Data Processing Principles & Lawful Processing Criteria Flashcards
What are the data processing principles established under the GDPR?
- Accuracy
- Purpose Limitation
- Storage Limitation
- Integrity and Confidentiality
- Data minimisation
- Accountability
- Lawfulness, Fairness, Transparency
What is a Mnemonic device for remembering the data processing principles?
APSIDAL
What is “APSIDAL”?
Mnemonic device for remembering the key data processing principles.
What is the L in APSIDAL?
Lawfulness, fairness and transparency.
Key data processing principle.
What is the definition of the “lawful, fair and transparent” data processing principle?
Personal data should be processed in a lawful, fair and transparent manner.
What factors must be present for processing to be lawful?
ONE OF THESE MUST BE PRESENT:
(a) Consent
(b) Contract performance
(c) Legal Obligation
(d) Vital Interest of individual
(e) Public Interest
(f) Legitimate Interest
What is a pattern to remember the six types of lawful processing?
CC-VP-LL
What is CC-VP-LL?
Pattern to remember conditions for lawful processing:
Consent
Contract Performance
Vital interest of individual
Public Interest
What is the definition of consent in terms of lawful processing?
Consent is when data subject has given consent to processing of personal data for one or more SPECIFIC PURPOSES.
What is the definition of contract performance in terms of lawful processing?
Processing is lawful when the processing is necessary for the performance of a contract to which the data subject is a party.
What is the definition of “legal obligation” in terms of lawful processing?
Processing is lawful when necessary for compliance with a legal obligation to which the controller is subject.
What are the six methods for lawful processing recognized by the GDPR?
CC-VP-LL
- Consent
- Contract Performance
- Vital Interest of Individual
- Public Interest
- Legitimate Interest
- Legal Obligation
What is the definition of vital interest in terms of lawful processing?
Processing is necessary to protect a vital interest of the data subject.
What is the exception to lawful processing for a legitimate interest?
Processing is necessary for the purposes of legitimate interests pursued by the data controller EXCEPT where such interests are OVERRIDDEN BY FUNDAMENTAL RIGHTS OF THE DATA SUBJECT.
Define “fairness” in terms of data processing principles.
For processing to be fair, data subjects must be aware of the fact data will be processed, how its collected/used and allow them to make an informed decision.
True or False: For data processing to be fair, the data subject must be able to make an informed decision.
True
Name this concept: A data controller must be open and clear toward data subjects when processing their data.
Transparency
True or False: The Controller’s obligation to be transparent has no exceptions.
False.
Exceptions:
- Data was obtained directly from the data subject
- Process exceptions including:
(a) Providing information would have DISPROPORTIONATE EFFECT, or is impossible, and
(b) Disclosure is govern by applicable law
True or False: Data controller must notify the data subject with how their data is processed, with no time requirement.
False - Trick question:
Yes, Data controller must provide notice, but: (a) it must be in a TIMELY MANNER, and (b) clear, concise and easy to read.
What is the data principle of purpose limitation?
Data controllers must only collect and process personal data to accomplish SPECIFIC, EXPLICIT and LEGITIMATE purposes and not process data beyond such purpose.
What is the data processing principle of data minimisation?
Data controller must only collect and process personal data that is RELEVANT, NECESSARY and Adequate to accomplish the purposes.
What are the two key principles required for data minimisation?
(1) necessity, and (2) Proportionality
What is the definition of accuracy?
Data controller must take reasonable measures to ensure the data is accurate and kept up to date.
True or False: If a data controller has implemented processes to prevent inaccuracies, then they have met the processing principle of accuracy?
True - likely :)
True or False: Data controllers may kept personal data for unlimited amount of time?
False - this violates the data processing principle of storage limitation.
What is the principle of storage limitation?
Personal data must be kept for no longer than necessary for the purposes for which the personal data is processed.
What is the definition of the data processing principle of “integrity and confidentiality”?
The personal data must be processed in a manner that ensures APPROPRIATE SECURITY OF PERSONAL DATA, including:
(i) protection against unauthorized processing
(ii) using technical or organisational measures.
Name this concept: Data is processed in a manner that ensures appropriate security of personal data, including protection against authorized or unlawful processing
Integrity and Confidentiality
Name this concept: personal data must not be kept for longer than is necessary
Storage limitation
Name this concept: Data controller must take reasonable measures to ensure data is kept up to date
Accuracy
Name this concept: data controller only collects/processes personal data that is relevent, necessary and adequate
Data minimisation
Name this concept: Data controller only collects and processes personal data to accomplish specific, explicit and legitimate purposes.
Purpose limitation
Name this concept: Controller must be open and clear
Transparency
Name this concept: Data subject must be aware of the fact personal data will be processed
Fairness
Name this concept: data subject has given consent to processing of personal data for specific purpose
Lawful processing by consent
Name this concept: processing is necessary for the performance of a contract (DS is a party)
Lawful processing by contract performance
Name this concept: processing is necessary for compliance with legal obligation to which controller is subject
Lawful processing by legal obligation
Name this concept: processing is necessary for legitimate interests pursued by controller, except where such interests are overridden by fundamental rights of data subejct
lawful processing by legitimate interest
Which Article of the GDPR establishes lawful processing criteria generally?
Article 6
What is defined in Article 6 of the GDPR?
Lawful basis for processing personal data.
Consent is a lawful basis for processing personal data - what is the definition of consent?
Consent must include the following to be valid:
- Freely given
- Specific
- Informed
- Unambiguous
For lawful processing on the basis of consent, such consent must be freely given, what are some factors to confirm consent was freely given?
(a) Data subject must have a genuine choice.
(b) There is balance between data controller and data subject (no employee/employer relationship).
(c) data subject has the freedom to revoke
The data subject gave consent with (i) genuine choice, (ii) balance in relationship to data controller and (iii) power to revoke – what does this mean?
Consent was freely given.
One of four factors of consent: freely given, specific, informed and unambiguous.
What does it mean when consent to processing what specific?
Data subject gave consent for a specific purpose of processing.
*Watch for consent creep.
What does it mean when data subject’s consent was informed?
Data subject gave consent after receiving ALL necessary details of the processing activity, in a language they can understand and form they can understand.
What does it mean when a data subject has given consent to processing AFTER receiving all necessary details of processing, in a language and form they can understand.
It means the data subjects consent was INFORMED.
Name at least 3 requirements for a data controller’s notice so that data subjects consent can be INFORMED.
- Identity of controller
- Purpose of processing
- Type of data collected
- Possible risk of transfer to third country without adequacy decision or appropriate safeguards
Who has the burden of proof regarding whether consent was given with sufficient information (ie. informed consent)?
Data Controller
True or False: For consent to be informed, the data subject must at least be aware of the data controller and the purpose of the data processing?
True.
What does it mean that the data subjects consent to processing must be unambiguous?
Data subject must consent with a statement or clear affirmative act with no doubt to their intention.
What does it mean that the data subjects consent to processing must be unambiguous?
Data subject must consent with a statement or clear affirmative act with no doubt to their intention.
True or False: Data subjects selection of tick box for terms qualifies as unambiguous consent.
True. Tick box ok, pre-checked NOT OK.
True or False: Data subjects consent is based on pre-ticked box of terms and qualifies as unambiguous consent.
False. This consent is ambiguous.
True of False. Opt out feature qualifies as unambiguous consent.
False. Opt out feature fails and is ambiguous consent.
True of False. Opt out feature qualifies as unambiguous consent.
False. Opt out feature fails and is ambiguous consent.
True or False: Consent obtained from a 12 year old for processing geared toward children is valid.
False. Age of consent under GDPR is 13.
What is the age minimum of consent under the GDPR?
Age 13
What is the minimum age of consent for child services?
Age 16
When do the minimum age rules for consent apply?
Only in context of: (1) information services offered directly to children, and (2) where controller relies solely on consent for lawful processing.
True or False: a data subjects consent is perpetual as long as the processing does not change.
Likely false. Consent is not perpetual. It’s recommended that consent get updated regularly. But as soon as processing changes, new consent is required.
What does it mean when the lawful processing is based on necessity?
Processing was necessary for certain reason.
TEST –> close substantial connection between the processing and the purposes.
True or False: Processing that is unavoidable to complete a contract the data subject is a party to is lawful processing?
True. Necessary for the performance of a contract.
True or False: Processing that is required to protect the vital interests of the data subject is lawful processing?
True - vital interests = life or death.
True or False: Processing for public interests only is not a lawful means or processing.
False - processing necessary for the performance of a task carried out in public interest IS LAWFUL PROCESSING.
True or False: A data subject may object to the use of their personal data when processing is based on public interest.
True.
What is the most common basis for lawful processing?
Legitimate interests
Define the concept of legitimate interests.
Legitimate interests is a basis for lawful processing of personal data under the GDPR.
Data controller must prove they have legitimate interest for processing personal data (Except where fundamental rights of data subject OVERRIDE such legitimate interest).
What is the except to lawful processing for legitimate interests?
Where the legitimate interest is overridden because it violates the data subjects fundamental rights.
What are the interests that must be balanced with the processing is based on legitimate interest of the data controller?
(1) Necessary for purpose.
(2) Purpose = legitimate interest
(3) Legit interest is not overridden by fundamental rights.
What is the test to determine whether a legitimate interest is overridden by a fundamental interest?
Reasonable expectations of data subjects.
If a data subject would reasonably expect that the right would be protected, then the legitimate interest basis fails.
True or False: Lawful processing based on (i) legal obligations or (ii) public interests can apply to law of any recognized nation.
False - applies to EU and member state law ONLY.
What does Article 9 of the GDPR govern?
Processing of sensitive data.
What are the categories of sensitive data?
- Race or ethnic origin
- Political opinion
- Religious or philosophical beliefs
- Trade Union Membership
- Genetic or Biometric data for the purpose of identifying a specific natural person
What is different about the consent requirements for sensitive personal data?
Consent must be explicit in addition to:
- Freely given
- Specific
- Informed, and
- Unambiguous
What is an example of valid consent for processing sensitive personal data?
Handwritten consent with signature (vs. just a tick of box.)
What are some examples of the exceptions to Article 9 default rule?
Default rule - processing of sensitive data is prohibited.
Exceptions:
- Necessary processing for employment or social security obligations
- Necessary processing for vital interests
- Processing by religious, philosophical or trade union nonprofit
- Processing for medical care
- Processing for public health
- Processing for scientific research or historical research.
What are the categories of sensitive data?
- Race or ethnic origin
- Political opinion
- Religious or philosophical beliefs
- Trade Union Membership
- Genetic or Biometric data for the purpose of identifying a specific natural person