Datafication 2

Question 1

Art. 1 Subject Matter & Objective

Answer 1

Protecting np…
(1) …regarding processing of pd
(2) … fundamental rights
(3) Free movement of data in EU

Question 2

Art. 2 (1) Material Scope: When applies GDPR?

Answer 2

(1) processing of pd
- wholly or partly by automated means &
- forms part or intends filing system (= any structured set of pd accessible according to specific criteria)

Question 3

Art. 2 (2) Material Scope: When applies GDPR? – exceptions

Answer 3

• activity outside scope of Union law
• Member States carrying out common foreign & security policy (security law) activity
• natural person in purely personal / household activity (-> refers to activity of dc & processor, not ds)
• competent authorities: criminal offences / penalties

Question 4

Art. 3 Territorial scope: Where applies GDPR?

Answer 4

processing of personal data:
(1) activities of establishment of dc / processor in EU (processing doesn’t have to be in EU)

(2) ds in EU (controller not) if
- offering goods or services to ds in EU (e.g. US company sells something in EU) (independent of payment)
- monitoring of behavior that takes place in EU (e.g. facebook)

Question 5

Art. 4(1) Personal data

Answer 5

• any information
• relating to natural person
• who can be identified or identifiable

Question 6

Art. 4(1) Personal data - any information

Answer 6

any sort of statement about person in any format, e.g. photo, acoustic

Question 7

Art. 4(1) Personal data - any information - relating to natural person

Answer 7

• data subject <-> legal persons e.g. corporations,
• about person = refer to identity, characteristics or behavior of individual, or if such information us used to determine or influence how person is treated or evaluated <-> no necessary that data “focuses” on person to relate to person

Question 8

Art. 4(1) Personal data - any information relating to natural person - who is identified or identifiable

Answer 8

distinguished or possible to form other group members by identifier
- directly from data info (e.g. name) or
- indirectly from combination of info (5-6 points of data to identify a person, e.g. social security number)
- Means of identifying depend on context (e.g., name, location data, online identifier)

Question 9

Data Subject

Answer 9

an identified or identifiable natural person to whom the information relates (e.g. never company)

Question 10

Art 4(2) Processing

Answer 10

• Any operation performed on pd whether or not by automated means
• all processing steps: generation, use, transfer, transformation, storage (= copy of used data), archival (= not used), destruction

Question 11

Art. 4(5) Pseudonymization

Answer 11

• processing so that that pd not attributable to 1 specific ds without use of additional info (but with identifiable)
• under GDPR

Question 12

Anonymous data

Answer 12

• data where person not identifiable by data controller or any other person
• considering likely or reasonably means (e.g. time & costs)
• not under GDPR

Question 13

Art. 4(22) Supervisory Authority

Answer 13

independent public authority which is established by a Member State
- sufficient financial, human resources & infrastructure to cooperate & align with other SA
- main tasks: monitor, enforce & drive awareness on GDPR compliance

Question 14

Art. 4(7) Data Controller

Answer 14

natural or legal person that determines purpose & means of processing (exercises decision making power)

Question 15

Art. 4(7) Data Processor

Answer 15

natural or legal person which processes personal data on behalf of data controller

Question 16

Art. 4(7) Data Processor – details

Answer 16

• only decides on non-essential means (e.g. more practical aspects of implementation, such as choice of hard- or software type / detailed security measures)
• legal status dc or dp not decided by contract or by law
  -Not a processor when: Employees or other persons (e.g. temporarily employed) acting under direct authority of controller

Question 17

e.g. Google Spain case: Data controller of search results?

Answer 17

search engine operator determines purposes and means of data processed to display search results -> Google inc. established in US = data controller of pd processed in connection with its search results

Question 18

Art. 26 Joint Controller

Answer 18

= >=2 entities: common or converging decision on purpose & means or processing; (processing requires all parties, but not necessarily equal responsibility) -> joint responsibility

Question 19

Art. 26 Joint Controller - common vs converging

Answer 19

• Common: jointly decision about purpose & means
• Converging: each decision on different aspects of processing, but decisions complement each other & are necessary (e.g. various controllers successively process same personal data in chain of operations, each controller = independent purpose & means in their part)

Question 20

Art. 29 Subprocessor

Answer 20

processor engages another processor for carrying out specific processing activities on behalf of controller

Question 21

e.g .under GDPR? Jehovah’s Witness Community: pd collected in door-to-door preaching

Answer 21

= easy retrieved for subsequent use -> under scope (not necessary to include data sheets, specific lists, other search methods)

Question 22

e.g. under GDPR?
Processing for journalistic or academic purpose

Answer 22

Member States responsible for exemptions or derogations in national law

Question 23

journalistic purpose

Answer 23

• purpose is disclosure to public of information, opinions or ideas, medium irrelevant
• e.g. Youtube video of police officer: uploading of video is not in itself indicating that purpose

Question 24

e.g. is personal data? written answers of candidate at professional examination & comment by examiner

Answer 24

yes

Question 25

e.g. is personal data? e.g. traffic surveillance tools on internet

Answer 25

• yes
• easy to identify behavior of a machine and that of its users
• name not necessary to identify individual

Question 26

e.g. is personal data? deceased person

Answer 26

not natural person according to civil law (but data may receive protection in some case)

Question 27

e.g. is personal data? unborn children

Answer 27

depending on national law

Question 28

e.g. is personal data? legal person or company

Answer 28

• no
• yes: when content, purpose or result of info about legal person relates to natural person

Question 29

e.g. is personal data? personal data stored on backup tapes, cloud solution or separately

Answer 29

personal data if relates to np

Question 30

e.g. is personal data? IP addresses

Answer 30

• yes: if internet access providers (using reasonable means) can identify internet user
  especially if purpose = identifying user of PC; e.g. for copyright holders want to track & enforce violations

Question 31

e.g. GDPR apply? Website

Answer 31

• mere accessibility in EU = not in scope (territorial)

Question 32

Art. 3(2) Territorial scope - monitoring behavior when it takes place in EU

Answer 32

– checked whether np tracked on internet (incl. potential subsequent use of pd processing technique which consist of profiling np)

Question 33

Art. 3(2) Territorial scope - monitoring behavior when it takes place in EU

Answer 33

– checked whether np tracked on internet (incl. potential subsequent use of pd processing technique which consist of profiling np)