Datafication 3 Flashcards
principles of processing personal data
Art. 5(1), 6 principles:
1. Lawful, Fair & Transparent in relation to data subject
2. Purpose Limitation
3. Data minimization
4. Accuracy
5. Storage limitation
6. Integrity and Confidentiality
Art. 5(2): Accountability
Requirements for processing lawfully
- 6 Principles Art. 5 and
- 1 Legal Basis Art. 6 & 9
Lawfulness of Processing - Art. 5(1)(a)
- Processing in compliance with data protection legislation (not: e.g. processing data when collected under threat)
- establish a legitimate basis – GDPR art. 6 & 9
Fairness of Processing - Art. 5(1)(a)
- Reasonable from data subject's point of view (only relevant information)
- Need to be seen in context (of lawfulness)
Transparency of Processing - Art. 5(1)(a)
- Applies to 3 areas:
1. provision of info to ds related to fair processing
2. way dc communicates rights to ds
3. way dc facilitates exercise of rights by ds
- Duty to inform ds
1. about a) risks, rules, safeguards & rights of processing & b) how to exercise rights
2. in clear (= easy to understand) & accessible way
Purpose limitation - Art. 5(1)(b)
- pd must be collected for purpose that is:
1. Specified
2. Explicit
3. Legitimate
- no further processing incompatible with purpose for which pd was collected
- Purpose must be clear at time of collection
- Processing must be within scope of dc activities (e.g. employment/HR)
Purpose limitation - Art. 5(1)(b) - Purpose must be specific
sufficiently defined to
a) implement necessary data protection safeguards &
b) limit scope of processing
Purpose limitation - Art. 5(1)(b) - Purpose must be explicit
- sufficiently unambiguously & clearly revealed
- in intelligible form
- no vagueness or ambiguity of meaning or intent, considering relevant cultural & linguistic backgrounds
Purpose limitation - Art. 5(1)(b) - Purpose must be legitimate
- Compatible with broader legal principles of applicable law (e.g. employment law, consumer protection law, fundamental rights)
- Processing requires a legal basis
e.g. purposes such as “improving user experience”, “marketing purposes”, “IT-security purposes” or “further research”:
vague or general -> usually not sufficiently specific (depends on particular context)
Data minimization - Art. 5(1)(c)
- Pd must be
1) adequate, 2) relevant & 3) limited
to what is necessary in relation to purpose for which it is processed
- Dc aim: process as few pd as possible (“must have to fulfill job” vs “nice to have”)
- pd storage time limited to strict minimum -> time limits should be established by controller for erasure & periodic review
Accuracy - Art. 5(1)(d)
Pd must be kept up to date & incorrect pd must be deleted or rectified (on dc's own initiative <-> ds rights, such as the right to rectification, must be initiated by ds)
Storage limitation - Art. 5(1)(e)
- Limit: no longer than necessary for purpose (never unlimited), e.g. selling bed with 10-year guarantee -> storage limit 10 years because it's needed for the guarantee
Integrity & Confidentiality - Art. 5(1)(f)
- Processed in manner ensuring appropriate security
- protection against unauthorized or unlawful processing & access, & against accidental loss, destruction or damage
- Obligation: implement technical & organizational security measures appropriate to risk (article 32 = security of processing)
Accountability - Art. 5(2)
For the principles of Art. 5(1):
- dc responsible (= actively & continuously implement measures to promote & safeguard principles) &
- must be able to demonstrate compliance (= to ds & supervisory authorities)