Datafication 6

Question 1

Rights of Data Subject

Answer 1

• transparency (no request)
• Obligation to inform (no request)
• Right to access
• Right to rectification / correction
• right to be forgotten
• right to restrict
• right to dataportability
• right to object
• right not to be subject of an automated decision

Question 2

How should privacy policy look like? Transparency Art. 12

Answer 2

• dc must take measures to provide info Art. 13 & 14 to ds & any communication under 15-22 (rights of ds) relating to processing
• form: concise, transparent, intelligible (= clear & plain language), easy accessible

Question 3

Transparency Art. 12 - easy accessible

Answer 3

ds should not seek information -> never more than “two-taps away”

• e.g. not: positioning or color that make text / link less noticeable
• direct link = clearly visible on each page of website under common used term (e.g. Privacy, Data Protection Notice, Privacy Policy))

Question 4

e.g. apps when to see privacy note?

Answer 4

• necessary information from an online store prior to download
• after installation still need information

Question 5

Transparency Art. 12 - transparent

Answer 5

• no vague words = poor practice as ambiguous
• avoid: “may”, “might”, “some”, “often”, “possible”

Question 6

What should privacy policy include? Obligation to inform Art. 13 & 14

Answer 6

Art. 13: When dc directly collets data from ds
Art. 14: when dc gets data from someone else about ds

1) processing is taking place, 2) what processing entails, 3) rights

Question 7

When inform ds? Obligation to inform Art. 13 & 14

Answer 7

Art. 13: At time of collection from ds
Art. 14: Within 1 month when collected from 3rd party

Question 8

When no obligation to inform (exception)? Art. 13 & 14

Answer 8

• DS already informed
• Impossible, disappropriate effort
• Obtaining or disclosure expressly laid down by Union or Member state
• Pd confidential due to professional secrecy regulated by Eu or MS

Question 9

general: exception of dc fulfilling the rights of ds

Answer 9

• not able to identify ds
• when restrictions can be applied
• further processing necessary
• request manifestly unfounded or excessive: charge reasonable fee or refuse to act on request

Question 10

general: rights of ds

Answer 10

• Dc can not refuse action on rights request (exceptions)
• Dc must inform ds without delay & within 1 month
• verbally or orally
• rights provided free of charge (exceptions)

Question 11

Right of Access Art. 15

Answer 11

ds right to obtain confirmation from dc if pd processed & if yes provide copy of pd

Question 12

Right of Access Art. 15 - Exceptions

Answer 12

copy would affect rights & freedoms of others (e.g. trade secrets, info of other ds)

Question 13

e.g. Rijkeboer case - Right of Access Art. 15

Answer 13

CJEU decided that acces not limited to records kept one year before request (ds would not be able to exercise right to have pd presumed unlawful or incorrect rectified etc.)

Question 14

Right of Rectification Art. 16

Answer 14

ds right to correct inaccurate personal data (= incorrect or misleading) or to complete it

Question 15

e.g. Peter Nowak case - Right of Rectification Art. 16

Answer 15

student who was declaimed to see his exam papers, court decided: access right with the aim of rectification
- Content of answers reflect knowledge in field & intellect, judgment & info to his handwriting
- Purpose: evaluate professional abilities
- Use of information possibly has effect, e.g. influence change of entering profession

Question 16

Right to Erasure Art. 17

Answer 16

= “Right to be forgotten”
ds right to erase existing pd (not future pd) if :

• Processing unlawfully
• pd no longer necessary for purpose
• necessary for compliance with legal obligation in Member or State law
• Processing to offer information society services to child
• Lawful basis consent & consent withdrawn
• Lawful basis legitimate interest & no overriding legitimate interest
• Processing for direct marketing

Question 17

Right to Erasure Art. 17 - Exceptions

Answer 17

• data controller has legitimate interest to retain data
• processing necessary for freedom of expression & information
• compliance with legal obligation require processing by Union or Member State of controller

Question 18

e.g. Google spain case - Right to Erasure Art. 17

Answer 18

Spanish resident sought deletion of info in Spanish newspaper & Google Search engine
- name in Google -> links to newspaper mentioned his name in connection with real-estate auction for recovery of social security debts
- Result (now repealed) CJEU: operator of search engine obligated to remove from result of search based on name (also if name or info not erased from those web pages and when publication on those pages is lawful)
- Reason: result of search query concerning name makes access to info easier & plays decisive role in the dissemination of info -> search engine more interference with ds fundamental right to privacy than publication on web page

French data privacy authority seeked clarification: de-referencing only on all versions of search engine corresponding to all EU Member States

Question 19

Right to Restrict Processing Art. 18

Answer 19

• permitted to store the pd but not use it; if:
• ds contests accuracy of pd & controller must verify
• Processing unlawfully & ds requests restriction instead of erasure
• Require pd by ds for legal claims
• ds objected to processing & dc verifies whether legitimate grounds override those of data subject

Question 20

Right to Data Portability Art. 20

Answer 20

• obtain & reuse their pd for own purposes across different services if:
• Lawful basis consent or contract
• Processing carried out by automated means (= excluding paper files)
• Format of the providing data: structured, commonly used, machine-readable

Question 21

Right to Object Art. 21

Answer 21

• object “on grounds relating to his/her particular situation” (individual must provide reason) if:
• Direct marketing (incl. profiling if related to marketing): absolute right to stop use of data
• Legal Basis:
• public task
• legitimate interests
• “completing balancing test”: dc can demonstrate legitimate interest overriding others

Question 22

e.g. Manni case - Right to object Art. 21

Answer 22

ds erasure of info relation to bankruptcy of a company
- Result CJEU: no right of erasure
- Reason: legitimate purpose of disclosure of pd in company register: need to protect interests of 3rd parties and ensure legal certainty -> potential clients of ds have legitimate interest to know about bankruptcy of his old company

Question 23

Art. 13 Obligation to inform - ds provided pd

Answer 23

• at time of collection
• identity & contact dc
• Contact of DPA
• purpose of processing & legal basis
• legitimate interest if basis
• recipients of pd
• transfer to 3rd country or international organization
• right to withdraw consent
• storage period of pd
• right complaint with supervisory authority
• automated decision making
• ds right to object (explicity brought to attention, clearly & separately from other information presented)

Question 24

Art. 14 Obligation to Inform - collected from someone else

Answer 24

• within 1 month after collection
• categories of pd
• source of pd
• storage period of pd
• right complaint with supervisory authority
• automated decision making
• ds right to object (explicity brought to attention, clearly & separately from other information presented)

Question 25

Right to Erasure vs withdraw of consent

Answer 25

• consent withdraw/ future collection prohibited, doesn’t effect existing pd

Question 26

Right to Data Portability - format

Answer 26

• structured, commonly used & machine readable

Question 27

Right to object vs other rights

Answer 27

<-> rectification, erasure & restriction = situations where lawfulness of processing questioned