Principles of EU data protection law

Question 1

Lawfulness, fairness and transparency

Answer 1

1. Lawfulness means acquisition based on:
   - Consent
   - Contract
   - Legal basis
2. Fairness:
   - Always coupled with transparency
   - Not really legally qualified on its own
3. Transparency:
   - Info provided must be concise easily accessible and understandable
   - Must provide identity of controller, purpose, existence of profiling if applicable…

Question 2

Purpose limitation

Answer 2

1. Data must be collected for specified, explicit and legitimate purposes
2. Data must not be further processed in a manner that is incompatible with those purposes

Question 3

Data minimisation

Answer 3

1. The data must be:
   - Adequate
   - Up to date
   - Limited to what is necessary for the purposes of processing

Question 4

Data accuracy

Answer 4

1. If the data does not respect the principle of data minimisation it must be erased or rectified without delay
2. Connected to the right to rectification and right to erasure

Question 5

Storage limitation

Answer 5

1. Timeline – There must be a period for how long the data will be kept
2. Periodical review
3. Unless:
   - Anonymity – GDPR does not apply
   - Archiving for public interest
   - Scientific/historical research
   - Statistical purposes

Question 6

Integrity and confidentiality

Answer 6

1. Controller must ensure the security of personal data
   - Against unlawful or unauthorised processing
   - Against accidental loss, destruction or damage
2. Technical and organisational measures must be put in place

Question 7

Material scope - General

Answer 7

1. When processing
2. Must be personal data
3. Means of processing - Manual and automated
4. Exceptions

Question 8

Material scope - What is processing?

Answer 8

1. Any operation or set of operations performed on personal data
2. Must be done wholly or partly by automated means

Question 9

Material scope - What is personal data?

Answer 9

1. Data related to an identified person
2. Data related to an identifiable person - Not identifiable if the effort is completely disproportionate in terms of time, cost and man-power
3. Must take into account the means reasonably likely to be used (cost, time, available technology…)
4. Pseudonymisation – GDPR still applies
5. Anonymisation – GDPR does not apply (if done correctly)
6. If sensitive data – Specific regime

Question 10

Material scope - Exceptions

Answer 10

1. If activity falls outside EU law
2. If activity relates to security policy
3. If processing is done for the purpose of prevention of criminal offences – A different directive applies
4. Household exception – For purely personal or household activity

Question 11

Personal scope

Answer 11

1. Controller:
   - Any natural or legal person, public authority, agency or body
   - That determines the purposes and means of processing
   - Alone or jointly (= joint controllers)
2. Processor:
   - Any natural or legal person, public authority, agency or body
   - Which processes data on behalf of the controller
   - Delegates processing, gives instructions

Question 12

Territorial scope

Answer 12

1. For activities of establishment of controller or processor in the EU:
   - It does not matter where is the location of the server or the actual place of processing
   - What actually matters is the place of establishment
2. If the controller or processor is not established in the EU but still processes data of EU residents:
   - If the activities relate to the offering of goods or services to DS in the union, irrespective of payment, even when ‘envisaging’ the offer, check accessibility, language, currency, mention of EU customers…
   - If the activities relate to the monitoring of the behaviour of data subjects in the EU, as far as their behaviour takes place within the EU

Question 13

Grounds for lawful processing

Answer 13

1. Consent
2. Performance of a contract - Must respect data minimisation and purpose limitation
3. Legal obligation of controller - On the basis of EU or MS law but not mandatory if said law breaches FdRs
4. For the vital interest of a DS or another natural person - Only last resort
5. Public interest or exercise of public authority
6. Legitimate interests of controller or 3rd party - Unless overridden by interests of DS, includes administrative purposes, direct marketing and preventing fraud or ensuring cybersecurity

Question 14

Grounds for lawful processing - Consent

Answer 14

1. Freely given - DS must be able to refuse (also practically) and for that purpose, not free if part of a contract dependent on consent
2. Specific
3. Informed
4. Unambiguous indication of agreement with processing
5. Which format? Does not matter but must be separate from other clauses and explicit (no ticked boxes, no silence or inactivity)

Question 15

Grounds for processing sensitive data

Answer 15

1. Consent
2. Social security obligations of controller
3. Vital interests of DS
4. Association with political or religious aims
5. DS makes data manifestly public
6. Substantial public interest
7. Establishment of legal claims
8. Preventive or occupational medicine
9. Public health
10. Archiving, historical or statistical research

Question 16

What are the conditions for the appointment of a DPO?

Answer 16

1. When processing is:
   - Carried out by a public authority
   - Requires regular and systematic monitoring of DS on a large scale due to the nature, scope and purpose of the processing
   - Of special categories of data on a large scale or related to criminal convictions
2. Appointment based on professional qualities and knowledge of data protection law
3. May fulfil other tasks as long as there is no conflict of interest – DPO must be able to carry out his tasks without interference