Processing Personal Data (4) Flashcards

1
Q

What does the “Integrity and Confidentiality” principle under GDPR imply?

A

personal data processed in a manner that ensures appropriate security

2
Q

What are the 7 principles for processing personal data under GDPR?

A
  1. Lawfulness, fairness and transparency
  2. Purpose limitation
  3. Data minimization
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality
  7. Accountability
3
Q

What principle was violated in the Denmark DPA fine against Taxa related to their management of ride records?

A

Data Minimization

Taxi company maintained ride records, including phone numbers, after 2 year retention period

4
Q

What are 3 criteria for territorial scope of the GDPR?

A
  1. activities of EU-established organizations (regardless of whether processing takes place in EU or not)
  2. organizations offer goods and services to or monitor the behavior of individuals in the EU
  3. in a place where member state law applies by virtue of international treaties (embassies)
5
Q

What is the material scope of GDPR under Article 2?

A
  1. processing of personal data wholly or partly by automated means
  2. personal data which forms part of a filing system, even if not conducted by automated means
6
Q

Which activities fall outside the material scope of GDPR?

A
  1. activities outside the scope of Union law
    (national laws around public security, defense, national security)
  2. official bodies carrying out crime prevention, investigation, detection or prosecution of criminal offenses
  3. purely personal or household activities
7
Q

What was the decision in Bodil Lindquist vs Aklagarkammaran regarding material scope?

A

Lindquist maintained private home page of personal data of colleagues

CJEU ruled that private home page accessible to only those who have address is NOT qualified under the household activity exclusion and GDPR does apply

8
Q

What are the 6 lawful grounds for processing personal data?

A

(obligations)

  1. Consent
  2. Performance of a contract
  3. Compliance with a legal obligation

(interests)

  1. Protection of vital interests of data subject or another person
  2. Public interest or exercise
  3. Legitimate interests
9
Q

What are the 5 original conditions for consent under GDPR?

A
  1. demonstrable
  2. clearly distinguishable
  3. intelligible and easily accessible form, using clear and plain language
  4. right to withdraw at any time
  5. not conditional for performance of contract
10
Q

What are the 2 possible conditions to apply performance of a contract as a lawful basis?

A
  1. processing is necessary to perform the contract and data subject is party to the contract

or

  1. if data subject requests processing to enter into contract
11
Q

What legal obligations apply for “Compliance with a legal obligation” as a lawful basis?

A

legal obligations required by EU and member state laws only

12
Q

What are the conditions for “Protection of vital interests” as a lawful basis?

A

to ensure an individual’s survival or of another person

only where processing cannot be manifestly based on another legal basis

some cases may serve both public interest and vital interest (epidemics,

13
Q

Who defines what qualifies as “processing for public interest” as a lawful basis?

A

Union law or member state law

must be necessary for the task carried out in the public interest

14
Q

What is the exception to processing for “legitimate interests” as a lawful basis?

A

if overridden by interests or fundamental rights and freedoms of the data subject

in particular where data subject is a child

15
Q

What are the 4 updated requirements for consent in Recital 32?

(demonstrable, distinguishable, right to withdraw, not conditional)

A
  1. Clear affirmative act
  2. Freely given, specific, informed and unambiguous
  3. Consent given for each purpose
  4. For electronic means: clear, concise and not disruptive to use of the service
16
Q

What are the conditions to process children’s data for information society services?

Article 8

A

consent must be given by parent or guardian if under 16
must make reasonable efforts to verify

17
Q

What are the 10 justifications for processing special category data?

A
  1. Explicit consent
  2. Employment, social security or social protection law authorized by Union or Member State law, with safeguards
  3. Vital interests, incapable of giving consent
  4. Political, philosophical, religious purposes for legitimate activities
  5. Made public by the data subject
  6. Legal claims
  7. Substantial public interest
  8. Healthcare
  9. Public health
  10. Archives or research
18
Q

How do you determine if GDPR applies - by the organization or by the processing activity?

A

Processing Activity

Some activities may fall under GDPR and others may not

19
Q

What is the definition of “establishment” in the EU?

A

effective and real exercise of activity through stable arrangements

20
Q

What did case Weltimmo v NAIH establish with regard to establishment?

A

Weltimmo, although incorporated in Slovakia, targeted Hungarian market, advertised Hungarian properties and written in Hungarian.

Weltimmo had representative in Hungary, used letter box in Hungary and had Hungarian bank account

21
Q

Is GDPR restricted to individuals within the EU?

A

No, GDPR applies to:

  • activities of an establishment in the EU, regardless of where processing takes place
  • processing of personal data of data subjects who are in the Union
22
Q

What are relevant factors in determining if goods or services are being offered to data subjects in the EU?

A

naming EU states in reference to goods/services

use of an EU language

marketing/advertising directed at EU audiences

paying search engine to facilitate access by individuals in EU

dedicated addresses or phone numbers for individuals in EU

top-level EU domain (.de or .eu)

23
Q

What is “monitoring” according to Recital 24?

A

tracking individuals online to create profiles, including where used to make decisions concerning them or for analyzing or predicting their preferences, behaviors and attitudes

24
Q

What are examples of monitoring?

A

behavioral advertising
online tracking (cookies)
personalized health analytics
CCTV
market surveys

25
Q

Can a competent authority be subject to both GDPR and LED?

A

Yes, if data is processed for purposes other than the purposes of the LED

26
Q

Are EU institutions covered by the GDPR?

A

No, however regulation 2018/1725 will apply to cover this gap

27
Q

What principle was added by GDPR to the original principles of the Directive?

A

Accountability

28
Q

What does the lawfulness principle mean?

A

Personal data must only be processed when data controllers have a legal ground for processing the data

29
Q

What are two things to assess to determine whether processing is “fair”?

A
  1. data subjects are aware of the fact that their data will be processed to make an informed choice
  2. how the processing will affect the data subject and if, in the case of negative impact, it is justified
30
Q

What did GDPR remove from the Directive regarding transparency?

A

the general obligation to notify DPAs of processing of personal data

(instead promotes procedures and mechanisms and notifying data subject)

31
Q

In what case does GDPR exempt data controllers from duty to inform?

A

when data is obtained directly from the data subject and they are already aware of the information

32
Q

In what cases do data controllers not have to provide notice to data subjects when data is collected from other sources?

A
  1. when providing information represents disproportionate effort
  2. to protect data subject’s legitimate interest
  3. preserve confidentiality of the information
33
Q

When must notice be given to the data subject if he or she provides the data directly?

A

at the time of collection

34
Q

When is secondary processing lawfully permitted?

A

when considered compatible with the original purpose for which the data was gathered

35
Q

What should controllers consider when evaluating compatibility of a secondary purpose with the original purpose?

A
  1. link between original and further processing
  2. context personal data was collected in (reasonable expectations of data subject)
  3. nature of the personal data
  4. consequences of further processing
  5. existence of proper safeguards
36
Q

What two concepts should be considered when assessing data minimization?

A

necessity
proportionality

37
Q

How should a controller comply with the accuracy principle?

A

implement reasonable measures to ensure data are collected from reliable sources

keep data up-to-date and respond to data subject requests to correct

38
Q

What did GDPR remove from the Directive regarding transparency?

A

GDPR eliminates the Directive’s general obligation to notify DPAs of processing of personal data

(instead promotes procedures and mechanisms and notifying data subject)

39
Q

Which article outlines lawful bases for processing personal data?

A

Article 6

40
Q

What does it mean for consent to be “freely given”?

A

data subject must have a genuine choice and be able to refuse and withdraw consent

41
Q

What does Recital 43 state regarding consent?

when can it not be relied upon

A

cannot be relied upon if there is a clear imbalance of power between data subject and controller (in particular when controller is a public authority)

42
Q

What is the EDPB guidance to make consent “specific”?

A
  1. purpose specification
  2. granularity in consent requests
  3. clear separation of information related to data processing consent (from other matters)
43
Q

What is the minimum that must be provided for valid consent?

A
  1. controller identity
  2. purpose of processing operations
  3. type of data to be collected/used
  4. right to withdraw consent
  5. use of data for automated decision-making
  6. possible risks of data transfers

44
Q

What has to happen for consent to be valid for multiple controllers?

A

all controllers must be specifically named

45
Q

What 3 factors are involved in satisfying the “legitimate interest” condition?

A
  1. processing must be necessary for the purpose
  2. purpose must be a legitimate interest of controller or a third party
  3. the legitimate interest cannot be overridden by data subject’s interests or rights and freedoms
46
Q

What is the ICO’s 3-part test for controllers in establishing legitimate interest?

A
  1. identify the legitimate interest
  2. show that processing is necessary to achieve it
  3. balance legitimate interest against individual’s interests, rights and freedoms
47
Q

What shifted between the Directive and GDPR with regard to legal basis and notification?

A

Under GDPR a controller is required to provide a privacy notice that specifies the legal basis for processing

(under directive, controller did not have to document criterion)

48
Q

What influenced the definition of special category data?

A

Anti-discrimination laws

49
Q

What is different about consent for processing special category data (under Article 9) from consent defined under Article 6?

A

it must be explicit

(in addition to unambiguous, freely given, specific and informed)

50
Q

What are some of the ways explicit consent can be provided in a digital environment per EDPB?

A

filling in electronic form
sending an email
using electronic signature
2-stage verification

51
Q

What is different between vital interest under article 6 (legal basis) versus article 9 (special category)?

A

Article 9: controller must be able to demonstrate it is not possible to obtain consent (data subject legally or physically incapable)

52
Q

What are the requirements for processing special category data related to political, philosophical, religious, trade organizations?

A
  1. processing only in the course of legitimate activities
  2. with appropriate safeguards
  3. in connection with specific purpose
53
Q

Can a political, philosophical, religious, trade organization disclose sensitive data outside of the organization?

A

only with explicit consent from data subject

54
Q

What are the 2 requirements for establishing substantial public interest as a basis for processing special category data?

A

laws that:

  1. are proportionate to the aim pursued
  2. show respect for the essence of the right to data protection
55
Q

What is processing of personal data?

A

Any operation, or set of operations, which is performed on personal data or on sets of personal data whether or not by automated means

such as collection, recording, organizing, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, disseminating or otherwise making available, aligning, combining, restricting, erasing and destroying

56
Q

What does restriction of processing mean?

A

marking of stored personal data with the aim of limiting their processing in the future

57
Q

What does “cross-border processing” refer to?

A
  1. takes place in the context of activities of establishments in more than one member state
  2. takes place in the context of activities of a single establishment in EU but likely to affect data subjects in more than one member state