Module 4 - Processing Personal Data Flashcards
What is meant by processing of personal data?
Any operation performed upon personal data.
What are the data processing principles prescribed by article 5, GDPR?
- Lawfulness (LAWFUL BASIS), fairness (HONEST PRACTICES) and transparency (EXPLANATION TO DATA SUBJECT) of processing.
- Data minimisation - RETAINING DATA ONLY AS RELEVANT AND NECESSARY FOR PURPOSE.
- Purpose limitation - SPECIFIC USAGE / CLOSELY-LINKED PURPOSES.
- Storage limitation - NO MORE DATA COLLECTED AND STORED THAN NECESSARY.
- Accountability - RESPONSIBLE DATA PROCESSING, DEMONSTRATING COMPLIANCE WITH PREVAILING REQUIREMENTS.
- Data quality and accuracy - PROCESSING COMPLETE AND UPDATED DATA.
- Integrity and confidentiality - ENSURING SECURE PROCESSING.
What is the territorial scope of GDPR (article 3)?
Applicable to controllers and processors:
- From establishments within the EU (EDPB - processor establishment not determined by processor status alone).
- In relation to the promotion of products and services to subjects (e.g. localised website), or the monitoring of the behaviour of subjects within the EU (EDPB - must be TARGETING of EU data subjects; consider digital tracking, ubiquitous and concerted practices - not any collection of data).
- Controllers active in a territory that is subject to a MS by public international law.
What is the material scope of GDPR (article 2)?
Data must be:
- Wholly or partly processed by automated means (DIGITAL); or
- Data forming part of a structured filing system (e.g. archives); or
- UK ONLY: Non-structured physical data held by public authority.
Exceptions (narrowly construed):
- Data processed as part of household or personal activities.
- Law enforcement- or public security-related processing.
- Processing relating to activities outside the scope of EU law (e.g. national defence).
What are the grounds for lawful processing of non-special category personal data?
- Consent (CLEAR AND FREELY GIVEN; PARENTAL CONSENT NEEDED FOR CHILDREN BELOW 13-16 (MS-DETERMINED)).
- Vital interests.
- Legitimate interests of the controller or third party (SHOULD NOT OVERRIDE OR POSE DISPROPORTIONATE RISK TO DS’S RIGHTS AND INTERESTS; DS CANNOT WITHDRAW LIKE CONSENT BUT CAN OBJECT; LIA PERFORMED TO BALANCE LI WITH DS RIGHTS AND OBLIGATIONS).
- Performance of a contract (DS IS PARTY TO).
- Fulfilment of a (EEA) legal obligation.
- Public interest (EXERCISED BY CONTROLLER).
What are the grounds for lawful processing of special category personal data?
- Explicit consent (UNAMBIGUOUS, INFORMED AND FREELY GIVEN).
- Employment context (pursuant to employment law) (DS MUST BE CANDIDATE, CONTRACTOR OR EMPLOYEE).
- Vital interests (CONSENT MUST NOT BE POSSIBLE).
- Sensitive data manifestly made public (DISCLOSED BY DS OR THROUGH SOCIAL MEDIA).
- Political, philosophical and religious purposes (BY RELEVANT ORGANISATIONS RE. MEMBER OR AFFILIATE WHO IS DS; SUITABLE SAFEGUARDS MUST EXIST; DISCLOSURE BEYOND ORGANISATION NOT ALLOWED).
- Establishment, exercise or defence of legal claims (MUST BE NECESSITY; CLOSE CONNECTION BETWEEN PROCESSING AND PURPOSE).
- Substantial public interest (BALANCED AGAINST DS RIGHTS; SUITABLE SAFEGUARDS REQUIRED; MS MAY STATE PI GROUNDS).
- Medicine and social healthcare (E.G. ASSESSING EMPLOYEE WORKING CAPACITY; MAKING DIAGNOSIS; PROVIDING TREATMENT / REASON MAY BE BASED ON EU OR MS LAW OR BE PURSUANT TO CONTRACT).
- Public health (BASED UPON EU OR MS LAW (E.G. PROTECTION AGAINST CROSS-BORDER THREATS TO HEALTH)).
- Public archives, scientific or historical research, or statistics (BASED ON MS LAW; MUST BE PROPORTIONATE TO PURPOSE; SUITABLE SAFEGUARDS REQUIRED).