UNIT 2 DATA PROTECTION REQUIREMENTS ACCORDING TO GDPR Flashcards
(36 cards)
Lawfulness, Fairness, and Transparency
Under GDPR, data processing must have a lawful basis such as the data subject’s clear and informed consent. It must also be transparent, providing individuals with clear information on how their data is used, and fair, ensuring data use aligns with the individual’s expectations and benefits, such as enhancing online shopping experiences.
The term of Consent
Although consent is the
most prevalent (and visible) legal basis on which
personal data are processed, it is not the only
one. It is permitted to
process personal data
without consent if one of
the other five legal bases
applies.
Purpose Limitation
The principle of purpose limitation requires that data be collected for specific, legitimate reasons which are clearly communicated to data subjects. If the purpose changes, data subjects must be informed, as any use of data beyond the originally stated purpose requires a new legal basis and explicit communication. For example, if an e-commerce site initially collects data for processing purchases but later wants to use that data for marketing new products, it must obtain new consent or establish a new legitimate reason, and inform the customers accordingly.
Data Minimization
Personal data should be adequate, relevant, and limited to what is needed for the
intended processing purposes. This principle dictates that an organization should identify
and collect only the minimum amount of personal data necessary to achieve the specific
purposes communicated to the data subject. As part of the data minimization principle, it
is important to consider whether the objectives could still be accomplished if some of the
data were anonymized. For instance, a ride-sharing app in Italy might reasonably ask for
payment card details on registration, but probably does not need to know the user’s fiscal
or tax code and it would contravene the principle of data minimization to request it.
The term of Anonymization
The process of transforming personal data in such
a way that they can no
longer be attributed to a
specific individual. True
anonymization is irreversible and makes it nearly
impossible to identify a
natural person.
Accuracy
Reasonable measures need to be taken to ensure that the personal data collected are
accurate and kept up to date throughout its processing. This is difficult to achieve in practice, but at a minimum an organization should put in place processes to ensure the datas’
accuracy, not only during the collection process but throughout all stages of processing.
For example, an online healthcare provider might regularly verify a patient’s allergies by
implementing an app dialogue that presents a list of known allergies on login, and obliges
the user to confirm that the list is accurate before proceeding to use the app.
Storage Limitation
Personal data should only be kept if they are required to achieve the goals for which they
were collected, and the information should be securely erased or anonymized once the
intended use has been achieved. The GDPR further clarifies that data that have been anonymized can be retained indefinitely, as anonymous data are no longer considered personal data and are not subject to this principle. Once a student completes a language course, their performance records become irrelevant and should be securely erased or anonymized for research purposes.
What does the security principle in data protection entail?
The security principle requires that personal data be treated securely, with safeguards against unauthorized processing and protections against loss, destruction, or damage.
How might a financial institution implement the security principle for international payments?
A bank might use two-factor authentication (2FA) and encryption for payment messages, and partner with an IT provider like IBM for a secondary backup system behind a separate firewall.
What is the GDPR’s accountability requirement as stated in Article 5(2)?
Article 5(2) mandates that data controllers demonstrate compliance with the core data protection principles, possibly through comprehensive contracts or clear procedures on data handling.
What does GDPR Article 25 specify about data protection?
Article 25 requires data protection “by design and by default,” ensuring data protection principles are embedded throughout the data processing life cycle.
How might a university ensure data protection by design when creating a student feedback survey?
The university might minimize personal data collection (e.g., asking for age range instead of birthdate), ensure anonymity by default with an opt-in for providing names, and require secure login protocols.
What are examples of data protection by default in the design of a survey?
Designers might include technical settings such as disabling location services by default on mobile platforms, ensuring responses are anonymous unless explicitly opted otherwise.
What is the purpose of data protection principles according to the text?
Data protection principles aim to establish a solid foundation for data protection practices, ensuring the privacy, security, and rights of individuals are respected throughout the data processing lifecycle.
Layered privacy notice
This is a privacy policy
format that presents
essential information in a
concise initial notice,
while offering more comprehensive details
through expandable sections or by way of new
tabs or hyperlinks.
What inspired the foundation of the GDPR?
The GDPR is rooted in the European Convention on Human Rights (ECHR), which underlined the right to privacy as a fundamental right for all European citizens, especially in the context of rising digital interactions.
What significant regulation did the EU introduce in 1995 to address online privacy?
In 1995, the EU introduced the Data Protection Directive to set minimum standards and rules for safeguarding privacy online, though its implementation varied across member states.
What prompted the replacement of the Data Protection Directive with the GDPR?
The rapid growth of industries based on the collection and sharing of personal data highlighted the need for a harmonized regulation across all member states, leading to the enactment of the GDPR.
What are some major impacts of the GDPR since its implementation?
Since its implementation, the GDPR has led to over 1,700 enforcement actions, more than four billion euros in fines, and influenced 32 rulings by the Court of Justice of the EU, significantly shaping global privacy practices and data protection measures.
Describe the scope of the GDPR.
The GDPR applies broadly to any processing of personal data, affecting entities outside the EU if they handle the personal data of EU citizens, as seen in its application to an American SaaS provider processing data from EU citizens.
invisible processing,”
Transparency is equally important when an organization collects personal data from
another source and there is no direct relationship with the data subject. In such cases,
often referred to as “invisible processing,” individuals may be unaware that their data are
being collected and used, hindering their ability to assert their data protection rights. To
be compliant with the transparency principle, organizations must ensure that they provide accessible and comprehensible information using plain language to inform individuals about their data processing activities
Just-in-time notices
Just-in-time notices are alerts that provide privacy
information when a user is about to provide personal data. Icons can be used in combination with standardized privacy information to give an easily visible and intelligible overview of the intended processing. These techniques ensure transparency and help users
better understand how their data are processed.
What does GDPR Article 12 require of controllers in terms of communicating with data subjects?
GDPR Article 12 requires controllers to develop clear, straightforward, and understandable communication that is easily accessible, using simple language. Controllers can employ layered privacy notices to effectively customize and clarify their information strategies.
What is the concept of layered privacy design and how does it relate to Creative Commons (CC) license layers?
Layered privacy design involves structuring privacy notices in multiple layers to enhance understanding and accessibility, similar to Creative Commons license layers. The first layer is a legal version for court validity, the second is a human-readable version using plain language, and the third is a machine-readable version that facilitates digital interpretation by search engines and software. This approach ensures that the license or privacy terms are implemented accurately and comprehensively understood by users.
