Personal Data & Controller-Processor Relationship

Question 1

What is joint controllership?

Answer 1

When two or more entities jointly determine the purposes and means of processing.

Question 2

What is a converging decision in joint controllership?

Answer 2

Independent but complementary decisions that are inextricably linked and necessary for the processing.

Question 3

What is the significance of the Fashion ID case?

Answer 3

It demonstrated joint controllership.

Concerned the integration of a social media plug-in where both retailer and platform influenced data processing.

Question 4

What factors determine joint controllership?

Answer 4

• Joint decisions on purposes and means
• Factual influence
• Type of participation
• Decisive influence
• Allocation of duties

Question 5

What is a best practice for identifying joint controllership?

Answer 5

• Identify project stages
• Determine which stages require joint determinations
• Clarify responsibility allocations

Question 6

What is the definition of personal data under the GDPR?

Answer 6

Any information relating to an identified or identifiable natural person.

Question 7

What are the 4 parts of the definition of personal data according to WP29 Opinion 4/2007?

Answer 7

1. Any information
2. Relating to
3. An identified or identifiable
4. Natural person

Question 8

What are the 3 features used to determine if information is personal data?

Answer 8

1. Nature
2. Content
3. Format

Question 9

What types of statements fall under ‘Nature’ in personal data analysis?

Answer 9

1. Objective
2. Subjective

Objective: e.g., education, experience

Subjective: e.g., work quality, collegiality

Question 10

What types of information constitute ‘Content’ in the context of personal data?

Answer 10

Private life and public/professional activities

Question 11

What does ‘Format’ include under the definition of personal data?

Answer 11

Any form, whether processed by automated means or manually in a filing system.

Question 12

What qualifies as ‘automated means’ in data processing?

Answer 12

Systems that operate automatically without human intervention.

Question 13

What is a ‘filing system’ under GDPR?

Answer 13

A structured set of personal data accessible by specific criteria, such as alphabetical or numeric order.

Examples: employee files, medical records, customer orders, student records

Question 14

What does ‘relating to’ mean in the context of personal data?

Answer 14

It involves linkability between the data and the individual based on context.

Question 15

According to WP29 Opinion 4/2007, what are the 3 ways data can relate to a person?

Answer 15

1. Content
2. Purpose
3. Result

Question 16

What does the ‘Content’ criterion mean?

Answer 16

Data is inherently about or describes an individual.

E.g., medical report or passport

Question 17

What does the ‘Purpose’ criterion mean?

Answer 17

Data is used or intended to evaluate, treat, or affect a person, even if not inherently about them.

Question 18

What does the ‘Result’ criterion mean?

Answer 18

Processing affects a person’s rights, interests, or status.

E.g., through fleet tracking or surveillance

Question 19

Does the GDPR apply to anonymized data?

Answer 19

No, as long as all personal identifiers have been removed.

Question 20

Does the GDPR apply to pseudonymized data?

Answer 20

Yes, even though direct identifiers are removed.

Question 21

What is pseudonymization?

Answer 21

A process that removes direct identifiers and keeps them separate to prevent re-identification.

Question 22

What is aggregation in the context of data?

Answer 22

Combining and summarizing data from multiple sources into a high-level format.

Question 23

Does the GDPR define the term ‘natural person’?

Answer 23

No, the definition is left to member states.

Question 24

According to Recital 27, does the GDPR apply to deceased persons?

Answer 24

No

Question 25

What types of personal data are considered **sensitive** under GDPR?

Answer 25

* Race * Ethnicity * Political opinions * Religious or philosophical beliefs * Trade union membership * Genetic data * Biometric data * Health data * Sexuality

Question 26

What is **genetic data**?

Answer 26

Data related to **inherited or acquired genetic characteristics** that provide unique information about a person’s physiology or health.

Question 27

What is **health data** under the GDPR?

Answer 27

Data **related to physical or mental health**, including medical history, health care services, and health status across time.

Question 28

What is **biometric data**?

Answer 28

Data resulting from **technical processing** of **physical, physiological, or behavioral characteristics** using technology. ## Footnote Examples: fingerprints, facial geometry, iris scans, voiceprints, typing rhythm, gait, signature

Question 29

What is the **role** of a **data controller**?

Answer 29

**Determines the purpose and means** of processing and is responsible for GDPR compliance.

Question 30

Who can be a **data controller**?

Answer 30

1. A natural or legal person 2. Public authority 3. Agency, or other body

Question 31

What are some **obligations** of a **data controller**?

Answer 31

* Inform data subjects of data processing activities * Determine legal basis for processing * Honor data subject rights * Conduct DPIAs * Ensure security * Notify relevant parties after a breach

Question 32

What is a **data processor**?

Answer 32

An entity that processes personal data **on behalf of a controller**.

Question 33

Who is the primary **target for enforcement** under GDPR?

Answer 33

The data controller

Question 34

What are the **5 parts** of the **controller definition**?

Answer 34

1. Natural or legal person, public authority, agency, or other body 2. Determines 3. Alone or jointly 4. The purposes and means 5. Of processing data

Question 35

What distinguishes a **natural person** from a **legal person**?

Answer 35

* A natural person is a **human** * A legal person is an **organization**

Question 36

What does '**determines**' mean in the controller context?

Answer 36

**Having the ultimate say** in why and how personal data is processed, regardless of contracts.

Question 37

Can a processor **become** a controller?

Answer 37

**Yes**, if they **independently decide** why and how data is processed.

Question 38

Can **multiple entities** act as controllers?

Answer 38

**Yes**, if they make decisions collectively, they are **joint controllers**.

Question 39

What does '**purpose**' refer to in data processing?

Answer 39

The intended **goal of processing**. ## Footnote E.g., billing, legal services, shipping

Question 40

What does '**means**' refer to in data processing?

Answer 40

The **methods and operations performed** on personal data throughout its lifecycle.

Question 41

What are **essential means** in processing?

Answer 41

Decisions **closely linked to purpose and scope** of processing. ## Footnote E.g., type of data collected, duration of collection, recipients of collected data

Question 42

What are **non-essential** means in processing?

Answer 42

Practical/technical decisions ## Footnote E.g., software choice, internal staff assignments, security tools

Question 43

**Who decides** essential vs. non-essential means?

Answer 43

* Controllers decide essential means * Processors may determine non-essential means if not contradictory

Question 44

Can processing involve **multiple parties**?

Answer 44

**Yes**, different operators may be involved at different stages and activities.

Question 45

What are the **2 key features** of a data processor?

Answer 45

* Be a **distinct legal entity** from the controller and * Process data **on behalf** of the controller

Question 46

What entities are **not considered processors**?

Answer 46

* Departments within a controller * Individuals under direct authority

Question 47

Is the processor vs. controller distinction **organization-wide**?

Answer 47

No ## Footnote It is **activity-specific** and **context-specific**.

Question 48

Can an entity be **both** a processor and a controller?

Answer 48

**Yes**, for different processing activities and data sets.

Question 49

When does a processor **become a controller**?

Answer 49

When it **uses data for its own purposes**. ## Footnote Example: marketing its services using controller-provided data

Question 50

What must controller-processor relationships **be based on**?

Answer 50

A **contract** or other binding legal document.

Question 51

What must be **explicitly stated** in a controller-processor **contract**?

Answer 51

* Nature and purpose of processing * Types of personal data * Categories of data subjects

Question 52

What must **processors** do at the **end of the contract**?

Answer 52

**Delete or return** all personal data to the controller.

Question 53

What are general vs. specific **subcontracting authorizations**?

Answer 53

* **General**: controller may object and set selection criteria * **Specific**: individual approval for each subcontractor

Question 54

What is the definition of **processing** under GDPR?

Answer 54

**Any operation** performed on personal data. ## Footnote E.g., collection, recording, storage, use, disclosure, erasure, etc., whether or not by automated means

Question 55

According to Recital 14, **who does the GDPR apply to**?

Answer 55

Any natural person **regardless of** nationality or place of residence.