Reading week 3 Flashcards
What are the 5 principles of article 5 of GDPR governing the processing of personal data?
* lawfulness, fairness and transparency;
* purpose limitation;
* data minimisation;
* data accuracy;
* storage limitation;
* integrity and confidentiality.
What are the conditions that must be fulfilled?
Any exemptions from and restrictions to these key principles may be provided for at EU or national level; they must be provided for by law, pursue a legitimate aim and be necessary and proportionate measures in a democratic society.
All three conditions must be fulfilled.
What does lawfulness of processing mean?
EU and CoE data protection laws require personal data to be processed lawfully. Lawful processing requires the consent of the data subject or another legitimate ground provided in the data protection legislation. Article 6 (1) of the GDPR includes five lawful grounds for processing, in addition to consent, i.e. when processing personal data is necessary for the performance of a contract, for the performance of a task carried out in the exercise of public authority, for compliance with a legal obligation, for the purpose of the legitimate interests of the controller or third parties, or if necessary to protect the vital interests of the data subject.
What does fairness of processing data mean?
The principle of fair processing governs primarily the relationship between the controller and the data subject.
Controllers should notify data subjects and the general public that they will process data in a lawful and transparent manner and must be able to demonstrate the compliance of processing operations with the GDPR. Processing operations must not be performed in secret and data subjects should be aware of potential risks. Furthermore, controllers, so far as possible, must act in a way which promptly complies with the wishes of the data subject, especially where his or her consent forms the legal basis for the data processing.
The principle of fairness goes beyond transparency obligations and could also be linked to processing personal data in an ethical manner.
What does transparency of processing mean?
EU and CoE data protection laws require personal data processing to be done “in a transparent manner in relation to the data subject”.
This principle establishes an obligation for the controller to take any appropriate measure in order to keep the data subjects – who may be users, customers or clients – informed about how their data are being used.
Transparency may refer to the information given to the individual before the processing starts, the information that should be readily accessible to data subjects during the processing, but also to the information given to data subjects following a request of access to their own data.
The transparency of processing requires that clear and plain language be used. It must be clear to the people concerned what are the risks, rules, safeguards and rights regarding the processing of their personal data.
What is the principle of purpose limitation?
The principle requires that any processing of personal data must be done for a specific, well-defined purpose and only for additional purposes that are compatible with the original purpose.
The processing of personal data for undefined and/or unlimited purposes is thus unlawful. The processing of personal data without a certain purpose, just based on the consideration they may be useful sometime in the future, is also not lawful. The legitimacy of processing personal data will depend on the purpose of the processing, which must be explicit, specified and legitimate.
What happens when a new purpose for processing data is implemented?
Every new purpose for processing data which is not compatible with the original one must have its own particular legal basis and cannot rely on the fact that the data were initially acquired or processed for another legitimate purpose. In turn, legitimate processing is limited to its initially specified purpose and any new purpose of processing will require a separate new legal basis.
For instance, disclosure of personal data to third parties for a new purpose will have to be carefully considered, as such disclosure will likely need an additional legal basis, distinct from the one for collecting the data.
To assess whether further processing is to be considered compatible, what should the controller take into account?
- “any link between those purposes and the purposes of the intended further processing;
- the context in which the personal data have been collected, in particular concerning the reasonable expectations of data subjects based on their relationship with the controller on its further use;
- the nature of the personal data;
- the consequences of the intended further processing for data subjects; and
- the existence of appropriate safeguards in both the original and intended further processing operations.”
This could be done, for instance, through encryption or pseudonymisation.
What is considered a priori compatible with the initial purpose?
The General Data Protection Regulation and Modernised Convention 108 declare that the “further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes” is a priori considered compatible with the initial purpose.
However, appropriate safeguards such as the anonymisation, encryption or pseudonymisation of the data, and restriction of access to the data, must be put in place when further processing personal data.
What is the data minimisation principle?
Only such data shall be processed as are “adequate, relevant and not excessive in relation to the purpose for which they are collected and/or further processed”. The categories of data chosen for processing must be necessary in order to achieve the declared overall aim of the processing operations, and a controller should strictly limit collection of data to such information as is directly relevant for the specific purpose pursued by the processing.
Furthermore, by making use of special privacy-enhancing technology, it is sometimes possible to avoid using personal data at all, or to use measures to reduce the ability to attribute data to a data subject (for instance, through pseudonymisation), which results in a privacy-friendly solution.
Article 5 (1) of Modernised Convention 108 contains a proportionality requirement for processing personal data in relation to the legitimate purpose pursued. There must be a fair balance between all interests concerned at all stages of the processing. This means that “[p]ersonal data which is adequate and relevant but would entail a disproportionate interference in the fundamental rights and freedoms at stake should be considered as excessive”.
What is the data accuracy principle?
A controller holding personal information shall not use that information without taking steps to ensure with reasonable certainty that the data are accurate and up to date.
The obligation to ensure accuracy of data must be seen in the context of the purpose of data processing.
What are the two sides about the necessity to update the accuracy of the data?
There may also be cases where updating stored data is legally prohibited, because the purpose of storing the data is principally to document events as a historical ‘snap-shot’.
On the other hand, there are situations where it is an absolute necessity to update and regularly check the accuracy of data, due to the potential damage which might be caused to the data subject if data were to remain inaccurate.
What is the storage limitation principle?
Article 5 (1) (e) of the GDPR and, likewise, Article 5 (4) (e) of Modernised Convention 108 require personal data to be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data” are processed. The data must therefore be erased or anonymised when those purposes have been served. To this end, “time limits should be established by the controller for erasure or for a periodic review” to make sure that the data are kept for no longer than is necessary.
When does time limitation for storing personal data apply?
The time limitation for storing personal data only applies to data kept in a form which permits identification of data subjects. Lawful storage of data which are no longer needed could, therefore, be achieved by anonymising data.
Data archived for public interest, scientific or historical purposes, or for statistical use, may be stored for longer periods, providing such data will be used solely for the above purposes.
What is the principle of data security?
The principle of data security requires that appropriate technical or organisational measures are implemented when processing personal data to protect the data against accidental, unauthorised or unlawful access, use, modification, disclosure, loss, destruction or damage.
The GDPR states that the controller and the processor should take into account “the state of the art, the costs of implementation and the nature, scope, context and purpose of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons” when implementing such measures.
What are measures that ensure the principle of data security?
Depending on the specific circumstances of each case, appropriate technical and organisational measures could include, for example, pseudonymising and encrypting personal data and/or regularly testing and evaluating the effectiveness of the measures to ensure the data processing is secure.
As explained in Section 2.1.1, pseudonymising data means replacing the attributes in personal data – which make it possible to identify the data subject – with a pseudonym, and keeping those attributes separate, under technical or organisational measures. The process of pseudonymisation must not be confused with the process of anonymisation, where all links to identifying the person are broken.
What do the GDPR and Modernised Convention 108 require the data controller to do in terms of a personal data breach?
In cases where a personal data breach takes place, both Modernised Convention 108 and the GDPR require the controller to notify the competent supervisory authority of the breach with risks for rights and freedoms of individuals without undue delay.
A similar communication obligation to the data subject exists when the personal data breach is likely to result in a high risk to his or her rights and freedoms. Communication of such breaches to the data subjects must be in clear and plain language.
If the processor becomes aware of a personal data breach, the controller must be notified immediately.
What are some exceptions to the notification obligation?
In certain situations, exceptions to the notification obligation may apply. For instance, the controller is not required to notify the supervisory authority when “the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”.
Nor is it necessary to notify the data subject when implemented security measures render the data unintelligible for non-authorised persons or when subsequent measures ensure that the high risk is no longer likely to materialise.
If communication of a personal breach to the data subjects would involve disproportionate effort on behalf of the controller, a public communication or similar measure can ensure that “the data subjects are informed in an equally effective manner”.
What is the accountability principle?
The GDPR and Modernised Convention 108 set out that the controller is responsible for, and must be able to demonstrate compliance with, the personal data processing principles described in this chapter.
To this end, the controller must implement appropriate technical and organisational measures. Even though the accountability principle in Article 5 (2) of the GDPR is only directed towards controllers, processors are also expected to be accountable, given that they have to comply with several obligations and that they are closely connected to accountability.
EU and CoE data protection laws also determine that the controller is responsible for, and should be able to ensure, compliance with the data protection principles discussed in Sections 3.1 to 3.6.
What is the essence of accountability according to Article 29 Working Party’s opinion?
According to the Article 29 Working Party’s opinion, the essence of accountability is the controller’s obligation to:
- put in place measures which would – under normal circumstances – guarantee that data protection rules are adhered to in the context of processing operations; and
- have documentation ready which demonstrates to data subjects and to supervisory authorities the measures that have been taken to achieve compliance with the data protection rules.
The principle of accountability thus requires controllers to actively demonstrate compliance and not merely wait for data subjects or supervisory authorities to point out shortcomings.
Why are there rights given to individuals?
To mitigate power imbalances between data subjects and controllers, individuals have been given certain rights to exercise greater control over the processing of their personal information.
What is the right to be informed?
According to CoE law as well as EU law, controllers of processing operations are obliged to inform the data subject at the time when personal data are collected about their intended processing. This obligation does not depend on a request from the data subject; rather, the controller must proactively comply with the obligation, regardless of whether the data subject shows interest in the information or not.
What do Articles 12, 13 and 14 of the GDPR establish?
Article 12 of the GDPR thus establishes a broad comprehensive obligation for controllers in providing transparent information and/or communicating how data subjects can exercise their rights.
The information must be concise, transparent, intelligible and easily accessible, using clear and plain language. It must be provided in written form, including electronically where appropriate, and it may even be provided orally at the data subject’s request and if his or her identity is proven beyond doubt. The information shall be provided without excessive delay or expense.
Article 13 and Article 14 of the GDPR deal with the right of data subjects to be informed, either in situations where personal data were collected directly from them, or in situations where the data were not obtained from them, respectively.
Under the GDPR, when personal data are collected from the data subject, the controller is obliged to provide the following information to the data subject at the time the personal data are obtained:
- the controller’s identity and contact details, including the DPO’s details, if any;
- the purpose and legal basis for the processing, i.e. a contract or legal obligation;
- the data controller’s legitimate interest, if this provides the basis for processing;
- the personal data’s eventual recipients or categories of recipients;
- whether the data will be transferred to a third country or international organisation, and whether this is based on an adequacy decision or relies upon appropriate safeguards;
- the period for which the personal data will be stored, and if establishing that period is not possible, the criteria used to determine the data storage period;
- the data subjects’ rights regarding processing, such as the rights of access, rectification, erasure, and to restrict or object to processing;
- whether the provision of personal data is required by law or a contract, whether the data subject is obliged to provide his or her personal data, as well as the consequences in case of failure to provide the personal data;
- the existence of automated decision-making, including profiling;
- the right to lodge a complaint with a supervisory authority;
- the existence of the right to withdraw consent.