Lecture 5 & 6: Data Subject's Rights Flashcards

1
Q

What does not require a request from the data subject? (related to their rights, but it is an obligation of a controller)

A

Art. 13 & 14: Obligation to inform

2
Q

When can the requests of the data subject result in fees for the data subject?

A

The controller can charge a reasonable fee, taking into account the administrative costs of providing the information or communication or of taking the action requested, or can refuse to act on the request, when requests are unfounded or excessive.

3
Q

What does the right to Transparency of Article 12 entail?

A

The controller shall take appropriate measures to provide any information referred to in Art. 13 and 14 and any communication under Art. 15 to 22 and 24 relating to the processing of personal data to the data subject in a manner that is:

  • concise
  • transparent
  • intelligible (using clear and plain language, in particular for any information addressed specifically to a child)
  • easily accessible

btw: The element “easily accessible” means the data subject should not have to seek out the information

4
Q

When should the information referred to in Art. 13 and 14 and any communication under Art. 15 to 22 and 24 relating to the processing be communicated to the data subject?

A

The information shall be provided in writing, or by other means, including, where appropriate, by electronic means at the time when personal data is obtained.

or

Within one month, if the personal data were collected from a third party rather than from the data subject

5
Q

What should a controller do when he wants to further process the personal data he collected for a previous purpose?

A

If the controller decides to further process the personal data for a purpose other than that for which they were obtained, the controller must provide the data subject with information on that purpose and with all other relevant information.

6
Q

Art. 13 and 14 are about the Duty to Inform the data subject. What should the data subject be informed about?

A
  1. The identity and contact details of the controller and, if applicable, of the controller’s representative
  2. The contact details of the data protection officer
  3. The purposes of the processing, as well as the legal basis
  4. If the processing is based on legitimate interests, the legitimate interests pursued by the controller or by a third party
  5. The categories of personal data concerned (only for third-party collection)
  6. The source of the personal data (only for third-party collection)
  7. The recipients or categories of recipients of the personal data, if any
  8. Where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or, in the case of transfers referred to in Article 46 or 47 or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards
  9. The period for which the personal data will be stored or, if that is not possible, the criteria used to determine this period
  10. The existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject, or to object to processing, as well as the right to data portability
  11. If the processing is based on consent, the right to withdraw consent at any time
  12. The right to lodge a complaint with a supervisory authority at any time
  13. Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, whether the data subject is obliged to provide the personal data, and the possible consequences of failure to provide such data
  14. The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject
7
Q

When is the controller exempt from the duty to inform?

A
  • The data subject has already been informed
  • Disproportionate effort / information would render impossible or seriously impair the achievement of the objectives of the processing
  • Obtaining or disclosure of personal data is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject’s legitimate interests
  • The personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.
8
Q

Give some examples of poor practice when informing data subjects about the purposes of processing.

A
  • “We may use your personal data to develop new services” (as it is unclear what the “services” are or how the data will help develop them);
  • “We may use your personal data for research purposes” (as it is unclear what kind of “research” this refers to); and
  • “We may use your personal data to offer personalised services” (as it is unclear what the “personalisation” entails).

Vague wording such as “may” or “might” should be avoided.

9
Q

What does Art. 15 “the right to access” entail?

A

Individuals have the right to access their personal data.

This is often referred to as subject access

An individual only has the right to access their own personal data, unless this data is linked with data of other persons, or the subject is acting on behalf of someone else.

Individuals can make a subject access request verbally or in writing

10
Q

What is the maximum time a controller has to reply to a request?

A

1 month

11
Q

What does Art. 16 “the right to rectification” entail?

A

The GDPR gives individuals the right to have incorrect or missing data rectified. Personal data are inaccurate if they are incorrect or misleading as to any matter of fact.

12
Q

What does Art. 17 “the right to erasure”/ “the right to be forgotten” entail?

A

Individuals can make a verbal or written request for their data to be erased

13
Q

Art. 17 “the right to erasure” is not the only way in which the GDPR places an obligation on you to consider whether to delete personal data. Do you remember which other one states that you should delete personal data? In which circumstances?

A

The basic principles: you should not keep the data longer than necessary. Principle: Data Minimisation.

14
Q

When does the right to erasure apply?

A
  • The personal data is no longer necessary for the purpose for which you originally collected or processed it;
  • You are relying on consent as your lawful basis for holding the data, and the individual withdraws their consent;
  • You are relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
  • You are processing the personal data for direct marketing purposes and the individual objects to that processing;
  • You have processed the personal data unlawfully (i.e. in breach of the lawfulness requirement of the first principle);
  • You have to do it to comply with a legal obligation; or
  • You have processed the personal data to offer information society services to a child.
15
Q

What does Art. 18 “Right to restriction of processing” entail?

A

Individuals have the right to, verbally or in writing, request a restriction of processing in the following circumstances:

  • the individual contests the accuracy of their personal data and you are verifying the accuracy of the data;
  • the data has been unlawfully processed (i.e. in breach of the lawfulness requirement of the first principle of the GDPR) and the individual opposes erasure and requests restriction instead;
  • you no longer need the personal data but the individual needs you to keep it in order to establish, exercise or defend a legal claim; or
  • the individual has objected to you processing their data under Article 21(1), and you are considering whether your legitimate grounds override those of the individual.
16
Q

When processing is restricted, you are not permitted to store and use personal data. True or false?

A

False. When processing is restricted, you ARE permitted to store, but not use personal data.

17
Q

Art. 19 is called “Notification Obligation”. What is it about?

A

The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with:

  • Article 16 (rectification)
  • Article 17(1) (erasure)
  • Article 18 (restriction)

to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.

18
Q

What is the “Right to data portability” laid out in Article 20? What are the requirements?

A

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It applies only when:

  • your lawful basis for processing this information is consent or for the performance of a contract; and
  • you are carrying out the processing by automated means (i.e. excluding paper files).
19
Q

What is the main advantage of data portability?

A

It enables individuals to take advantage of applications and services that can use this data to find them a better deal or help them understand their spending habits.

20
Q

What does Art. 21 “the right to object” entail?

A

The GDPR gives individuals a right to object, verbally or in writing, to the processing of their personal data in certain circumstances:

  • Individuals have an absolute right to stop their data from being used in direct marketing
  • In other cases where the right to object applies, you may be able to continue processing if you can document a compelling reason for doing so
  • You must tell individuals that they have a right to object
  • You have one calendar month to respond to the objection

An individual can also object where you are relying on one of the following lawful bases:

  • A task carried out in public interest
  • The exercise of official authority vested in you (public task); or
  • Your legitimate interests (or those of a third party).