Processing Personal Data Flashcards

1
Q

What is the definition of processing (include GDPR article)?

Include examples from various sectors

A

Article 4(2)

“Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means”

Examples:

  • Recording: a customer service call with a client to demonstrate accountability for following company procedures
  • Retrieving: discovering a typo and correcting the mistake to access account information
  • Disclosure: an HR director shares a list of candidates for an open job position with their team
  • Storage: HR department stores the newly hired employee’s file containing their employment application, performance reviews, and benefits information
  • Collection: a product dev team collects results from customer satisfaction surveys at a trade show
  • Adaptation or alteration: hard copies of the surveys are digitized and the data is aggregated
  • Structuring: Aggregated data is shown on a graph that compares it with results from previous surveys
2
Q

What are the OECD Guidelines?

A
Collection limitation
Data quality
Purpose specification
Use limitation
Security safeguards
Openness
Individual participation
Accountability
3
Q

What is collection limitation?

A

OECD Guideline

There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject

4
Q

What is data quality?

A

OECD Guideline

Personal data should be relevant to the purposes for which they are used, and, to the extent necessary for those purposes, should be accurate, complete, and kept up-to-date

5
Q

What is purpose specification?

A

OECD Guideline

The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose

6
Q

What is use limitation?

A

OECD Guideline

Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with [the purpose specification principle] except a) with the consent of the data subject; or b) by the authority of law

7
Q

What are security safeguards?

A

OECD Guideline

Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data

8
Q

What is openness?

A

OECD Guideline

There should be a general policy of openness about developments, practices, and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller

9
Q

What is individual participation?

A

OECD Guideline

An individual should have the right:

a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;
b) to have communicated to him, data relating to him within a reasonable time; at a charge, if any, that is not excessive, in a reasonable manner, and in a form that is readily intelligible to him;
c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such a denial; and
d) to challenge data relating to him and, if the challenge is successful to have the data erased, rectified, completed, or amended.

10
Q

What is accountability according to the OECD?

A

OECD Guideline

A data controller should be accountable for complying with measures which give effect to the principles stated above

11
Q

What is lawfulness, fairness, and transparency of processing?

A

GDPR Processing Principle (Article 5)

Requires honest practices, such as communicating openly with data subjects about processing activities

12
Q

What is purpose limitation?

A

GDPR Processing Principle (Article 5)

Requires collecting and processing personal data for the specified purpose only.

To determine if personal data may be processed further, use a compatibility test to look for links between purposes, nature of the data, method of collection, consequences of secondary uses and safeguards.

13
Q

What is data minimization?

A

GDPR Processing Principle (Article 5)

Processing only personal data that is relevant and necessary for the purpose

14
Q

What is accuracy?

A

GDPR Processing Principle (Article 5)

Processing complete and up-to-date personal data

15
Q

What is storage limitation?

A

GDPR Processing Principle (Article 5)

Storing only personal data that is relevant and necessary for the purpose

16
Q

What is integrity and confidentiality?

A

GDPR Processing Principle (Article 5)

Require ensuring personal data is secure

17
Q

What is accountability under GDPR?

A

GDPR Processing Principle

Processing personal data responsibly and demonstrating compliance with EU and member state data protection laws

18
Q

When does the GDPR apply? Which articles relate to the scope?

A

When one of the three criteria for territorial scope is met (as explained in Article 3) AND when the activities fall within the material scope (as outlined in Article 2)

19
Q

How does the GDPR define territorial scope (include article)?

A

Article 3

Lays out 3 criteria; only 1 of these criteria must be met for the GDPR to be applicable:

  1. Processing of personal data when a controller or processor is established in the EU (regardless of whether the actual processing takes place in the EU);
  2. Processing the personal data of subjects in the EU relating to offering goods or services or monitoring behavior in the EU (where the controller or processor is not established in the EU);
  3. By a controller in a place where member state law applies by virtue of public international law
20
Q

What is the material scope of the GDPR (include article)?

A

Article 2

Material scope must also be met for the GDPR to apply (in addition to territorial scope under Article 3)

Includes:

  • Processing personal data wholly or partly by automated means…any processing with or without human intervention (do NOT confuse with automated decision-making, which has strict restrictions under the GDPR)
  • Processing other than by automated means of personal data which form part of a filing system;
21
Q

What are the exclusions for the material scope of the GDPR?

A

Data processing is not regulated by the GDPR when it is carried out for purposes that include:

  • activities outside the scope of EU law (i.e. national security activities)
  • law enforcement and public security
  • purely personal or household activities
22
Q

Name the six lawful grounds for processing personal data (include article)

A

Article 6

One of the six must be met for processing of personal data to be lawful:

  1. Consent from the data subject for a specific processing purpose;
  2. Performance of a contract if the processing is necessary to perform the contract and the data subject is party to the contract or the data subject requests to enter into the contract;
  3. Legal obligation (compliance with one to which the controller is subject);
  4. Protection of vital interests of the data subject or another natural person;
  5. Necessity for the public interest or in the exercise of official authority of a controller;
  6. Legitimate interests of the controller or a third party, UNLESS overridden by the interests, rights, or freedoms of the data subject
23
Q

What is unique about consent under the GDPR?

A

It is a common basis used to lawfully process personal data, but under the GDPR, additional conditions must be met to use this option.

It must be:

  • Freely given
  • Specific
  • Informed
  • Unambiguous

*Children

24
Q

Explain the “performance of a contract” as a lawful ground for processing personal data according to GDPR

A

Processing personal data may be necessary to perform a contract.

Commonly, a customer may purchase a good or service from an organization.

For that good or service to be provided, the organization must process the personal data of the customer.

25
Q

Explain “compliance with legal obligation” as a lawful ground for processing personal data

A

Compliance with a legal obligation to which a controller is subject is meant to be interpreted narrowly.

It applies to legal obligations required by EU and member state laws ONLY. It does not include legal obligations of contracts or those of third countries (outside the EU).

26
Q

Explain how protection of vital interests may be used as lawful grounds for processing personal data under GDPR

A

If personal data must be processed to ensure an individual’s survival, a controller may rely on vital interests for lawful processing.

This basis for processing should only be used in an emergency situation and if no other option is available.

27
Q

Explain how the necessity for the public interest or in the exercise of official authority of the controller may be used as lawful grounds for processing personal data under GDPR

A

A controller may be required to process personal data in the public interest, and member state legislation may determine what tasks fall within the public interests.

Examples include the administration of justice, tax collection, and research and statistical purposes, such as census.

28
Q

Explain how legitimate interests may be used as a lawful ground for processing personal data

A

Legitimate interest of the controller or a third party has often been used as a safety net in the absence of another lawful basis for processing personal data, and while it may still prove a more realistic option than consent, it should be used with caution.

29
Q

What is consent?

A

It is permission from a data subject that allows the controller to process the individual’s personal data for a specific purpose.

It must be:

  • clearly distinguishable from other matters
  • intelligible
  • in clear and plain language

*Controller should keep records of consent as they may be obligated to demonstrate that it was obtained

30
Q

What is freely given consent?

A

If a controller relies on consent, data subjects must be able to choose to have their personal data processed AND they must be free to withdraw consent at any time.

Withdrawing consent should be as easy as giving consent.

31
Q

When is consent forbidden as a lawful ground for processing under GDPR?

A

If there is a clear imbalance between the controller and the data subject (e.g. when a controller is a public authority)

Also, a service or the performance of a contract should not be conditional upon consent unless it is necessary for the performance of a contract.

32
Q

What is specific consent?

A

Data subjects must be informed of all intended purposes for processing their personal data at the time of consent.

If another purpose arises, the data controller may be required to obtain additional consent.

33
Q

What is unique about consent for research and scientific purposes?

A

Data subjects should be able to give their consent to certain areas of scientific research when keeping with recognized ethical standards.

Data subjects must give consent with as much specificity as possible, while knowing that other uses within the same general area of scientific research may arise.

34
Q

What is informed consent?

A

For consent to be legitimate, the data subject must be informed of the controller’s identity, purpose and information about how processing may affect data subjects.

It must be communicated to data subjects using understandable language and form.

It is the controller’s responsibility to demonstrate that data subjects were informed prior to consent.

35
Q

What is unambiguous consent?

A

The wishes of the data subject must be ABSOLUTELY clear. This requires an AFFIRMATIVE action, such as checking opt-in or choosing technical settings for web apps.

Silence, pre-ticked boxes, and non-activity do not count as unambiguous expression of a data subject’s wishes.

36
Q

When must a parent give consent for a child?

A

When the child is younger than 16 years old.

*However, some member states can lower this threshold to as young as 13 years old.

37
Q

Describe the burden on controllers when relying on legitimate interests as the basis for processing

A

The controller must show that the data subjects’ fundamental rights and freedoms have not been compromised

38
Q

What are measures that the controller can take to demonstrate that they have met their obligation to data subjects if relying on legitimate interest?

A

Obligation = showing the data subjects’ rights have not been compromised

Transparency, adequate safeguards and compliance can help support the controller’s case

39
Q

When relying on legitimate interest, the controller must:

A

Ensure that the purpose of processing is a legitimate interest of the controller or a third party

Ensure that processing the personal data is necessary for the legitimate interest

Inform data subjects, at the time data is collected, of the controller’s claimed legitimate interests

Balance the legitimate interests with those of the data subjects

Uphold fundamental rights and freedoms of data subjects

40
Q

Why is the controller-data subject relationship important with legitimate interest?

A

Because it has an effect on data subjects’ reasonable expectations.

41
Q

What are some examples of purposes of controllers with a legitimate interest?

A

Fraud prevention
Direct marketing
Administrative purposes
Information security

42
Q

Who/what may not rely on legitimate interest as grounds for processing personal data?

A

Public authorities

43
Q

What are the exceptions to the prohibition on processing special categories of data?

A

Explicit consent

Employment Context

Vital interests of the individual

Establishment, exercise, or defense of legal claims

Political, philosophical, and religious purposes

Substantial public interest

Medicine and social healthcare

Public health

Public archives or scientific or historical research or statistical purposes

44
Q

Explain the differences in consent between Articles 6 and 9

A

The consent under Article 9 (processing special categories of data) is different from that under Article 6 in that it must be EXPLICIT.

Any Article 9 consent must still be unambiguous, freely given, specific, and informed, but in addition, it must be a clear affirmative act by the data subject.

Regulators and courts require a strict level of compliance from controllers who wish to rely on the explicit consent of data subjects to use special categories of data.

45
Q

Employment Context

A

An exception to prohibiting processing of special categories of data

When necessary for the controller to comply with a legal obligation under employment, social security, and social protection law

Relevant when data subjects are candidates, employees, and contractors

46
Q

Vital interests of the individual in Article 6 vs. Article 9

A

Essentially identical to the provision in Article 6, but under Article 9, the controller must be able to demonstrate that it is not possible to obtain consent.

There are emergency examples where it will not be possible to obtain consent for the processing of special categories (e.g. if the data subject is unconscious). However, this qualification indicates that the controller is expected to attempt to seek consent.

47
Q

Political, philosophical and religious purposes

A

An exception to the prohibition on processing special categories of data

Covers particular foundations, associations, and not-for-profit bodies and any with a trade union aim.

Relates to processing of special categories of data about members of the organization, former members, or those who have regular contact with the organization for the organization’s purposes.

Appropriate safeguards must be in place to protect the personal data, and the data must not be disclosed outside the organization without the data subject’s consent.

48
Q

Sensitive data manifestly made public by the data subject

A

Exception to prohibition on processing sensitive categories of personal data

Criterion met when data subjects disclose sensitive data about themselves (e.g. when individuals provide details about their political opinions or health when giving media interviews)

Data collected from social networking sites that enable individuals to disclose information about themselves, including special categories of personal data, could also potentially fall within this criterion

49
Q

Establishment, exercise, or defense of legal claims

A

Exception to prohibition on processing of sensitive personal data

Using special categories of data may be necessary for a controller to establish, exercise, or defend legal claims. Requires the controller to establish necessity.

There must be a close and substantial connection between the processing and the purpose.

50
Q

Substantial public interest

A

Exception to the special categories processing prohibition

Narrower under the GDPR than it was under the Data Protection Directive

Requires the reason for processing special categories of data in the public interest to be balanced with the data subject’s right to data protection

Suitable and specific measures must be in place to safeguard data subjects’ fundamental rights and interests. Member states have the power to specify the reasons of public interest (including preventing and detecting crime)

51
Q

Medicine and social healthcare

A

Exception to the special categories processing prohibition

Allows for processing of special categories of info for medical or social care purposes, including assessing the working capacity of an employee, making a medical diagnosis, providing health or social care or treatment, and managing health or social systems or services.

The reason for processing must be based on EU or member state law or be necessary to fulfil a contract

52
Q

Public health

A

Exception to the special category processing prohibition

Based on EU or MS law, processing special categories of personal data without a data subject’s consent may be required for public health reasons.

Examples provided by the GDPR are “protecting against serious cross-border threats to health or ensuring high standards of quality and safety in health care and of medicinal products or medical devices”

53
Q

Public archives or scientific or historical research or statistical purposes

A

Exception to the special categories processing prohibition

Requires further interpretation from member state law. May include scientific or historical research and statistical purposes.

The processing of special categories of personal data must be proportionate to the purpose and respect data subjects’ rights to data protection. Again, suitable and specific measures must be in place to safeguard data subjects’ fundamental rights and interests.