GDPR Flashcards
Sector
All
Year Passed/Amended
2018
Key principles
Lawfulness, fairness and transparency
Purpose limitation
Data minimization
Accuracy
Storage limitation
Integrity and confidentiality
Accountability
Data subject rights
Right to be informed (transparent communication and information)
Right of access
Right to rectification
Right to erasure
Right to restriction of processing
Right to data portability
Right to object (to processing)
Right not to be subject to automated decision-making
Primary requirements
On data controllers:
Implement data protection by default and by design
Provide instructions to data processors
Ensure data security
Report data breaches
Cooperate with DPAs
Appoint a DPO/EU representative for the business
Identify the legal basis for processing
Maintain data processing records
Conduct data protection impact assessments
On data processors:
Compliance with instructions of the controller
Confidentiality
Keep a record of processing activities
Data security
Report data breaches
Cooperate with DPAs
Must also facilitate all of the data subject rights
Any processing requires “consent”: freely given, specific, informed, and an unambiguous indication of the data subject’s wishes.
Entities subject to the law
EU-based data controllers and data processors
Anyone processing the data of EU data subjects, regardless of location
Data controller: an entity that “determines the purposes and the means of the processing of personal data”
Data processor: an entity that “processes personal data on behalf of the controller”
Term for relevant PII or regulated data
Two classes: personal data and sensitive personal data
Definition of relevant PII or regulated data
Personal data: any data that relates to an identified or identifiable natural person, including data that can be grouped together to identify a person.
De-identified, encrypted or pseudonymized data is still personal data if it can be used to identify a person; data is only considered anonymized if the process is irreversible.
Examples:
First and last name
Home address
Email address including first and last name
ID card number
Location data
IP address
Cookie ID
Advertising ID on a phone
Data held by a doctor or hospital, even if separated from the patient's name
Examples that are not personal data:
Registration number for a company
Email addresses such as support@company.com
Anonymized data
Sensitive personal data: no overall definition is provided. Requires "explicit consent" to use.
Examples:
Race or ethnic origin
Political opinions
Religious or philosophical beliefs
Trade union membership
Genetic data
Biometric data
Health data
Sex life or sexual orientation
Civil or criminal?
Civil and criminal, at the discretion of member states
Enforcing authority - civil
Data Protection Authorities (DPAs): one per member state, except Germany, which has a single federal DPA for the public sector and one DPA for the commercial sector in each Land (state)
Penalties - civil
Higher-level fines: up to the greater of 20 million Euro or 4% of global revenues
Imposed for infringements related to basic principles of processing (e.g. consent, lawfulness of processing, and processing sensitive personal data), rights of data subjects, and transfers to recipients outside the EU.
Lower-level fines: up to the greater of 10 million Euro or 2% of global revenues.
Imposed for infringements related to data protection by default or by design, records of processing, cooperation with DPAs, security of processing, notification of breaches, and designation of a DPO.
Enforcing authority - criminal
DPAs?
Penalties - criminal
Up to the member states?
Private right of action?
Yes. Additionally, data subjects can file complaints with DPAs. If unsatisfied, they can appeal to a national court.
FIP individual rights implicated
Notice, choice and consent, access (so, all)
Notice provisions - non-breach
In order to get informed consent, the business must provide:
Controller’s identity
Purpose of processing
Types of data to be collected
Information about the right to withdraw consent
Information about automated processing
Risks of transfers outside Europe
Notice provisions - breach
Data controllers: must report a breach to the DPA within 72 hours of becoming aware of it, where feasible. If not feasible, the notice must include the reasons for the delay.
If a breach is likely to result in a “high” risk to individuals’ rights and freedoms, the controller must also notify affected data subjects without undue delay. At minimum, the notice must:
Be in clear and plain language
Include the data controller’s name
Include the likely consequences of the breach
Include any mitigating measures the controller took
Data processors: have to notify controllers “without undue delay”
Exceptions for notice - non-breach
None?
Exceptions for notice - breach
Not required to report the breach to the DPA if it is unlikely to result in a risk to individuals’ rights and freedoms (e.g. the data are encrypted), but the controller still has to document it
Not required to notify data subjects if:
(a) it is unlikely to result in a risk to individuals’ rights and freedoms (e.g. the data are encrypted), but the controller still has to document it;
(b) the controller has taken steps to protect the data (e.g. by suspending accounts); AND
(c) the notice would impose disproportionate effects on the controller
Consent provisions
Consent can be expressed by a statement or by a clear affirmative action (the burden of proving consent is on the business)
In order to get informed consent, the business must provide the data subject with the following info:
Controller’s identity
Purpose of processing
Types of data to be collected
Information about the right to withdraw consent
Information about automated processing
Risks of transfers outside Europe
Exceptions for consent
None?
Access provisions
Data subjects have the right of access, defined as:
(a) confirmation of whether a data controller is processing their data;
(b) a copy of their personal data;
(c) any other info that should be provided in a privacy notice.
Data subjects also have the right to rectification and the right to erasure or, alternatively, the right to restriction of processing.
Requirements for right to erasure
(a) the personal data is no longer necessary…for the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws consent, and there is no other legal basis for processing;
(c) the data subject objects to the processing based on legitimate interests, and there is no overriding legitimate interest in processing;
(d) the personal data have been unlawfully processed;
(e) the personal data must be erased to comply with a legal obligation;
(f) the personal data have been collected to offer information services to children
Requirements for right to restriction of processing
(a) accuracy is contested and the controller is verifying the accuracy;
(b) processing is unlawful, and data subject prefers to have processing restricted instead of having data erased;
(c) the controller no longer needs the data, but the data subject needs it for the establishment, exercise or defense of legal claims;
(d) data subject has objected to processing, and the controller is verifying whether it has overriding legitimate grounds for continuing