W3 Lecture: Data Protection Principles Flashcards

1
Q

Why do you need data protection principles?

A
  • so that, as a data subject (DS), your data is not used in an arbitrary fashion against you
    => you protect the data and the individuals whilst processing the data => the focus is on protecting the data subject
2
Q

What are the fundamental principles of Art. 5 of GDPR?

A
  1. lawfulness, fairness and transparency
  2. purpose limitation
  3. data minimization
  4. accuracy
  5. storage limitation
  6. integrity and confidentiality
  7. accountability
3
Q

What are the stages of the data processing cycle?

A

see docs

4
Q

What is purpose specification?

A

BEFORE starting the processing, controllers must identify a SPECIFIC & LEGITIMATE purpose

➢ The purpose becomes the benchmark to assess how other principles and rules are applied

➢ Collecting data because they might be useful some day? X BIG NO

➢ Data subject must be informed in a DIRECT & UNEQUIVOCAL (= explicit) way -> so they know whether something is wrong and how to exercise their rights! (transparency)

  • Not vague, not general: must be specific enough to allow for an evaluation of its compliance with the law.
  • Data Subjects should have enough information to predict the use of their data, and its consequences.
  • Art29WP: “‘improving users’ experience’, ‘marketing purposes’, ‘IT-security purposes’ or ‘future research’ will – without more detail – usually not meet the criteria of being ‘specific’” depending on the context.
5
Q

What is the principle of purpose limitation?

A
  • ALIGNS intended and actual use of the personal data collected by a controller;
  • ALIGNS the data processing activities with the business model of the controller.

1. Personal data shall be: (b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;

further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

6
Q

How precisely and in how much detail should the purpose be specified according to Article 29 WP?

A

‘The purpose of the collection must be clearly and specifically identified: it must be detailed enough to determine what kind of processing is and is not included within the specified purpose, and to allow that compliance with the law can be assessed and data protection safeguards applied.’

7
Q

What happens if the data are processed in an additional way, other than for the purpose originally indicated?

A

> This is called ‘further processing’

> This new processing must be evaluated: is this processing incompatible with the purpose originally indicated?

> The assessment must take into consideration all circumstances (not abstract!)

> This test is not necessary if the data subject consents to the further processing

8
Q

What are the criteria to assess compatibility in article 6(4) GDPR?

A

(a) whether the additional processes constitute logical steps implicitly necessary for the original use, or there is another logical connection between the two;

(b) the context from which the data have been collected (and the data subject’s expectations);

(c) the nature of the data (e.g. sensitive data, due to their special protection would limit the possibility for additional processing);

(d) Possible consequences on the data subject (=“situations where the processing may lead to the exclusion or discrimination of individuals”, unpredictability and uncertainty connected to possible unknown future third parties, stress or psychological harms, etc);

(e) possible safeguards (such as encryption or pseudonymization, but also organizational measures)

9
Q

What is the principle of data minimization?

A

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

10
Q

What do you need to establish in order to test data minimization?

A

a purpose

If you formulate more purposes, then you willfully have more risk of doing something shady

11
Q

What are the lawfulness and fairness principles from article 5 (1)?

A

lawfulness:
= according to one of the legal grounds listed by art. 6 -> LECTURE 4!

+ not against the law in general

fairness:
= the relationship between controller and data subject must be based on good faith. The processing must be ethical and the controller must not process data in a way that is unduly detrimental for the data subject, misleading, or (reasonably) unexpected (if not, there must be a good justification)

12
Q

What is transparency according to recital 39 GDPR?

A

The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing.

TRANSPARENCY:
- Processing is transparent vis-à-vis the data subject = INFORM DATA SUBJECTS about the processing

  • Information should be available BEFORE the processing starts, DURING, and AFTER the processing (upon request of the data subject)
  • FURTHER SPECIFIED BY ARTICLES 12, 13, 14 GDPR.
13
Q

How must the controller provide information, article 12 GDPR?

A
  • in a concise, transparent, intelligible and easily accessible form, using clear and plain language (esp for children);
  • In writing, electronically, orally (only upon request of data subject & id of the data subject is proven);
  • Free of charge (unless the request of the data subject is manifestly unfounded or excessive, to be proved by the controller);
  • If the controller is sure of the identity of the data subjects (if not, ask for (reasonable) proof!)
14
Q

If personal data are collected directly from the DS, what must be provided at the moment of collection (possibly before it starts) under Article 13 GDPR?

A

a) identity & contact details of the controller/representative;

b) contact details of data protection officer, where applicable;

c) purposes & legal basis for the processing;

d) the legitimate interests pursued by the controller or by a third party, if applicable based on art. 6 (-> lecture 3!);

e) recipients of personal data, if any;

f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation.

15
Q

Article 14 GDPR, what is some additional info to make sure the processing is fair?

A

a) storage period (or criteria to determine that period);

b) the existence of the Data Subject rights (arts. 15-22 GDPR);

c) the right to withdraw consent at any time;

d) the right to lodge a complaint with a supervisory authority;

e) If the provision of personal data derives from the law or a contract, explain whether the data subject is obliged to provide the personal data and the possible consequences of failure to provide data;

f) the existence of automated decision-making or profiling (art. 22 GDPR), meaningful information about the logic involved + the envisaged consequences;

+ info on further processing based on a purpose different from the one already communicated

16
Q

Where can you find 3 exceptions as DC to not send the data to DS?

A

Paragraph 5 of article 14

17
Q

What is the accuracy principle?

A

d) accurate and, where necessary, kept up to date;

  • every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

= controllers should not use inaccurate and obsolete data
➢ The accuracy is evaluated based on the purpose
➢ Sometimes data must not be updated (e.g. archival reasons)
➢ Inaccurate data can create harms:

18
Q

What is the principle of storage limitation?

A

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;

personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

  • INDEFINITE RETENTION IS NOT ALLOWED

-> once the purpose has been fulfilled, either delete the data OR anonymise it!

+ create an internal policy for periodical erasure of data.

19
Q

What is the principle of security?

A

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

See docs

20
Q

What is storage limitation + security + data protection by design?

A

STORAGE LIMITATION +
SECURITY +
DATA PROTECTION BY DESIGN
=
ANONYMIZATION & PSEUDONYMIZATION ARE YOUR FRIENDS
(but they are not the same and
do not have the same consequences under the GDPR)

21
Q

What is the accountability principle?

A
  1. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).

The controller is the one that pays the consequences if the GDPR is not respected -> FINE$$$

If the controller makes use of a processor, and this latter does not comply, both are liable within each other’s competencies

The measures to adopt to respect the GDPR principles vary based on the types of processing and their risks to individuals

Demonstrate compliance?
* DOCUMENTATION
* RECORDING/LOGGING PROCESSING ACTIVITIES -> (AI Act will impose to create logs of operations for AI systems)
* DPIA
* CREATE COMPANY PROCEDURES FOR DATA SUBJECTS RIGHTS
* ADHERE TO CODES OF CONDUCT
* ETC…

22
Q

How does the DC comply with the data regulation principles?

A

You have 3 different DC groups:
1. a small group that is sincere and wants to comply with the law
2. a big group, 50%, that wants to be compliant but does not find it intrinsically interesting
3. those that do not care about data protection law

Degree of assessing the legislation of GDPR, it has to be really bad and detrimental for it to be that everything is checked or not.

The GDPR is restrictive, some say so much so that it is difficult to comply with the law.

23
Q

What is the problem of the GDPR?

A

The parties that are really big are difficult to tackle, since you do not really know what goes on, as there is no registration.

This shows how the GDPR affects some groups disproportionately compared with other groups.