Datafication 4 Flashcards

1
Q

Steps of finding a legal basis

A
  1. Determine what kind of personal data the specific processing concerns (ordinary, sensitive, national ID, criminal data)
  2. Find at least one legal basis that covers every processing operation required to fulfil the purpose(s)
2
Q

Kind of personal data

A
  • Ordinary personal data: Art. 6
  • Sensitive (special-category) data: Art. 9
  • National identification numbers: Art. 87 = Member States may lay down specific conditions
  • Criminal convictions & offences: Art. 10 = only under the control of official authority or where authorised by Union/Member State law
3
Q

Sensitive Information Art. 9

A

exhaustive list in Art. 9(1), but each item is interpreted widely (protection of fundamental rights):
- racial or ethnic origin,
- political opinions,
- religious or philosophical beliefs,
- genetic data, biometric data (processed to uniquely identify a person),
- trade union membership,
- health (physical & mental),
- sex life & sexual orientation

  • not: salary
4
Q

Legal Basis Art. 6: Ordinary Information

A
  1. Consent (Art. 6(1)(a))
  2. Legitimate interests (Art. 6(1)(f))
  3. Performance of a contract (Art. 6(1)(b))
  4. Compliance with a legal obligation (Art. 6(1)(c))
  5. Protection of vital interests (Art. 6(1)(d))
  6. Public interest or official authority (Art. 6(1)(e))
5
Q

Consent definition

A
  • Any freely given, specific, informed & unambiguous indication of the data subject's (ds) wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing (Art. 4(11))
    Mnemonic FSIU ("Ferdi Schmidt ist Ultra" = Ferdi Schmidt is Ultra)
6
Q

Consent - freely given

A

refusal & withdrawal must be possible without detriment (genuine & free choice)

7
Q

Consent - specific

A
  • a separate choice for each specific purpose
  • goal: user control & transparency for the ds, safeguard against function creep (Zweckerweiterung = purpose extension)

-> granularity in the consent request
-> clear separation from information about other matters (Art. 7(2))
-> written declaration: intelligible & easily accessible form, clear & plain language

8
Q

Consent - informed

A
  • ds must be informed at least of 1) the controller's (dc) identity, 2) the purpose of each processing operation
    (and: 3) what data are collected & used, 4) the right to withdraw, 5) use of the data for automated decision-making, 6) risks of transfers to third countries without adequacy decision & safeguards)
  • information must be proportionate to what the average ds expects & to the impact on the right to privacy
  • information provided in as user-friendly a form as possible
9
Q

Consent - unambiguous

A
  • it must be obvious that the ds gave consent to the particular processing &
  • by a statement or clear affirmative action, written or oral (= active declaration; silence or an indirect answer is not enough)
10
Q

e.g. Consent: pre-ticked boxes?

A
  • no
  • not unambiguous: no affirmative action by the ds (inactivity is not consent)
  • yes: ticking an unticked box (affirmative action)
11
Q

e.g. consent: click fatigue in digital context?

A

consent requests are no longer read -> the obligation to solve this lies with the controller, e.g. by obtaining consent of internet users through their browser settings (cf. Recital 32: choosing technical settings for information society services)

12
Q

withdrawal of consent

A

must be as easy as giving consent (Art. 7(3)) -> after withdrawal the dc must erase the personal data without undue delay unless another legal basis applies (Art. 17(1)(b))

13
Q

Responsibility of dc: consent

A
  • Controller must be able to demonstrate that the ds has consented (Art. 7(1)) -> keep records of who consented, when, how & to which information text
  • consent must be obtained before the processing of the pd starts
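Cards 7, 10, 12 and 13 together describe what a consent mechanism has to enforce: one separate, unticked choice per purpose, a clear affirmative action, withdrawal that is as easy as giving consent, and records that let the controller demonstrate consent later. The following Python consent ledger is an added example written for this page, not part of the course material or of any real product; the purpose names, the notice version string and the FormField/ConsentLedger API are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

@dataclass(frozen=True)
class FormField:
    """One checkbox on a consent form, as rendered and as submitted."""
    purpose: str             # exactly one processing purpose per box (granularity)
    default_checked: bool    # how the box was rendered; must be False (no pre-ticked boxes)
    submitted_checked: bool  # what the data subject actually did


@dataclass(frozen=True)
class ConsentEvent:
    purpose: str
    granted: bool            # True = consent given, False = consent withdrawn
    at: datetime
    notice_version: str      # which information text the subject saw (Art. 7(1) evidence)
    method: str              # how the indication was given, e.g. "checkbox_click"


class ConsentError(ValueError):
    """The request could not produce valid consent; nothing gets recorded."""


class ConsentLedger:
    def __init__(self, purposes: Dict[str, str], notice_version: str) -> None:
        self.purposes = purposes          # purpose id -> plain-language text in the notice
        self.notice_version = notice_version
        self._events: List[ConsentEvent] = []

    def record_form(self, fields: List[FormField], method: str) -> List[str]:
        """Validate the whole form first, then record one grant per ticked purpose."""
        seen = set()
        for f in fields:
            if f.purpose not in self.purposes or f.purpose in seen:
                raise ConsentError(f"purpose {f.purpose!r} unknown or offered twice")
            if f.default_checked:
                # Inactivity is not an affirmative action: a pre-ticked box is not consent.
                raise ConsentError(f"pre-ticked box for purpose {f.purpose!r}")
            seen.add(f.purpose)
        missing = set(self.purposes) - seen
        if missing:
            # Every purpose in the notice needs its own choice (specificity, no bundling).
            raise ConsentError(f"no separate choice offered for {sorted(missing)}")
        now = datetime.now(timezone.utc)
        granted = [f.purpose for f in fields if f.submitted_checked]
        for purpose in granted:
            self._events.append(ConsentEvent(purpose, True, now, self.notice_version, method))
        return granted

    def withdraw(self, purpose: str) -> None:
        """One call, no preconditions: withdrawing must be as easy as giving (Art. 7(3))."""
        if purpose not in self.purposes:
            raise ConsentError(f"unknown purpose {purpose!r}")
        self._events.append(ConsentEvent(purpose, False, datetime.now(timezone.utc),
                                         self.notice_version, "withdrawal"))

    def evidence(self, purpose: str) -> Optional[ConsentEvent]:
        """The grant a controller would produce to demonstrate consent (Art. 7(1)), if current."""
        latest = self._latest(purpose)
        return latest if latest is not None and latest.granted else None

    def is_permitted(self, purpose: str) -> bool:
        """Processing is allowed only while a current (not withdrawn) grant exists."""
        return self.evidence(purpose) is not None

    def must_erase(self, purpose: str, other_legal_basis: bool) -> bool:
        """After withdrawal the data go unless another basis covers them (Art. 17(1)(b))."""
        latest = self._latest(purpose)
        return latest is not None and not latest.granted and not other_legal_basis

    def _latest(self, purpose: str) -> Optional[ConsentEvent]:
        for event in reversed(self._events):
            if event.purpose == purpose:
                return event
        return None


# Constructed sample purposes for a hypothetical webshop (not from the course material).
PURPOSES = {"newsletter": "Send you our weekly newsletter by e-mail",
            "analytics": "Measure site usage with third-party analytics cookies"}

def demo() -> dict:
    """Rejected pre-ticked form, then a valid grant, then a withdrawal."""
    ledger = ConsentLedger(PURPOSES, notice_version="privacy-notice-v3")
    try:
        ledger.record_form([FormField("newsletter", True, True),
                            FormField("analytics", False, False)], method="checkbox_click")
        rejected = False
    except ConsentError:
        rejected = True
    granted = ledger.record_form([FormField("newsletter", False, True),
                                  FormField("analytics", False, False)], method="checkbox_click")
    before = ledger.is_permitted("newsletter")
    ledger.withdraw("newsletter")
    return {"pre_ticked_rejected": rejected, "granted": granted, "newsletter_before": before,
            "newsletter_after": ledger.is_permitted("newsletter"),
            "erase_newsletter": ledger.must_erase("newsletter", other_legal_basis=False)}
```

The design choice worth noting is that validation runs over the whole form before any event is written: a form with one pre-ticked or bundled box yields no consent at all rather than partial consent, and each recorded grant carries the notice version and method so the controller can later show what the data subject saw and did.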
14
Q

Legitimate Interest - definition

A
  • "balancing test" (Art. 6(1)(f)):
  • processing necessary for the legitimate interests of the controller or a 3rd party (e.g. the public)
  • except where overridden by the interests or fundamental rights & freedoms of the ds which require protection of personal data (in particular where the ds is a child)
15
Q

Legitimate Interest - balancing interest steps

A
  1. Identify a legitimate interest of the data controller or a 3rd party (incl. commercial, individual or societal interests)
  2. Show that the processing is necessary to achieve the legitimate interest pursued
  3. Balance it against the individuals' interests, rights & freedoms (does it cause harm? impact on the ds, reasonable expectations, safeguards)
16
Q

Legitimate interests- necessity

A

check if other less invasive means are available to serve the same end

17
Q

e.g. Legitimate interests - limitations on monitoring

A

Mitigation measures (to ensure proper balance; especially in case of monitoring employees): limitations …
- Geographical e.g. monitoring only in specific places & not in sensitive areas such as religious places, sanitary zones, break rooms
- Data-oriented e.g. no monitoring of personal electronic files & communication
- Time-related e.g. sampling instead of continuous monitoring

18
Q

e.g. Rīgas satiksme case (CJEU C-13/16: a public transport operator wanted to sue a taxi passenger who had damaged its trolleybus; the police disclosed the passenger's name but refused the address & ID number)

A
  • CJEU: basis = legitimate interest of a 3rd party (Art. 7(f) Directive 95/46, now Art. 6(1)(f) GDPR)
  • 3 steps: 1. Requesting pd to sue a person for causing property damage = legitimate interest of a 3rd party, 2. Obtaining pd such as address or ID number = strictly necessary to identify the person, 3. Balance against the individual's interests, rights & freedoms (e.g. the person's age)
  • caveat: the provision permits such a disclosure, it does not oblige the police to make it
19
Q

e.g. legal basis in employment context?

A
  • consent rarely "freely given" (imbalance of power) -> rely on another basis, e.g. legitimate interest
20
Q

Performance of a contract - definition

A

processing necessary for the performance of a contract to which the data subject is party, or to take steps at the data subject's request prior to entering into a contract (Art. 6(1)(b))

Legal basis for ordinary (Art. 6) data only; not available for sensitive data

21
Q

e.g. legal basis in employment contract

A
  • performance of contract = legal basis
  • employer needs name, address, bank account etc. to fulfil its obligations towards the employee (ds)
22
Q

e.g. legal basis for purchasing goods & services online

A
  • performance of contract = legal basis
  • webshop needs name, shipping address etc. to deliver on contract
23
Q

Compliance with a legal obligation - definition

A

processing necessary for compliance with a legal obligation to which the controller is subject (Art. 6(1)(c))

24
Q

e.g. legal basis for employer processes employees info

A
  • Compliance with a legal obligation = legal basis
  • must process pd about employees for social security & taxation
  • or: performance of a contract
25
Q

e.g. legal basis for processing customer info in private sector

A
  • Compliance with a legal obligation = legal basis
  • process pd about customers for VAT & bookkeeping
26
Q

Protection of vital interest - definition

A

= processing necessary to protect the vital interests of the data subject or of another natural person (Art. 6(1)(d)); for another person only where the processing cannot manifestly be based on another legal basis (Recital 46)

27
Q

e.g. legal basis if accident & use phone

A
  • vital interest = legal basis
  • using pd to save a life, e.g. establishing the identity of the ds by opening their mobile phone after an accident
28
Q

e.g. legal basis for monitoring epidemics & humanitarian emergencies

A
  • public & vital interest = legal basis
29
Q

Public interest or official authority - definition

A

processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Art. 6(1)(e); often in conjunction with the legal obligation basis)

30
Q

e.g. legal basis in the Huber case (CJEU C-524/06)

A
  • case: German central register of foreign nationals (data on non-nationals only) used by the residence authorities, for statistics, and by police & prosecutors fighting crime
  • residence-law purpose: public interest/official authority can be the basis, but processing is "necessary" only if the register contains only the data needed to apply that legislation & its centralised nature makes the application more effective
  • statistics: not necessary (anonymous data suffice)
  • crime-fighting purpose: a register holding data only on non-nationals = discrimination on grounds of nationality -> prohibited
31
Q

Legal Basis Art. 9: Sensitive Information

A
  • (a) Explicit consent
  • (b) Employment, social security & social protection law
  • (c) Protection of vital interests
  • (d) Not-for-profit bodies with a political, philosophical, religious or trade union aim
  • (e) Manifestly made public by the ds
  • (f) Legal claims / courts acting in their judicial capacity
  • (g) Substantial public interest
  • (h) Preventive/occupational medicine, medical diagnosis, health or social care
  • (i) Public health
  • (j) Archiving in the public interest, scientific/historical research or statistics
32
Q

processing sensitive information

A

(1) processing of sensitive data = prohibited (Art. 9(1))
(2) allowed only if one of the exceptions in Art. 9(2) applies
= negatively framed bases (exemptions from the general prohibition)

33
Q

Explicit Consent Art 9 (2) (a)

A
  • ds: express statement of consent (e.g. signed or written statement) for >= 1 specific purpose
  • must be tied to specific data or categories of data
34
Q

e.g. signed statement necessary for explicit consent?

A
  • not necessary
  • e.g. digital or online: can also give explicit consent filling in an electronic form, sending an email, uploading a scanned document with normal or electronic signature
  • e.g. an oral statement is also sufficient but may be difficult for the dc to prove
35
Q

Employment & social security & social protection law Art 9 (2) (b)

A

processing necessary for carrying out the obligations or exercising the rights of the dc or ds in the field of employment, social security & social protection law, as authorised by Union/Member State law or a collective agreement providing appropriate safeguards

36
Q

Protection of vital interest Art 9 (2) (c)

A

processing necessary to protect the vital interests of the ds or of another person where the ds is physically or legally incapable of giving consent (for another person: only if it cannot manifestly be based on another legal basis)

37
Q

Manifestly made public 9 (2) (e)

A

pd manifestly made public by the data subject (this is distinct from consent) as the result of a free & deliberate decision / affirmative act

38
Q

e.g. legal basis for fireman publishing video of himself?

A
  • yes: manifestly made public if he publishes video or photos on public internet page
  • not if television broadcasts footage from a video surveillance camera showing him
39
Q

Legal claims 9 (2) (f)

A

processing necessary for establishment, exercise, or defense of legal claims or whenever courts are acting in their judicial capacity

40
Q

e.g. legal basis for processing genetic data to establish parentage?

A
  • yes: legal claims
41
Q

e.g. legal basis for health status when part of evidence concerns details of an injury sustained by victim of crime

A
  • yes: legal claims
42
Q

Archiving purposes in public, research or statistical interest 9 (2) (j)

A

processing necessary for archiving purposes in public interest, scientific or historical research purposes or statistical purposes

43
Q

charities or non-for-profit bodies 9(2) (d) - requirements

A
  • body with a political, philosophical, religious or trade union aim, with appropriate safeguards
  • processing must relate to (former) members or persons in regular contact with the body
  • not disclosed outside the body without the ds's consent
44
Q

e.g. legal basis for protecting against serious cross-border risks of health?

A
  • yes: public health
45
Q

Art. 9(4): National conditions

A

Member States may maintain or introduce further conditions & limitations with regard to the processing of genetic, biometric or health data

46
Q

e.g. legal basis for employer asks employees to provide criminal records?

A
  • consent questionable (not freely given)
  • national laws can allow it (criminal data fall under Art. 10: only under the control of official authority or where authorised by law)
47
Q

Consent? Imbalance between ds & dc

A

not freely given
-> consent not a valid legal ground
e.g. dc = public authority or employer; some business-consumer relations

48
Q

Consent? contract depends on consent even if not required for contract performance

A
  • not freely given
    -> consent not a valid legal ground
    Art. 7(4): utmost account is taken of whether performance of a contract is made conditional on consent to processing that is not necessary for that contract (cookie walls: denying cookies -> less functionality; not yet clarified)
49
Q

intelligible & easily accessible form

A

clear & plain language, no unfair terms

50
Q

Consent informed e.g. cookies

A

consent obtained after providing clear & comprehensive info