Datafication 2 Flashcards
Art. 1 Subject Matter & Objective
Protecting np…
(1) …regarding processing of pd
(2) … fundamental rights
(3) Free movement of data in EU
Art. 2 (1) Material Scope: When does GDPR apply?
(1) processing of pd
- wholly or partly by automated means &
- forms part of or is intended to form part of a filing system (= any structured set of pd accessible according to specific criteria)
Art. 2 (2) Material Scope: When does GDPR apply? – exceptions
- activity outside scope of Union law
- Member States carrying out common foreign & security policy (security law) activity
- natural person in purely personal / household activity (-> refers to activity of dc & processor, not ds)
- competent authorities: criminal offences / penalties
Art. 3 Territorial scope: Where does GDPR apply?
processing of personal data:
(1) activities of establishment of dc / processor in EU (processing doesn’t have to be in EU)
(2) ds in EU (controller not) if
- offering goods or services to ds in EU (e.g. US company sells something in EU) (independent of payment)
- monitoring of behavior that takes place in EU (e.g. Facebook)
Art. 4(1) Personal data
- any information
- relating to natural person
- who can be identified or identifiable
Art. 4(1) Personal data - any information
any sort of statement about person in any format, e.g. photo, acoustic
Art. 4(1) Personal data - any information - relating to natural person
- data subject <-> legal persons e.g. corporations
- about person = refer to identity, characteristics or behavior of individual, or if such information is used to determine or influence how person is treated or evaluated <-> not necessary that data “focuses” on person to relate to person
Art. 4(1) Personal data - any information relating to natural person - who is identified or identifiable
distinguished, or possible to distinguish, from other group members by identifier
- directly from data info (e.g. name) or
- indirectly from combination of info (5-6 points of data to identify a person, e.g. social security number)
- Means of identifying depend on context (e.g., name, location data, online identifier)
Data Subject
an identified or identifiable natural person to whom the information relates (e.g. never company)
Art. 4(2) Processing
- Any operation performed on pd whether or not by automated means
- all processing steps: generation, use, transfer, transformation, storage (= copy of used data), archival (= not used), destruction
Art. 4(5) Pseudonymization
- processing so that pd not attributable to 1 specific ds without use of additional info (but identifiable with it)
- under GDPR
Anonymous data
- data where person not identifiable by data controller or any other person
- considering likely or reasonable means (e.g. time & costs)
- not under GDPR
Art. 4(22) Supervisory Authority
independent public authority which is established by a Member State
- sufficient financial, human resources & infrastructure to cooperate & align with other SA
- main tasks: monitor, enforce & drive awareness on GDPR compliance
Art. 4(7) Data Controller
natural or legal person that determines purpose & means of processing (exercises decision making power)
Art. 4(7) Data Processor
natural or legal person which processes personal data on behalf of data controller
Art. 4(7) Data Processor – details
- only decides on non-essential means (e.g. more practical aspects of implementation, such as choice of hard- or software type / detailed security measures)
- legal status dc or dp not decided by contract or by law
- Not a processor when: Employees or other persons (e.g. temporarily employed) acting under direct authority of controller
e.g. Google Spain case: Data controller of search results?
search engine operator determines purposes and means of data processed to display search results -> Google Inc. established in US = data controller of pd processed in connection with its search results
Art. 26 Joint Controller
= >=2 entities: common or converging decision on purpose & means of processing; (processing requires all parties, but not necessarily equal responsibility) -> joint responsibility
Art. 26 Joint Controller - common vs converging
- Common: joint decision about purpose & means
- Converging: each decision on different aspects of processing, but decisions complement each other & are necessary (e.g. various controllers successively process same personal data in chain of operations, each controller = independent purpose & means in their part)
Art. 29 Subprocessor
processor engages another processor for carrying out specific processing activities on behalf of controller
e.g. under GDPR? Jehovah’s Witness Community: pd collected in door-to-door preaching
= easily retrieved for subsequent use -> under scope (not necessary to include data sheets, specific lists, other search methods)
e.g. under GDPR?
Processing for journalistic or academic purpose
Member States responsible for exemptions or derogations in national law
journalistic purpose
- purpose is disclosure to public of information, opinions or ideas, medium irrelevant
- e.g. YouTube video of police officer: uploading of video is not in itself indicating that purpose
e.g. is personal data? written answers of candidate at professional examination & comment by examiner
yes
e.g. is personal data? e.g. traffic surveillance tools on internet
- yes
- easy to identify behavior of a machine and that of its users
- name not necessary to identify individual
e.g. is personal data? deceased person
not natural person according to civil law (but data may receive protection in some cases)
e.g. is personal data? unborn children
depending on national law
e.g. is personal data? legal person or company
- no
- yes: when content, purpose or result of info about legal person relates to natural person
e.g. is personal data? personal data stored on backup tapes, cloud solution or separately
personal data if relates to np
e.g. is personal data? IP addresses
- yes: if internet access providers (using reasonable means) can identify internet user
especially if purpose = identifying user of PC; e.g. copyright holders who want to track & enforce violations
e.g. GDPR apply? Website
- mere accessibility in EU = not in scope (territorial)
Art. 3(2) Territorial scope - monitoring behavior when it takes place in EU
– checked whether np tracked on internet (incl. potential subsequent use of pd processing techniques which consist of profiling np)