Week 4 Flashcards

1
Q

What three key dimensions are in play when considering data protection?

A
  • Privacy (philosophy): The right to be let alone
  • EU General Data Protection Regulation (law)
  • Information Security (technology, procedures, governance)
2
Q

Explain Responsibility, Accountability, Liability and Due process

A
  • Responsibility: free moral agents are responsible for the actions they take (forward looking)
  • Accountability: agents should be held accountable to others for the consequences of their actions (backward looking)
  • Liability: agents are liable for damages they incur to others (legal)
  • Due process: laws are known and understood, and there is an ability to appeal to a higher authority to ensure laws are carried out
3
Q

Why would people prefer secrecy over transparency?

A
  • To preserve something precious, private, prohibited, shameful or sacred (e.g. early love; ritual)
  • To prevent harm (e.g. national security)
  • To protect plans before execution (e.g. in negotiations)
  • To protect personal identity (e.g. musical choice)
  • To protect property (e.g. copyright; patents)
4
Q

What is the GDPR?

A

The GDPR is a regulation applying its ‘force’ directly to its member-states and subjects. The GDPR governs (inter alia) how, when and why ‘Data Controllers’ and Processors process ‘Personal Data’. It aims to harmonize practices and strengthens the protection of natural persons.

5
Q

What is personal data?

A

Personal Data: any information relating to an identified or identifiable natural person (‘data subject’)

6
Q

What are the 3 actors of GDPR?

A
  • Data subject: Natural person, about whom data is processed
  • Data Controller: [Art. 4(7)]: Determines purposes and means of processing of personal data
  • Data Processor: [Art. 4(8)]: Processes personal data on behalf of the controller
7
Q

Explain Profiling

A

Profiling: the use of personal data to evaluate certain personal aspects relating to a natural person.

8
Q

Explain processing

A

Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means.

9
Q

Explain Consent

A

Consent: Any freely given, specific, informed and unambiguous indication that the data subject by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

10
Q

5 special categories of personal data

A
  • Racial or ethnic origin;
  • Political opinion, religious or philosophical beliefs
  • Trade union membership
  • Genetic and/or biometric data processed for the purpose of identifying a person
  • Health, sexual life or sexual orientation
11
Q

Explain GDPR principle 1: Lawfulness, Fairness and Transparency

A

Lawfulness: GDPR provides the following grounds for lawful processing:

  • Consent of the data subject
  • Necessity to enter a contract
  • A legal obligation
  • Necessity to protect the vital interests of the data subject or of another person
  • Necessity for performing a task in the public interest
  • Necessity for the legitimate interests of the controller or a third party, if not overridden by the interests and rights of the data subject

Fairness: As much as possible, controllers should act in compliance with the wishes of the data subject, especially if the basis of processing is consent. Can be linked to ethical behavior.

Transparency: Customers must be aware of and really understand what is happening with their data, and its risks. Linked with Fairness. Can refer to the information given to the individual before processing starts, during processing, or the information given once the data subject requests access.
12
Q

Explain GDPR principle 2: Purpose limitation

A

Purpose limitation: Personal data shall be: “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”

Every new purpose, incompatible with the original, requires a new legal basis.

13
Q

Explain GDPR principle 3: Data minimization

A

Data Minimization: personal data shall be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”

14
Q

Explain GDPR principle 4: Data Accuracy

A

Data Accuracy: Personal data shall be “accurate and, where necessary, kept up to date”.

“Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purpose for which they are processed, are erased or rectified without delay.”

15
Q

Explain GDPR principle 5: Storage limitations

A

Storage Limitations: Personal data shall be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed”.

16
Q

Explain GDPR principle 6: Integrity and confidentiality

A

Integrity and Confidentiality: Personal data shall be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.

17
Q

Explain GDPR principle 7: Accountability

A

Accountability: “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1.”

Art. 29 Working Party’s Opinion, 3/2010: Accountability requires controllers to:

  • Put into place measures that would normally guarantee data protection and compliance
  • Have documentation ready to demonstrate that these measures have been taken.
18
Q

What is a Data protection officer (DPO) and when is a DPO mandatory?

A

A DPO is a person with expert knowledge of data protection law and practices. A DPO is mandatory when:

  • “The processing is carried out by a public authority or body, except for Courts acting in a judicial capacity
  • The core activities of the controller or processor… require regular and systematic monitoring of data subjects on a large scale
  • The core activities of the controller or processor consist of processing large scale of special categories of data… or data relating to criminal convictions…”
19
Q

Explain data breach notification

A

Whenever data is accessed without authorization, the data controller shall notify the Supervisory Authority without undue delay and, where feasible:

  • “not later than 72 hours
  • after having become aware of it,
  • notify the personal data breach to the supervisory authority competent in accordance with Article 55,
  • unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons…”
20
Q

Explain Data Protection Impact Assessment

A
  • Required when a type of processing, due to new technology or other factors, is likely to result in high risk to the rights of natural persons.
  • Aimed at assessing the impact of the envisaged processing on the protection of personal data.
  • As per DPO’s advice, if possible.
  • If the assessment finds that there is a high risk, controller must consult the supervisory authority prior to engaging in the activity.