Lecture 3: Principles and Sanctions Flashcards
In order to lawfully process personal data, one must primarily: (2 points)
- Be in compliance with the basic principles of processing personal data laid out in Article 5 of GDPR
- Have a legal basis for processing personal data: Article 6 for ordinary data or Article 9 for sensitive data (Article 10 for criminal-conviction data, Article 8 for a child's consent)
Name in brief the 6 (or 7, if you count the last one) basic principles of GDPR.
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and Confidentiality
- Accountability
What does the first basic principle of processing personal data (lawfulness, fairness, and transparency) entail, and what does each term mean?
Personal data shall be:
“processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)”
Lawful = be in compliance with the requirements set out in The Charter of Fundamental Rights, the GDPR, and the national law
Fair = fair to the data subject
Transparent = overarching requirement of the GDPR, you know what it means
What does the second basic principle of GDPR (purpose limitation) entail, and what does each requirement mean?
Personal data shall be:
“Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’)”
Specified = sufficiently defined to delimit the scope of the processing operations ("marketing purposes" or "IT security purposes" is too vague)
Explicit = clearly revealed and explained to the data subjects, taking into consideration relevant cultural and linguistic backgrounds
Legitimate = the processing requires a legal ground
What does the principle of data minimization entail?
Personal data should be:
“adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’)”
Basically:
don’t collect data that is merely nice to have
don’t keep it longer than you should
When should personal data be processed?
Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means.
What does the 4th basic principle of GDPR (accuracy) entail?
Personal data should be:
“accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)”
Basically:
Personal data must be kept up to date and incorrect personal data must be deleted or rectified
What does the 5th basic principle of GDPR (storage limitation) entail?
Personal data should be:
“kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’)”
What does the 6th basic principle of GDPR (integrity and confidentiality) entail?
Personal data should be:
“processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)”
Companies have an obligation to implement security measures appropriate to the risk → Article 32
What does the principle of accountability entail?
“The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”
The controller must be able to demonstrate compliance with the 6 principles.
What are the three remedies laid out in Articles 77, 78 and 79 following a GDPR breach?
- Art 77: Right to lodge a complaint with a supervisory authority
- Art 78: Right to an effective judicial remedy against a supervisory authority
- Art 79: Right to an effective judicial remedy against a controller or processor
What can you say about the sanctions following GDPR non-compliance?
The GDPR requires fines to be “effective, proportionate and dissuasive”.
The amount of the fine will depend on a number of factors, including the nature of the breach, degree of fault, prior breaches, etc.
- Conditions - Fines up to €10M or 2% of global annual turnover
- Conditions - Fines up to €20M or 4% of global annual turnover
In addition to regulatory fines, Article 82 states that … (you can see it as a right of the data subject after they have suffered damage from a GDPR breach)
A data subject may claim compensation from the data controller or data processor for the damage suffered
The Supervisory Authority has a number of corrective powers as described in Article 58. Can you name a few?
- issue warnings to the data controller or processor
- issue reprimands to the data controller or processor following a non-compliant GDPR practice
- order the controller to communicate a personal data breach to the data subject
- ban or impose a limitation on processing
- impose administrative fines
- order the rectification, restriction or erasure of data
etc.