Processing Personal Data

Question 1

What is the definition of processing (include Article)?

Include examples from various sectors.

Answer 1

Article 4(2) - any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means

Examples:

• Recording: a customer service call with a client to demonstrate accountability for following procedures
• Retrieving: discovering a typo and correcting the mistake to access account information
• Disclosure: an HR director shares a list of candidates for an open position with their team
• Storage: HR department stores the newly hired employee’s file containing their employment application, performance reviews and benefits information
• Collection: a Product Dev team collects results from customer satisfaction surveys at a trade show
• Adaptation or alteration: hard copies of the surveys are digitised and the data is aggregated
• Structuring: aggregated data is shown on a graph that compares it with results from previous surveys

Question 2

What are the OECD Guidelines?

Answer 2

1. Collection limitation
2. Data quality
3. Purpose specification
4. Use limitation
5. Security safeguards
6. Openness
7. Individual participation
8. Accountability

Question 3

What is collection limitation?

Answer 3

OECD Guideline - there should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject

Question 4

What is data qualify?

Answer 4

OECD Guideline - personal data should be relevant to the purposes for which they are used, and, to the extent necessary for those purposes, should be accurate, complete, and kept up-to-date

Question 5

What is purpose specification?

Answer 5

OECD Guideline - the purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose

Question 6

What is use limitation?

Answer 6

OECD Guideline - personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with the purpose specification principle except (a) with the consent of the data subject; or (b) by the authority of law

Question 7

What are security safeguards?

Answer 7

OECD Guideline - personal data should be protected by reasonable security safeguards against such risks as loss or authorised access, destruction, use, modification or disclosure of data

Question 8

What is openness?

Answer 8

OECD Guideline - there should be a general policy of openness about developments, practices, and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller

Question 9

What is individual participation?

Answer 9

OECD Guideline - an individual should have the right to: (a) obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; (b) have communicated to him, data relating to him within a reasonable time, at a charge, if any, that is not excessive, in a reasonable manner, and in a form that is readily intelligible to him; (c) be given reasons if a request made under paras (a) and (b) is denied, and to be able to challenge such a denial; and (d) challenge data relating to him and, if the challenge is successful to have the data erased, rectified, completed, or amended.

Question 10

What is accountability?

Answer 10

OECD Guideline - a data controller should be accountable for complying with measure which give effect to the principles stated above

Question 11

What is lawfulness, fairness and transparency of processing?

Answer 11

GDPR Processing Principle (Article 5)

Requires honest practices, such as communicating openly with data subjects about processing activities

Question 12

What is purpose limitation?

Answer 12

GDPR Processing Principle (Article 5)

Requires collecting and processing personal data for the specified purpose only.

To determine if personal data may be processed further, use a compatibility test to look for links between purposes, nature of the data, method of collection, consequences of secondary uses and safeguards

Question 13

What is data minimisation?

Answer 13

GDPR Processing Principle (Article 5)

Processing only personal data that is relevant and necessary for the purpose

Question 14

What is accuracy?

Answer 14

GDPR Processing Principle (Article 5)

Processing complete and up-to-date personal data

Question 15

What is storage limitation?

Answer 15

GDPR Processing Principle (Article 5)

Storing only personal data that is relevant and necessary for the purpose

Question 16

What is integrity and confidentiality?

Answer 16

GDPR Processing Principle (Article 5)

Require ensuring personal data is secure

Question 17

What is accountability?

Answer 17

GDPR Processing Principle (Article 5)

Processing personal data responsibly and demonstrating compliance with EU and Member State data protection laws

Question 18

When does the GDPR apply?

Answer 18

Article 3 - territorial scope i.e. applies to the processing of personal data:

1) in the context of the activities of an establishment of a controller or a processor in the Union (regardless of whether the processing takes place in the Union or not); or
2) of data subjects who are in the Union by a controller or processor NOT in the Union, where the processing activities are related to: (a) the offering of goods or services to data subjects in the Union; or (b) monitoring of their behavior as far as their behaviour takes place within the Union; or
3) by a controller NOT established in the Union but in a place

Question 19

What is the material scope of the GDPR (include Article)?

Answer 19

Article 2 - GDPR applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

Question 20

What are the exclusions for the material scope of the GDPR?

Answer 20

Article 2(2) - the exclusions for data processing are not regulated by GDPR for purposes that include:

• activities outside the scope of EU law (i.e. national security activities)
• law enforcement and public security
• purely personal or household activities

Question 21

Name the six lawful grounds for processing personal data (include Article)?

Answer 21

Article 6

1. Consent from the data subject
2. Performance of a contract if the data subject is party or requests to enter into the contract
3. Legal obligation (compliance with one to which the controller is subject)
4. Protection of vital interests of the data subject or another natural person
5. Necessity for the public interest or in the exercise of official authority of a controller
6. Legitimate interests of controller/third party UNLESS overridden by the rights of data subject

Question 22

What is unique about consent under the GDPR?

Answer 22

Additional conditions must be met to use this option.

Consent must be:

• freely given
• specific
• informed
• unambiguous