223 Cards in this Set
What is the rationale for data protection? |
The 1970s rise in the use of computers to process personal information gave rise to concerns about the impact on privacy of the individual. Coupled with automated storage of personal data and cross border trade, there was a call to allow individuals to exercise control over their personal information whilst allowing the free international flow of information. |
|
What law underlies the data protection laws? |
The Human Rights Law. The right to private life and associated freedoms are considered to be fundamental human rights. |
|
When was the Declaration of Human Rights adopted and why? |
10 December 1948 by the General Assembly of the United Nations, in recognition of the atrocities of WWII. |
|
What is Article 12 of the Human Rights Declaration (HRD) about? |
The right to private life and associated freedoms |
|
What is article 19 of the HRD about? |
Freedom of opinion and expression |
|
What happens if article 12 is in conflict with article 19? |
A balance must be struck/reconciled per article 29(2) |
|
What is the European Convention on Human Rights (ECHR) and when did it come into force? |
An international treaty to protect human rights. Effective 03.09.1953; applies to all member states. |
|
When was the European Court of Human Rights formed? |
1 November 1998 |
|
What is article 8 of the ECHR about? |
Respect for private and family life, home and correspondence and no interference by public authority except for matters of the law, national security, public safety and for the protection of health and morals and for the protection of rights and freedoms of others. |
|
What is article 10 of the ECHR about? |
Rights and freedoms of expression, including the right to share information and ideas across national boundaries. |
|
What are the Council of Europe Resolutions 73/22 and 74/29 about? |
Principles for the protection of personal data in automated databanks in the private and public sectors, with the objective of developing national legislation based on the resolutions. |
|
What are the key OECD developments with regards to data protection? |
The Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, 23 September 1980, developed in conjunction with the Council of Europe and the European Community. Not legally binding - guidelines only. |
|
What is the key development of the Council of Europe with regards to Data Protection? |
The Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. |
|
What is Convention 108? |
The Convention for the Protection of Individuals with regard to Automatic Processing of personal data. Minus the Europe bit so it could be adopted by those outside of Europe. The first legally binding international instrument in the area of data protection. |
|
What does Convention 108 consist of? |
Substantive law - basic principles (Chapter II); special rules on transborder data flows (Chapter III); mechanisms for mutual assistance (Chapter IV); consultation between parties (Chapter V). |
|
Convention 108 ch II is about what? |
Personal info undergoing automatic processing shall be: obtained and processed fairly; stored for specific and legitimate purposes and not used for any other reason; adequate, relevant and not excessive; accurate and up to date; preserved in a form that permits identification of the individual for no longer than required; protected by appropriate security measures; special categories of data may not be processed; right to communication, rectification and erasure of the personal data held. |
|
Convention 108 Ch III is about what? |
Transborder data flows between signatories shall not impose any prohibitions or require any special authorisations for the purpose of the protection of privacy before such transfers can take place. Derogations include where the exporting country has rules for categories of personal data and automated processing and the importing country does not. |
|
What is the Convention 108 additional protocol? |
Designed to address where Convention 108 did not address transfers of personal info to countries that were not signatories. Covers an 'adequate' rather than 'equivalent' level of protection of personal info. |
|
What is Ch. IV about Mutual Assistance? |
Parties to Convention 108 must appoint a supervisory authority (SA) to oversee compliance with data protection law and to liaise with the SAs of other jurisdictions |
|
What is the Data Protection Directive? |
Member states were implementing diverse and fragmented data protection legislation and it was clear that there was a need for a harmonised approach. Directives are a form of legislation but are left to national authorities to implement. The culmination of work by the EC was Directive 95/46/EC (Parliament & Council) on the protection of individuals with regard to the processing of personal data and on the free movement of such data. But member states still didn't interpret it the same way; the first report, in 2003, confirmed this. |
|
What is the Charter of Fundamental Rights? |
Signed in Dec 2000 by the Presidents of the EU Parliament, the Council and the Commission and stemming from CJEU case law, EU member state traditions and the ECHR, the Charter includes the general principles set out in the ECHR but specifically refers to the protection of personal data. The Charter was given legally binding effect when the Treaty of Lisbon was signed. |
|
The Treaty of Lisbon was about what? |
Signed December 2007 by member states, it amended two core treaties: the Treaty on EU and the Treaty establishing the European Community, renamed the Treaty on the Functioning of the European Union (TFEU). It provides that all institutions of the EU must protect individuals when processing personal data. |
|
Why was the GDPR formed? |
Lack of harmonisation in the approaches to data protection throughout the member states and the rapid pace of technology. In 2012 the Commission put forward a proposal for a reform of the Directive to impose a single set of rules across the EU, and the GDPR was born. It took many years to negotiate. Came into force May 2016 and enforceable May 2018. |
|
What are some of the key changes brought in by the GDPR? |
More rights for individuals; data protection by design and by default; accountability; increased powers for SAs; broader applicability of the Regulation to anyone targeting EU consumers. |
|
What legislation is related to the GDPR? |
The Law Enforcement Data Protection Directive - covers processing of personal data for the prevention, investigation, detection or prosecution of criminal offences. The ePrivacy Directive - rules for processing personal data across public communications networks. Proposed regulation PECR. |
|
List the 7 EU institutions |
The European Parliament; the European Council; the Council; the European Commission; the Court of Justice of the EU; the European Central Bank; the Court of Auditors. |
|
The Treaty of Lisbon and protection of privacy did what? |
Changed other treaties by promoting the Charter of Fundamental Rights of the EU (the Charter) to the same legal status as the treaties, therefore making it legally binding. |
|
Detail the 3 basic principles of the Charter |
Article 7 - Respect for private and family life; Article 8 - Protection of personal data; Article 41 - Right to good administration (to have access to their records on file). Note: UK and Poland have an extra protocol to state that the Charter shall only apply if recognised in the law of either country. |
|
Define the European Parliament - the voice of the people |
The European Parliament shall, jointly with the Council, exercise legislative and budgetary functions, political control and consultation as laid down in the Treaties. It shall elect the President of the Commission. |
|
The European Parliament has 4 responsibilities, one of which is legislative development. Describe the 3 procedures by which it may or may not share its powers. |
Ordinary procedure - both the Council and the Parliament must assent to the legislation. Consultation procedure - the Council must consult the Parliament but is not bound by its opinion. Consent procedure - for important decisions the Parliament's consent is required. |
|
The Parliament's members are elected by the citizens of the EU. How often are elections and what are the min and max numbers of MEPs? |
Elections every 5 years. Representation of citizens shall be degressively proportional, with a min of six per member state and a max of 96. |
|
What are the two main stages of the Parliament's work? |
Prep for the plenary session - the Commission proposes a legislative text, an MEP is appointed Rapporteur and prepares a report, which is then debated and amended before being submitted to Parliament. The plenary session - examines and votes on proposed legislation and adopts its position. Voting is by simple majority. |
|
What is the European Parliament's role in data protection? |
Through its legislative process, it upholds the Treaty of Lisbon's universal right to the protection of personal data and states that legislation shall be adopted under the ordinary procedure. Parliament is a vocal advocate for the right to privacy. |
|
European Council - what is its function? |
To provide the Union with the necessary impetus for its development and to define the general political direction and priorities thereof. No legislative function. Heads of state meet twice per year. |
|
How does the European Council operate in practice? How are decisions made? Who is at the top? |
Generally consensus, but can be unanimity or qualified majority. The President is elected for 2.5 years, renewable once. |
|
What is the function of the Council of the European Union (not to be confused with the European Council)? 47 member states |
'The Council' is the main decision-making body of the EU, established by treaties in the 1950s, with a central role in both legislative and political decisions. Co-legislator with the Parliament. Its function is to carry out policy-making and coordinating functions as laid down in the treaties, and to promote democracy and protect human rights and the rule of law. |
|
What are the 10 Council formations? |
General Affairs; Foreign Affairs; Economic and Financial Affairs; Justice and Home Affairs; Employment, Social Policy, Health and Consumer Affairs; Competitiveness; Transport, Telecommunications and Energy; Agriculture and Fisheries; Environment; Education, Youth, Culture and Sport. |
|
In practice what is the function of the Council? |
Together with Parliament, it examines legislation proposed by the Commission under one of the three procedures (ordinary, consultation or consent). The Council can amend the proposal before it is adopted and concludes it. It can also make regulations, directives, decisions, common actions, recommendations, declarations or resolutions. Main decision-making body. |
|
What is the rationale and function of the European Commission? |
Has its foundations in the 1950s as a merger of 3 communities; often described as the executive committee of the EU. It implements the EU's decisions and policies, and it oversees EU law, supported by the Court of Justice of the EU. It has the power to initiate legislation and |
|
What is the function of the Commission in working practice, and in relation to data protection? |
Executive body: initiates legislation, monitors compliance of the institutions, imposes fines for failure to comply. Each member state has its own commissioner, who must have Parliamentary approval. Through its power it has the ability to enforce compliance with the Charter and therefore ensures a high level of protection for the individual's rights of privacy and data protection. |
|
What is the function and rationale of the Court of Justice of the EU? (ECJ) |
The court of the European Community (set up under the Treaty of Paris 1957). It is the judicial body of the EU that makes decisions on the law and its enforcement, and on what actions to take against member states and individuals. Nothing to do with the ECHR. |
|
What is the function of the ECJ in relation to data protection? |
Some cases are referred on the basis of interpretation of EU law. The UK was referred to the ECJ for not fully implementing EU rules on confidentiality of electronic communications. Google Spain and the right to be forgotten. ANAF - personal data may not be transferred between public administration bodies without the data subject being informed. The Schrems case invalidated the Commission's decision that Safe Harbor was adequate. |
|
European Court of Human Rights (ECHR) - rationale and function |
Strasbourg, 1959. Its role is to oversee the Convention, which protects the fundamental rights of the people living in the contracting states. Has no legal powers of enforcement. Hears applications lodged by individuals and makes judgements, which are binding and with which countries must comply. |
|
What is the function of the ECHR in relation to data protection? |
Article 8 of the Convention protects the right to respect for private and family life. The ECHR has been involved in cases where individuals have been denied access to their personal records and where individuals have had work emails monitored, and has upheld the need for criminal activity to be held on record, specifically for sex offenders. |
|
What is the objective of the Data Protection Directive of 1995? |
Member states shall protect the fundamental rights and freedoms of natural persons and in particular their right to privacy with respect to the processing of personal data. |
|
What is the content of the Data Protection Directive? |
34 articles in 7 chapters: 1 General provisions; 2 General rules on the lawfulness of processing; 3 Judicial remedies, liabilities and sanctions; 4 Transfers of personal data to third countries; 5 Codes of conduct; 6 Supervisory authority; 7 Community implementing measures. |
|
What is one major advance of the data protection directive over convention 108? |
Convention 108 does not cover manual processing of personal data i.e. data held in a filing system. The DPD makes the manual processing of data subject to the same obligations as processing of data by automatic means. |
|
What are the 8 key principles of the DPD? |
- processed fairly and lawfully - collected for specified and legitimate purposes and not processed in a manner incompatible with them - adequate, relevant and not excessive - processed in accordance with the rights of the individual - protected against accidental, unlawful and unauthorised processing by appropriate technical and organisational measures - transferred to countries outside the EEA only if those countries have their own adequate protections |
|
Who did the DPD apply to? What else did it introduce? |
Data controllers established in an EU member state, or where the organisation makes use of data processing equipment on the territory of. Introduced special categories of data. Mandated the establishment of a national Data Protection Authority (DPA) and WP29 - an independent body of representatives of the DPAs that examines the Directive and gives opinions and guidance to the Commission. |
|
The divergence in national measures and practices in implementing the DPD led to what? |
In 2010 the Commission set out plans for reform and in 2012 published its proposals for two legislative frameworks - the GDPR and the LEDP. |
|
What were the key changes of the reform which led to the GDPR and LEDP? |
Single set of rules valid across the EU; responsibility and accountability for those processing; single DPA where orgs have their main establishment; explicit consent; the right to be forgotten; the right to portability; ensuring the EU rules apply to those who offer services to EU citizens; strengthened power of DPAs to enforce EU rules at home - fines up to 2%; rules for police and judicial cooperation in criminal matters. |
|
What are the important dates for GDPR and LEPD? |
GDPR - 24th May 2016 and 25th May 2018 LEPD - 5 May 2016 and 6 May 2018 |
|
What is the structure of the GDPR? |
173 recitals and 99 articles in 11 chapters |
|
What are the objectives of the Directive? |
Better cooperation between law enforcement authorities; better protection of citizens' data; clear rules for international data flows by law enforcement authorities. |
|
What is the ePrivacy Directive? |
Privacy and Electronic Communications Directive covers all electronic communications specifically processing of personal data with publicly available electronic communication services (PEACS) in public communications networks in the EU. |
|
What is the general high-level content of the ePrivacy Directive? |
Providers are required to take appropriate technical measures to safeguard the security of their services; member states are required to ensure confidentiality of communications unless users give consent to interception and surveillance; digital marketing requires opt-in; users of PEACS have the right to itemised billing, line identification, directories, call forwarding and protection from unsolicited calls; location data must be made anonymous; subscribers must be informed before being included in any directory. |
|
What were the high-level amendments to the ePrivacy Directive in 2011? |
Mandatory notification of data breaches by electronic comms service providers; clarification on unsolicited communications (the SPs can stop spammers); cookies - where the data being processed is not intrusive or special category, implied consent can be drawn from an unmistakable conclusion that consent is given, so long as it is given 'freely, specific and informed'. |
|
What is the purpose of the ePrivacy reform? |
To replace the Directive with a Regulation, to harmonise the framework within the EU and to ensure consistency with the GDPR. |
|
What are the key features of the ePrivacy Regulation? (not yet in force Sept 2019) |
Wider application - mobile, email, voice; single set of rules; confidentiality of electronic comms; consent to process comms content and metadata; new business opportunities - use data for heat maps; revised rules on cookies - no consent needed for non-privacy-intrusive cookies, i.e. cookies that count the number of visitors; protection against spam; enforcement by DPAs; breaches of consent, directories or unsolicited comms rules - 2% or 10m€; breaches of confidentiality or time limits for erasure of data - 20m€ or 4%. |
|
Define Personal Data |
Any information relating to an identified or identifiable natural person: one who can be identified, directly or indirectly, in particular by reference to an identifier (name, number, location data, online identifier, physical identifier, genetic, mental, economic, cultural or social identity of that natural person). |
|
What are the 4 building blocks of personal data? |
any information relating to an identified or identifiable natural person |
|
Define 'any information' |
Any information about an individual's private life or activity undertaken, including in the professional or public sphere; includes information available in any form (paper or electronic). |
|
Define 'relating to' |
To be personal data, information must be about an individual; one of the following 3 elements must apply: content element - info about the individual; purpose element - to evaluate, consider or analyse info about the individual; result element - when processing has an impact on the individual's rights and interests. |
|
Define 'identified or identifiable' |
Identified - by name directly, or indirectly by identification number or IP address. Identifiable - where the individual has not yet been identified but it is possible to do so. |
|
What is the difference between anonymisation and pseudonymisation? |
Anonymisation - rendering the personal data anonymous so that the individual can no longer be identified. Pseudonymisation - rendering the personal data in a manner so that it can no longer identify the individual without the use of additional information, so long as that information is kept separately and is subject to appropriate technical and organisational measures. |
|
Define 'natural person' |
The regulation does not define the concept of a natural person but does state in R27 that it does not apply to the deceased. |
|
Define Data Controller |
The natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of data. |
|
Define the 3 building blocks of a data controller |
The natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. |
|
Define building block 1: 'natural person, legal person or any other body' |
Generally considered to be a company or body which acts as such, rather than an individual appointed by the company. |
|
Define 'alone or jointly with others' |
Together with others or not alone. Joint processing does not need to occur at the same time or be in equal proportion. |
|
Define block 3: 'determination of the purposes and means of the processing of personal data' |
The entity which determines the purpose and means of the processing. Explicit legal competence - appointed by law; implicit competence - established legal practice; factual influence - assessment of the factual circumstances. |
|
Define Data Processor |
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. |
|
What are the obligations of data processors? |
Security, record keeping, notifying controllers of data breaches and ensuring that they comply with restrictions on international data transfers set out in chapter V of the Regulation. To carry out processing as per the instructions of the Controller. |
|
What contractual requirements are required between a controller and a processor? |
Process only on documented instruction from the controller; ensure persons processing have committed to confidentiality; take measures pursuant to Article 32 (security of processing); respect conditions for enlisting other processors; appropriate organisational and technical measures to fulfil DSARs; assist the controller in complying with Articles 32-36 (security, breach, comms, DPIA); at the request of the controller, return or delete all data; make available information to demonstrate compliance with Article 28 (Processor). |
|
Define Data Processing |
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
|
To whom does the territorial and material scope of the GDPR apply? |
- all EU established orgs - extraterritorial to orgs which offer to sell goods or services to or who monitor individuals in the EU |
|
Does the GDPR apply to non-EU established organisations? |
Yes, where offering goods or services to such data subjects in the Union, or monitoring their behaviour as far as their behaviour takes place within the Union. |
|
What other factors constitute 'doing business in the EU'? |
The use of an EU language, prices in an EU currency, use of international telephone numbers, use of an EU domain (e.g. .de, .eu), mentions of international clientele domiciled in member states. |
|
How does the Regulation apply to non-EU based entities monitoring the behaviour of EU residents? |
Placing a cookie or filling out a form would amount to use of equipment in the EU to process personal data. |
|
What matters are considered outside the scope of the regulation? |
Operations that concern public security, defence and national security and the common foreign and security policy of the EU; and processing of personal data for purely personal purposes, not used for professional or business activities (household exemption, Article 2.2.c). |
|
Why is Article 2.2.c important? |
It provides that the GDPR is not applicable to natural persons processing personal data for purely personal or household activity, including social media and domestic purposes. |
|
Define competent authority under the LEDP |
Any public authority competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of penalties, including safeguarding against and the prevention of threats to public security, or any entity entrusted by a member state to fulfil the above. Police, prosecution authorities, courts and offender support. |
|
Define Lawfulness |
Means that personal data must only be processed when data controllers have a legal ground for processing the data. |
|
Processing of personal data will be considered lawful only when what legal grounds are met? 6 bases of lawful processing |
Consent - for 1 or more specific purposes; contract performance - the data subject is party to a contract with the DC; legal obligation - compliance with a legal obligation to which the DC is subject; vital interests - to protect the DS; public interest - to perform a task carried out in the public interest or in the exercise of official authority vested in the DC; legitimate interests - pursued by the DC; 3-part test: purpose, necessity, balancing DS rights. |
|
What determines that processing is fair? |
Data subjects must be aware that their personal data is being processed, collected, kept and used - they are informed and can make an informed decision. Exception - where the processor has a legal obligation to process, e.g. tax. |
|
What is unfair processing of personal data? |
Where processing negatively affects the DS, e.g. travel websites that plant a cookie, detect several visits to the website and increase the price each time. Excludes upholding the law, e.g. traffic offences. |
|
What does transparency mean to the Data Controller? |
The Data Controller must be open, honest and clear towards the DS when processing personal data. They must notify the DS except where they have obtained the data directly from the DS. |
|
When are controllers exempt from the duty to provide information when personal data is collected from other sources? |
When providing the info would involve disproportionate effort or be impossible; to protect the DS's legitimate interests - governed by law; to preserve the confidentiality of the info - governed by law. |
|
How does the principle of transparency apply to children? |
When processing the personal data of children, the communication of info must be drafted in simple and plain language to allow children to understand it. |
|
How does the principle of transparency apply to adults? |
When the info is obtained and the adult will most likely not understand it, e.g. a medical examination, the information must be provided in plain and simple language so that the person can understand it. |
|
How does the principle of transparency apply to privacy notices? |
They should be short and simple to read and understand rather than lengthy legal texts. The regulation promotes the use of icons and symbols as alternatives. |
|
Define the principle of purpose limitation |
Data controllers must only collect and process personal data to accomplish specified, explicit and legitimate purposes, and must not process personal data beyond such purposes unless further processing is considered compatible with the purposes for which the data was originally collected. |
|
What does the Regulation say about deciding whether secondary processing is compatible with the original purpose? What things should be taken into account? |
The purpose of further processing; the context in which the data was collected; the nature of the personal data; the consequences of further processing of the personal data for the DS; the existence of safeguards to protect the data. |
|
When secondary processing is considered incompatible with the original purpose, what can the DC do? |
The DC must inform the DS and either obtain separate consent in relation to the new purpose or satisfy one of the other available legal criteria to justify the processing. |
|
Define the principle of data minimisation |
The DC must only collect and process personal data that is relevant, necessary and adequate to accomplish the purposes for which it is processed. |
|
What are the two concepts required to apply the principle of data minimisation? |
Necessity and proportionality |
|
Define necessity |
The data must be suitable and reasonable to accomplish the specified purposes. Excessive and therefore unnecessary data should be deleted or anonymised. |
|
Define proportionality |
DCs must take into account the amount of data. The 'save everything' approach is in breach of the principle of minimisation. |
|
Define the principle of accuracy |
Data controllers must take reasonable measures to ensure that data is accurate and kept up to date. They need to consider the type of data and the purpose to maintain accuracy. When collected for statistical or historical purposes, the controller only needs to maintain the data originally collected. Inaccurate records can be kept provided they don't blur the facts and are used to explain what happened. |
|
Define storage limitation |
The personal data must be kept in a form which permits identification of the DS for no longer than is necessary for the purposes for which the data was collected, i.e. if no longer needed, delete it. Excludes archiving in the public interest, or for scientific, historical or statistical purposes. |
|
Article 5 states that personal data must be processed to ensure appropriate security (integrity and confidentiality). What measures can be used to achieve this? |
The Regulation promotes the use of pseudonymisation and encryption. |
|
What are the conditions of consent from a data subject? |
Consent must be a freely given, specific, informed and unambiguous indication of the DS's wishes, by which a clear affirmative statement or action signifies agreement to the processing relating to him/her. |
|
Define Freely given |
The data subject must have a genuine choice and be able to refuse or withdraw consent. Consent must not be bundled with some other issue like purchasing a service. Obtaining consent to perform a contract is not necessary. |
|
Define the 'legitimate interest' condition |
The processing must be necessary for the purpose; the purpose must be a legitimate interest of the controller or a third party; the legitimate interest cannot be overridden by the DS's interests or fundamental rights and freedoms. Note: excludes public authorities - they cannot rely on legitimate interests; the legislator must decide the legal basis. |
|
What does the Regulation say about documenting the legitimate criterion? |
The criterion must be documented in a privacy notice, where the controller must specify the legal basis for processing and, if relying on legitimate interests, must describe the legitimate interests pursued. |
|
What is important about processing under 'legal obligation and the public interest'? |
Processing must have a legal basis defined in EU or member state law, especially where processing involves freedom of expression, employment, or processing for archiving, scientific, historical or statistical purposes. |
|
Define sensitive data as per Article 9 |
Where the processing reveals 'racial or ethnic origin, political opinion, religious or philosophical beliefs, trade union membership', in addition to prohibiting the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. In some countries criminal convictions are classed as sensitive data. |
|
The processing of sensitive personal data can be by what means? |
Explicit consent; necessary for the purpose and obligations of the controller or DS in the field of employment, social security or social protection; to protect the vital interests of the DS or another person; legitimate activities with appropriate safeguards by a not-for-profit, religious, trade union etc. body; processing data which is made public; establishment, exercise or defence of legal claims; in the substantial public interest; preventative or occupational medicine or assessment of the working capacity of an employee; public health; archiving in the public interest, historical research or statistical purposes. |
|
what data requires a greater level of protection according to Article 10? |
Data on offences and criminal convictions, which can only be processed under the control of an official authority. |
|
If the DC does not require identification of the DS, what are the DCs obligations? |
The DC is not obliged to maintain or process additional information in order to be able to identify a DS where the DC does not intend to identify the DS. |
|
What does the transparency principle dictate? |
The requirement for the controller to be honest and open about the ways in which personal data is used |
|
Where the DS has been informed about the use of their personal data and consent given, what happens if the information given about its use is inaccurate or incomplete? |
Consent will be invalid |
|
Where the DS has been informed about the use of their personal data and the controller considers processing under legitimate interests, what happens if the information given is inaccurate or incomplete? |
The claim of legitimate interests would be difficult to support given misinformation or incomplete details of the processing of personal data |
|
Article 13(1) relates to obligations to a data subject where personal data is collected from a data subject. What must be provided to the data subject? |
The identity and contact details of the controller; contact details of the DPO; purposes and legal basis of processing; the legitimate interests pursued (where LI is relied on); whether it is intended to transfer data to a third country and whether an adequacy decision exists; if on the basis of safeguards, what they are. |
|
Article 13(2) determines that controllers should provide subjects with additional information such as? And why? |
The retention period or the criteria used to determine it; info about the subject's rights, i.e. restriction, rectification, erasure etc.; where processing relies on consent, the right to withdraw consent; the right to lodge a complaint with the SA; whether the provision of data is statutory or contractual; the existence of automated decision making. Why: to ensure processing is fair and transparent. |
|
Article 14(1) concerns the obligation to provide information to the subject where the data has not been obtained from the subject. What needs to be provided to the subject? |
The category of data; the source from which it originated and whether it is publicly accessible (provide general info if public). |
|
Article 14(2) concerns the additional information to be provided - why? |
to ensure that processing is fair and transparent |
|
In what situations would you be expected to provide the additional info under Article 14? |
When the subject exercises their rights, particularly objection; where the processing involves international data transfers; where the controller has a new purpose for processing; where there are 2 or more controllers, they must detail their responsibilities. |
|
Under Articles 13 and 14, when should information be provided to subjects? |
At the time of collection - Article 13; within a reasonable period after obtaining the data - Article 14; and the right to withdraw consent to processing must be detailed before obtaining consent. |
|
What exemptions exist to the obligation to provide info to the DS? |
Where the DS already has this information; where the info is subject to professional secrecy regulated by Union or member state law; if the provision of info is impossible or a disproportionate effort for archiving in the public interest, historical or scientific purposes, provided the safeguards in Article 89 are in place; or if the provision of fair processing information renders impossible or impairs the objectives of the processing. |
|
Under what circumstances can the regulation's obligation to process data in a fair and transparent manner be restricted? |
National security; defence; public safety; investigation, detection or prosecution of criminal offences or ethics; protection of judicial independence; the exercise of official authority in the above matters; other matters of general public interest of the Union; the enforcement of civil law. |
|
Are there any other circumstances were fair processing may not be an obligation? |
Member states can provide exemptions and derogations for the purposes of journalism or academic, artistic or literary expression, as per the right to freedom of expression. |
|
Treaty
|
A formally concluded and ratified agreement between states
|
|
Convention
|
an agreement between states, less formal than a treaty
|
|
Directive
|
an official or authoritative instruction; a form of legislation binding on member states
|
|
Regulation
|
binding on member states without needing to be transposed into national law. Slightly better than a directive
|
|
Declaration
|
a formal or explicit statement or announcement
|
|
Article
|
a series of rules and stipulations
|
|
Recital
|
The background info preceding the stipulations of a regulation. Includes what it is about, the parties to it and why it is important
|
|
Resolution
|
a motion which has been adopted by a deliberative body
|
|
Charter
|
a written grant by legislative power by which a body's rights and privileges are defined
|
|
What is the ePrivacy Directive about? |
The protection of privacy in electronic communications i.e. the use of cookies |
|
What do entities who wish to plant a cookie on a device need to do first? |
Give the user info about the sending and purposes of the cookie; the user, having seen the purpose, must consent before a cookie is placed on their device. |
|
What is the purpose of fair processing notices? |
To inform the data subject of the fair processing and to comply with the transparency aspect of the regulation |
|
Where controllers are providing fair processing information, what should controllers ensure? |
Clear, concise and easy to understand; genuinely informative and meaningful; accurate and up to date; provided in an appropriate manner to suit the audience; not misleading; forward looking but realistic; meets the requirements of the regulation in terms of content and timing. |
|
What factors should be taken into account when controllers consider their fair processing notices? |
The level of info already available; any elements that the DS would find objectionable or unexpected; the consequences of supplying personal info; the nature of the personal data collected; the method by which data are collected. |
|
What are the benefits of a layered fair processing notice? |
They recognise that subjects can only take in a certain amount of data; short privacy notices are easy to understand; layered notices can account for space and time limitations; longer notices attract legal terms and jargon that impair readability. |
|
Define 'just in time' notices |
The data subject is provided with information only at the point that it is relevant to them, i.e. at the point of giving personal data. |
|
What are the Data Subject's Rights? |
PORNPEAR Portability, Objection, Restriction, Notification, Profiling, Erasure, Access, Rectification |
|
How long does the controller have to respond to an access request? |
one month of receipt of the request (can be extended by a further 2 months for specific situations or complex requests) |
|
What should happen if the controller is unable to act on a data subject's request? |
The controller must inform the data subject of the reasons and advise them of the opportunity to lodge a complaint with the regulator. |
|
In providing access to the data subject, what must the controller provide? |
The purpose of processing; categories of personal data; who it has been disclosed to; the period for which it will be stored; the existence of the right to rectification or erasure; the right to lodge a complaint with the SA; the source, where not collected from the DS; the existence of profiling. |
|
What are the exemptions to the RTBF? |
For exercising the right of freedom of expression and information; for compliance with a legal obligation or carried out in the public interest; archiving, scientific, historical or statistical purposes; establishment, exercise or defence of legal claims. |
|
With regards to the RTBF, what if the controller has disclosed personal data to third parties? Are there any exemptions? |
The controller must notify those third parties. The only exemption is where it would be difficult to comply or would require disproportionate effort, i.e. where personal data has been shared online. |
|
What is meant by the right to portability? |
The data subject has the right to receive their own personal data in a structured, commonly used and machine readable format. The controller can be asked to transmit that data to another controller without hindrance |
|
What are the grounds for exercising the right to object to processing? |
Where the DC justifies the basis for processing as legitimate interests. The DS can object and the DC must cease processing unless it can demonstrate compelling legitimate grounds for processing, which must be compelling enough to override the DS's rights and freedoms, i.e. to exercise, establish or defend legal claims. |
|
When must the data subject be informed of the right to object? |
At the latest, at the time of first communication |
|
Article 21(6) relates to data processed for scientific and historical purposes. Does the right to object apply here? |
It does, but only in so far as the processing is not considered necessary for the performance of a task carried out for reasons of public interest. |
|
Are there any restrictions on the data subject's rights? |
Yes, but these are set out by member states. Generally they pertain to safeguarding the interests of national security, defence or public security. |
|
Which articles identify the need for risk assessments? |
Articles 25 and 35: data protection by design and default; data protection impact assessments. |
|
What is the relevance of Article 28(3b) to employees? |
Article 28 determines that employees authorised to process personal data on behalf of the processor are under a statutory obligation of confidentiality, i.e. not to misuse data, not to disclose data and not to make unauthorised copies. |
|
How does Article 28 affect the supply chain? |
The controller is limited to using processors who can provide specific guarantees about all the data protection principles as well as appropriate organisational and technical measures. Article 28 is intended to flow the security principle down to the entire supply chain, including sub-processors. |
|
What happens if the controller is unable to establish proof of the processor's competence with regards to the security of personal data? |
Under Article 28, the controller must walk away from the processor or be in breach of Article 28 themselves. |
|
What happens when a processor deliberately infringes the regulation by determining the purpose of processing? |
Article 28 determines that the processor shall be considered controller for that processing. |
|
Define personal data breach - Article 4 |
a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, transmitted, stored or otherwise processed. |
|
What is important to note about breach notifications to the regulator? Article 33. |
The controller must notify without undue delay and within 72 hours; must keep a record of breaches for the regulator to retrospectively inspect (held in perpetuity); processors must still report to the controller. |
|
What are the exceptions to communicating a data breach to the data subject? Article 34 |
Where the breach does not represent a high risk, i.e. name and email address; where the data is unintelligible, i.e. encrypted; where the disclosure would represent disproportionate effort, i.e. unable to identify all individuals impacted (a press release would be required). |
|
What, in context, constitutes 'high' risk to the rights and freedoms of individuals? |
impact to a large number of individuals or large amount of damage to an individual |
|
Define Privacy by default |
Requires the Data Controller to implement appropriate organisational and technical measures to ensure that, by default, only personal data necessary for each specific purpose of the processing are processed |
|
Define Privacy by design |
Embedding data protection into the design specification for new systems and ongoing operation and management of developments to ensure the entire lifecycle is covered. |
|
What considerations need to be covered to be considered privacy by design and default? |
Organisational and technical measures - the state of the art, cost of implementation, nature, scope, context and purpose of processing as well as risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing |
|
What are Binding Corporate Rules? |
A privacy framework implemented by companies to allow personal data to move freely between the various entities of a corporate group worldwide. They require organisations to demonstrate their compliance with data protection legislation. |
|
How do companies go about drawing up binding corporate rules? |
An application must be made to the Supervisory Authority/DPA, as they have to approve the rules according to the consistency mechanism. |
|
Transfers of personal data outside of the EEA may only take place subject to the conditions of Chapter 5 of the regulation, which are? |
The third country ensures an adequate level of protection as determined by the European Commission; in the absence of an adequate level of protection, the org provides safeguards on condition that enforceable DS rights and effective legal remedies are available; in the absence of adequate protection or safeguards, the personal data must fit one of the special derogations. |
|
Which 2 conditions are not subject to 'data transfer' rules? |
1) Routing of a packet, i.e. email and web pages, which involves random transfers of personal data between the computer and servers anywhere in the world; 2) where travellers are temporarily located in a place that does not support an adequate level of protection, i.e. someone who logs on to their network from an airport outside of the EU. |
|
What must the Commission take into account when considering the adequacy of the level of protection? |
The rule of law; respect for human rights and fundamental freedoms; relevant legislation; public security, defence, national security and criminal law; public authorities' access to data; implementation of legislation; data protection rules; rules for transfers of personal data to a third country; effective and enforceable data subject rights and judicial redress for data subjects; the existence of a supervisory authority in the third country; the legally binding commitments the third country has made in relation to the protection of personal data. |
|
What is the role of the Regulator? |
Promote awareness and understanding of data protection; handle complaints and investigations; support consistent application of GDPR; monitor information and communication technologies and commercial practices. |
|
What are some of the discrete tasks of the regulator? |
Receive and handle complaints from citizens using standardised forms; give guidance on DPIAs, when they should be carried out and when they are not required; develop codes of conduct, certifications, seals and marks; review requests for authorisation of contractual models on a case-by-case basis; keep records of infringements and actions taken; charge costs for unfounded or excessive requests; make public statements about their activities (transparency). |
|
What are the powers of the Regulator? |
Investigatory - access to all necessary evidence including premises, equipment, operational reviews and processing equipment. Corrective - warn controllers about dubious practices and stop business activities where necessary. Authorisation and advisory - setting up codes of conduct, certifications, marks and seals and international transfers of personal data. |
|
Which SA is responsible for an organisation established in multiple territories? |
The one in the location of the main establishment (where the decision making about processing personal data is made). The Lead Authority is required to regulate situations of cross border transfers. Where no cross border transfers take place, the LA rule does not apply. |
|
What is the role of the EDPB? |
The EDPB (successor to WP29) is a consistency mechanism set up to issue opinions under Article 64 and has a long list of tasks under Article 70. DPAs can request opinions subject to a timetabled process. The EDPB is also involved in the dispute resolution process under Article 65 where the lead DPA rejects objections to cross-border processing. |
|
Article 66 allows DPAs to adopt an urgency procedure where there isn't time to pursue cooperation or consistency measures to protect the rights and freedoms of data subjects. What happens under these circumstances? |
DPAs can immediately adopt provisional measures lasting 3 months and have to refer them to other DPAs, the EDPB and the Commission. After 3 months they will lapse unless the DPA requests an urgent opinion, which directs the process to Articles 64 and 65. |
|
Which article covers sanctions and penalties? |
Article 88 |
|
What factors need to be considered before fines can be imposed? |
Fines must be effective, proportionate and dissuasive, and are imposed by DPAs. If there are multiple breaches, each breach must have a quantum assigned to it, as the total cannot exceed the maximum specified for a serious breach. |
|
What do DPAs need to consider when deciding on the fines? |
Nature, gravity and duration of the infringement; whether intentional or negligent; any mitigation taken; the degree of responsibility between controller and processor; previous infringements; cooperation with the SA; the manner of reporting, i.e. self-reported; compliance with previous measures; codes of conduct; any other aggravating or mitigating factor. |
|
As fines are levied for undertakings and non undertakings, what does this actually mean? Article 83 |
An undertaking is defined in EU law as an entity engaged in commercial activity. Public authorities are considered to be non-undertakings. |
|
What is the max fine for undertakings? |
€10 million or 2% of global turnover, per undertaking not per group of undertakings, for breaches of Articles 8, 25-39, 42 and 43; €20 million or 4% of global turnover for breaches of Articles 5-7, 9, 12-22, 44-49 and 58. |
|
Why shouldn't consent be relied on for processing employee data? |
Because consent has to be a specific, freely given, informed and unambiguous indication of the employee's wishes. |
|
What are better legal bases for processing employee data? |
Performance of a contract, legal obligation and legitimate interests of the employer |
|
Some countries restrict the processing of sensitive personal data, i.e. Poland and Portugal. What is the best advice for processing? |
Always check with the supervisory authority guidance for what can be processed |
|
How long should employee data be stored for? |
Whilst the employee is current, the employer has a legitimate reason to retain data. Once the employee leaves, this is governed by local laws and regulations. For employees who have left, their data should be securely archived. |
|
What does the regulation say about employee monitoring? Give an example |
It must be necessary, legitimate, proportionate and transparent. Example: DLP tools. |
|
What should employers do before carrying out employee monitoring? |
A full DPIA if monitoring amounts to a systematic and extensive evaluation of personal aspects based on automated processing, on which decisions are based that significantly affect the individuals. |
|
When is the monitoring of employees considered to be unlawful? |
When it involves the collection of sensitive personal data unless the employer has obtained prior permission from the DPA for covert surveillance |
|
What implications does SOX have in EU data protection? |
US companies with EU subsidiaries are bound by SOX and GDPR. There is a conflict between the two in that SOX allows for whistleblowing and the GDPR limits the use of personal data in these circumstances due to the potential prejudice to individuals. |
|
What is the guidance on anonymous whistleblowing and why shouldn't it be allowed? |
The reporter should actually work with the incriminated person (no hearsay); the scope must be wrongdoing, not bullying or harassment; the identity of the whistleblower should be confidential but not anonymous, because otherwise the incriminated person has no right of reply. |
|
What is the importance of a whistleblowing policy in terms of the GDPR? |
A whistleblowing policy should set out the limitations of individuals' rights (rectification, erasure, restriction and access) where an individual has been incriminated and where notifying an individual may jeopardise the investigation of the wrongdoing. |
|
What is the recommended retention period for whistleblowing reports? |
2 months for substantiated and immediate deletion of unsubstantiated reports. |
|
What does the regulation recommend with regards to BYOD? |
Establish a policy explaining employee responsibilities; be clear that the data belongs to the company; ensure that data transferred to the company's servers is done securely; use an MDM to locate and remotely wipe a device. |
|
Define Surveillance |
Observation of an individual or group of individuals, covertly or openly, in real time or by stored material. |
|
What surveillance activity overrides the data subject's rights? |
Article 23 restrictions act as safeguards to protect states, society and other individuals: national and public security. LEDP Directive. |
|
What is the LEDP Directive about? |
The protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. |
|
Communications surveillance may involve traditional interception of post/calls or high tech internet activity. What are the two types of data used in communications? |
The content of the communication and the metadata. |
|
What data may be contained in metadata? |
Traffic data - type, format, duration, origin and destination, routing, protocol used; location data - latitude, longitude and altitude, cell mast; subscriber data - name, contact and payment information. |
|
CCTV images containing images of people which might be used to identify them may be classed as biometric data. Why? |
Because they may relate to the physiological, physical or behavioural characteristics of a natural person. |
|
What lawful basis would data controllers rely on for processing CCTV images? |
Legitimate interests; consent is unlikely. |
|
When does a DPIA need to be carried out on the use of CCTV? |
If the surveillance is considered to be high risk; systematic monitoring of a publicly accessible area on a large scale; if the SA has put it on the list of operations that require a DPIA. |
|
What should the DPIA detail? |
The processing to be carried out (what); the purposes of processing (why); the legitimate interests; why it is necessary and proportionate to the purposes, e.g. zooming, facial recognition, sound recording; an assessment of the risk to rights and freedoms; measures to address risks, protect personal data and demonstrate compliance with the regulation. |
|
What are some of the other key aspects to be considered when doing a DPIA for CCTV? |
Type and position of camera, zooming, storage, data retention, image freezing, the need to disclose to 3rd parties, combining with other info, surveillance of areas with high privacy expectations, staff training, CCTV policy and compliance. |
|
What are the data subject's rights in relation to CCTV? |
Overt surveillance must still comply with the transparency principle, so signs advising of CCTV monitoring must be clearly visible within the monitored area. |
|
When is biometric data considered to be a special category under Article 9? |
When the purpose for which data is being processed is to uniquely identify a natural person. If it is being used to permit access to a location as part of a large group of identities, then Article 9 does not apply. |
|
What types of LBS should be considered under the GDPR? |
Satellite GPS, including Galileo; cell-based mobile phone network; chip card (payment card) generated. |
|
What two types of marketing messages are not considered direct marketing? |
1) Where they are not directed at individuals (no name); 2) where they give a purely service update (status of order). |
|
What are the rules for direct marketing activities? |
Data controllers must have: a lawful basis for processing; fair processing info; appropriate organisational and technical measures to protect personal data; no export outside of the EEA; satisfy compliance duties. |
|
What does the regulation say about the right to opt out? |
Individuals must be informed of their right; marketers must allow opt out; DCs must honour the opt out in a timely manner and free of charge; personal data must be deleted if not subject to a retention period by law or the exercise/defence of a legal claim; profiling data must be removed. |
|
Where an individual exercises their opt out, what should DCs do? |
Suppress contact, do not delete, in case they are contacted again. Keep a 'preference service'/Robinson list. |
|
Is postal marketing subject to the ePrivacy Directive? |
No, because it is not electronic; it is subject to the DPA. |
|
Is telephone marketing subject to the ePrivacy Directive? |
Yes. There is no specific consent requirement but individuals must have the option to opt out of direct telephone marketing |
|
What does the regulation say about automated calling systems? |
The DC must always get the individual's consent to use automated calling for direct marketing. The UK and Poland require that the caller provide both their identity and contact details. |
|
What does the ePrivacy Directive say about email marketing? |
That DCs must obtain prior, opt in consent from individuals to send them email marketing |
|
What is the opt out exception under the ePrivacy Directive? |
DCs can send email marketing on an opt out basis where: they have obtained the individual's contact details in the context of a sale (varies between member states; some require a sale, some allow pre-sales activity); they send mail about their own similar products or services; they offer opt out in a simple and free-of-charge way. |
|
What is important about OBA and the Regulation? |
The regulation counts data collected for OBA purposes as personal data and, secondly, considers it 'profiling' in order to predict what users might want to buy. Tracking cookies enable users to be singled out because they collect the IP address and other info, i.e. browser info etc. |
|
Cookies - is consent required for them? |
According to Article 5(3), yes, provided that the user has been given clear and comprehensive information. |
|
How does a foreign company relate to the Regulation? |
Where processing relates to the EU establishment of the controller, or the goods and services are targeted at EU individuals, the Regulation applies. An American company with a Hungarian website, bank account, office and representatives will be deemed to be a data controller established in the EU and must comply with GDPR. |
|
What about cloud computing in terms of the regulation? |
Where a company is subject to EU data protection laws and engages a cloud service provider, the service provider must also comply with data protection obligations. |
|
So what are the considerations for cloud service provider processors? |
Mainly as processors, they must consider the purpose of processing, nature, duration, type of personal data, confidentiality, appropriate organisational and technical measures to protect data, that data can be returned or deleted when the contract expires, and allowing for audit. |
|
What about transfers of data outside of the EEA from the cloud computing perspective? |
Controllers could ask providers to geographically limit processing to the EEA, choose Privacy Shield certified US suppliers, use EC Standard Contractual Clauses (inflexible), tailored transfer agreements, binding corporate rules, codes of conduct and certification (i.e. for cloud service providers), or rely upon a derogation under Article 49. |
|
When do cookies constitute personal data? |
It depends where you are in the EU; they are treated differently. In the UK, where cookies are intended to link a profile to an individual then they are counted as personal data. Where cookies are delivered not to take other data or to send online targeted advertising, then they are not personal data. |
|
What about static IP addresses? Personal data? |
The regulation concludes that where a static IP address is used to construct a profile of a user then this is classed as personal data. Where collected from cookies, the collection and analysis amount to processing and are classed as personal data. |
|
What data tends to be collected by search engines in relation to personal data? |
User IP address, Cookies to personalise and improve services, user log files - requests made by a user to a server, third party web pages (browsing history). |
|
What specific data protection issues do search engines face? |
Data retention, correlation and further processing for different purposes: where they link data from other sources, this may be regarded as unlawful processing as the user is not informed. They also have an issue with upholding the data subject's rights, i.e. to be forgotten, erasure etc. |
|
In the case of Social networking sites, who is the data controller? |
The Social Networking Service (SNS) itself, as in providing the communications platform, the enablement of publication and exchange of data and the targeted advertising, it determines the purposes and means of processing. |
|
What are the 6 principles of Article 5? |
Lawfulness of processing; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality. |