GDPR Flashcards

1
Q

GDPR

A

Personal scope of application

The protection of natural persons - aka “data subjects” - every consumer is a data subject, but not every data subject is a consumer; even in a B2B context, the GDPR protects natural persons

A company as such has no privacy rights

Privacy is seen as a fundamental right & freedom of a natural person

Relating to the processing of personal data and rules relating to the free movement of personal data

2
Q

Material scope of application

A

Processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system

A credit scoring system

Personal data used to operate a transport agreement, which is stored in a filing system

3
Q

Exclusions

A


Personal data processed by a natural person in the course of a purely personal or household activity

A children’s party - If I ask the other parents at a children’s party for their phone numbers, this is in theory data processing, but it is excluded and I don’t have to ask for their consent. If I were the director of a school and wanted to ask parents the same question, I would have to ask for their consent, because it is a professional setting


Personal data processed by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security - If the police want to give you a ticket, they don’t need to apply the GDPR; this is the reason why a regular policeman cannot do the same things as a judiciary policeman; a regular traffic cop does not have the same competences as a colleague who might have a mandate from the attorney general to look into the database

4
Q

Does a charity event require GDPR?

A

Yes
Even if I have a lot of data from private interactions with other people, want to send invitations, and could say that this is a purely household activity, the GDPR still applies

5
Q

Territorial scope of application

A

Processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not - Facebook is an American company, which theoretically means that the first rule is not applicable; however, the second rule protects the users from the Union.

“One leg rule” - once a data subject from the EU is a user of Facebook, that is enough for the GDPR to apply

Processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

The offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
The monitoring of their behaviour as far as their behaviour takes place within the Union

6
Q

What is ‘personal data’?

A

Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

7
Q

What is ‘processing of data’?

A


Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction - If you search for someone on LinkedIn, you have processed that person’s data

8
Q

The ‘Controller’

A

Determines the purposes and means of the processing of personal data; sets the goals for data processing - I’m the bank and I want to do credit scoring
