Module 4 - Processing Personal Data Flashcards
(6 cards)
What is meant by processing of personal data?
Any operation performed upon personal data.
What are the data processing principles prescribed by article 5, GDPR?
- Lawfulness (LAWFUL BASIS), fairness (HONEST PRACTICES) and transparency (EXPLANATION TO DATA SUBJECT) of processing.
- Data minimisation - RETAINING DATA ONLY AS RELEVANT AND NECESSARY FOR PURPOSE.
- Purpose limitation - SPECIFIC USAGE / CLOSELY-LINKED PURPOSES.
- Storage limitation - NO MORE DATA COLLECTED AND STORED THAN NECESSARY.
- Accountability - RESPONSIBLE DATA PROCESSING, DEMONSTRATING COMPLIANCE WITH PREVAILING REQUIREMENTS.
- Data quality and accuracy - PROCESSING COMPLETE AND UPDATED DATA.
- Integrity and confidentiality - ENSURING SECURE PROCESSING.
What is the territorial scope of GDPR (article 3)?
Applicable to controllers and processors:
- From establishments within the EU (EDPB - processor establishment not determined by processor status alone).
- In relation to the promotion of products and services to subjects (e.g. localised website), or the monitoring of the behaviour of subjects within the EU (EDPB - must be TARGETING of EU data subjects; consider digital tracking, ubiquitous and concerted practices - not any collection of data).
- Controllers active in a territory that is subject to a MS by public international law.
What is the material scope of GDPR (article 2)?
Data must be:
- Wholly or partly processed by automated means (DIGITAL); or
- Data forming part of a structured filing system (e.g. archives); or
- UK ONLY: Non-structured physical data held by public authority.
Exceptions (narrowly construed):
- Data processed as part of household or personal activities.
- Law enforcement- or public security-related processing.
- Processing relating to activities outside the scope of EU law (e.g. national defence).
What are the grounds for lawful processing of non-special category personal data?
- Consent (CLEAR AND FREELY GIVEN; PARENTAL CONSENT NEEDED FOR CHILDREN BELOW 13-16 (MS-DETERMINED)).
- Vital interests.
- Legitimate interests of the controller or third party (SHOULD NOT OVERRIDE OR POSE DISPROPORTIONATE RISK TO DS’S RIGHTS AND INTERESTS; DS CANNOT WITHDRAW LIKE CONSENT BUT CAN OBJECT; LIA PERFORMED TO BALANCE LI WITH DS RIGHTS AND OBLIGATIONS).
- Performance of a contract (DS IS PARTY TO).
- Fulfilment of a (EEA) legal obligation.
- Public interest (EXERCISED BY CONTROLLER).
What are the grounds for lawful processing of special category personal data?
- Explicit consent (UNAMBIGUOUS, INFORMED AND FREELY GIVEN).
- Employment context (pursuant to employment law) (DS MUST BE CANDIDATE, CONTRACTOR OR EMPLOYEE).
- Vital interests (CONSENT MUST NOT BE POSSIBLE).
- Sensitive data manifestly made public (DISCLOSED BY DS OR THROUGH SOCIAL MEDIA).
- Political, philosophical and religious purposes (BY RELEVANT ORGANISATIONS RE. MEMBER OR AFFILIATE WHO IS DS; SUITABLE SAFEGUARDS MUST EXIST; DISCLOSURE BEYOND ORGANISATION NOT ALLOWED).
- Establishment, exercise or defence of legal claims (MUST BE NECESSITY; CLOSE CONNECTION BETWEEN PROCESSING AND PURPOSE).
- Substantial public interest (BALANCED AGAINST DS RIGHTS; SUITABLE SAFEGUARDS REQUIRED; MS MAY STATE PI GROUNDS).
- Medicine and social healthcare (E.G. ASSESSING EMPLOYEE WORKING CAPACITY; MAKING DIAGNOSIS; PROVIDING TREATMENT / REASON MAY BE BASED ON EU OR MS LAW OR BE PURSUANT TO CONTRACT).
- Public health (BASED UPON EU OR MS LAW (E.G. PROTECTION AGAINST CROSS-BORDER THREATS TO HEALTH)).
- Public archives, scientific or historical research, or statistics (BASED ON MS LAW; MUST BE PROPORTIONATE TO PURPOSE; SUITABLE SAFEGUARDS REQUIRED).