General Data Protection Regulation (GDPR) Flashcards
Personal Data
Any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Processing
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Controller
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Processor
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Principles of GDPR
- Lawfulness: Be able to rely on a legal justification for using the data.
- Fairness: Do not use the data in a manner that is unexpected, detrimental, or misleading.
- Transparency: Be clear about what you are doing with data.
- Purpose Limitation: Be clear why you are collecting/using data and only use it for a purpose compatible with what was originally specified.
- Data minimization: Only process data that is necessary for the purpose you have identified.
- Accuracy: Keep data accurate and/or give data subjects ability to correct.
- Storage Limitation: Do not store data for longer than you need it.
- Data integrity and Security: Implement appropriate measures to ensure data security and avoid breaches.
- Accountability: Burden is on the company to be able to demonstrate compliance.
Legal Bases
- Consent
- Contractual necessity
- Legitimate interests
(Not important/rare)
4. Compliance with a legal obligation
5. To protect the vital interests of a person
6. Performance of a task carried out in the public interest
Consent
- Freely Given
- Specific
- Informed
- Unambiguous indication of data subject’s wishes
Contractual Necessity
Lawful when “processing is necessary for the performance of a contract.”
You must be able to demonstrate that the specific processing is necessary for the service.
a. Necessity is to be assessed objectively, according to the perspective of a hypothetical reasonable data subject.
b. If there are realistic and less intrusive alternatives to the type of processing envisaged, it is not necessary.
Legitimate Interest
Most appropriate when you can use people’s data:
- in ways they would reasonably expect
- have a minimal privacy impact
- or where there is a compelling justification for the processing
Elements:
1. Identify a legitimate interest,
2. Show that the processing is necessary to achieve it,
3. Balance it against the individual’s interests, rights, and freedoms.
Rights of the Data Subject
- Right to be informed
- Right to access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Rights in relation to automated decision making and profiling
Exceptions to Access and Portability Rights
- Where access would adversely affect the rights and freedoms of other consumers
- Where data constitutes the controller’s trade secrets
- Where requests are manifestly unfounded or excessive
- Where the requestor’s identity cannot be verified
Data Protection Impact Assessment (DPIA)
Process designed to help systematically analyze, identify and minimize the data protection risks of a project.
Initial fact gathering and documenting-> Seeking additional information-> Assessing the design-> Identifying risks-> Mitigating risks-> Documenting decisions
Consequence X Probability = Overall Risk
Sensitive Personal Data
Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Data Protection Authorities (DPAs)
Independent public authorities that monitor and supervise, through investigative and corrective powers, the application of the data protection law. They provide expert advice on data protection issues and handle complaints that may have breached the law.
Data Protection Officer (DPO)
Appointed by a controller, they must be an expert in data protection who informs the controller of their responsibilities under GDPR and monitors their compliance. A DPO can be an employee but must not have a conflict of interest between business interests’ and GDPR compliance.
