CIPPE Module 4 - Processing Personal Data

Question 1

What are the OECD Guidelines on protection of privacy and trans-border flow of personal data?

Answer 1

1. Collection Limitation
2. Data Quality
3. Purpose specification
4. Use Limitation
5. Security Safeguards
6. Openness
7. Individual Participation
8. Accountability

Question 2

What are the GDPR processing principles?

Answer 2

Defined by Article 5 of the GDPR
1. Lawfulness, fairness and transparency
2. Purpose limitation
3. Data Minimization
4. Accuracy
5. Storage Limitation
6. Integrity and Confidentiality
7. Accountability

Question 3

What is data processing?

Answer 3

Defined by Article 4 (2)
- Any operation on data whether automated or manual
- Collecting, Storing, Using, Sharing, Deleting etc.

Question 4

What is the territorial scope of the law?

Answer 4

GDPR applies when (Article 3):
1. Controller or Processer is established in the EU AND the context of the processing is related to that establishment.
2. Data subjects in the EU and the DC or DP is processing data in relation to offerings of goods/services or DS is in the EU and DC&DP are monitoring behavior in the EU - this applies even if the DC & DP are not in the EU.
3. Controller not in the Union but in a place where member law applies by virtue of public international law.

Question 5

What is the material scope of the law?

Answer 5

GDPR applies when (Article 2):
- Personal data is processed by automated or manual means

Exclusions are:
* Activities outside scope of EU law - e.g. national security activities
* Law enforcement and public security
* Purely personal or household activities

Question 6

What are the lawful grounds for processing personal data?

Answer 6

Six criteria defined by Article 6 of GDPR:
1. Consent
2. Performance of a contract - e.g. to complete a sale
3. Compliance with a legal obligation - e.g. an EU law.
4. Protect the vital interest of a data subject - e.g. to render critical medical assistance
5. Performance of a task in the public interest or exercise of authority - e.g. tax collection
6. Legitimate interests of the controller/3rd party balanced with the rights of the data subject -e.g. a company keeps an address book for its employees to reach each other.

Question 7

What are the characteristics of consent that is a valid basis for processing personal data?

Answer 7

1. Freely given
2. Specific (i.e. to the purpose, and distinct - not bundled with other matters).
3. Informed (no legal mumbo jumbo) - a) identity of the controller, b) purpose of each processing operation c) type of data collected d) right to withdraw consent e)any automated decision and f) transfer to third country.
4. Unambiguous

Best not to rely on consent as a basis.

Employer-employee relations are inherently unequal and employers will find it difficult to claim that consent was freely given. Same with children who may not have the capacity to give consent.

Controller must keep a record of the consent.

Question 8

When is consent not an acceptable basis for processing personal data?

Answer 8

1. When there is an power imbalance between controller and data subject - e.g. controller is a public authority
2. A service or performance of a contract should not be conditional upon consent.
3. Public authorities may not use “legitimate interests” as a grounds for processing personal data.

Question 9

GDPR Principles - what is lawfulness, fairness and transparency mean?

Answer 9

1. Lawfulness - the basis of personal data has to be lawful
2. Fair - Processing has to be fair and should not negatively impact the subject - e.g. travel website increase ticket prices for certain destinations preferred by the data subject
   3 Transparent - open and clear; no technical mumbo jumbo

Question 10

GDPR Principles - what is Purpose Limitation?

Answer 10

Data Controllers must only collect and process personal data to accomplish specified, explicit and legitimate purpose.

Any secondary purpose requiring further processing must be compatible with the original stated purpose. Or else, new consent/legal basis is required to do so.

Question 11

GDPR Principles - what is Data Minimization?

Answer 11

• Data controllers must only collect and process personal data that is relevant, necessary and adequate to accomplish the purposes for which it is processed.
• Involves the concept of necessity and proportionality.
• Necessity - is the data collected suitable and adequate?
• Proportionality - avoiding a “save everything” approach

Question 12

GDPR Principles - what is Data Accuracy?

Answer 12

Controllers must take reasonable measures to ensure the data is accurate and, where necessary, kept up to date.

Question 13

GDPR Principles - what is Storage Limitation?

Answer 13

Personal data must not be kept for longer than necessary for the purposes for which the personal data is processed.

Question 14

GDPR Principles - what is Integrity and Confidentiality?

Answer 14

Personal data must be ‘processed in a manner that ensures appropriate security of the personal data. Use of technical and organizational measures.
Requirement to implement a information security framework.