Data Protection Flashcards

1
Q

What case decided the concept of establishment within the EU?

A

Weltimmo. The court suggested that this:

results in a flexible definition of the concept of ‘establishment’, which departs from a formalistic approach whereby undertakings are established solely in the place where they are registered. Accordingly, in order to establish whether a company, the data controller, has an establishment, both the degree of stability of the arrangements and the effective exercise of activities must be interpreted in the light of the specific nature of the economic activities and the provision of services concerned. This is particularly true for undertakings offering services exclusively over the Internet.

2
Q

What is the test to determine whether a business operating an online presence would be established in a state?

A

To determine whether or not a business operating an online presence would be established in a state, the court set out a three-stage test:

  1. Is there an exercise of real and effective activity—even a minimal one?
  2. Is the activity sufficient to constitute a stable arrangement?
  3. Is personal data processed in the context of the activity?
3
Q

What case discussed the right to be forgotten?

A

Google Spain

4
Q

Give a summary of the Google Spain case.

A

A similar expansive approach was taken in the Google Spain case. This case, which will be discussed in much greater detail at 23.2, dealt with an application by a Spanish citizen to have data about him removed from Google search returns (the so-called ‘right to be forgotten’). It was clear that Google’s Spanish subsidiary, Google Spain, was established in Spain and was subject to supervision by the Spanish data protection agency (Agencia Española de Protección de Datos). The issue was whether the authority of the agency could extend to Google Inc., which had no direct establishment in Spain, but which operated search facilities there.

5
Q

State verbatim the holding of Google Spain.

A

the processing of personal data for the purposes of the service of a search engine such as Google Search, which is operated by an undertaking that has its seat in a third State but has an establishment in a Member State, is carried out ‘in the context of the activities’ of that establishment if the latter is intended to promote and sell, in that Member State, advertising space offered by the search engine which serves to make the service offered by that engine profitable

6
Q

State verbatim the holding of Google Spain.

A

the processing of personal data for the purposes of the service of a search engine such as Google Search, which is operated by an undertaking that has its seat in a third State but has an establishment in a Member State, is carried out ‘in the context of the activities’ of that establishment if the latter is intended to promote and sell, in that Member State, advertising space offered by the search engine which serves to make the service offered by that engine profitable

7
Q

What is the object of the Data Protection Directive?

A

Applying the principle that ‘the objective of [the Data Protection] Directive of ensuring effective and complete protection of the fundamental rights and freedoms of natural persons, and in particular their right to privacy, with respect to the processing of personal data, those words cannot be interpreted restrictively’.

8
Q

Recite Article 3 of the GDPR.

A
  1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
  2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or the monitoring of their behaviour as far as their behaviour takes place within the Union.
  3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
9
Q

Who will the GDPR affect? What kinds of persons?

A

We are told by Art. 1(1) that it applies to ‘natural persons with regard to the processing of personal data and rules relating to the free movement of personal data’.

10
Q

When won’t the Regulation apply?

A

This Regulation does not apply to the processing of personal data:

(a) in the course of an activity which falls outside the scope of Union law;
(b) by the Member States when carrying out activities which fall within the scope of [the EU common foreign and security policy];
(c) by a natural person in the course of a purely personal or household activity;
(d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

11
Q

What was the decision in Durant v Financial Services?

A

Largely, it said that the information held by the bank was about his complaint, not him. This has been overturned. When asked whether files held by the FSA relating to Mr Durant’s complaint against Barclays Bank were personal data, Buxton LJ recorded that ‘on the ordinary meaning of the expression, relating to him, Mr Durant’s letters of complaint to the FSA, and the FSA’s investigation of that complaint, did not relate to Mr Durant, but to his complaint’. He explained that ‘the [Data Protection] Act would only be engaged if, in the course of investigating the complaint, the FSA expressed an opinion about Mr Durant personally, as opposed to an opinion about his complaint’. This decision was criticized at the time, and now is no longer considered good law.

12
Q

What does ‘related to’ mean?

A

When there’s a direct link to the person, or an indirect link where information can be tied to an individual; where the context relates to the individual; and where the purpose of the data is to evaluate, treat in a certain way or influence the status or behavior of an individual.

13
Q

Who are data subjects?

A

an identified or identifiable natural person

14
Q

Who is a data controller?

A

‘the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data’.

15
Q

What is the controller required to do?

A

The controller is required to ‘implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation’ and to ensure ‘those measures shall be reviewed and updated where necessary’.

16
Q

What case deals with the role of the data controller?

A

Facebook fan page case

17
Q

What was the Facebook fan page case about?

A

The case involved a private educational company who offered services by means of a fan page hosted on Facebook. Administrators of fan pages can obtain anonymous statistical information on visitors to the fan pages via a function called ‘Facebook Insights’ which Facebook makes available to them free of charge under non-negotiable conditions of use. The information is collected by means of cookies, each containing a unique user code, which are active for two years and are stored by Facebook on the hard disk of the computer or on other media of visitors to fan pages. The user code, which can be matched with the connection data of users registered on Facebook, is collected and processed when the fan pages are opened. The data protection supervisor for Schleswig-Holstein (a federal state in Germany) ordered the operator of the fan page to deactivate the page or face a fine, as neither it nor Facebook had the permission of the visitors to the page to have the tracking cookie installed on their machine and to process their data connected to it. The operator of the page challenged this finding, arguing that the processing of personal data by Facebook could not be attributed to it and that it had not commissioned Facebook to process data that it controlled or was able to influence. They argued that the data protection supervisor should have acted directly against Facebook instead of it.

18
Q

Who is a controller, and under what article?

A

‘aim [of] Article 2(d) of the directive defines the concept of “controller” broadly as the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data’

19
Q

What is processing as per the GDPR?

A

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Art. 4(2)).

20
Q

What is special data?

A

Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited. Article 9

21
Q

What case dealt with fairness and lawfulness?

A

Johnson v Medical Defence Union Ltd

22
Q

What was Johnson v Medical about?

A

They didn’t renew his membership. He submitted that it amounted to damage to reputation. There was no damage, and the group held the right not to renew membership.

23
Q

What is consent?

A

Recital 32 tells us ‘consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement’. This form of consent may be ‘ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data.’ As consent must be an affirmative act, ‘silence, pre-ticked boxes or inactivity should not constitute consent’. Article 7(2) makes it clear that where consent is sought in the framework of a wider set of declarations or documents (such as the terms and conditions of use of a web page or social media platform) ‘the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language’.

24
Q

What is ‘purposes’ under the 8 principles?

A

It must be legitimate. The legitimate interest test is three-fold. The data controller must: (1) identify a legitimate interest; (2) show that the processing is necessary to achieve it; and (3) balance it against the individual’s interests, rights, and freedoms. This is known as the purpose, necessity, and balancing test.

25
Q

Explain the case that overturned Durant.

A

As Moses LJ notes: ‘a name is personal data unless it is so common that without further information, such as its use in a work context, a person would remain unidentifiable despite its disclosure’. He took some time to examine what qualified as personal data, reviewing Durant and Edem as well as Dawson-Damer. He found that the definition of personal data was actually quite simple: ‘the definition of “personal data” consists of two limbs: (i) Whether the data in question “relate to” a living individual; and (ii) Whether the individual is identifiable from those data.’

26
Q

What are the three data subject rights?

A

Subject Access, Correcting and managing data and the right to be forgotten

27
Q

What article allows for the rectification of data?

A

Article 16 GDPR, as given domestic effect by s. 46 of the DPA 2018, gives the data subject the right to obtain from the controller without undue delay and at the latest within one month of receipt of the request, the rectification of inaccurate personal data concerning him or her. This includes the requirement that the data controller complete incomplete information, where this makes the information inaccurate, by way of adding information provided by the data subject.

28
Q

In what article is the right to be forgotten found?

A

If at any time the data subject wishes to have their data permanently deleted, they may make an application under Art. 17 GDPR/s. 47 DPA 2018. The right to data erasure as set out in full in Art. 17:

29
Q

Brief summary of the Google Spain case

A

In the late 1990s a Spanish citizen by the name of Mario Costeja González was the subject of a debt recovery action by the Spanish state. It appears that he owed the Ministry of Labour and Social Affairs debts by way of social security payments. At the time it is certain neither he nor the Spanish state could imagine the impact his debt and the recovery of it would have. As part of the process of recovering the debt the Ministry ordered a public auction of items of real estate and, to maximize the return at auction, they placed an announcement of the auction in the newspaper La Vanguardia. The auction proceeded and in the normal run of affairs that would have been the end of the matter.
Unfortunately, La Vanguardia later digitized that copy of the newspaper and now it can be accessed online. This of itself would not be a problem for Sr González except this data (like much internet data) was then indexed by Google, which meant that when you searched for his name the most prominent data returned was this information relating to a long-extinguished debt. Obviously, Sr González felt this affected his standing in business and generally reflected data which should be deleted under the principles of Art. 6(1)(c) of the 1995 Data Protection Directive, that data must be ‘adequate, relevant and not excessive’ and Art. 8 of the Charter of Fundamental Rights of the European Union that one has a right to data privacy. Therefore, in March 2010 Sr González lodged a complaint with the Agencia Española de Protección de Datos (AEPD), the Spanish data protection agency, claiming that La Vanguardia must delete or amend the irrelevant data in a way to prevent his identification and that Google must stop linking to it in search returns.

30
Q

Explain the point of Innovations Mail Order v. DPR DA/92 31/49/1

A

The Innovations case, where the Data Protection Tribunal found that the collection of data in the context of telephone sales, with the intention of being disclosed to third parties for direct marketing purposes, is not fair if the individuals were not so informed at the time of data collection. In this case, individuals were ‘mislead or deceived’ and there was no lawful ground for their data being traded in this way.
Innovations (Mail Order) Ltd v Data Protection Registrar (Case DA/92 31/49/I), Data Protection Tribunal Decision of 28 September 1993.

31
Q

What is data protection?

A

Data protection is the process of safeguarding important information from corruption, compromise or loss.

32
Q

What is data privacy?

A

Data privacy is when an organization or individual must determine what data in a computer system can be shared with third parties.

33
Q

What are the constitutional provisions for data protection in Data priv

A

The Barbadian Constitution, Section 11(B); the Jamaica Constitution, Section 13(3)J

34
Q

What are the eight data protection principles?

A

Fair and lawful processing, Purpose limitation, Data minimization, Data accuracy, Storage limitation, Compliance, Security, Equivalence

35
Q

What does the fair and lawful processing principle require?

A

Data must not be obtained by any deception or misleading information. Fairness focuses on the source of the information and notification of the data subjects. Lawful focuses on the acceptable bases for data processing, and consent of the data subject must be prioritized as it must be obtained before data processing unless there is a legal reason.

36
Q

What is the Innovations Mail Order case about?

A

Whether the customer data could be fairly obtained if a warning notice that their personal data may be traded would be provided at the time of advertisement or when goods are procured.

37
Q

What is the Purpose Limitation principle?

A

The data controller must refrain from using personal data in a manner incompatible with the purposes for which it was given. Data controllers must specify why the data is being obtained and cannot use the data for other reasons without informing and, where necessary, receiving the consent of the subject.

38
Q

What is the Data Minimization principle?

A

It reins in the excessive collection of data relative to the purpose for which it is collected. Data collected must be adequate, relevant and not excessive in relation to the purpose for which they are processed.

39
Q

What is the Data Accuracy principle?

A

Personal data must be accurate and kept up to date where necessary. If inaccurate information is provided by the data subject or a third party, the controller must take reasonable steps to verify the data.

40
Q

What is the Smeaton v Equifax case about?

A

Smeaton’s credit file said that he was subject to a bankruptcy order, but this was wrong. Equifax updated the records but refused compensation, so the court held that they were liable to pay compensation as they had a duty to ensure that the data retained and provided to lenders was accurate.

41
Q

What is the Storage Limitation principle?

A

Personal data must be deleted when it is no longer needed. The timeline for deletion is on a case by case basis.

42
Q

What is the Google Spain case about?

A

It concerns the right to be forgotten, where citizens have the right to request that commercial search firms remove links to private information when asked, provided that the information is no longer relevant, inadequate or excessive in light of the time that had elapsed.

43
Q

What is the Compliance principle?

A

The data must be processed in accordance with the data protection statutes and standards.

44
Q

What is the Security principle?

A

Personal data must be protected using appropriate technical and organizational measures to prevent unauthorized or unlawful processing of data as well as any accidental loss or destruction of, or damage to, the data.

45
Q

What is the Equivalence principle?

A

Personal data shall not be transferred to a state or territory outside of Jamaica unless that State or territory ensures an adequate level of protection for the rights and freedoms of the data subjects in relation to the processing of personal data.

46
Q

What are the factors to consider in determining an adequate level of protection under the Equivalence principle?

A

The nature of the data, the State or territory of the final destination, the laws of the State or territory, the international obligations of the State and security measures taken by the State.

47
Q

RIGHTS OF THE DATA SUBJECTS

A

1. Right of access to personal data
2. Right to prevent processing
3. Right to prevent processing for the purposes of direct marketing
4. Right to object to automated decision making
5. Right to reconciliation of inaccuracies.

48
Q

Accuracy case

A

Smeaton v Equifax Plc [2012] EWHC 232. CRAs (credit reference agencies) were under a duty to ensure that the data retained and provided to lenders was accurate. If the data was not accurate, they would be responsible for losses resulting from the wrong information.
Equifax had breached the Data Protection Act 1998, in particular the fourth data protection principle (accuracy of data), but also the first principle (fair processing) and fifth principle (retention of personal data), on the basis that Equifax had failed to take reasonable steps to ensure the accuracy of its data.

49
Q

Storage limitations case

A

Google Spain

50
Q

Purpose

A

Lindqvist