Data Processing Principles Flashcards

1
Q

The processing of personal data will be considered lawful only to the extent that which legal grounds are met?

A

Consent, contract performance, legal obligation, vital interest of individuals, public interest, legitimate interests.

CCLVPL

Cats Courting Lovely Venetian Penguins, Love!

2
Q

When is legitimate interest permitted as a lawful ground for the processing of personal data?

A

Where processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, particularly where the data subject is a child.

3
Q

The GDPR expressly grants to member states the right to determine more specific legal requirements to ensure lawful and fair processing of personal data in specific processing situations. What are these situations?

A

Employer – employee relationships; allowing member states to define the age of minors; to protect genetic or biometric data; or for statistical, historical or scientific purposes.

4
Q

Do data controllers have a duty to inform for processing where the data subject is already aware and data was obtained directly from the data subject?

A

No

5
Q

Do data controllers have the obligation to provide information when personal data is collected from other sou

A

No, where:
- providing the information would involve a disproportionate effort or can be considered impossible;
- to protect the data subject’s legitimate interest, in which case the disclosure is expressly governed by the applicable law; and
- to preserve the confidentiality of the information, also regulated by the laws to which the data controller is subject.

6
Q

What does the data minimisation principle require in terms of concepts?

A

Necessity and proportionality.

7
Q

When collecting data for statistical or historical purposes, what level of accuracy must controllers maintain?

A

The controller only needs to maintain the personal data as originally collected.

8
Q

What conditions must a data subject’s consent meet?

A

Free seals in Uruguay

  • Freely given
  • Specific
  • Informed
  • Unambiguous indication of wishes
9
Q

What is the minimum age under article 8 GDPR, where a controller relies on consent as the legitimate processing criterion for information society services to be offered directly to a child?

A
16 years, but in some member states it varies (e.g. in the UK it is 13).
10
Q

Does a legal obligation imposed on the controller by a third party country meet the requirements of processing for compliance with a legal obligation?

A

Recital 45 of the GDPR makes it clear that obligations imposed on controllers by third countries do not fall within this criterion. In all cases, this criterion is interpreted narrowly.

11
Q

Can a controller rely on the fact that processing is necessary where official authority is vested in a third party to whom the data is disclosed?

A

No. Removed in the GDPR. Only where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

12
Q

Can public authorities rely on the legitimate interests ground to justify processing?

A

No. Recital 47 explains that it is for the legislator to provide by law for the legal basis for public authorities to process personal data.

13
Q

For non-public authorities what are the examples where legitimate interests will be established?

A
  • Recital 47: to prevent fraud
  • Recital 48: the sharing of personal data within a group of undertakings or institutions affiliated to a central body for internal administrative purposes, such as processing client or employee personal data
  • Direct marketing
  • Recital 49: to ensure network and information security
14
Q

In the UK, what two tests should a controller follow for the legitimate interests criterion?

A
  1. Establishing the legitimacy of the interest pursued
  2. Ensuring that the processing is not unwarranted in any particular case through prejudice to the individual concerned

15
Q

What is the shift in the treatment of legitimate processing criteria under the GDPR?

A

Under the Directive, the controller does not have to document which legitimate criterion it is relying on when processing personal data, nor is it required to communicate the criterion to the data subject.

Under the GDPR, a controller is required to specify in the privacy notice the legal basis for the processing and, when relying on the legitimate interests ground, must describe the legitimate interests pursued.

16
Q

Are photographs considered to be sensitive data?

A

Photographs should not systematically be considered to be sensitive data, since they are covered by the definition of biometric data only when processed through a specific technical means that allows the unique identification or authentication of an individual.

17
Q

Which are the categories of sensitive data?

A
  1. Racial or ethnic origin
  2. Political opinions
  3. Religious or philosophical beliefs
  4. Trade union membership
  5. Genetic and biometric data (added by GDPR)
  6. Health
  7. Sex life or sexual orientation

RPRTGHS

Real Philippines rabbits took Grace’s heavy spade

18
Q

Foundations, associations and any other not-for-profit bodies must still process sensitive data in compliance with the requirements of the GDPR even if they make use of the criterion. What are these requirements?

A

The bodies must process sensitive data
1) in the course of their legitimate activities,
2) with appropriate safeguards, and
3) in connection with their specific purposes.
In addition, they may only disclose sensitive data outside the organisation with the explicit consent of the relevant data subject.

19
Q

Previously, under the Directive, member states had a greater degree of freedom to establish exemptions for the processing of sensitive data in the substantial public interest, requiring only that these further exemptions be subject to suitable safeguards. The GDPR adds additional requirements to such laws. What are they?

A
  1. Proportionate to the aim pursued
  2. Respect the essence of the right to data protection

20
Q

In the UK, a statutory instrument has set out the criteria for processing sensitive personal data in the substantial public interest. What are these criteria?

A

Processing is permitted when it is necessary for the purposes of preventing or detecting any unlawful act or to discharge any function designed to protect the public against dishonesty, seriously improper conduct or mismanagement in the administration of any organisation or association.

21
Q

What is the difference between the GDPR from the directive with regard to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes?

A

The Directive dispenses with the obligation to provide notice to data subjects where personal data was not collected directly from them, and provides an exemption from the data subject’s right of access.

Article 9 of the GDPR now provides a specific criterion for controllers involved in archiving, historical or scientific research, or processing for statistical purposes.

In order to rely on this criterion, it is necessary that the processing must have appropriate safeguards in accordance with article 89(1) and must be necessary for one of those purposes based on EU member state law which must be proportionate, respect the essence of the right to data protection and provide for suitable safeguards.

22
Q

How is data on criminal convictions and offences or related security measures treated under the GDPR?

A

Article 10 of the GDPR requires that such data be processed only ‘under the control of an official authority or when the processing is authorised by Union or member state law providing for appropriate safeguards for the rights and freedoms of data subjects’.

23
Q

What are binding safe processor rules?

A

Self-regulatory principles, similar to binding corporate rules, for processors that are applicable to customer personal data. Once a supplier’s BSPR are approved, the supplier gains “safe processor” status and its customers would be able to meet the EU Data Protection Directive’s requirements for international transfers in a similar manner to that allowed for BCR. BSPR are currently being considered as a concept by the Article 29 Working Party and national authorities.

24
Q

What is the position for research under the GDPR?

A

Organisations that process personal data for research purposes may avoid restrictions on secondary processing and on processing sensitive categories of data (article 6(4); recital 50).

As long as they implement appropriate safeguards, these organisations may also override a data subject’s right to object to processing and to seek the erasure of personal data (article 89).

Additionally, the GDPR may permit organisations to process personal data for research purposes without the data subject’s consent. In isolated cases, these organisations may be able to transfer personal data to third countries for research purposes without any other transfer mechanism in place.

25
Q

How can research be a basis for processing?

A

Where a controller collects personal data under lawful basis, such as consent, article 6 (4) allows it to process the data for a secondary research purpose.

Research, however, is not explicitly designated as a lawful basis for processing, but in some cases it may qualify under article 6(1)(f) as a legitimate interest of the controller.

Thus, while the GDPR explicitly permits repurposing collected data for research, it seems also to permit the controller to collect personal data initially for research purposes without requiring the data subject’s consent.

26
Q

How can researchers make third party transfers on the basis of the legitimate interest ground?

A

The transfer may be based on this ground only if it is not repetitive, it concerns a limited number of data subjects, and ‘the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards’.

Moreover, the controller must inform the data subject as well as the data protection authority of the relevant member states of the international transfer.

27
Q

Can further processing of research be done if it impacts individuals?

A

Under the Directive, further processing for research was permissible only if member states furnished suitable safeguards that in particular rule out the use of the data in support of measures or decisions regarding any particular individual.

The GDPR eliminates this restriction, thereby allowing processing for research that impacts individuals. However, the GDPR also creates additional safeguards to protect individuals from this type of processing.

Article 35(2)(a) requires a DPIA where there is profiling.

28
Q

Under what condition is processing sensitive employee data acceptable?

A

The processing is necessary for the data controller to carry out their obligation in the field of employment law.

GDPR 9(2)(b) provides that processing of sensitive employee data is acceptable when the condition of processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller.

The GDPR allows the processing of sensitive employee data if the controller has explicit consent from the data subject and the business obligations of the controller are justifiable reasons to process this sensitive information.

It is also acceptable if the data subject has given explicit consent to the processing of those personal data for one or more specified purposes.

29
Q

Which is not a compatible purpose for processing data beyond the purpose originally specified at the time of collection?

A

Performance of a contract