Datafication 1

Question 1

Primary law - definition

Answer 1

= constitution prescribing limits & procedures (for secondary law)
= operating system on which secondary law runs

Question 2

Primary law - examples

Answer 2

• Treaty on the EU (TEU)
• Treaty on the Functioning of the EU (TFEU)
• The Charter of Fundamental Rights of EU
• General principles of Union law, e.g. those reflected through case law

Question 3

Secondary law - definition

Answer 3

= written laws
implementation & direct effect

Question 4

Secondary law - examples

Answer 4

1. International agreements
2. Legislation:
   - Regulations (GDPR)
   - Directives
   - Decisions

Question 5

Art. 288 TFEU: secondary law instruments

Answer 5

Regulation, Directive, Decision, Recommendation & Opinions

Question 6

Regulation

Answer 6

• general application
• binding
• directly applicable (in all Member States)

Art. 288 TFEU: secondary law instruments

Question 7

Directive

Answer 7

• binding in result (for each Member State)
• form & method chosen by national authorities

Art. 288 TFEU: secondary law instruments

Question 8

Decision

Answer 8

• binding
• if specifies to whom it is addressed, only binding on them

Art. 288 TFEU: secondary law instruments

Question 9

Recommendation & Opinions

Answer 9

• not binding

Art. 288 TFEU: secondary law instruments

Question 10

Privacy

Answer 10

Claim of individuals, groups, or institutions to determine when, how and to what extent information about them is communicated to others

fundamental right, but not absolute: matter of balancing legitimate interests incl.
- a) public e.g. national security,
- b) other laws &
- c) fundamental rights (necessary in democracy) e.g. freedom of expression &right to information (uncover an affair)

Question 11

Charter of Fundamental Rights of EU

Answer 11

summary of all fundamental rights decided in EU

Question 12

Rights included in Charter of Fundamental Rights of EU related to GDPR

Answer 12

Article 7: Right to respect for a private & family life, home & communications

Article 8: Right of…
- protection of personal data,
- fair processing for specified purposes & on basis of consent or other legitimate basis,
- access to data,
- rectification (control by independent authority)

Question 13

Value of Personal Data

Answer 13

• Personal data = value only if used
• Advertisement = paying for service of consumer (with money), consumer as product fort hem
• Consumer = paying with attention & agency (personal data = abstract, no friction, re-usable)

Question 14

GDPR: relation to Member states & general characteristics

Answer 14

• since 2016 (in force 2018, replaced Data Protection Directive)
• Regulation: general application, binding & directly applicable (in all Member States)
• in Member States: sector regulation in defined areas (e.g. employment law)
• Principle of Priority: GDPR over conflicting national legislation (incl. sector regu.)
• Delegated Acts: EU Commission & EU Data Protection Board adopt delegated & implementing acts in certain areas

Question 15

Pro GDPR

Answer 15

• strengthen individuals fundamental rights
• clarifying rules for companies
• reduce administrative burdens
• eliminate fragmentation in national systems

Question 16

Con GDPR

Answer 16

• compliance complicated & costly
• cookies e.g. people don’t read

Question 17

Principals of GDPR

Answer 17

6 Principals:
- Legitimacy
- Transparency
- Security
- Accountability
- Empowerment
- Proportionality

Question 18

Principal of GDPR: Legitimacy

Answer 18

data controller must pursue a legitimate purpose (considering interest of data subjects, 3rd parties & public) in a fair & careful manner

Question 19

Principal of GDPR: Transparency

Answer 19

data subject must have information about data controller & processing; be able to understand its rights & implementation of processing (information not always = transparency), necessary for accountability & empowerment

Question 20

Principal of GDPR: Security

Answer 20

data controller must implement appropriate technical & organizational measures (e.g. data minimization, storage limitation, anonymization, pseudonymization) to ensure level of security appropriate to the risk (to safeguard against unauthorized or unlawful processing & accidental loss, destruction, or damage)

Question 21

Principal of GDPR: Accountability

Answer 21

Data controller must be able to demonstrate compliance with GDPR (e.g. record of processing activities, carrying out data protection impact assessment, ensuring data protection by design & default)

Question 22

Principal of GDPR: Empowerment

Answer 22

data subject is in control (not absolute) of what data concerning it can lawfully be processed (incl. means of consent, rights of access, rectification, erasure & objection, e.g. consent)

Question 23

Principal of GDPR: Proportionality

Answer 23

protection of personal data including data controllers’ obligations & need of consent is relative to legitimate purpose pursued & impact on data subjects right to privacy (including nature, scope, context & purpose of processing), Art. 5: principals of data minimization & storage limitation