Processing Personal Data (4) Flashcards
What does the “Integrity and Confidentiality” principle under GDPR imply?
Personal data must be processed in a manner that ensures appropriate security
What are the 7 principles for processing personal data under GDPR?
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
What principle was violated in the Denmark DPA fine against Taxa related to their management of ride records?
Data Minimization
Taxi company maintained ride records, including phone numbers, after the 2-year retention period
What are 3 criteria for territorial scope of the GDPR?
- activities of EU-established organizations (regardless of whether processing takes place in the EU or not)
- organizations offer goods and services to or monitor the behavior of individuals in the EU
- in a place where member state law applies by virtue of international treaties (embassies)
What is the material scope of GDPR under Article 2?
- processing of personal data wholly or partly by automated means
- personal data which forms part of a filing system, even if not conducted by automated means
Which activities fall outside the material scope of GDPR?
- activities outside the scope of Union law (national laws around public security, defense, national security)
- official bodies carrying out crime prevention, investigation, detection or prosecution of criminal offenses
- purely personal or household activities
What was the decision in Bodil Lindquist vs Aklagarkammaran regarding material scope?
Lindquist maintained private home page of personal data of colleagues
CJEU ruled that a private home page accessible only to those who have the address is NOT covered by the household activity exclusion, so GDPR does apply
What are the 6 lawful grounds for processing personal data?
(obligations)
- Consent
- Performance of a contract
- Compliance with a legal obligation
(interests)
- Protection of vital interests of data subject or another person
- Public interest or exercise
- Legitimate interests
What are the 5 original conditions for consent under GDPR?
- demonstrable
- clearly distinguishable
- intelligible and easily accessible form, using clear and plain language
- right to withdraw at any time
- not conditional for performance of contract
What are the 2 possible conditions to apply performance of a contract as a lawful basis?
- processing is necessary to perform the contract and data subject is party to the contract
or
- if data subject requests processing to enter into contract
What legal obligations apply for “Compliance with a legal obligation” as a lawful basis?
legal obligations required by EU and member state laws only
What are the conditions for “Protection of vital interests” as a lawful basis?
to ensure the survival of the data subject or of another person
only where processing cannot manifestly be based on another legal basis
some cases may serve both public interest and vital interest (epidemics,
Who defines what qualifies as “processing for public interest” as a lawful basis?
Union law or member state law
must be necessary for the task carried out in the public interest
What is the exception to processing for “legitimate interests” as a lawful basis?
if overridden by interests or fundamental rights and freedoms of the data subject
in particular where data subject is a child
What are the 4 updated requirements for consent in Recital 32?
(demonstrable, distinguishable, right to withdraw, not conditional)
- Clear affirmative act
- Freely given, specific, informed and unambiguous
- Consent given for each purpose
- For electronic means: clear, concise and not disruptive to use of the service
What are the conditions to process children’s data for information society services?
Article 8
consent must be given by parent or guardian if under 16
must make reasonable efforts to verify
What are the 10 justifications for processing special category data?
- Explicit consent
- Employment, social security or social protection law authorized by Union or Member State law, with safeguards
- Vital interests, incapable of giving consent
- Political, philosophical, religious purposes for legitimate activities
- Made public by the data subject
- Legal claims
- Substantial public interest
- Healthcare
- Public health
- Archives or research
How do you determine if GDPR applies - by the organization or by the processing activity?
Processing Activity
Some activities may fall under GDPR and others may not
What is the definition of “establishment” in the EU?
effective and real exercise of activity through stable arrangements
What did case Weltimmo v NAIH establish with regard to establishment?
Weltimmo, although incorporated in Slovakia, targeted the Hungarian market, advertised Hungarian properties and was written in Hungarian.
Weltimmo had representative in Hungary, used letter box in Hungary and had Hungarian bank account
Is GDPR restricted to individuals within the EU?
No, GDPR applies to:
- activities of an establishment in the EU, regardless of where processing takes place
- processing of personal data of data subjects who are in the Union
What are relevant factors in determining if goods or services are being offered to data subjects in the EU?
naming EU states in reference to goods/services
use of an EU language
marketing/advertising directed at EU audiences
paying search engine to facilitate access by individuals in EU
dedicated addresses or phone numbers for individuals in EU
top-level EU domain (.de or .eu)
What is “monitoring” according to Recital 24?
tracking individuals online to create profiles, including where used to make decisions concerning them or for analyzing or predicting their preferences, behaviors and attitudes
What are examples of monitoring?
behavioral advertising
online tracking (cookies)
personalized health analytics
CCTV
market surveys
Can a competent authority be subject to both GDPR and LED?
Yes, if data is processed for purposes other than the purposes of the LED
Are EU institutions covered by the GDPR?
No; however, Regulation 2018/1725 will apply to cover this gap
What principle was added by GDPR to the original principles of the Directive?
Accountability
What does the lawfulness principle mean?
Personal data must only be processed when data controllers have a legal ground for processing the data
What are two things to assess to determine whether processing is “fair”?
- data subjects are aware of the fact that their data will be processed to make an informed choice
- how the processing will affect the data subject and if, in the case of negative impact, it is justified
What did GDPR remove from the Directive regarding transparency?
the general obligation to notify DPAs of processing of personal data
(instead promotes procedures and mechanisms and notifying data subject)
In what case does GDPR exempt data controllers from the duty to inform?
when data is obtained directly from the data subject and they are already aware of the information
In what cases do data controllers not have to provide notice to data subjects when data is collected from other sources?
- when providing information represents disproportionate effort
- to protect data subject’s legitimate interest
- preserve confidentiality of the information
When must notice be given to the data subject if he or she provides the data directly?
at the time of collection
When is secondary processing lawfully permitted?
when considered compatible with the original purpose for which the data was gathered
What should controllers consider when evaluating compatibility of a secondary purpose with the original purpose?
- link between original and further processing
- context personal data was collected in (reasonable expectations of data subject)
- nature of the personal data
- consequences of further processing
- existence of proper safeguards
What two concepts should be considered when assessing data minimization?
necessity
proportionality
How should a controller comply with the accuracy principle?
implement reasonable measures to ensure data are collected from reliable sources
keep data up-to-date and respond to data subject requests to correct
Which article outlines lawful bases for processing personal data?
Article 6
What does it mean for consent to be “freely given”?
data subject must have a genuine choice and be able to refuse and withdraw consent
What does Recital 43 state regarding consent?
when can it not be relied upon
cannot be relied upon if there is a clear imbalance of power between data subject and controller (in particular when controller is a public authority)
What is the EDPB guidance to make consent “specific”?
- purpose specification
- granularity in consent requests
- clear separation of information related to data processing consent (from other matters)
What is the minimum that must be provided for valid consent?
- controller identity
- purpose of processing operations
- type of data to be collected/used
- right to withdraw consent
- use of data for automated decision-making
6 possible risks of data transfers
What has to happen for consent to be valid for multiple controllers?
all controllers must be specifically named
What 3 factors are involved in satisfying the “legitimate interest” condition?
- processing must be necessary for the purpose
- purpose must be a legitimate interest of controller or a third party
- the legitimate interest cannot be overridden by data subject’s interests or rights and freedoms
What is the ICO’s 3-part test for controllers in establishing legitimate interest?
- identify the legitimate interest
- show that processing is necessary to achieve it
- balance legitimate interest against individual’s interests, rights and freedoms
What shifted between the Directive and GDPR with regard to legal basis and notification?
Under GDPR a controller is required to provide a privacy notice that specifies the legal basis for processing
(under directive, controller did not have to document criterion)
What influenced the definition of special category data?
Anti-discrimination laws
What is different about consent for processing special category data (under Article 9) from consent defined under Article 6?
it must be explicit
(in addition to unambiguous, freely given, specific and informed)
What are some of the ways explicit consent can be provided in a digital environment per EDPB?
filling in electronic form
sending an email
using electronic signature
2-stage verification
What is different between vital interest under article 6 (legal basis) versus article 9 (special category)?
Article 9: controller must be able to demonstrate it is not possible to obtain consent (data subject legally or physically incapable)
What are the requirements for processing special category data related to political, philosophical, religious, trade organizations?
- processing only in the course of legitimate activities
- with appropriate safeguards
- in connection with specific purpose
Can a political, philosophical, religious, trade organization disclose sensitive data outside of the organization?
only with explicit consent from data subject
What are the 2 requirements for establishing substantial public interest as a basis for processing special category data?
laws that:
- are proportionate to the aim pursued
- show respect for the essence of the right to data protection
What is processing of personal data?
Any operation, or set of operations, which is performed on personal data or on sets of personal data whether or not by automated means
such as collection, recording, organizing, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, disseminating or otherwise making available, aligning, combining, restricting, erasing and destroying
What does restriction of processing mean?
marking of stored personal data with the aim of limiting their processing in the future
What does “cross-border processing” refer to?
- takes place in the context of activities of establishments in more than one member state
- takes place in the context of activities of a single establishment in EU but likely to affect data subjects in more than one member state