DATA CONTROLLERS AND PROCESSORS Flashcards
What is a data controller?
The organisation that collects and uses information about the data subjects. It decides how and why the data will be collected, either on its own or jointly with other organisations, and it carries the accountability obligations. In the words of the GDPR, the controller determines the purposes and means of the processing of personal data.
What is a data processor?
A service provider to a data controller. The processor has no decision-making authority over the data: it may only do what the controller instructs it to do (the instructions should be documented). Its own responsibilities are narrower than the controller's and centre on accountability for the processing it carries out. In short, it processes personal data on behalf of the controller.
What is a supervisory authority?
The independent public authority (the data protection authority, or DPA) that regulates what controllers and processors do with personal data and protects data subjects' rights. Data subjects can bring complaints to the DPA.
Who is a data subject?
The individual from whom the information is collected: the identified or identifiable natural person to whom the personal data relate.
What is data processing?
Any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means (for example collection, recording, storage, alteration, retrieval, disclosure or erasure).
What are the OECD data protection principles?
The OECD Privacy Guidelines set out eight principles: collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation and accountability. In short, personal data are to be obtained fairly and lawfully, processed transparently for specified legitimate purposes, be adequate, relevant and kept up to date, limited to what is needed, and retained for no longer than necessary.
What are the GDPR processing principles?
Article 5: 1) lawfulness, fairness and transparency of processing
2) purpose limitation (further processing must pass a compatibility test) 3) data minimisation (adequate, relevant and limited to what is necessary)
4) accuracy 5) storage limitation (kept in identifiable form for no longer than necessary) 6) integrity and confidentiality (appropriate security) 7) accountability (the controller must be able to demonstrate compliance)
What is the territorial scope of the GDPR?
Article 3: 1) processing in the context of the activities of a controller or processor established in the EU, regardless of whether the processing itself takes place in the EU; 2) processing by a controller or processor not established in the EU of the data of data subjects who are in the EU, where it relates to offering them goods or services (whether or not payment is required) or to monitoring their behaviour in the EU; 3) processing by a controller not established in the EU but in a place where Member State law applies by virtue of public international law. The three limbs are alternative, not cumulative: meeting any one of them brings the processing within scope.
What is the material scope of the GDPR?
Processing of personal data wholly or partly by automated means
Processing other than by automated means of personal data that form, or are intended to form, part of a filing system
Exclusions: activities outside the scope of EU law, processing by competent authorities for law enforcement and public security purposes (covered instead by the Law Enforcement Directive), and processing by a natural person in the course of a purely personal or household activity
What are the lawful grounds that controllers can rely on to process personal data?
Article 6
1. Consent
2. Contract (e.g. purchase of goods or service from organisation)
3. Legal obligation (by EU or MS law)
4. Vital interests (to protect the life of the data subject or another person; used only in emergency situations where no other basis is available)
5. Public interest or official authority (a task carried out in the public interest or in the exercise of official authority vested in the controller; EU or Member State law decides what falls into this category, e.g. administration of justice, tax collection, research or statistical purposes)
6. Legitimate interests of the controller or a third party, unless overridden by the interests or fundamental rights of the data subject (not available to public authorities acting in the performance of their tasks)
When can consent be used as a legal basis?
When it is a freely given, specific, informed and unambiguous indication of the data subject's wishes, given by a statement or a clear affirmative action. It must be as easy to withdraw as it was to give, and the controller must be able to demonstrate that it was obtained.
When can a child’s consent be used?
Article 8: for information society services offered directly to a child, the child's own consent is valid from the age of 16. Below that age, consent must be given or authorised by the holder of parental responsibility. Member State law can lower the threshold, but not below 13.
How can special categories of data be processed?
Article 9: processing of special categories of data is prohibited unless one of the exceptions in Article 9(2) applies. In addition, the controller must still have one of the Article 6 lawful grounds for the processing.
1. explicit consent
2. employment, social security and social protection law (where the processing is necessary for the controller to comply with obligations or exercise rights under that law, and is authorised by EU or Member State law or a collective agreement)
3. vital interests of the data subject or another person (where the data subject is physically or legally incapable of giving consent)
4. legitimate activities of a foundation, association or not-for-profit body with a political, philosophical, religious or trade union aim, relating to its members or regular contacts, without disclosure outside the body
5. personal data manifestly made public by the data subject
6. establishment, exercise or defence of legal claims, or courts acting in their judicial capacity
7. substantial public interest, on the basis of EU or Member State law
8. preventive or occupational medicine, medical diagnosis, provision of health or social care, and management of health or social care systems
9. public health (e.g. protection against serious cross-border threats to health)
10. archiving in the public interest, scientific or historical research, or statistical purposes