Chapter 6 (Data Processing Principles)

Question 1

What are the 6 data protection principles listed in Article 5 of the GDPR?

Answer 1

1. Lawfulness, fairness, and transparency
2. Purpose limitation
3. Data minimization
4. Accuracy
5. Storage limitation
6. Integrity and Confidentiality

Question 2

What does the concept of lawfulness re data processing mean within the context of the GDPR?

Answer 2

Personal data must only be processed when data controllers have a legal ground for processing the data.

Question 3

What are the 6 legal grounds for processing data under the GDPR?

Answer 3

1. Consent from data subject
2. Contract Performance: including steps requested by data subject prior to entering contract
3. Legal obligation
4. Vital interest of individuals: re data subject or another natural person
5. Public interest
6. Legitimate interest: of the controller or by a third party

Question 4

Can the legal ground of legitimate interest be overridden?

Answer 4

Yes, by the interests or fundamental rights and freedoms of data subject which require protection of personal data, in particular where the data subject is a child.

Question 5

Can the legitimate interest legal ground apply to processing carried out by public authorities in the performance of their tasks?

Answer 5

No.

Question 6

Does the GDPR grant member states the right to determine more specific legal requirements to ensure lawful and fair processing of personal data in specific processing situations? What are the processing situations?

Answer 6

Yes.

1. In relation to employer-employee relationships
2. To define age of minors
3. To protect genetic or biometric data
4. Statistical, historical, or scientific purposes

Question 7

What does the concept of fairness re data processing mean within the context of the GDPR?

Answer 7

That data subjects must be aware of the fact that their personal data will be processed, including how the data will be collected, kept, and used.

Question 8

What does the concept of transparency re data processing mean within the context of the GDPR?

Answer 8

Means a controller must be open and clear towards data subjects when processing personal data and provide info in a timely manner.

Question 9

Does the GDPR exempt data controllers from the duty to inform in cases when the data were obtained directly from the data subject?

Answer 9

Yes.

Question 10

The GDPR frees data controllers from the obligation to provide info when personal data are collected from other sources in what 3 cases?

Answer 10

1. When providing the info will involve disproportionate effort or can be considered impossible.
2. To protect the data subject’s legit interest, in which case, the disclosure is expressly governed by applicable law.
3. To preserve the confidentiality of the info, also regulated by the laws to which the data controller is subject.

Question 11

In order to provide clear and easily accessible info what must controllers consider?

Answer 11

1. The most convenient tools or methods to make info available to data subjects
2. The type of data to be processed
3. The manner in which the personal data will be collected
4. Whether the info is obtained directly from the data subject or from another source

Question 12

Does the GDPR promote the use of visual and standardized icons or symbols as alternative means to inform individuals in a concise and clear way?

Answer 12

Yes.

Question 13

What does the concept of purpose limitation re data processing mean within the context of the GDPR?

Answer 13

Means that data controllers must only collect and process personal data compatible with specified, explicit, and legit purposes.

Question 14

May a controller process personal data beyond its explicitly stated purpose(s)?

Answer 14

Only if further processing is considered compatible with the purpose for which the personal data was originally collected.

Question 15

What are the 5 things a controller should consider when assessing whether the further processing is compatible with the original purpose(s)?

Answer 15

1. Any link b/w those purposes and the purposes of the intended further processing
2. The context in which the personal data has been collected, in particular the reasonable expectations of data subjects based on their relationship with the controller as to their further use.
3. The nature of the personal data
4. The consequences of the intended further processing of data subjects
5. The existence of appropriate safeguards in both the original and intended further processing operations.

Question 16

When a controller’s secondary purpose is incompatible with the original one the controller is required to do what?

Answer 16

1. Properly inform the data subjects
2. And, either obtain separate consent in relation to the new purpose or satisfy one of the other available legal criteria to justify the processing

Question 17

What does the concept of data minimization re data processing mean within the context of the GDPR?

Answer 17

Means data controllers must only collect and process personal data that are relevant, necessary, and adequate to accomplish the purposes for which it is processed.

Question 18

What 2 concepts apply in order to implement data minimization?

Answer 18

1. Necessity
2. Proportionality

Question 19

How can controllers comply with the GDPR’s accuracy principle?

Answer 19

A controller must:
1. Implement reasonable measures to ensure data are collected from reliable sources
2. Take necessary care to ensure the data preserves its accuracy during the process of integrating and combining sets of personal data from multiple sources
3. Updating info when necessary

Question 20

What are the implications of the GDPR’s storage limitation?

Answer 20

Means personal data must not be kept for longer than necessary for the purposes for which the personal data is processed.

Question 21

How can controllers satisfy its duties under the GDPR’s storage limitation principle?

Answer 21

By defining a data retention policy.

Question 22

What does the concept of integrity and confidentiality re data processing mean within the context of the GDPR?

Answer 22

That personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destructions, or damage using appropriate technical or organizational measures.