ECM 1407 GDPR Flashcards
What is the General Data Protection Regulation (2018)?
A 2018 EU regulation on data protection and privacy
The GDPR regulates how organisations process personal data
It became a model for national laws outside the EU
EU-GDPR and UK-GDPR are quite similar
“Six plus one” data principles of the GDPR
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
Lawfulness, fairness and transparency
“Data should be processed lawfully, fairly and in a transparent manner in relation to individuals.”
Provide the definitions of lawfulness, fairness and transparency:
- Lawfulness: For processing of personal data to be lawful, you need to identify specific grounds for the processing.
- Fairness: You should only handle personal data in ways that people would reasonably expect and not use it in ways that have unjustified adverse effects on them.
- Transparency: You should be clear, open and honest with people from the start about who you are, and how and why you use their personal data.
What are the lawful bases for processing data?
Consent
Contract
Legal Obligation
Vital Interests
Legitimate Interests
Public task
Case study: WindTre fined 17m EUR
- Complaints were received from users about unsolicited marketing communications sent without their consent via texts, emails, faxes, and automated phone calls.
- The MyWind and My3 apps had been configured in such a way as to require the user to consent, on each access, to processing for various purposes, including marketing and profiling.
“Data should be processed in a manner that ensures appropriate security”
Case study: British Airways fined £184m
Personal details of more than 400,000 customers were leaked in a cyberattack, and British Airways lacked adequate security to protect itself against it.
The fine was later reduced because of the economic impact of COVID-19.
What are the rights of the data subject?
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
GDPR gives individuals “The right to be forgotten”
What is the “right to be forgotten”?
- The right of having personal information removed from services under certain circumstances
What circumstances must be present for “the right to be forgotten” to be applied?
- The organisation no longer needs your data for the original purpose it collected or used it for
- You initially consented to the organisation using your data, but have now withdrawn your consent
- You have objected to the use of your data, and your interests outweigh those of the organisation using it
- You have objected to the use of your data for direct marketing purposes
- The organisation has collected or used your data unlawfully
- The organisation has a legal obligation to erase your data
- The data was collected from you as a child for an online service.
When does the “right to be forgotten” not apply?
- For exercising the right of freedom of expression and information
- For compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority
- For reasons of public interest in public health
- For archiving purposes in the public interest
“The right to be forgotten” can be counter-intuitive when the Streisand effect is triggered. What is the Streisand effect?
When attempting to hide a piece of information leads to increased awareness of it.