
describe the integrity and confidentiality principle
ensuring appropriate security of the personal data, incl. protection against unauthorised or unlawful processing of data.