Reading Week 6 Flashcards

1
Q

What are the two scenarios and two points in time at which the DC must provide info to the DS under the GDPR?

A
  • Where the personal data is obtained directly from the data subject, the controller
    must notify the data subject about all of his or her related information and rights
    under the GDPR at the time the data are obtained.
    If the controller intends to further process the personal data for a different purpose, the controller shall provide all the relevant information prior to the processing taking place.
  • Where the personal data has not been obtained from the data subject directly,
    the controller is obliged to provide the information about the processing to the
    data subject “within a reasonable period after obtaining the personal data, but
    at the latest within one month”, or before data are disclosed to a third party.
2
Q

What does Convention 108 say about informing the DS?

A

The Explanatory Report of Modernised Convention 108 stipulates that if informing
data subjects is not possible when commencing the processing, it can be done at
a later stage, such as when the controller is put in contact with the data subject for
any reason.

3
Q

Under which articles of the GDPR are exceptions provided to the obligation to inform the DS?

A

Under Article 13 (4) and
Article 14 (5) of the GDPR, the obligation to inform data subjects does not apply
if the data subject already has all of the relevant information.

In addition, where
the personal data have not been obtained from the data subject, the obligation to
inform will not apply if the provision of information is impossible or disproportionate,
in particular where the personal data is processed for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

4
Q

How do member states enjoy a margin of discretion under the GDPR to restrict obligations?

A

Furthermore, Member States enjoy a margin of discretion under the GDPR to restrict
obligations and rights provided to individuals under the regulation if this is a necessary and proportionate measure in a democratic society, for instance, to safeguard national and public security, defence, protection of judicial investigations and proceedings, or the protection of economic and financial interests, as well as private
interests which are more compelling than data protection interests.

5
Q

What are some exceptional cases and what must national law respect?

A

Any exemptions or restrictions must be necessary in a democratic society and proportionate to the aim pursued.

In very exceptional cases, for instance because of
medical indications, the data subject’s protection may itself require a restriction of
transparency; this relates especially to restricting the right of access of every data
subject.

As a minimum level of protection, however, national law must respect
the essence of the fundamental rights and freedoms protected under EU law. This
requires that the national law contains specific provisions clarifying the purpose of
the processing, categories of personal data included, safeguards and other procedural requirements.

6
Q

When can Union or Member State law provide derogations (Dutch: afwijkingen) from the obligation to inform where data are collected for scientific or historical research purposes, statistical purposes or archiving purposes in the public interest?

A

Where data are collected for scientific or historical research purposes, statistical purposes or for archiving purposes in the public interest, Union or Member States law
can provide derogations from the obligation to inform if it is likely to render impossible or seriously impair the achievement of the specific purposes.

7
Q

How do these limitations exist under CoE law?

A

Similar limitations exist under CoE law, where rights granted to data subjects under
Article 9 of Modernised Convention 108 can be subject to possible restrictions under
Article 11 of Modernised Convention 108, under strict conditions. Furthermore,
according to Article 8 (2) of Modernised Convention 108 the obligation of transparency of processing imposed on controllers does not apply where the data subject
already has the information.

8
Q

How is the right of access to an individual’s own data acknowledged under CoE law?

A

Under CoE law, the right of access to an individual’s own data is explicitly acknowledged in Article 9 of Modernised Convention 108.

This provides that every individual
has the right to obtain, upon request, information about the processing of personal
data relating to him or her, which is communicated in an intelligible manner. The right
of access has been recognised not only in the provisions of Modernised Convention 108, but also in ECtHR case law. The ECtHR has repeatedly held that individuals have a right to access information about their personal data, and that this right arises
from the need to respect private life.

However, the right to access personal data
stored by public or private organisations may in certain circumstances be limited.

9
Q

How is the right of access to an individual’s own data acknowledged under EU law?

A

Under EU law, the right to access one’s own data is explicitly acknowledged in Article 15 of the GDPR and it is also set out as an element of the fundamental right to
the protection of personal data in Article 8 (2) of the EU Charter of Fundamental
Rights. An individual’s right to gain access to his or her own personal data is a key
element of European data protection law.

10
Q

What information about the processing must the DS be given under the GDPR?

A

The GDPR provides that every data subject has the right to access his or her personal data and certain information about the processing, which the controllers must
provide.

In particular, every data subject has a right to obtain (from the controller)
confirmation as to whether or not data relating to him or her are being processed,
and information about at least the following:
  • processing purposes;
  • categories of data concerned;
  • recipients or categories of recipients to whom the data are disclosed;
  • period for which the data is intended to be stored, or, if not possible, the criteria
    used to determine that period;
  • existence of rights to rectify or to erase personal data, or to restrict personal
    data processing;
  • right to lodge a complaint with the supervisory authority;
  • any available information about the source of the data undergoing processing if
    the data are not collected from the data subject;
  • in the case of automated decisions, the logic involved in any automated processing of data.
11
Q

What must the DC provide the DS with when asked about what data is being processed?

A

The data controller must provide the data subject with a copy of the personal data
being processed. Any information communicated to the data subject must be provided in an intelligible form, which means that the controller must make sure the
data subject can understand the information being provided. For example, including
technical abbreviations, coded terms or acronyms in response to an access request
will usually not suffice, unless the meaning of these terms is explained. Where automated decision-making is carried out, including profiling, the general logic involved
in the automated decision-making will need to be explained, including the criteria
which have been considered when evaluating the data subject. Similar requirements
exist under CoE law.

12
Q

What must be done with the info about the source of the data?

A

Information about the source of data – when the data are not collected from the data
subject – must be given in the response to an access request, as far as this information is available. This provision must be understood in the context of the principles of
fairness, transparency and accountability. A controller may not destroy information
about the source of data in order to be exempt from disclosing it – unless the deletion would have taken place despite the access request having been received – and
it must still comply with its general ‘accountability’ requirements.

13
Q

How must the right to access personal data not be unduly restricted by time limits?

A

As set out in CJEU case law, the right to access personal data may not be unduly
restricted by time limits. Data subjects must also be given a reasonable opportunity
to gain information about data processing operations that took place in the past.

14
Q

How can DS invoke their right to object to personal data processing?

A

Data subjects can invoke their right to object to personal data processing on grounds
relating to their particular situation and to data processed for direct marketing purposes. The right to object can be exercised by automated means.

15
Q

What is the right to object on grounds related to the data subjects’ particular situations?

A

Data subjects do not have a general right to object to the processing of their data.

Article 21 (1) of the GDPR empowers the data subject to raise objections on grounds
relating to their particular situation where the legal basis for the processing is the
controller’s performance of a task carried out in the public interest, or where the
processing is based on the controller’s legitimate interests.

The right to object applies to profiling activities. A similar right has been recognised in Modernised
Convention 108.

16
Q

What does the right to object on grounds relating to the DS’s particular situation aim to do?

A

The right to object on grounds relating to the data subject’s particular situation aims
to strike the correct balance between the data subject’s data protection rights and
the legitimate rights of others in processing their data.

The CJEU, however, has clarified that the data subject’s rights override ‘as a general rule’ the economic interests
of a data controller depending on “the nature of the information in question and
its sensitivity for the data subject’s private life and on the interest of the public in
having that information”.

Under the GDPR, the burden of proof is vested in controllers, who must show compelling grounds for continuing the processing. Similarly,
the Explanatory Report of Modernised Convention 108 clarifies that the legitimate
grounds for data processing (which may override the data subjects’ right to object)
will have to be demonstrated on a case-by-case basis.

17
Q

What is a successful objection?

A

The effect of a successful objection is that the controller may no longer process the
data in question. Processing operations performed on the data subject’s data prior to
the objection, however, remain legitimate.

18
Q

What is the right to object to processing of data for direct marketing purposes?

A

Article 21 (2) of the GDPR provides for a specific right to object to the use of personal data for the purposes of direct marketing, bringing further clarification to Article 13 of the e-Privacy Directive. Such a right is also laid down in the Modernised
Convention 108, as well as in the CoE Direct Marketing Recommendation. The
Explanatory Report of Modernised Convention 108 clarifies that objections to data
processing for direct marketing purposes should lead to unconditional erasure or
removal of the personal data in question.

The data subject has the right to object to the use of his or her personal data for
direct marketing purposes at any time and free of charge. Data subjects must be
informed of this right in a clear manner, separate from any other information.

19
Q

What is the right to object by automated means?

A

Where personal information is used and processed for information society services,
the data subject may exercise his or her right to object to the processing of his or her
personal data by automated means.

Information society services are defined as any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.

Data controllers offering information society services must have in place appropriate
technical arrangements and procedures to ensure that the right to object by automated means can be exercised effectively. For example, this may involve blocking
cookies on web pages or turning off the tracking of internet browsing.

20
Q

What is the right to object for scientific or historical research purposes
or statistical purposes under EU law?

A

Under EU law, scientific research should be interpreted in a broad manner, including,
for example, technological development and demonstration, fundamental research,
applied research and privately funded research. Historical research also includes
research for genealogical purposes, bearing in mind that the regulation should not
apply to deceased persons. Statistical purposes mean any operation of collection
and the processing of personal data necessary for statistical surveys or for the production of statistical results. Again, the particular situation of a data subject is the
legal basis regarding the right to object to personal data processing for research purposes. The only exception is the necessity of the processing for the performance
of a task carried out for reasons of public interest. However, the right to erasure shall
not apply when processing is necessary (with or without reasons of public interest)
for scientific or historical research purposes or statistical purposes.

21
Q

How does the GDPR balance the requirement of scientific, statistical or historical research?

A

The GDPR balances the requirements of scientific, statistical or historical research
and the rights of data subjects with specific safeguards and derogations in Article 89. Thus, Union or Member State law may provide derogations of the right to
object insofar as such right is likely to render impossible or seriously impair the
achievement of the research purposes, and if such derogations are necessary for the
fulfilment of those purposes.

22
Q

What is the right to object for scientific or historical research purposes
or statistical purposes under CoE law?

A

Under CoE law, Article 9 (2) of Modernised Convention 108 establishes that restrictions on the data subjects’ rights, including the right to object, may be provided
for by law regarding data processing for archiving purposes in the public interest,
scientific or historical research purposes or statistical purposes when there is no recognisable risk of infringement of the rights and fundamental freedoms of data
subjects.

However, the Explanatory Report (paragraph 41) also recognises that data subjects
should have the opportunity to give their consent only to certain areas of research
or parts of research projects to the extent that the intended purpose allows, and
object in case they perceived the processing to excessively encroach on their rights
and freedoms without a legitimate ground.

In other words, such processing would therefore be considered a priori compatible
provided that other safeguards exist and that the operations, in principle, exclude
any use of the information obtained for decisions or measures concerning a particular individual.

23
Q

What are automated decisions?

A

Automated decisions are decisions taken using personal data processed solely by
automatic means without any human intervention.

24
Q

What holds under EU law concerning automated decisions?

A

Under EU law, data subjects
must not be subject to automated decisions which produce legal effects or have
similarly significant effects. If such decisions are likely to have a significant impact
on the lives of individuals as they relate, for example, to creditworthiness, e-recruitment, performance at work, or the analysis of conduct or reliability, then special protection is necessary to avoid negative consequences.

Automated decision-making
includes profiling, which consists of any form of automatic evaluation of “personal
aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject’s performance at work, economic situation, health, personal
preferences or interests, reliability or behaviour, location or movements”.

25
Q

What does the Article 29 Working Party say about automated decisions?

A

According to the Article 29 Working Party, the right not to be subject to decisions
based solely on automated processing that may result in legal effects for the data subject or that significantly affect him or her equates to a general prohibition and does not
require the data subject to proactively seek an objection to such a decision.

The Article 29 Working Party has provided further guidance on the use of automated decision-making under the GDPR.

26
Q

When would automated decision-making according to the GDPR be acceptable?

A

Nevertheless, according to the GDPR, automated decision-making with legal effects
or that significantly affect individuals may be acceptable if it is necessary for entering a contract or the performance of a contract between the data controller and data
subject, or if the data subject gave explicit consent.

Also, automated decision-making is acceptable if it is authorised by law and if the data subject’s rights, freedoms
and legitimate interests are appropriately safeguarded.

27
Q

What must the DC tell the DS about automated decision-making under the GDPR?

A

The GDPR also provides that among the controller’s obligations regarding the information to be provided where personal data are collected, data subjects must be told about
the existence of automated decision-making, including profiling.

The right to access
the personal data processed by the controller remains unaffected. The information
should not only indicate the fact that profiling will occur, it should also contain meaningful information about the logic involved in the profiling and the envisaged consequences for individuals of the processing.

For instance, a health insurance company
using automated decision-making on applications should provide data subjects with
general information on how the algorithm works, and which factors the algorithm uses
to calculate their insurance premiums.

Similarly, when exercising their ‘right of access’,
data subjects can request information from the controller on the existence of automated decision-making and meaningful information about the logic involved.

28
Q

What is the intention behind the info provided to the DS?

A

The information provided to data subjects is intended to provide transparency and
enable data subjects to provide informed consent, if that is the case, or to obtain
human intervention. The data controller is required to implement suitable measures to safeguard the data subject’s rights, freedoms and legitimate interests. This includes at least the right to obtain human intervention on the part of the controller
and the possibility for the data subject to express a point of view and to contest a
decision based on the automated processing of their personal data.

29
Q

What holds under CoE law about automated decision-making?

A

Under CoE law, individuals have a right not to be subject to a decision which will
significantly affect them and which is based solely on automated processing without
having their views taken into consideration.

The requirement to consider the data
subject’s views when decisions are based solely on automated processing means
that they have a right to challenge such decisions, and should be able to contest any
inaccuracy in the personal data the controller uses, and challenge whether any profile applied to them is relevant.

However, an individual cannot exercise this right
if the automated decision is authorised by a law to which the controller is subject
and which also lays down suitable measures to safeguard the data subject’s rights,
freedoms and legitimate interests.

In addition, data subjects have the right to obtain,
upon request, knowledge of the reasoning underlying the data processing carried
out.

30
Q

What does the Profiling Recommendation do?

A

The Profiling Recommendation, albeit not legally binding, specifies the conditions
for the collection and processing of personal data in the context of profiling.

It includes provisions on the need to ensure that the processing in the context of
profiling should be fair, lawful, proportionate and for specified and legitimate purposes.
It also includes provisions on the information controllers should provide
to data subjects.

The data quality principle – which requires controllers to take measures to correct data inaccuracy factors, to limit the risks or errors that profiling may entail, and to periodically evaluate the quality of the data and algorithms used – also
features in the recommendation.

31
Q
A