GDPR Compliance: Key Principles and Data Protection Practices, Study notes of Information Technology

A structured overview of the General Data Protection Regulation (GDPR) and its key principles. It covers topics such as the competence of data protection authorities, the definition of personal data, conditions for processing personal data, data subject rights, and the role of data protection officers (DPOs). The document also addresses specific aspects such as processing employee personal data, implementing BYOD policies, and ensuring data security. It serves as a concise guide to understanding and implementing GDPR compliance measures, making it a useful resource for professionals and students in the field of data protection and privacy.

Typology: Study notes

2025/2026

Available from 09/03/2025

LicensedExamTutor
CIPP/E Summary
all modules


Module 1 – Data protection laws

1.1. Privacy and data protection law – comparing key terms

  • Privacy – respect for private life, family life, home and communications.
    o Broad definition, including information privacy, bodily privacy, territorial privacy and communications privacy.
  • Data protection – protection of personal data, fair processing, specified purposes, consent or lawful ground, and access and rectification.
    o Narrower definition, including information and communications privacy;
    o Laws and policies governing the collection and use of personal data.
  • Extended definition of data protection:
    o Transparency;
    o Legal basis for processing;
    o Proportionality;
    o Data is accurate and current;
    o Right to correct and object;
    o Security;
    o Export restrictions.
  • Types of privacy:
    o Information privacy: concerned with establishing rules that govern the collection and handling of personal data.
      - Financial data, medical data, government records and records of a person's activities on the internet.
    o Territorial privacy: concerned with placing limits on the ability to intrude into another individual's environment.
      - "Environment" may be the home, the workplace or even public space.
      - Invasion may take the form of video surveillance or ID checks.
    o Bodily privacy: focused on a person's physical being and any invasion thereof.
      - Genetic testing, drug testing or body cavity searches, birth control, abortion and adoption.
    o Communications privacy: encompasses protection of the means of correspondence.
      - Postal mail, telephone conversations, email and other forms of communicative behavior.
  • Court of Justice of the EU
    o Judicial body of the EU;
    o Decides on issues of EU law and enforces those decisions;
    o Comprises the Court of Justice ("ECJ") and the General Court (formerly the "Court of First Instance" ("CFI"));
    o Data protection as it relates to cases brought by national courts and the Commission against Member States.
  • European Court of Human Rights
    o Part of the apparatus of the Council of Europe and thus not part of the EU;
    o Enforces the European Convention on Human Rights and Convention 108;
    o Judges sit in their individual capacity and do not represent any state;
    o Data protection as it relates to Article 8.

1.5. Data Protection: Dawn of a new age
  • New opportunities and need for European data protection law;
  • 1949: Establishment of the Council of Europe;
  • 1951: Formal establishment of the European Coal and Steel Community (ECSC), which over time would develop into the European Union (EU);
  • 1960s: Rapid growth of international trade and increasing use of computers and telecommunications;
  • 1970s-80s: Greater conflict between national privacy rights and international free trade;
  • 1980s-90s: Rise of data management issues (direct marketing, telemarketing) and establishment of the EU (1993);
  • 2000s: Identity theft;
  • 2010s: Social media, cloud computing, online ads, location-based services.

1.6. Right to privacy vs. Freedom of speech
  • Contradiction between two fundamental human rights;
  • Increasing relevance in the information age;
  • Right to withdraw consent;
  • Right to lodge a complaint.
  • Google Spain v AEPD and Mario Costeja González:
    o Mr. Costeja sued Google Spain, Google Inc. and the newspaper La Vanguardia because personal data about him was available, through a Google search, in the newspaper's online archives. The Court of Justice of the EU ruled that Google Spain must remove the links to the article.

1.7. Human rights laws
  • Universal Declaration of Human Rights
    o Adopted on 10 December 1948 by the UN General Assembly, after World War II. Recognizes the inherent dignity and the equal and inalienable rights of all members of the human race as the foundation of freedom, justice and peace in the world.
    o Article 12 – Right to private life and associated freedoms: "no one shall be subject to arbitrary interference with his privacy, family, home or correspondence nor to attacks upon his honor and reputation".
    o Article 19 – Right to freedom of opinion and expression.
    o Article 29(2): "individual rights are not absolute".

  • European Convention on Human Rights
    o Follows up on the Universal Declaration and entered into force on 3 September 1953. It only applies to "MS, and all Council of Europe MS are party to the treaty".
    o Rulings of the ECtHR are "binding on states and can lead to amendment and change in practice by national government". The Court may also give advisory opinions at the request of the Committee of Ministers of the Council of Europe. The ECtHR became a full-time Court of Human Rights on 1 November 1998.
    o Articles relevant to privacy:
      - Article 8 ECHR, similar to Article 12 UDHR:
  • Everyone has the right to "respect for private and family life, home and correspondence".
  • The right to privacy is not absolute; necessity and proportionality may justify breaching individuals' privacy rights.

1.8. Data protection laws – an evolving harmonized approach
  • 1980: OECD Guidelines
    o Non-binding;
    o Protection of personal data in the global economy;
    o Principles on collection and use;
    o 2013 revision.
  • 1981: Convention 108
    o Reaffirms the Resolutions of 1973 and 1974; the "first legally binding treaty" of member states (also open to non-members) of the Council of Europe. Differs from guidelines since "signatories have to apply the principles through their domestic legislation".
    o Protection of data subject privacy;
    o Automatically processed personal data (does not include non-automatically processed personal data).
  • 1995: The EU Data Protection Directive
    o Directives are binding on MS, but implementation is left to the discretion of MS.
  • 2000: Charter of Fundamental Rights of the EU
  • 2000: The E-Commerce Directive of 2000 (Directive 2000/31/EC)
    o An EU Directive of the European Parliament and of the Council of the European Union of 8 June 2000. It "regulates certain legal aspects of information society services in the internal market, in particular electronic commerce and mere conduit".
    o Issues related to processing personal data are excluded from its scope.

It is the most active EU institution in data protection.
    o Functions:
      - Implements EU decisions and policies.
      - Has executive competence to propose legislation (right of initiative).

  • Council of the European Union:
    o One minister from each member state – changes based on the policy issue to be discussed.
    o Functions:
      - Legislative decision-making (along with the European Parliament). Legislation is generally proposed by the Commission before being examined by the Council of the EU and the EU Parliament.
      - Exercises "budgetary functions with EU parliament".
      - "Carries out policy making and coordinating functions".
  • European Parliament:
    o Only EU institution whose members are directly elected.
    o Greatest impact on data protection and privacy issues through its role in the legislative process.
    o Functions:
      - Primary responsibilities – legislative development, supervisory oversight of the other institutions and budget development.
      - Co-decision: the process by which the Council of the EU and the European Parliament agree on legislation.

1.10. Data protection law: ePrivacy Directive and GDPR
  • Processing that triggers the material scope of both
    o ePrivacy Directive: electronic communications services, electronic communications networks, and services and networks publicly available and offered in the EU; website operators (e.g., for cookies) or other businesses (e.g., for direct marketing).
  • Interplay
    o "To particularize" (lex specialis principle): "special provisions prevail over general rules".
    o "To complement": several ePrivacy Directive provisions complement GDPR provisions.
    o Art 95 GDPR: the aim is "to avoid the imposition of unnecessary administrative burdens upon controllers who would otherwise be subject to similar but not quite identical administrative burdens".
    o Co-existence: in cases where lex specialis does not apply, the general rule will apply (lex generalis).
  • Competence, tasks and powers of data protection authorities:
    o When the processing of personal data triggers the material scope of both the GDPR and the ePrivacy Directive, data protection authorities are competent to scrutinize the data processing operations governed by national ePrivacy rules only if national law confers this competence on them, and such scrutiny must happen within the supervisory powers assigned to the authority by the national law transposing the ePrivacy Directive.

    o 3) An identified:
      - Name or singling out;
      - Specific characteristics.
    o Or identifiable:
      - Indirect;
      - Taking into account all the "means reasonably likely to be used either by the controller or by another person to identify the natural person".
    o 4) Natural person:
      - Someone who is living (not applicable to the personal data of deceased persons or to organizational data).

  • CJEU case Patrick Breyer v Bundesrepublik Deutschland:
    o Is the collection and use of dynamic device IP addresses, to allow data on a website to be transferred to the correct recipient, considered personal data? Why or why not?
      - "Dynamic IP addresses are capable of being personal data if the person could be indirectly identified if IP addresses are combined with data held by internet service providers such as time of connection and pages visited by websites" (where a TP holds information likely to be used to identify the website user when put together with the dynamic IP addresses held by the website provider, those IP addresses are personal data).
  • Anonymous data:
    o Not related to an identified or identifiable natural person;
    o Rendered unidentifiable;
    o Not considered personal data under the GDPR.
  • Pseudonymous data:
    o Not fully anonymous;
    o A process that detaches the aspects of the data attributed to a specific individual;
    o A security measure that makes the use of the data less risky;
    o Considered by the GDPR an important safeguard for achieving data minimization and privacy, and thus still subject to data protection law.

2.2. Special categories of personal data ("sensitive data")
  • Sensitive personal data includes special categories of data that merit specific protection, since by the nature of their processing they could create significant risks to individuals' fundamental rights and freedoms. This includes personal data revealing:
    o 1) Racial or ethnic origin;
    o 2) Political opinions;
    o 3) Religious or philosophical beliefs;
    o 4) Trade-union membership;
    o 5) Processing of genetic data:
      - Personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.
  • Processing is any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • Conditions for processing of personal data:
    o Processing must be wholly or partly carried out by automated means; or
    o Where processing is not by automated means, it must concern personal data that forms part of a filing system or is intended to form part of a filing system.
      - Filing system refers to a structured set of personal data that is accessible according to specific criteria.

3.2. Data controllers and joint controllers
  • Art 4(7): "The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data".
  • i. Natural or legal person or any other body:
    o May be a legal or natural person; preference should be given to considering the controller to be the company or body as such rather than an individual appointed by the company or body.
    o "Employees appointed by an organization acting on behalf of the controller" to ensure compliance with data protection or processing of data are "not considered controllers" because they act on behalf of the legal entity.
  • ii. Alone or jointly with others:
    o Different organizations, bodies or natural persons may be data controllers of the same personal data; jointly means that "they act together regarding processing of personal data".
    o Examples:
      - An airline and a hotel may set up a shared website with a travel agent where holiday bookings are entered into a shared database and the parties carry out integrated market activities.
      - "Not joint controllers" where "identical data is held separately and for distinct purposes".
      - A parent company may provide centralized IT services to its subsidiaries, including centralized databases for employee or consumer records, and conduct independent operations on the data to compare employee turnover across the group. In this case each subsidiary remains a controller, and if the parent conducts its own independent operations on the data it may become a joint controller.
    o Art 26: "Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers".
    o They shall, in a transparent manner, determine their respective responsibilities for compliance with the obligations under this Regulation:
      - Data subjects' rights;
      - Data subject access requests;
      - Contact point for data subjects;
      - Essence of the arrangement made available to data subjects.
    o Data subjects may exercise their rights against either controller, "irrespective of the terms of the arrangement".

  • iii. Determines the purposes and means of processing:
    o Factual elements or circumstances regarding the processing may be decisive in determining the controller, even though the contractual designation says otherwise.
      - A) A processor who determines the purposes and means of processing will be considered a controller.
    o 1) The controller determines why data is collected and how it will be processed, including the purposes and means of processing.
    o 2) Means of processing:
      - Which data are to be processed;
      - Which TP shall have access to the data;
      - When data shall be deleted.
    o 3) The controller may delegate decisions about technical and organizational aspects of the processing to the processor, provided it reserves the most important determinations of purposes or means to itself, including substantial questions essential to the core of the lawfulness of processing.
  • iv. Identifying the source of control
    o 1) Control from explicit legal competence:
      - A) Explicit appointment of the controller under national or community law;
      - B) Law establishes a task or imposes a duty on someone to collect.
    o 2) Control from implicit legal competence:
      - A) Control stems from common legal provisions or legal practice (employer with employee data).
    o 3) Control from factual influence:
      - A) Control based on assessment of factual circumstances: consider the degree of actual control exercised by the party, the impression given to individuals and the reasonable expectations of individuals on the basis of this visibility.
  • Types of personal data and categories of data subjects;
  • Obligations and rights of the controller;
  • The processor's responsibilities.
  • Second processor involvement
    o A processor may not engage another processor without the prior authorization of the data controller. This authorization may be general or specific. If it is general, the processor is required to give the controller an opportunity to object to the addition or replacement of other processors.
    o The contract between the initial processor and its sub-processor must include all the mandatory provisions. See Art 28, which sets out further detailed content for the processing contract.
    o The initial processor remains fully liable to the controller for the performance of its sub-processors.

3.4. Processor Vendor Management
  • Choose reliable processors;
  • Maintain quality control and compliance throughout the duration of the arrangement;
  • Frame the relationship in a contract or other legally binding act.
  • Translating these requirements into practical action points may be challenging for the following reasons:
    o Determining the extent to which the controller can rely upon the processor to attest to and monitor its own reliability;
    o Determining the extent to which the controller needs to evaluate third parties before and after contracting, including conducting audits;
    o Complex contractual provisions;
    o Negotiating contracts between two parties of unequal bargaining power or from EU and non-EU jurisdictions;
    o Situations that involve cloud computing: difficulties knowing the precise nature of data processing operations at any given moment in time.
  • Pre-contractual due diligence
    o To ensure processors provide appropriate security, controllers should exercise pre-contractual due diligence through methods such as RFIs/RFQs, site visits and audit observations. Considerations may include:
      - Processor's data protection knowledge;
      - Recent high-profile breaches;
      - Under investigation?
      - Accreditation?
      - Processor's policy framework;
      - Sub-processors;

Module 4 – Processing personal data

4.1. Processing

  • "Any operation performed upon personal data (Art 4[2])".
    o Examples: collecting, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

4.2. Data Processing Principles (Art 5)

  • Personal data must only be processed if a legal ground exists and to the extent the processing is carried out in a fair and transparent manner.
  • 1.1. Lawfulness: personal data must only be processed when data controllers have a legal ground for processing the personal data.
  • Processing is lawful under the following grounds:
    o Consent: a freely given, specific, informed and unambiguous indication of the data subject's wishes by which he, by a statement or by clear affirmative action, signifies agreement to the processing.
      - Freely given: the data subject has a genuine choice and must be able to, or have the freedom to, refuse or withdraw consent.
        • Must be distinguishable from other issues; otherwise, if bundled together, it is not binding.
        • Where there is a clear imbalance of power between the data controller and the subject (e.g., a public authority), consent should not be relied upon.
        • The employer-employee relationship does not show freely given consent where the employee cannot withhold consent without suffering prejudice.
      - Specific: consent must be given specifically for the particular processing operation in question; if multiple purposes exist, consent must be given for all of them.
      - Informed: the data subject must be given all necessary details of the processing activity in a language and form they can understand. The data subject needs to be aware of the identity of the controller and the purposes of processing.
      - Unambiguous: there must be no doubt as to the data subject's intent to give consent. Active indication of consent is required, so pre-ticked boxes or silence are unacceptable.
    o Contractual necessity: necessary for the performance of a contract.
      - A close and substantial connection between the processing and the purposes is required.

processing and enable them to exercise their data protection rights.
    o Processing automatically permitted by law is deemed fair even though the data subject might not be aware of the fact that their personal data is being processed.
    o Fairness also requires assessing how the processing will affect the data subject; if it negatively affects individuals and such detriment is not justified, then the processing is unfair.

  • 1.3. Transparency
    o A data controller must be open and clear toward data subjects when processing personal data.
    o Information to data subjects is to be provided in a timely manner:
      - When information is collected from data subjects directly, the relevant information must be available at the time of collection;
      - When data is collected from different sources, a different period is provided for providing that information.
    o Data subjects should be notified regarding how their personal data is processed:
      - 1) No need for notification where data was obtained directly from the data subject and the data subject was already aware of the information;
      - 2) No need to provide information when data was collected from other sources:
        • A) When providing the information would involve a disproportionate effort or be impossible;
        • B) To protect the data subject's legitimate interest, in which case disclosure is governed by applicable law;
        • C) To preserve the confidentiality of information, also regulated by laws to which the data controller is subject.
    o Information should be clear, concise and easy to understand, and be provided in an accessible manner.
    o The GDPR eliminates the need for controllers to notify data protection authorities of the processing of personal data, since this did not contribute to protection.
  • 2.0. Purpose limitation
    o Controllers must only collect and process personal data to accomplish specified, explicit and legitimate purposes, and must not process personal data beyond such purposes unless the further processing is considered compatible with the original purpose.
      - Compatibility test for further processing: link between purposes, nature of the data, method of collecting, consequences of secondary uses and safeguards.