lecture 6 Flashcards

1
Q

The Data Protection Reform Package

A

Regulation 679/2016/EU:
- In force since May 2016
- Applicable from May 2018
- Replaces Directive 95/46/EC
- Evolutionary approach

Directive 680/2016/EU
- In force since May 2016
- Applicable from May 2018
- Replaces Council Framework Decision 2008/977/JHA
- Evolutionary approach

2
Q

Reality - GDPR
(general data protection regulation)

A
  • No Revolution
  • Higher penalties
  • Higher visibility
  • More administration/documentation
  • Some opportunities and reliefs
  • Serious risk of (further) fragmentation
3
Q

Typical Problems (then and today)

A
  • Personal data
    ◦ Directly/indirectly identifiable information?
    ◦ Aggregation?
    ◦ Pseudonymization?
  • Consent
    ◦ Freely given?
    ◦ Informed?
    ◦ Broad/narrow?
    ◦ In writing?
    ◦ Revocable?
  • Purpose Limitation
    ◦ Specific?
    ◦ Identical/compatible?
    ◦ Legitimate/proportionate?
  • Transfer
    ◦ Legitimacy?
    ◦ Third Country?
  • Role of Supervisory Authority
    ◦ Independence?
    ◦ Alignment with other authorities?
  • User Rights
    ◦ Identification?
    ◦ Representation?
    ◦ Costs?
  • Data Security
    ◦ State of the Art?
    ◦ Proportionate?
    ◦ Privacy Breach Notification?
  • Specific Cases of public interest
    ◦ Media?
    ◦ (Medical) Research?
4
Q

Personal Data

A
  • any information
    ◦ relating to an
  • identified or identifiable
  • natural person (‘data subject’);
  • an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity
5
Q

Case Law

A
  • C-582/14 (Breyer)
  • General Court T-527/20 (under appeal)
  • C-487/21 (Öst. Datenschutzbehörde)
  • C-579/21 (Pankki)
  • C-300/21 (Öst. Post)
  • C-604/22 (IAB Europe)
  • C-319/22 (VIN)
6
Q

Principles, Art. 5

A

Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

7
Q

Art. 5 II

A

The controller shall be responsible for, and be able to demonstrate
compliance with, paragraph 1 (‘accountability’).

8
Q

Scope (VERY broad)

A

Material (Art. 2)
* processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system
* Exemptions (in particular)
◦ Law enforcement
◦ Household exemption

Territorial (Art 3)
* Establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not
* Processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
◦ the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
◦ the monitoring of their behaviour as far as their behaviour takes place within the Union.

9
Q

Legal Basis

A

Art. 6 + 9
* Informed Consent + x
* Art. 6 (f) !
* Purpose binding principle (Art. 5 (1) (b) + Art. 6 (4))

10
Q

Processing non-sensitive personal data, Art. 6

A

Member States shall provide that personal data may be processed only if:
(a) the data subject has unambiguously given his consent; or
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or
(c) processing is necessary for compliance with a legal obligation to which the controller is subject; or
(d) processing is necessary in order to protect the vital interests of the data subject; or
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1 (1).

11
Q

Sensitive Data?

A
  • Recent CJEU Decision
  • C-184/20
    ◦ „Article 8(1) of Directive 95/46 and Article 9(1) of Regulation 2016/679 must be interpreted as meaning that the publication, on the website of the public authority responsible for collecting and checking the content of declarations of private interests, of personal data that are liable to disclose indirectly the sexual orientation of a natural person constitutes processing of special categories of personal data, for the purpose of those provisions.”
12
Q

Processing sensitive personal data, Art 9

A
  1. Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.
  2. Paragraph 1 shall not apply where:
    (a) the data subject has given his explicit consent to the processing of those data, except where the laws of the Member State provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject’s giving his consent; or
    (b) processing is necessary for the purposes of carrying out the obligations and specific rights of the controller in the field of employment law in so far as it is authorized by national law providing for adequate safeguards; or
    (c) processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his consent; or
    (d) processing is carried out in the course of its legitimate activities with appropriate guarantees by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed to a third party without the consent of the data subjects; or
    (e) the processing relates to data which are manifestly made public by the data subject or is necessary for the establishment, exercise or defence of legal claims.
13
Q

Consent

A
  • Art. 7 + Art. 8 (additional safeguards for minors)
    ◦ Art. 4:
  • freely given,
  • specific,
  • informed and
  • unambiguous indication of the data subject’s wishes
  • by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her
    ◦ May be withdrawn at any time (art. 7 par 3)
    ◦ It shall be as easy to withdraw as to give consent. (art. 7 par 3)
    ◦ “When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”