Data protection terminology Flashcards

(12 cards)

1
Q

Data protection terminology
- PERSONAL DATA

A

(Art. 4 No. 1 GDPR)

  • Data are personal data if they relate to an identified or identifiable person,
    → the ‘data subject’.
  • Data subjects, according to the GDPR, are only NATURAL PERSONS (= individuals)
2
Q

Data protection terminology
- NATURE OF THE DATA

A

Any kind of information can be personal data provided that it relates to an identified or identifiable person.

3
Q

Data protection terminology
- ANONYMIZATION

A

The process of anonymizing data means that:
- all identifying elements are eliminated from a set of personal data so that the data subject is no longer identifiable;
- the removal of the link to the natural person must not be reversible.

4
Q

Data protection terminology
- PSEUDONYMIZATION

A

(Art. 4 No. 5 GDPR)

Pseudonymization is a technical measure
- by which personal data cannot be attributed to the data subject without additional information, which is kept separately.
- The ‘key’ that enables re-identification of the data subjects must be kept separate and secure.
- Data that have undergone a pseudonymization process remain personal data.

The link between the data and the natural person to whom they refer is still present, but it is hidden (without the ‘key’ the natural person cannot be identified).

5
Q

Data protection terminology
- SPECIAL CATEGORIES OF PERSONAL DATA

A

Under EU law,
→ there are special categories of personal data which may pose a risk to the data subjects when processed and need enhanced protection.

Within the framework of the GDPR (Article 9), the following categories are considered sensitive data:

  • personal data revealing racial or ethnic origin;
  • personal data revealing political opinions, religious or other beliefs, including philosophical beliefs;
  • personal data revealing trade union membership;
  • genetic data and biometric data processed for the purpose of identifying a person;
  • personal data concerning health, sexual life or sexual orientation.

GENERAL PROHIBITION TO PROCESS SUCH DATA (Art. 9 para. 1) + some exceptions (Art. 9 para. 2)

6
Q

Data protection terminology
- SPECIAL CATEGORIES OF PERSONAL DATA (EXCEPTIONS)

A

  • Personal data relating to criminal convictions and offences (Art. 10 GDPR)

Such data may be processed only

  • Under the control of the public authority
    OR
  • when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects (Directive 2016/680/EU).

Any comprehensive register of criminal convictions shall be kept only under the control of official authority.

7
Q

Data protection terminology
- DATA PROCESSING

A

(Art. 4 No. 2 GDPR)
The concept of personal data processing is comprehensive under EU law:
“‘processing of personal data’ […] shall mean any operation […] such as:
- collection,
- recording,
- organization,
- structuring,
- storage,
- adaptation or alteration,
- retrieval,
- consultation,
- use,
- disclosure by transmission,
- dissemination or otherwise making available,
- alignment or combination,
- restriction,
- erasure or destruction” of personal data

  • ‘Data processing’ concerns any operation performed on personal data.
  • The term ‘processing’ covers automated and non-automated (manual) processing.
  • Under EU law, ‘processing’ also refers to manual processing in structured filing systems.
  • The processing of personal data may fall outside the scope of the GDPR if one of the exceptions in Art. 2(2) is met (e.g. the processing by a natural person in the course of a purely personal or household activity: point c).
8
Q

Data protection terminology
- CONTROLLER

A

(Art. 4 No. 7 GDPR)

Whoever determines the means and purposes of processing the personal data of others is a ‘controller’ under data protection law;

→ if several persons take this decision together, they may be ‘joint controllers’.

9
Q

Data protection terminology
- JOINT CONTROLLERSHIP

A

(Art. 26 GDPR)
The GDPR provides that where two or more controllers jointly determine the purpose and means of processing, they are considered joint controllers.

Joint controllers must determine:
- their respective responsibilities for compliance with the obligations under the regulation in a specific agreement.
- «The essence of the arrangement shall be made available to the data subject» (Art. 26, para 2, GDPR).

Joint controllership leads to joint responsibility for a processing activity.
- This means that each controller or processor can be held fully liable for the entire damage caused by processing under joint controllership, to ensure that the data subject is effectively compensated.

10
Q

Data protection terminology
- PROCESSOR

A

(Art. 4 No. 8 GDPR)
A ‘processor’ is a natural or legal person that processes personal data on behalf of a controller.

→ A processor becomes a controller if it determines the means and purposes of data processing itself.

→ If a processor does not respect the conditions for data processing as prescribed by the controller, the processor will have become a controller at least to the extent of the breach of the controller’s instructions.
- This will most likely make the processor a controller who acts unlawfully.
- The initial controller will have to explain how it was possible for the processor to breach its mandate.

→ The processor must keep records of all categories of processing activities it carries out on behalf of the controller.

→ Processors can delegate certain tasks to additional sub-processors.

→ The initial processor remains fully liable to the controller where a sub-processor fails to fulfil its data protection obligations.

11
Q

Data protection terminology
- PROCESSOR
(Processor and controller)

A

→ The details of the relationship between a controller and a processor must be recorded in a written contract.
The contract must include:
- the subject matter,
- nature,
- purpose and
- duration of the processing,
- the type of personal data and
- the categories of data subjects.
- the controller’s and the processor’s obligations and rights, such as requirements regarding confidentiality and security.

→ Controllers and processors also have the possibility of adhering to:
- an approved code of conduct or
- a certification mechanism
to demonstrate their compliance with the GDPR requirements.

→ Appropriate contractual stipulations must be established between the controller and the processor, including:
- whether the controller’s authorization is necessary in every single case or
- whether informing alone is sufficient.

12
Q

Data protection terminology
- RECIPIENTS AND THIRD PARTIES

A

(Art. 4, No. 9 and No. 10, GDPR)
Any person to whom personal data are disclosed is a ‘recipient’.

→ A ‘third party’ is a natural or legal person other than:
- the data subject,
- the controller,
- the processor and
- persons who are authorised to process personal data under the direct authority of the controller or processor.

→ The employees of a controller or processor may be recipients of personal data without further legal requirement if they are involved in the processing operations of the controller or processor.

→ A third party, being separate from the controller or processor, is not authorized to use the personal data a controller processes, unless on specific legal grounds in a specific case.
