GDPR
Who can complain, and who can receive compensation?
A data subject has the right to complain. Any person that has suffered material or non-material damage has the right to receive compensation from the controller or processor for the damage suffered.
What is the Lindqvist case about?
Lindqivst made a website with personal information and a Swedish church linked to it. She mentioned on the website that a co-worker had broken her food. She therefore processed sensitive personal data with no legitimate basis. Furthermore, the decision concluded that putting data online on a website does not constitute transfer of data to a third country.
Give an example of a situation where the GDPR does not apply.
1. An activity which falls outside the scope of EU law 2. Common foreign and security policy 3. A natural person in the course of a purely personal or household activity 4. By competent authorities for the purpose of crime 5. Article 85 regarding journalistic purposes. 6. Anonymized data
What are the fundamental principles of GDPR? (Article 5)
1. Lawfullness, fairness, transparency 2. Purpose limitation 3. Data minimization 4. Accuracy 5. Stoarge limitation 6. Integrity and confidentiality (7. Accountability)
When did GDPR enter into force?
24 May 2018
Explain the google spain case in the light of the right to erasure.
A Spanish resident sought the deletion of information in a Spanish newspaper and on Google's search engine. When his named was googled articles about him articles about him defaulting on social security debt would show up and how his house was put up for foreclosure. CJEU found that since this is 16 years ago and the sensitivity of the matter it should be removed on google. It should be clear that a right of erasure of information that is not inaccurate requires a complex weighing of interest, taking into consideration both the data subject's right to privacy versus the data processor's interest in legitimate processing, and the public's interest in the data in question taking into account he freedom of expression and freedom of information. It should be clear that the 'right to be forgotten' is not an absolute right that the data subject can exercise based solely on his subjective preferences.
What is a GAP analysis?
A company first determines how an ideal compliant system would look like based on a set of questions. Afterwards, they map how their system is currently set up based on the same questions. Comparing the two sets of answers it will be apparent where they will need to improve to be compliant.
What does the European Data Protection Board do?
Advice, legally binding decisions, issue guidelines, recommendation and best practices
Who is the data subject?
An identified or identifiable natural person to whom information relates.
What is the supervisory authority?
An independent public authority which is established by a member state
What does article 85 in the GDPR say?
Balances the freedom of speech with GDPR and makes academics, art and literary expression to some extend exempted from GDPR.
What is the balancing test?
Balancing the legitimate interests of the controller with the interest or fundamental rights of the data subject. The conclusion of the test should be whether the interest are overridden by the interest or fundamental rights and freedoms of the data subject
What is a privacy notice?
Based on the record of processing relevant privacy notices must be developed to inform correctly the data privacy subject of the processing taking place and their rights as laid out in article 13 and 14.
Why were British Airways fined?
Because of a data breach where the supervisory authority found that BA could have had measures in place to mitigate the risk of a data breach such as: · Limiting access to application, data and tools to only that which are required to fulful a user's role · Undertaking rigorous testing, in the form of simulating a cyber-attack on the business' systems · Protecting employee and third party accounts with multi factor authentication
What can a DPO do, and what can he/her not do?
Can: Inform and advise on obligations Monitor compliance Cannot: Inform and advise on solutions Design and operations of solutions Performing processes and controls
What is a code of conduct?
Codes can act as a mechanism to demonstrate compliance with GDPR. To ensure that the codes of conduct comply with the rules established in the GDPR it must be submitted to the competent supervisory authority before being adopted.
Why was Fashion ID and Facebook deemed to be joint data controllers in the Fashion ID case?
Fashion ID: Collected the data by having it on their website. Facebook: Determined the purpose and means for the processing of the data.
According to the unfair commercial practices directive, when is a company conducting unfair business?
For a commercial practices to be unfair following must be true: It is contrary to the requirements of professional diligence and It materially distorts or is likely to materially distort the economic behavior with regard to the product of the average consumer Annex I contains a list of 31 commercial blacklisted practices that shall apply in all members state. To deem if a commercial practice is lawful following steps must be taken: 1. Consult the blacklist 2. Consider whether the practice is misleading and/or aggressive (would the consumer have taken a different transactional decision that he would not have taken otherwise) 3. Consider whether the practice is otherwise contrary to the requirements of professional diligence
Consent must be......
Freely given, specific, informed and unambiguous
Is it legal to use an automated calling and communication system for marketing purposes?
Generally no, but Email: When consent has been given or when a trader wants to promote similar products to a customer who has given them his/her details. Other: No, but depended on national law. In DK it is e.g. legal to use direct marketing to sell union membership.
What is a adequacy decision?
If the European Commission has made a decision which finds that the third country ensure an adequate level of protection. Adequate level of protection = Requires the third country to ensure a level of protection of fundamental rights and freedoms that is essentially equivalent to the guarantees ensured by the law in the EU These countries are: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay.
When does the GDPR apply?
In the processing of personal data wholly or partly by automated means and the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system
What is binding corporate rules in the context of data transfer to a third country?
Internal rules for data transfer within multinational companies and are governed by a code of conduct.
What is appropriate safeguards in the context of data transfer to a third country?
It can be: - Legally Binding and enforceable instrument between public authorities or bodies - Standard data protection clauses adopted by the commission - Standard data protection clauses adopted by a supervisory authority - An approved code of conduct pursuant together with binding and enforceable commitments of the data controller or data processor - An approved certification mechanism
Other than the demise of EN-US privacy shield what was the outcome of Schrems 2?
It was decided that when using standard contractual clauses as basis for transferring data to a third party country the data controller or processor must ensure essentially equivalence (with the EU) in all transfers. This is also the case for binding corporate rules.
What is the right to erasure?
Known as the right to be forgotten. The right to have your data deleted.
What is the usual legitimate basis used for marketing activities?
Legitimate basis will normally be consent or balancing test for marketing purposes. Recital 47: The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest. Direct marketing usually requires consent, but can be changed in national law.
Does joint data controllers necessarily have to have the same amount of responsibilities?
Nah, they need to transparently determine their responsibilities for compliance.
Mention specific circumstances where a Data Protection Impact Assessment (DPIA) must be carried out.
Processing meeting the two criteria from this list would require a DPIA: · Evaluation or Scoring (e.g. KYC, AML) · Automated decision making with legal effect · Systematic monitoring: Processing used to observe, monitor or control data subject · Sensitive data or data of highly personal nature · Personal data processed on a larger scale · Matching or combining datasets · Data concerning vulnerable data subjects · Innovative use or applying new technological or organizational solution · When processing in itself prevents data subjects from exercising a right or service or a contract
What is the purpose of recitals?
Recitals provide the reasons for the main provisions and is used to understand the background/purpose of the law.
Is GDPR primary or secondary legislation?
Secondary, and should be understood in the light of charter of fundamental rights.
Mention a element that records of processing activites must contain.
See Jacob note's haha, page 18
Why was Wirtschaftakademie Schleswig-Holsten deemed to be a joint data controller with Facebook?
Since they could determine the purpose and means of the processing of personal data by getting e.g. demographic information about their followers.
What is the Tele 2 Sverige case about?
Tele 2 was processing a bunch of data and the data retention directive was invalidated. The main conclusion is that the E-privacy directive precludes national law.
What is Max Schrems general compliant against Safe Habour and the EN-US Privacy Shield?
That the laws of the US, regarding NSA (Snowden stuff), is against the fundamental rights and freedoms of the EU citizens. Snowden stuff = US can see data without "lovhjemmel"
What is the right to object?
The GDPR gives individuals the right to object to the processing of their personal data in certain circumstances: E.g. · A task carried out in the public interest · The exercise of official authority vested in you · Your legitimate interests
What is the right to rectification?
The GDPR includes a right for individuals to have inaccurate personal data rectified or completed if it is incomplete. Personal data is inaccurate if it is incorrect or misleading as to any matter of fact.
What is an imperative exercise when using legitimate interest as legal basis?
The balancing test
What/who governs the relationships between the data controller and the data processor?
The contract
What is security by design?
The data controller and data processor must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (article 32).
What is a data processor?
The data processor is a natural or legal body which processes personal data on behalf of the data.
What is the right to access?
The data subject has to right to obtain confirmation from the controller as too whether or not personal data concerning him or her are being processed and where that is the case access to the personal data and more.
What does the right to information entail?
The data subject must be aware of the processing taking place, what the processing entails and of his rights.
What is a data controller?
The one who determines the purposes and means of the processing of personal data.
What is data protection by design?
The principles entail that the data processor must implement appropriate technical and organizational measures that are designed to implement data-protection principles such as data minimization
What is data protection by default?
The principles entail that the data processor must implement appropriate technical and organizational measures that ensures that by default only personal data which are necessary for each specific purpose of the processing are processed.
What is the right to data portability?
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services however only when: · Your lawful basis for processing this information is consent or for performance of a contract · You are carrying out the processing by automated means
What is explicit consent?
The term explicit refers to the way consent is expressed by the data subject. It means that the data subject must give an express statement of consent.
Jehovan Todistajat case: Why are they not compliant with the GDPR?
They are using a filing system (which is processing of data) containing personal data which they have no legitimate basis to process.
What is the purpose of the GDPR?
To protect the fundamental rights and freedoms of natural persons with regard to the processing of personal data as well as the free movement of personal data.
When can transfer to third countries be made?
Upon: - Adequacy decision - Appropriate safeguards - Binding corporate rules - Derogations for specific situations
When is a Data Protection Impact Assessment (DPIA) required?
When a type of processing is likely to result in a high risk to personal data and the data subject, the data controller shall prior to the processing carry out a data privacy impact assessment (DPIA) focusing on the impact of the envisaged processing. When deciding on the risk both likelihood and the severity of any impact on individuals should be taken into account from: · What type of personal data will be used: sensitive, confidential or ordinary · How the personal data will be used i.e. by whom and how including IT-system, processes, suppliers, employees, profiling, combining data sets, marketing etc · Where the personal data will be used i.e. within the EU or outside the EU If it is decided that there is not at high risk the DPIA does not have to be carried out.
What does data minimization mean?
o Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. o Personal data should be processed only if the purpose of the processing could not by fulfilled by other means
Mention three legitimate bases for processing (normal) personal data.
· 1a. Consent · 1b. Performance of a contract · 1c. Compliance with legal obligation · 1d. To protect the vital interests of the data subject · 1e. Performance of a task carried out in the public interest or in the exercise of the official authority. · 1f. Legitimate interest.
Does a student have the right to receive his/her answers to an exam?
Yes, this was determined in the case of Peter Nowak.
What is the main point of the Planet 49 case?
A pre-checked box for cookies does not offer legal consent under the GDPR and the eprivacy directive.
What is personal data?
Any information relating to an identifiable/identified natural person
Does the GDPR apply to a webshop from the US?
For controllers and processors not established in the European Union the regulation applies to the processing of personal data or data subjects who are in the European Union if the processing activites are related to : · The offering of good or services · The monitoring of the data subjects In the case they have to be targeting EU citizens, otherwise GDPR does not apply.
Explain the context of the Smaranda Bara case and the judicial repercussions:
Ms Smaranda Bara and numerous other Romanian citizens are self-employed workers. The Romanian tax authority transferred data relating to their declared income to the National Health Insurance Fund, which then required the payment of arrears of contributions to the health insurance regime. In short: There was a transfer between to administrative organisation without the data subjects being informed. Repercussions: EU law precludes the transfer and processing of personal data between two public administrative bodies without the persons concerned (data subjects) having been informed in advance.
What does accountability mean?
Requires data controllers and data processors to actively and continuously implement measures to promote and safeguard compliance with the principles relating to processing of personal data. The data controllers and processors must be able to demonstrate compliance with the principles.
Can two data controllers (within the EEA) transfer personal data to each other without being joint data controllers?
Yes but they need legal basis for the processing and transferring.
Can a data processor use a sub data processor?
Yes, but they need to advise the contract with the data controller and at least get authorization from the controller.
What are derogations for specific situations in the context of data transfer to a third country?
a. If the data subject has explicitly consented to the proposed transfer after having been informed of the possible risks of such transfer. b. The transfer is necessary for the performance of a contract between the data subject and the controller c. The transfer is necessary for the conclusion of performance of a contract d. A transfer that only takes place non repetitively and only concerns a limited number of data subjects
Name two items the contract between data controller and processor must contain.
see jacobs notes page 29
When might legitimate interest be used as legal basis?
· Exercise of the right to freedom of expression or information · Conventional direct marketing and other forms of marketing · Unsolicited non-commercial messages · Enforcement of legal claims including debt collection · Prevention of fraud, · Employee monitoring for safety or management purposes · Whistle-blowing schemes · Physical security · Processing for historical, scientific or statistical purposes · Processing for research purposes From WP
Mention three legal bases that can be used to process sensitive personal data.
· Explicit consent · Employment and social security and social protection law · Protection of a vital interest · Processing by a foundation, association or any other not for profit body with a political, philosophical, religious or trade union aim. · Manifestly made public · Legal claims · Public interest · Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services
What must a Data Protection Impact Assessment (DPIA) contain?
· Nature, scope, context and purposes of the processing · Necessity, proportionality and relevance · Identification and assessment of risks to data subjects · Identification of any additional measures to mitigate those risks
Mention three types of sensitive personal data.
· Racial or ethnic origin · Political opinion · Religious or philosophical beliefs · Trade union memberships · Genetic data · Biometric data · Data concerning health · Data concerning a natural person's sex life or sexual orientation
Mention three categories of information required when providing an information society service? (e-commerce directive)
· The name of the service provider · The geographic address · The details of the service provider, which includes email · Where the service provider is registered in a trade register or similar public register, the name of the trade register in which the service provider is entered and his registration number · Where the activity is subject to authorization and the details of the relevant supervisory authority · Where the service producer is subject to VAT, and the VAT number
In which cases does the data subject have the right to erasure?
· The personal data is no longer necessary for the purpose which you originally collected or processed for · You are relying on consent as your lawful basis and the individual withdraws consent · you are relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing · you are processing the personal data for direct marketing purposes and the individual objects to that processing · you have processed the personal data unlawfully (ie in breach of the lawfulness requirement of the 1st principle) · you have to do it to comply with a legal obligation · you have processed the personal data to offer information society services to a child
Name some technical and organizational measures that can be taken to increase security.
· The pseudonymization and encryption of personal data · The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services · The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident · A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing