Datafication 5 Flashcards
Responsibility of dc Art. 24 & 5
- dc must ensure & demonstrate processing in accordance with GDPR
- by implementing technical & organizational measures appropriate to risk
List of Technical & Organizational Measures
1) Privacy by design & default
2) DPO
3) records & documentation related to processing
4) privacy / risk impact assessment
5) performing audits
6) code of conduct
Data Protection by Design
- dc & dp must implement appropriate technical & organizational measures that
- are designed to implement data-protection principles of processing such as data minimization (during planning & performance)
- Take into consideration a) State of the art & cost, b) Nature, scope, context & purpose of processing, c) risk for np rights & freedoms
Data Protection by Design - example measures
- pseudonymization
- transparency to functions & processing to enable ds to monitor processing
Data Protection by default
- dc & dp must implement appropriate technical & organizational measures that
- ensure that by default only pd necessary for each specific purpose is processed
Data Protection by default - applies to
- Amounts & types of data
- Extent of processing
- Period of storage
- Accessibility
Data Protection by default - example measures
Website: data collection “set to off” by default
Role of Data processor Art. 28
- Requires written contract (to understand responsibilities & liabilities) incl.
a) information of processing (e.g. duration, purpose)
b) procedures to comply with obligations &
c) level of guarantees & security (dc needs to assess expert knowledge, reliability & resources) - dc is liable for GDPR compliance
- Requires risk assessment prior to implementation
Role of Joint Controllers Art. 26
- Requires written agreement on responsibility (“who does what” = mapping of processing activities & of responsibilities for compliance)
- Essence made available to ds
- ds can exercise rights against each dc
- Requires risk assessment prior to implementation
Role of Data controller to data controller
- 2 dc transfer pd without jointly determining purposes & means
- Need for a legal basis to transfer pd
Transparency Art. 30 - registry
- dc & dp must document processing in detail in a written & electronic register (basis for measures) including:
- Information on dc
- Purpose(s) of processing
- Categories of registered persons (e.g. consumers, representatives, employees, customers)
- Categories of personal information
- Categories of recipients of personal information
- recipients when transferring outside EU/EEA
- Deletion (retention deadline)
- description of technical & organizational measures
Transparency Art. 30 - exception
employer with < 250 employees & processing a) poses no risk to rights & freedoms of ds, b) is occasional or c) doesn’t include sensitive or criminal data (a & b almost never)
Codes of Conduct
- voluntary sets of rules that assist members
- to ensure compliance with rules
- have to first be approved by the competent SA
Data Protection Officer (DPO) Art. 37 - When?
DPO required where processing
- by public authority / body
- regular & systematic monitoring of ds on a large scale
- sensitive data or criminal pd on a large scale
Data Protection Officer (DPO) Art. 37 - role, how chosen?
- chosen based on professional qualities (knowledge of data protection law & practices)
- employee of dc or dp or service contract (e.g. consultant)
- no one who determines means & purposes
- not a senior management position