GDPR Flashcards

1
Q

Criteria for data to be personal

A
  • Personal data is any information relating to an identified or identifiable natural person (Art. 4(1) GDPR). The mere possibility of identification, directly or indirectly, renders the data personal.
  • If personal data are anonymised so that the data subject is no longer identifiable, the GDPR does not apply (Recital 26 GDPR).
2
Q

Definition of data

A

(electronically) stored information, signs, or indications.

3
Q

Difference between anonymised and pseudonymised data.

A

Anonymised: the data subject can no longer be identified, so the GDPR does not apply (Recital 26 GDPR).
Pseudonymised: the data can still be attributed to a natural person with the use of additional information (Art. 4(5) GDPR), so they remain personal data and the GDPR applies.

4
Q

The payroll administration of X, a company established in Spain, transmits information to B, a bank also established in Spain, so that B can carry out the monthly payment to X's employees. To make the payment, B needs to process X's employees' personal data. B decides independently of X which data it processes, the storage period, and the purpose and means of processing the data.
*Please determine whether X and B are controllers or processors.

A

Both X and B are controllers. B is a controller for the processing of the data for making the payments, and the transmission of personal data from the payroll administration is a disclosure of information between two controllers.

5
Q

X, a company established in Italy, is recruiting staff, and Y, a company established in Spain, assists X in the recruitment process. Y selects candidates from among those who have sent their CVs to Y and those it already has in its own database. This database is created and managed by Y. X and Y jointly participate in the process to find suitable candidates. To this end, Y organises and manages its services according to X’s needs, and Y enriches its database with the CVs it receives. Once a few candidates have been selected, X organises the interviews, concludes the contract, and manages the HR data.
*Please determine whether X and Y are processors or controllers, and for which processing activities.

A
  • X and Y are joint controllers of the processing carried out to select suitable candidates, since they jointly determine its purposes and means (Art. 26 GDPR).
  • Y is the sole controller of the processing necessary to manage its own CV database.
  • X is the sole controller of the subsequent hiring processing (interviews, contract, HR data).
6
Q

*X is a Spanish company that sells tickets for concerts. These tickets can only be booked online. *To carry out the booking process, customer data needs to be processed and stored.
*X stores these data in a cloud that is operated by C, another company also established in Spain. *Please determine whether X and C are controllers or processors, and whether the GDPR applies.

A
  • X is the controller, since it determines the purposes and means of the processing; C, which only stores the data on X's behalf, is the processor (Art. 4(7) and 4(8) GDPR).
  • As both carry out their activities in the context of their EU establishments, the GDPR applies (Art. 3(1) GDPR).
7
Q

X, an Australian company, uses the cloud provided by C, a German company, to process its Australian consumers' personal data.
* X offers and directs its services only to the Australian market.
*Is the GDPR applicable to X and C?

A
  • X, the controller, does not process personal data in the context of the activities of an establishment in the EU (Art. 3(1) GDPR). It neither offers goods or services to persons in the EU nor monitors their behaviour (Art. 3(2) GDPR). Therefore, the processing by X, which is established outside the EU, is not subject to the GDPR.
  • C, the processor, is established in Germany, so its own processing falls within the scope of the GDPR (Art. 3(1) GDPR), even though X's processing does not.
8
Q
X is located in Australia and runs an online shop. For this purpose, it stores consumers' data.
*X has no subsidiaries or representatives abroad, and the online shop is only available in English.
*Payment is accepted in Australian dollars and euros, and deliveries are possible in Germany.
*Is the GDPR applicable?
A

Accepting payment in euros and delivering to Germany show that X intends to offer goods to data subjects in the EU (Recital 23 GDPR), so the GDPR applies (Art. 3(2)(a) GDPR).

9
Q

X is a company located in Australia that sells dresses online.
* Payment is only allowed in Australian dollars and delivery to Europe is not offered.
*Anyone visiting the website needs to accept the use of cookies, and X analyses the IP geolocation data to determine the country where the user is located and their preferences.
*Is the GDPR applicable?

A

X uses web tracking to analyse the preferences of visitors located in the EU. This is monitoring of the behaviour of data subjects in the EU, so the GDPR applies (Art. 3(2)(b) GDPR) even though X neither delivers to nor accepts payment from the EU.

10
Q

X, a company established in New York, sells shoes on site and online.
*X seeks to expand its business in the EU.
*When clients enter the website, they need to accept the use of cookies. Subsequently, X analyses the IP geolocation data to determine the country where the user is located, and therefore how many European customers it has and what their interests are.
*Does X need to comply with the GDPR?
*Does X need to appoint a Data Protection Officer?

A

X needs to comply with the GDPR because it monitors the behaviour of data subjects in the EU (Art. 3(2)(b) GDPR).
* X uses the tracking information with the aim of expanding its business into Europe. Targeting European customers is the purpose of the processing and an important element of X's business strategy, so the monitoring of data subjects is a core activity rather than an ancillary one. Therefore, X is obliged to designate a Data Protection Officer (Art. 37(1)(b) GDPR).

11
Q

X is a Spanish company offering an app for photo editing. Users must give their consent to the processing of their personal data and must have GPS location activated when using the app. Otherwise, the app does not work.
*X claims that the processing of the location data is necessary for the provision of its services.
*Can X rely on the consent of the users to process the location data?

A

No. The location data are not necessary for providing the photo editing service, so the processing goes beyond what is necessary for the core service. Since users cannot use the app without consenting to this processing, the consent is made a condition of the service and is therefore not freely given (Art. 7(4) GDPR). Consent that is not freely given is not valid consent (Art. 4(11) GDPR).

12
Q

An online pharmacy carries out marketing based on the medicines and other products customers have purchased, including products obtained by prescription.
* It analyses this information – combined with demographic information about customers – for example, their age and gender – to build up a ‘health and wellbeing’ profile of individual customers. Clickstream data is also used, which is collected not only about the products the customers purchased but also about other products and information they were browsing on the website.
* The customer profiles include information or predictions suggesting that a particular customer is pregnant, suffering from a particular chronic illness, or would be interested in purchasing dietary supplements, suntan lotion, or other skin-care products at certain times of the year.
* The online pharmacy’s analysts use this information to offer non-prescription medicines, health supplements, and other products to particular individuals by email.
* Can the pharmacy rely on its legitimate interest to carry out these processing activities?

A

The pharmacy cannot rely on its legitimate interests when creating and using its customer profiles for marketing. There are several problems posed by the profiling described. The information is particularly sensitive (it concerns health) and can reveal a great deal about matters that many individuals would expect to remain private. The extent and manner of the profiling (use of clickstream data, predictive algorithms) also suggest a high level of intrusiveness. Consent, including explicit consent where sensitive data are involved, could however be considered as an alternative legal basis where appropriate (Art. 7(a) and 8(2)(a) of Directive 95/46/EC, now Art. 6(1)(a) and 9(2)(a) GDPR).

13
Q

An internet company providing various services including search engine, video sharing, and social networking, develops a privacy policy which contains a clause that enables it to combine all personal information collected on each of its users in relation to the different services they use, without defining any data retention period.
*According to the company, this is done in order to ‘guarantee the best possible quality of service’.
*The company makes some tools available to different categories of users so that they can exercise their rights (e.g., deactivate targeted advertising, as opposed to setting a specific type of cookie).
*However, the tools available do not allow users to effectively control the processing of their data: users cannot control the specific combinations of their data across services and users cannot object to the combination of data about them.
*Can the company rely on its legitimate interest for carrying out these data processing activities?

A

Overall, there is an imbalance between the company's legitimate interest and the protection of users' fundamental rights, so legitimate interest (Art. 7(f) of Directive 95/46/EC, now Art. 6(1)(f) GDPR) should not be relied on as a legal basis for this processing. Consent (Art. 7(a) of the Directive, now Art. 6(1)(a) GDPR) would be a more appropriate ground, provided that the conditions for valid consent are met.

14
Q

A company installs a CCTV camera to monitor the main entrance to its building. A sign informs people that CCTV is in operation for security purposes.
*CCTV recordings show that the receptionist is frequently away from her desk and engages in lengthy conversations while smoking near the entrance area covered by the CCTV cameras. The recordings, combined with other evidence (such as complaints), show that she often fails to take telephone calls, which is one of her duties.
*Can the company process the personal data obtained for security purposes and also for monitoring the performance of the employees?

A

A reasonable data subject would assume from the notice that the cameras are there for security purposes only. Monitoring whether or not an employee is appropriately carrying out her duties is an unrelated purpose that would not reasonably be expected by the data subject. This gives a strong indication that the further use is incompatible with the purpose of collection (Art. 5(1)(b) and 6(4) GDPR). Other factors, such as the potential negative impact on the employee (for example, possible disciplinary action), the nature of the data (video footage), the nature of the relationship (an employment context, suggesting an imbalance of power and limited choice), and the lack of safeguards (such as notice about further purposes beyond security) also contribute to and confirm this assessment.

15
Q

A department store uses loyalty card data to analyse the purchasing habits of its clients, identify new marketing trends, make special offers, and send discount coupons to its customers.
* A new analytics software used by the department store predicts with a high degree of probability whether a female customer is pregnant and by how many months. This information is used to adapt marketing offers to their profile.
*No specific information is provided to the customers when they register for a loyalty card. The detailed terms and conditions (which are available on the department store’s website) only mention that ‘loyalty card data may be used for marketing purposes, including providing customers with special offers and discount coupons’.
* The department store receives a complaint from a girl who finds out that she is pregnant following suspicions about the increased number of pregnancy-related advertisements received.
* Can the department store process the personal data obtained for "direct marketing" also for predicting pregnancy?

A

The way in which the profiling is carried out (secret algorithms to predict pregnancy) is one that many customers would find unexpected, inappropriate, and objectionable. The problem is less the nature of the data collected (which may be non-intrusive in itself) than the way the data are combined, further processed, and used to predict a specific profile (pregnancy and the number of months) using a secret and objectionable algorithm. On balance, there is a strong indication that the further processing is incompatible with the original purpose (Art. 5(1)(b) GDPR), primarily because of the way the data are processed and the lack of safeguards (such as transparency, and genuine and informed consent).

16
Q

Data subject X works as a department manager for a company that provides parking spaces for its managers in a company car park.
*Although X has a permanent parking space, when X arrives at the office for the second shift this space is often already occupied by another car. Since this situation keeps recurring, X asks the controller of the video surveillance system covering the office car park for access to the personal data of the driver who occupies the space without authorisation, in order to identify that driver.
* Can X request access to these data under Art. 15 GDPR?

A

No. Data subject X's request is not a request for access to X's own personal data: it concerns the data of another person, not the requesting person's data, and therefore it should not be treated as a request under Art. 15 GDPR.

17
Q

*X, a retailer, offers its clients the possibility to order products via a hotline operated by its customer service. For the purpose of proving the commercial transactions, X stores a recording of each call, in accordance with the strict requirements of the applicable legislation.
* A customer, Y, wants to receive a copy of the conversation he had with an agent of the customer service.
* Can Y obtain access to such personal data?

A

The recording contains personal data that also relate to someone else, namely the customer service agent. To assess whether providing the copy would adversely affect the rights and freedoms of others (Art. 15(4) GDPR), X must balance the conflicting interests, in particular the likelihood and severity of possible risks to the rights and freedoms of the agent arising from disclosure of the recording to the client. X may conclude that the recording contains very limited personal data relating to the agent (only his voice), that the agent is not easily identifiable, that the content of the conversation is of a professional nature, and that the data subject was himself the interlocutor. In that case, granting access would not adversely affect the rights and freedoms of the agent, and the controller may provide the data subject with the full recording, including the parts of the voice recording that relate to the agent.

18
Q

X, a marketing company, has its central administration in Germany, where it is registered, and has two branches, in Spain and Italy.
*The first branch, located in Spain, administers X's IP rights. This task is performed by employees who use remote access to X's German-based IT systems.
*The second branch, located in Italy, is responsible for X's marketing. This branch develops marketing concepts and determines, for all of X's branches, which personal data of customers are processed through X's German-based IT systems and for which marketing purposes.
*The processing operations are only carried out in Germany.
* Determine the competent supervisory authority.

A

The Italian branch determines the purposes and means of the processing, but it is not legally independent. Therefore, the German parent company, X, qualifies as the controller. Although X has its central administration in Germany, the decisions on the purposes and means of the processing are taken in Italy, and the Italian branch has the power to have them implemented. Under Art. 4(16)(a) GDPR, the Italian branch therefore qualifies as the main establishment, and the Italian supervisory authority is the lead supervisory authority (Art. 56(1) GDPR). That the processing operations themselves take place in Germany does not change this.
