II. EU Data Protection Law & Regulation Flashcards

1
Q

A1. Personal Data

A

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’);

2
Q

A2. Sensitive Personal Data

A

Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited. GDPR, Art. 9(1)

3
Q

A3. Pseudonymous and anonymous data

A

The GDPR still applies to pseudonymized data because pseudonymization can, in theory, be reversed. (However, pseudonymization is a valid way to mitigate loss and damages.)
The GDPR does not apply to anonymous data. Anonymous data cannot be reversed and linked to a natural person. Rec. 26.

4
Q

A4. Processing

A

‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

5
Q

A5. Controller

A

the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
Art. 4(7).

6
Q

A6. Processor

A

‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

7
Q

A7. Data Subject

A

A data subject is a natural person from whom data is collected. Art. 4(1).

8
Q

B1. Establishment in the EU

A

This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
the monitoring of their behaviour as far as their behaviour takes place within the Union.

9
Q

B2. Non-establishment in the EU

A

• Offering goods or services (even if for free) to data subjects in the Union
• Monitoring the behavior of data subjects that takes place in the Union
The law says people “in the Union.” Not “EU citizens.”

10
Q

C1. Fairness and lawfulness

A

What is lawfulness?

For processing of personal data to be lawful, you need to identify specific grounds for the processing. This is called a ‘lawful basis’ for processing, and there are six options which depend on your purpose and your relationship with the individual.

Lawfulness also means that you don’t do anything with the personal data which is unlawful in a more general sense. This includes statute and common law obligations, whether criminal or civil.

What is fairness?

In general, fairness means that you should only handle personal data in ways that people would reasonably expect and not use it in ways that have unjustified adverse effects on them. You need to stop and think not just about how you can use personal data, but also about whether you should.

Assessing whether you are processing information fairly depends partly on how you obtain it. In particular, if anyone is deceived or misled when the personal data is obtained, then this is unlikely to be fair.
In order to assess whether or not you are processing personal data fairly, you must consider more generally how it affects the interests of the people concerned – as a group and individually.

You should also ensure that you treat individuals fairly when they seek to exercise their rights over their data.

11
Q

C2. Purpose limitation

A

Purpose limitation means having one (or a clear list of) specified, explicit purpose(s) for processing. Art. 5(1)(b).

12
Q

C3. Proportionality (Data minimization)

A

Both concepts mean that data collected and processed is not excessive for the purpose.

13
Q

C4. Accuracy

A

Collecting personal data from data subjects creates an ongoing duty of accuracy.
Art. 5(1)(d).
Accuracy means “every reasonable step must be taken” to keep personal data accurate and, when it is inaccurate, to rectify or erase the inaccurate data “without delay.”

14
Q

C5. Storage Limitation

A

Storage Limitation means retaining personal data for no longer than is necessary for the purpose. Art. 5(1)(e).

15
Q

C6. Integrity and confidentiality

A

Integrity means the data is protected from “accidental loss, destruction or damage.”
Confidentiality means no “unauthorized” “processing” (like due to a breach).
You uphold the integrity and confidentiality principles by “using appropriate technical or organisational measures.” Art. 5(1)(f).
