Datafication 6 Flashcards

1
Q

Rights of Data Subject

A
  • transparency (no request)
  • Obligation to inform (no request)
  • Right to access
  • Right to rectification / correction
  • right to be forgotten
  • right to restrict
  • right to data portability
  • right to object
  • right not to be subject to an automated decision
2
Q

What should a privacy policy look like? Transparency Art. 12

A
  • dc must take measures to provide info Art. 13 & 14 to ds & any communication under 15-22 (rights of ds) relating to processing
  • form: concise, transparent, intelligible (= clear & plain language), easily accessible
3
Q

Transparency Art. 12 - easily accessible

A

ds should not seek information -> never more than “two-taps away”

  • e.g. not: positioning or color that make text / link less noticeable
  • direct link = clearly visible on each page of website under commonly used term (e.g. Privacy, Data Protection Notice, Privacy Policy)
4
Q

e.g. apps: when to show the privacy notice?

A
  • necessary information from an online store prior to download
  • after installation still need information
5
Q

Transparency Art. 12 - transparent

A
  • no vague words = poor practice as ambiguous
  • avoid: “may”, “might”, “some”, “often”, “possible”
6
Q

What should privacy policy include? Obligation to inform Art. 13 & 14

A

Art. 13: when dc directly collects data from ds
Art. 14: when dc gets data from someone else about ds

1) processing is taking place, 2) what processing entails, 3) rights

7
Q

When inform ds? Obligation to inform Art. 13 & 14

A

Art. 13: At time of collection from ds
Art. 14: Within 1 month when collected from 3rd party

8
Q

When no obligation to inform (exception)? Art. 13 & 14

A
  • DS already informed
  • Impossible, disproportionate effort
  • Obtaining or disclosure expressly laid down by Union or Member State
  • Pd confidential due to professional secrecy regulated by EU or MS
9
Q

general: exception of dc fulfilling the rights of ds

A
  • not able to identify ds
  • when restrictions can be applied
  • further processing necessary
  • request manifestly unfounded or excessive: charge reasonable fee or refuse to act on request
10
Q

general: rights of ds

A
  • Dc cannot refuse action on rights request (exceptions)
  • Dc must inform ds without delay & within 1 month
  • verbally or orally
  • rights provided free of charge (exceptions)
11
Q

Right of Access Art. 15

A

ds right to obtain confirmation from dc if pd processed & if yes provide copy of pd

12
Q

Right of Access Art. 15 - Exceptions

A

copy would affect rights & freedoms of others (e.g. trade secrets, info of other ds)

13
Q

e.g. Rijkeboer case - Right of Access Art. 15

A

CJEU decided that access is not limited to records kept one year before request (ds would not be able to exercise right to have pd presumed unlawful or incorrect rectified etc.)

14
Q

Right of Rectification Art. 16

A

ds right to correct inaccurate personal data (= incorrect or misleading) or to complete it

15
Q

e.g. Peter Nowak case - Right of Rectification Art. 16

A

student who was declined access to his exam papers, court decided: access right with the aim of rectification
- Content of answers reflects knowledge in field & intellect, judgment & info on his handwriting
- Purpose: evaluate professional abilities
- Use of information possibly has effect, e.g. influence chance of entering profession

16
Q

Right to Erasure Art. 17

A

= “Right to be forgotten”
ds right to erase existing pd (not future pd) if:

  • Processing unlawful
  • pd no longer necessary for purpose
  • necessary for compliance with legal obligation in Member or State law
  • Processing to offer information society services to child
  • Lawful basis consent & consent withdrawn
  • Lawful basis legitimate interest & no overriding legitimate interest
  • Processing for direct marketing
17
Q

Right to Erasure Art. 17 - Exceptions

A
  • data controller has legitimate interest to retain data
  • processing necessary for freedom of expression & information
  • compliance with legal obligation requiring processing by Union or Member State of controller
18
Q

e.g. Google Spain case - Right to Erasure Art. 17

A

Spanish resident sought deletion of info in Spanish newspaper & Google Search engine
- name in Google -> links to newspaper mentioned his name in connection with real-estate auction for recovery of social security debts
- Result (now repealed) CJEU: operator of search engine obligated to remove from result of search based on name (also if name or info not erased from those web pages and when publication on those pages is lawful)
- Reason: result of search query concerning name makes access to info easier & plays decisive role in the dissemination of info -> search engine more interference with ds fundamental right to privacy than publication on web page

French data privacy authority sought clarification: de-referencing only on all versions of search engine corresponding to all EU Member States

19
Q

Right to Restrict Processing Art. 18

A
  • permitted to store the pd but not use it; if:
  • ds contests accuracy of pd & controller must verify
  • Processing unlawful & ds requests restriction instead of erasure
  • pd required by ds for legal claims
  • ds objected to processing & dc verifies whether legitimate grounds override those of data subject
20
Q

Right to Data Portability Art. 20

A
  • obtain & reuse their pd for own purposes across different services if:
  • Lawful basis consent or contract
  • Processing carried out by automated means (= excluding paper files)
  • Format of the providing data: structured, commonly used, machine-readable
21
Q

Right to Object Art. 21

A
  • object “on grounds relating to his/her particular situation” (individual must provide reason) if:
  • Direct marketing (incl. profiling if related to marketing): absolute right to stop use of data
  • Legal Basis:
  • public task
  • legitimate interests
  • “completing balancing test”: dc can demonstrate legitimate interest overriding others
22
Q

e.g. Manni case - Right to object Art. 21

A

ds sought erasure of info relating to bankruptcy of a company
- Result CJEU: no right of erasure
- Reason: legitimate purpose of disclosure of pd in company register: need to protect interests of 3rd parties and ensure legal certainty -> potential clients of ds have legitimate interest to know about bankruptcy of his old company

23
Q

Art. 13 Obligation to inform - ds provided pd

A
  • at time of collection
  • identity & contact dc
  • Contact of DPA
  • purpose of processing & legal basis
  • legitimate interest if basis
  • recipients of pd
  • transfer to 3rd country or international organization
  • right to withdraw consent
  • storage period of pd
  • right complaint with supervisory authority
  • automated decision making
  • ds right to object (explicitly brought to attention, clearly & separately from other information presented)
24
Q

Art. 14 Obligation to Inform - collected from someone else

A
  • within 1 month after collection
  • categories of pd
  • source of pd
  • storage period of pd
  • right complaint with supervisory authority
  • automated decision making
  • ds right to object (explicitly brought to attention, clearly & separately from other information presented)
25
Q

Right to Erasure vs withdrawal of consent

A
  • consent withdrawn: future collection prohibited, doesn’t affect existing pd
26
Q

Right to Data Portability - format

A
  • structured, commonly used & machine readable
27
Q

Right to object vs other rights

A

<-> rectification, erasure & restriction = situations where lawfulness of processing questioned