Data Protection Flashcards

1
Q

Sources of Data Protection Law: EU Law

A

EU Treaties - EU Charter of Fundamental Rights
EU Regulation & Directive - GDPR

2
Q

What is Personal Data?

A

Personal data is any information (accurate or inaccurate) relating to an identified or identifiable natural person, e.g. name, address, Eircode, phone number, email address, PPSN, photograph.

3
Q

What is an Identifiable Natural Person?

A

An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

4
Q

Personal Data: Special Categories

A
  1. Racial or ethnic origin
  2. Political opinions
  3. Religious or philosophical beliefs
  4. Trade Union Membership
  5. Physical or mental health or condition
  6. Sexual life or sexual orientation
  7. Genetic data
  8. Biometric data

5
Q

What is a Data Subject?

A

A data subject is a natural person whose personal data is processed by a data controller.

Does not apply to companies or to anonymised data.

6
Q

What is a Data Controller?

A

A data controller means the natural or legal person (can be a company), public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

7
Q

Responsibilities of the Controller

A

General:
Data controllers must implement appropriate technical and organisational measures to ensure their data processing complies with GDPR.

Review and update:
Measures must be reviewed and updated as necessary to remain effective.

Data Protection Policies:
Where proportionate to the processing activities, controllers should adopt data protection policies to ensure compliance.

8
Q

What is a Data Processor?

A

A data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (e.g. a third-party IT provider or a third-party payroll provider).

9
Q

What does a Data Processor do?

A

GDPR requires a processor to:
1. Act only on documented instruction and use the personal data for agreed purposes only.
2. Ensure that persons authorised to access the personal data are under an obligation of confidentiality.
3. Assist the controller with data subject rights and with data breaches.
4. Return or delete personal data when service ends.
5. Demonstrate compliance.
6. Processors cannot engage sub-processors without the controller’s written approval.

10
Q

What is Processing?

A

Processing is any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

11
Q

What is not Processing?

A
  1. Activities involving anonymous data.
  2. Purely personal or household activities, such as maintaining a personal contact list, are excluded from data protection laws.

12
Q

The Purpose Limitation Principle

A

Collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those stated purposes.

13
Q

The Data Minimisation Principle

A

Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

14
Q

The Accuracy Principle

A

Accurate and, where necessary, kept up to date; every reasonable effort must be taken to ensure that personal data that is inaccurate in regard to the purposes for which it is processed is erased or rectified without delay.

15
Q

The Storage Limitation Principle

A

Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.

16
Q

The Integrity and Confidentiality Principle

A

Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using technical or organisational measures.

17
Q

The Accountability Principle

A

The controller shall be responsible for, and be able to demonstrate compliance with, these principles.
Keep documentary evidence of consent, of the data processed and of the legal basis for processing.

Governance:
Practical application of the principles.

18
Q

Legal Basis for Processing

A
  1. Consent of the data subject.
  2. Necessary for the performance of a contract.
  3. Compliance with a legal obligation.
  4. Protect the vital interests of a data subject.
  5. Task carried out in the public interest or official authority vested in the data controller.
  6. Legitimate interests pursued by the controller or a third party, except if overridden by the interest or right of the data subject.
19
Q

Consent & Marketing: When it is Illegal

A
  1. No Consent: Tracking via cookies without obtaining your consent or sending unsolicited marketing emails violates GDPR.
  2. No Opt-Out: If you are not provided a simple and clear way to stop receiving emails.
  3. Uninformed Processing: Companies fail to inform you about the purpose and legal basis for tracking or emailing you in their privacy policy.
  4. Unrelated Processing: Your data is used for unrelated purposes without your explicit consent.
20
Q

Data Subject Rights: Right to be Informed

A

Ensure transparency by requiring data controllers to inform data subjects about the processing of their data.

21
Q

Data Subject Rights: Right of Access

A

To have the right to obtain from the controller confirmation as to whether or not personal data concerning him/her is being processed and, where that is the case, access to the personal data.

22
Q

Data Subject Rights: Right to Data Portability

A

To have the right to receive the personal data concerning him/her, which he/she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data has been provided.

23
Q

Data Subject Rights: Right to Rectification

A

To have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him/her.

24
Q

Data Subject Rights: Right to Erasure

A

To have the right to obtain from the controller the erasure of personal data concerning him/her without undue delay and the controller shall have the obligation to erase personal data without undue delay.

25
Q

Data Subject Rights: Rights relating to automated decision-making and profiling

A

To have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him/her or similarly significantly affects him/her.

26
Q

Data Subject Rights: Right to Restriction

A

To have the right to obtain from the controller restriction of processing.

27
Q

Data Subject Rights: Right to Object

A

To have the right to object, on grounds relating to his/her particular situation, at any time to processing of personal data concerning him/her. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

28
Q

Data Subject Rights: Right to Object to Direct Marketing

A

To have the right to object at any time to processing of personal data concerning him/her for direct marketing purposes.