Chapter 6 Data processing principles Flashcards
What are the DP principles under GDPR?
Lawfulness, Fairness, Transparency
Data minimisation
Purpose limitation
Storage limitation
Accuracy
Integrity & Confidentiality
Accountability
Duty of controllers to demonstrate compliance with the principles
Explain the meaning of Lawfulness, Fairness, Transparency
Legal ground for processing must exist
to the extent the processing is carried out in a fair and transparent manner towards the DS
What does it mean for the controllers to have a legal ground for processing?
Processing must be allowed by and carried out within the limits of the applicable laws depending on the particular case (DP, employment, health, tax…)
What are legal grounds for processing under GDPR?
Consent - specific purposes
Contract performance - DS is the party to the contract or steps taken upon request of the DS prior to entering into the contract
Legal obligation - compliance with a legal obligation to which the C is subject
Vital interests of the individuals - to protect vital interests of the DS or another natural person
Public interest - performance of a task carried out in public interest or in the exercise of official authority vested in the controller
Legitimate interest - pursued by the controller or a third party; except where such interests are overridden by the INTERESTS OR FUNDAMENTAL RIGHTS OR FREEDOMS OF A DS THAT REQUIRE PROTECTION OF PD (especially children).
Public authorities cannot rely on legitimate interests when performing their task!
Do MS have the right to determine more specific legal requirements to ensure lawful and fair processing of PD in specific processing situations?
Yes, in relation to employer-employee relationship, to define the age of minors, to protect genetic or biometric data; for statistical, historical or scientific purposes
What is the idea behind the fairness principle?
DS must be aware of the fact that their PD will be processed, how PD will be collected, stored and used to allow them to make an informed decision about whether they agree with processing and can exercise their rights - Exception in case the processing is permitted by law and is deemed fair regardless of DS’s knowledge or preference (e.g. the employer provides details of DS’s salary to tax authorities)
How does processing affect DS:
- unjustified negative impact - unfair processing (travel agency increases price based on the DS’s preferences extracted from the cookies)
- justified negative impact - fair processing (processing by the police leads to the fine for speeding)
What is the meaning of the transparency principle?
C must be clear towards DS when processing their data
Inform DS of how their PD is processed
GDPR prescribes minimum information depending on if the information is collected directly from the DS or other sources
When is the C free from the obligation to provide information to DS?
1) data is obtained directly from the DS who is already aware of the information
2) data is obtained from other sources:
- disproportionate effort or is considered impossible
- protect DS’s legitimate interests, disclosure is directly governed by applicable law
- preserve confidentiality of the information regulated by laws to which C is subject
When must the information be provided?
Data collected from the DS - at the time of collection
Other sources - different periods
What are the requirements for the information?
clear, concise and easy to understand
easily accessible
Explain purpose limitation
C must only collect and process PD to accomplish specified, explicit and legitimate purposes and are not allowed to process PD beyond such purposes unless secondary processing is compatible with the original processing
When is the secondary processing lawful?
compatible with the original purpose for which the data was collected
- statistical purposes, public interest, or scientific or historical research purposes is considered compatible if it takes place WITHIN THE LIMITS SET OUT BY THE EU OR MEMBER STATE’S LAW THAT GOVERNS PARTICULAR PROCESSING
- in other cases the C must make assessment:
- - link between original and secondary purposes
- - context in which PD was collected and what are DS’s reasonable expectations based on their relationship with the C
- - nature of PD
- - consequences of the further processing for DSs
- - existence of appropriate safeguards for original and secondary processing
ALL CONDITIONS MUST BE MET!
IF COMPATIBLE - NO OTHER LEGAL BASIS SEPARATE FROM THE ORIGINAL WILL BE REQUIRED
IF INCOMPATIBLE - A SEPARATE LEGAL GROUND WILL BE REQUIRED. C WILL HAVE TO INFORM THE DS AND EITHER (1) OBTAIN CONSENT OR (2) SATISFY OTHER AVAILABLE LEGAL CRITERIA TO JUSTIFY THE PROCESSING
Explain data minimisation
relevant, necessary and adequate to accomplish the purposes for which it is processed
What are 2 principles in connection to data minimisation?
NECESSITY
must be suitable and reasonable to accomplish the specific purposes
suitable - of a nature necessary to attain the purpose
adequate - the nature and the amount are proportionate in relation to the purpose
Anonymous or anonymised (stripped of all unique identifiers) data
PROPORTIONALITY - is the amount of data adequate in relation to the purpose
adverse impact of the means of processing - are there alternative means with less intrusive processing (e.g. use of other means of verification instead of fingerprint recognition)
Explain accuracy
C must take reasonable measures to ensure the data are accurate and where necessary kept up to date.
Data collection process - implement processes to prevent inaccuracies (i.e. verifying data are accurate, complete and not misleading). Verify the authenticity and reliability of the source.
Additional steps if potential inaccuracy could have adverse implication for the individual.
Ongoing data processing: in relation to the specific use; the C must consider type of data and the specific purpose to maintain the accuracy of PD in relation to the purpose
Data from multiple sources
Updating the information, depending on the specific purpose
DSRs to correct records - must be responded to!