Data Privacy Concepts Flashcards

1
Q

Within Opinion 4/2007, the WP29 set out four building blocks that comprise the meaning of personal data:

A

Any information
Relating to
An identified or identifiable
Person

2
Q

Are subjective statements included in the definition of personal data?

A

Yes, both objective and subjective statements may be considered personal data.

3
Q

Does information need to be true to be considered personal data?

A

No

4
Q

In Opinion 4/2007, the WP29 considered that for personal data to relate to an individual, one of the following three elements must apply:

A

Content, purpose, or result

The content element is present when the information is about an individual.

The existence of the purpose element depends on whether the information is processed to evaluate, consider or analyse the individual in a certain way.

The result element exists when the processing of certain information has an impact on the individual's rights and interests.

5
Q

What is the threshold for the possibility of identification?

A

Recital 26: To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.

6
Q

Why is CCTV data treated as personal data?

A

CCTV information must be treated as personal data since the fundamental purpose of the processing is to single out and identify individuals when required.

7
Q

Does the GDPR apply to anonymized data?

A

No, not where the information has been rendered anonymous in such a manner that the data subject is not or no longer identifiable.

8
Q

Is pseudonymised data still personal data?

A

Yes, and it is still subject to the GDPR.

9
Q

Does the GDPR apply to the personal data of deceased persons or organisational data?

A

No. The data of deceased persons or organisational data may be protected through standard contractual confidentiality clauses, although member states may provide for rules in this area.

10
Q

What does health data include?

A

(A) Information about the natural person collected in the course of the registration for, or the provision of, healthcare services

(B) A number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes

(C) Information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples

(D) Any information on, for example, a disease, disability, disease risk, medical history, clinical treatment, or the physiological or biomedical state of the data subject, independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test.

11
Q

When is processing of photographs considered processing of special categories of personal data?

A

Covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person.

However, they do not address the point that photographs may also reveal a person’s racial origin, religious beliefs or certain physical disabilities which may be regarded as information about the individual’s health status.

12
Q

What is a data controller?

A

A data controller is the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.

13
Q

What is the key aspect of a controller?

A

Ability to determine the purposes for which personal data is being collected, stored, used, altered and disclosed.

14
Q

When does a parent company become a joint controller with its subsidiaries?

A

If the parent company conducts its own independent operations on the data, for example, to compare the rates of employee turnover across the group, it may become a joint controller with its subsidiaries.

15
Q

What is the opinion that sets out a number of circumstances where a controller can be identified by the source of control?

A

Opinion 1/2010

Control stemming from explicit legal competence – explicit appointment of a controller under national or Community law. More typically, the law establishes a task or imposes a duty on someone to collect data.

Control stemming from implicit competence – control stems from common legal provisions of established legal practice (e.g., an employer with employee data). The capacity to determine processing activities can be considered to be attached to the functional role of an organisation.

Control stemming from factual influence – responsibility as controller is attributed on the basis of an assessment of the factual circumstances. Where the matter is not clear, an assessment should consider the degree of actual control exercised by a party, the impression given to individuals and the reasonable expectations of individuals on the basis of this visibility.

16
Q

How do you determine whether the “purposes and means” of processing meets the threshold for that person to be considered a controller?

A
  1. Why is the processing happening?
  2. What is the role of the parties involved in the processing?

Opinion 1/2010 allows the processor to have some discretion as to how it carries out the processing on behalf of the controller without itself becoming a controller. But this outcome is possible only if the processor can point to another party who is responsible for the overall processing.

17
Q

In the processor context, what are the key aspects that demonstrate that a processor is acting as a controller?

A

A person who decides how long data should be stored or which other parties have access to the data is acting as a controller.

18
Q

What are the requirements in multi-layered subcontracting?

A

A. Prior authorisation, which may be general or specific. If general, the processor is required to give the controller an opportunity to object to the addition or replacement of other processors;

B. The contract with the sub-processor must include the mandatory provisions;

C. The initial processor remains fully liable to the controller for the performance of its sub-processors.

19
Q

What are the criteria to determine the roles of the parties to distinguish between the role of data controller and data processor?

A

Opinion 1/2010 sets out the following criteria:

  • Level of prior instruction given by the controller, which determines the degree of independent judgment the processor can exercise;
  • Monitoring by the controller of the execution of the service;
  • Visibility / image portrayed by the controller to the individual and expectations of the individual on the basis of this visibility;
  • Expertise of the service provider.

20
Q

The technology-neutral Directive 95/46/EC lacked certain things the GDPR has. Name a couple.

A
  • Stronger rights for individuals in an online environment
  • Data protection by design and default
  • Accountability
  • Increased powers for supervisory authorities
  • Broader applicability to anyone targeting EU customers