GDPR: A Comprehensive Overview of Data Protection and Privacy in the EU, Schemes and Mind Maps of Cybercrime, Cybersecurity and Data Privacy

This document offers a thorough exploration of the General Data Protection Regulation (GDPR), covering its definition of personal data, the scope of its application, lawful processing conditions, data subject rights, and the free movement of data within the EU. It also delves into adequacy decisions, international agreements, and the roles of data protection officers (DPOs) and data protection authorities. Valuable for understanding the complexities of data protection and privacy within the European Union legal framework.

Typology: Schemes and Mind Maps

Academic year: 2023/2024

Available from 04/18/2025

Author: celina-nick 🇳🇱
PRIVACY EXAM PREP

WEEK 1 – Introduction to Privacy and Data Protection

Sociological approach to privacy
- privacy arises from societal interactions
  o because individuals live in proximity and within social systems, they need to separate public and private spheres
- privacy balances two aspects:
  (i) social persona (‘Me’)
  (ii) spontaneous individual (‘I’)

Privacy and secrecy:
- NOT the same
- Privacy = control over personal information and the context in which it is shared
  o E.g., keeping a personal journal: it may not be a secret that you have a journal (family and friends know about it), but it is private (and hence not to be read by others)

ORIGIN OF THE RIGHT TO PRIVACY
Origin of the right to privacy
= introduced as the right to ‘be let alone’
 phrase coined by Thomas Cooley (Treatise on the Law of Torts), later taken up by Warren and Brandeis
- Privacy was rooted in the notion of ‘inviolate personality’
  = the individual’s personal life was not to be open to public scrutiny without consent
  o Privacy as a necessity for personal freedom, allowing for the maintenance of human dignity and individual autonomy

Warren and Brandeis reading
 recognition of a distinct right to privacy was derived from common law principles
Definition of privacy
= the right to be let alone, which protects individuals from unwarranted intrusions into their personal lives
Development of the right to privacy:
- Historical context
  o The concept evolved with changes in society and technology
  o Early protections focused on physical interference and property rights
- Expansion of common law
  o Common law expanded to protect more intangible interests
    - E.g., protection against defamation and against appropriation of one’s likeness
- Technological advancements
  o Photography and the increasing power of the press created new threats to personal privacy
    - Highlighted the inadequacies of existing legal protections and presented the necessity for a reevaluation of privacy rights
- Recognition of personal autonomy
  o They argue for the recognition of personal autonomy and dignity
    - The law should protect the individual’s right to be let alone
  o Privacy as essential for personal development and happiness
- Legal precedent and principles
  o Doctrine of contract and trust = establishes the expectations and obligations between parties, ensuring that personal information shared in confidence is not misused or disclosed without permission
  o Inviolate personality = the idea that each individual has an inherent right to personal autonomy and dignity
    - Encompasses protection of one’s private life from public exposure and unwarranted intrusion
    - The law should explicitly recognize and protect the inviolate personality
    - Essential for safeguarding personal freedoms and ensuring that individuals can develop and flourish without interference
  o Interrelationship between the two principles
    - The expectation of trust in personal relationships implies that individuals have a right to control their personal information and to prevent its unauthorized dissemination
    - By applying the contract and trust doctrine, Warren and Brandeis argue that the law should safeguard the inviolate personality, so that individuals can maintain their autonomy and dignity

Inadequacy of existing remedies because:
- Limited scope of tort law
  o Tort law was designed to address damage to reputation, NOT unauthorized exposure of private life
- Inadequate compensation for emotional distress
  o Existing compensation regimes were created for physical invasions rather than psychological ones, so it is difficult to find a suitable regime for compensating emotional distress
- Technological advancements
  o Photography and newspapers make it easier to invade private lives and to spread information quickly
- Gaps in contract law
  o Contractual remedies rely exclusively on the parties’ agreements, but privacy invasions often occur without any contractual relationship
- Lack of preventative measures
  o Remedies are reactive rather than preventative
  o Need for measures that protect individuals proactively

Limitations to the right to privacy (as set out by Warren and Brandeis):
- Does not prohibit any publication of matter which is of public or general interest
- Does not prohibit the communication of any matter when the publication is made under circumstances which would render it a privileged communication according to the law of slander and libel
- The law would not grant any redress for the invasion of privacy by oral publication in the absence of special damage
- The right to privacy ceases upon publication of the facts by the individual, or with his consent
- The truth of the matter published does not afford a defence
- The absence of malice in the publisher does not afford a defence

Element 3: ‘identified or identifiable natural person’  para. 31 Nowak  excludes legal persons (e.g., organizations)

- Identified = when identification is possible via e.g., an identification card
- Identifiable = when the person can be singled out by reason of e.g., characteristics; a professor who teaches privacy at Maastricht University
- Inaccurate information: the fact that the information is not correct is irrelevant – it is still personal data and still protected

Limitations to personal data
- under EU law = data protection benefits natural persons only
- under ECtHR case law (Bernh Larsen Holding AS v Norway) = legal persons can also rely on the right to privacy under Art. 8 ECHR

Amann v Switzerland  the ECtHR held that the scope of personal data goes beyond the private sphere; even data that are not immediately sensitive or private can be protected by privacy rights
YS v Minister voor Immigratie  the CJEU ruled that the legal analysis in a draft decision of an authority, although it contains personal data, is NOT itself personal data
- Shows the complexity of distinguishing between personal data and other types of information in legal documents
- What counts as personal data is determined on a case-by-case basis

DATA PROTECTION
Development of data protection law:
- Began with foundational principles laid out in e.g., the ECHR
  o Right to privacy = human right
- Transformation of data protection with the GDPR (adopted in 2016, applicable since 25 May 2018)

GDPR = landmark piece of legislation that protects personal data and harmonizes data protection laws across EU member states
- Provides a uniform and stringent standard for data processing and for the rights of individuals

Thomas Streinz reading  contributed to the understanding of the evolution of European data law
- Encompasses but also goes beyond the sphere of data protection
- Importance of the EU’s Charter of Fundamental Rights in recognizing data protection and privacy
  o Unique role played by independent data protection authorities in Europe

WEEK 2 – The Application of the GDPR

GDPR SCOPE

MATERIAL SCOPE (What is being covered?)
 the GDPR applies to personal data which are processed, keeping in mind the exemptions
(1) Personal data (Art. 4 (1) GDPR) = ‘any information relating to an identified or identifiable natural person’
  o Personal data (normal) = e.g., date of birth, etc.
  o Special categories of data (Art. 9 GDPR) = data that can be more damaging to a person, e.g., genetic data (DNA), health data
(2) Processing (Art. 4 (2) GDPR)  can be automated or manual (Art. 2 (1) GDPR)
  a. Automated = covered by default
  b. Manual = covered only where the personal data form part of, or are intended to form part of, a filing system (Art. 4 (6) GDPR: a structured set of personal data accessible according to specific criteria)
(3) Exemption  household exemption (Art. 2 (2) (c) GDPR), interpreted in the Ryneš case
  o ‘household’ must be narrowly construed and interpreted
  o Processing carried out ‘purely’ in the course of a personal or household activity
  o NOT within the household exemption: CCTV surveillance which covers both public and private space

PERSONAL SCOPE (Who needs to comply with the GDPR?)
 the GDPR must be complied with by controllers, processors and joint controllers
(a) Controller (Art. 4 (7) GDPR) = determines the purposes and means of the processing of personal data
(b) Processor (Art. 4 (8) GDPR) = processes personal data on behalf of the controller, implementing the controller’s instructions
(c) Joint controllership (Art. 26 GDPR) = two or more controllers jointly determine the purposes and means

TERRITORIAL SCOPE (How?)
 two main ways in which entities will be captured by the GDPR
(1) Establishment (Art. 3 (1) GDPR) = data processing is done in the context of the activities of an establishment of a controller or processor in the EU, regardless of whether the processing itself takes place in the EU
  o Includes any entity with an effective and real exercise of activity through stable arrangements in the EU (recital 22)
  o Establishment = e.g., office, branch, subsidiary, or the presence of a single employee or agent acting with a sufficient degree of stability
  a. Relationship between a controller or processor outside the Union and its local establishment in the Union
     Where there is an inextricable (impossible to separate) link between the processing of personal data carried out by a non-EU controller or processor and the activities of an EU establishment, EU law will apply to that processing by the non-EU entity, whether or not the EU establishment plays a role in the processing
  b. Revenue raising in the Union
     Inextricable link = fulfilled where the activities of the local establishment are considered to be revenue-raising in the EU for the non-EU entity
 where there is no establishment in the Union, the GDPR can still apply under the targeting criterion
- But the entity then CANNOT benefit from the one-stop-shop mechanism provided for in Art. 56 GDPR

Steps for the targeting criterion – Art. 3 (2) GDPR
(i) Personal data of data subjects who are in the Union
  o The targeting criterion is not limited by citizenship, residence or any other legal status of the data subject  recital 14 GDPR – the protection afforded by the GDPR applies to natural persons, whatever their nationality or place of residence
  o The person’s presence in the Union must be assessed at the moment when the relevant trigger takes place
    - E.g., the moment when the offering of goods takes place, or when the behaviour is monitored
(ii) Types of activities that trigger the application of Art. 3 (2) GDPR
  a. Offering of goods or services, irrespective of whether a payment by the data subject is required, to data subjects in the Union
     Also applies where the offer is directed at persons in the Union
  b. Monitoring of data subjects’ behaviour
     The behaviour monitored must relate to a data subject in the Union
     The monitored behaviour must take place within the territory of the Union
  c. Processor not established in the Union
     Determine whether the processor’s processing activities ‘are related’ to the targeting activities of the controller
 controllers and processors caught by Art. 3 (2) must designate a representative in the Union (Art. 27 GDPR), subject to the exceptions in Art. 27 (2)

Art. 3 (3) GDPR  processing in a place where Member State law applies by virtue of public international law
- Recital 25 – MS law applies by virtue of public international law
  o Applies to a controller not established in the Union, e.g., in a MS’s diplomatic mission or consular post

WEEK 3 – Principles for Processing Data and Data Subjects’ Rights

SIX CORE PRINCIPLES
 The six core principles of Art. 5 (1) GDPR provide the foundation upon which all subsequent provisions of the regulation are built.

OVERVIEW
Six core principles
(i) Lawfulness, Fairness and Transparency (Art. 5 (1) (a) GDPR) = personal data shall be processed lawfully, fairly and in a transparent manner
  o Art. 6 (1) GDPR – lawfulness of processing (the legal bases)
   processing must also be fair and transparent, providing all necessary information to data subjects about the processing activities
(ii) Purpose Limitation (Art. 5 (1) (b) GDPR) = data collected for a specific purpose should not be repurposed, unless the new use is compatible with the original purpose or additional consent is obtained
   ensures transparency and predictability, enhancing legal certainty for data subjects
  o To determine whether further processing is compatible (Art. 6 (4) GDPR), take into consideration:
    (a) the link between the original purposes and the purposes of the intended further processing
    (b) the context in which the personal data were collected – the reasonable expectations of data subjects, based on their relationship with the controller, as to further use
    (c) the nature of the personal data
    (d) the consequences of the intended further processing
    (e) the existence of appropriate safeguards
(iii) Data Minimization (Art. 5 (1) (c) GDPR) = only data that are necessary for the specified processing purposes should be collected
   supports privacy by ensuring that excessive data are not retained
  o Data must be limited to what is necessary to fulfil a legitimate purpose
  o Processing of personal data should only take place when the purpose of the processing cannot reasonably be fulfilled by other means
  o Processing may not disproportionately interfere with the interests, rights and freedoms at stake
(iv) Accuracy (Art. 5 (1) (d) GDPR) = data must be accurate and, where necessary, kept up to date
  o Incorrect data should be rectified or deleted without delay
  o Must be implemented by the controller in all processing operations
  o Data may need to be checked regularly and kept up to date to secure accuracy  to ensure that decisions based on personal data are made using the most current and correct information available
(v) Storage Limitation (Art. 5 (1) (e) GDPR) = personal data kept in a form which permits identification of data subjects for no longer than is necessary for the purposes of the processing
(vi) Integrity and Confidentiality (Art. 5 (1) (f) GDPR) = personal data processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

Ensuring Transparency and Fair Processing
 transparency is essential in data processing
- Data controllers are obligated to ensure that processing activities are transparent to data subjects
  o Using clear and plain language to communicate how and why data are processed (Arts. 12-14 GDPR)

CONSENT
CONSENT as a legal basis for processing personal data (Art. 4 (11) GDPR) must be:
(i) Freely given
(ii) Informed
(iii) Specific
(iv) An unambiguous indication of the data subject’s wishes by a clear affirmative act signifying agreement to the processing
 consent is only valid where all these requirements are fulfilled
The data subject has the right to withdraw consent at any time (Art. 7 (3) GDPR)

DATA SUBJECT’S RIGHTS (GDPR)
OVERVIEW DATA SUBJECT’S RIGHTS:
(i) Right to be informed (Arts. 12-14)
(ii) Right of access (Art. 15)
(iii) Right to rectification (Art. 16)
(iv) Right to erasure (Art. 17)
(v) Right to restriction of processing (Art. 18)
(vi) Right to data portability (Art. 20)
(vii) Right to object (Art. 21)

Right to be informed (Arts. 12-14 GDPR) = the data controller must provide information to data subjects about how their data are being processed
- Transparency = cornerstone of the GDPR, ensuring the data subject is fully informed about processing activities involving their data
Right of access (Art. 15 GDPR) = the right to access one’s personal data held by data controllers
- Includes: the right to obtain a copy of the personal data and other details (purposes, recipients, retention period, source)
Right to rectification (Art. 16 GDPR) = individuals can have inaccurate personal data corrected
- Crucial in maintaining the accuracy of personal data in databases
Right to erasure (Art. 17 GDPR)
= ‘right to be forgotten’; allows data subjects to request the deletion of their data when:
(i) the data are no longer necessary for the original purposes
(ii) consent is withdrawn, or
(iii) the processing is unlawful
- exercised in Google Spain (C-131/12) – highlighted the balance between the data subject’s privacy rights and the public interest
Right to restriction of processing (Art. 18 GDPR) = data subjects can request the restriction of the processing of their personal data
- applicable in cases where the accuracy of the data is contested or the processing is deemed unlawful
Right to data portability (Art. 20 GDPR) = allows individuals to receive their personal data in a structured, commonly used and machine-readable format and to transmit those data to another controller
 enhances the control individuals have over their data, facilitating easier movement between service providers
Right to object (Art. 21 GDPR) = the right to object to the processing of one’s personal data where it is based on legitimate interests (or a public interest task), and in any case where it is carried out for direct marketing

WEEK 4 – Data Transfers

 (adequacy decisions) can be reviewed
- The European Parliament and the Council of the European Union can request the Commission to maintain, amend or withdraw an adequacy decision
  o Where they deem the decision to exceed the Commission’s implementing powers under the GDPR
Examples of elements that should be taken into consideration (Art. 45 (2) GDPR):
(a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, e.g., public security, defence, national security and criminal law
(b) the existence and effective functioning of one or more independent supervisory authorities in the third country, or to which an international organization is subject
(c) the international commitments the third country or international organization has entered into

Case law:
- Schrems I (C-362/14): an adequacy decision requires a level of protection ‘essentially equivalent’ to that guaranteed within the EU (para. 73)
  o Not word for word the same, but the protection must be present, even if achieved by different means
- Schrems II (C-311/18): confirmed that national data protection authorities can examine complaints about transfers even where an adequacy decision exists and can bring its validity before the courts; the Privacy Shield adequacy decision was invalidated

APPROPRIATE SAFEGUARDS
 Art. 46 GDPR – in the absence of an adequacy decision, a controller or processor may still transfer personal data to a third country or an international organization, provided that appropriate safeguards have been implemented and enforceable data subject rights and effective legal remedies are available

Appropriate safeguards
A. Standard contractual clauses (SCCs) = standardized contractual clauses between the transferor in the EU and the recipient outside the EU; unique because both parties enter into obligations vis-à-vis the data subject
   Schrems II: SCCs remain valid, but the exporter must assess whether the law and practice of the third country undermine the protection the clauses provide and, if so, adopt supplementary measures or suspend the transfer
  a. Clauses adopted by the European Commission (Art. 46 (2) (c) GDPR) – must be adhered to during data transfers  adopted under the examination procedure (Art. 93 (2) GDPR)
  b. Clauses adopted by a supervisory authority (Art. 46 (2) (d) GDPR) – once approved by the European Commission (Art. 93 (2) GDPR) they can also be used
B. Binding corporate rules (Art. 47 GDPR) = internal data protection rules binding on all members of a group of undertakings or enterprises engaged in a joint economic activity, approved by the competent supervisory authority under the consistency mechanism; allow transfers to group members outside the EU
   probably not an option for most organizations (heavy approval procedure)
C. Legally binding and enforceable instrument (Art. 46 (2) (a) GDPR) = agreements between public authorities or bodies that are legally binding and enforceable
D. Approved code of conduct (Art. 46 (2) (e) GDPR) = a code of conduct approved pursuant to Art. 40 GDPR, together with binding and enforceable commitments by the controller or processor in the third country (including as to data subjects’ rights)
E. Approved certification mechanism (Art. 46 (2) (f) GDPR) = certification approved via Art. 42 GDPR, together with binding and enforceable commitments by the controller or processor in the third country to apply the appropriate safeguards (including as to data subjects’ rights)

DEROGATIONS (last resort option)
 third avenue under the GDPR that allows for the transfer of personal data in specific situations – data can be transferred based on a derogation listed in Art. 49 GDPR
Possible derogations (Art. 49 GDPR)  must be interpreted strictly, ensuring they remain exceptions to the rule that personal data should not be transferred without adequacy or appropriate safeguards
- Legal grounds: consent and contractual necessity (similar to the lawfulness principle)
- IMPORTANT:
  o NOT for massive transfers
  o NOT for repetitive (day-to-day) transfers
- Derogations are the last option, exceptional, need a legal ground, and cannot be used for repetitive or mass transfers of data

Art. 49 GDPR  a transfer or set of transfers may occur under the following conditions:
(i) The transfer is made with the individual’s explicit consent, after being informed of the possible risks.
(ii) The transfer is necessary for the performance of a contract between the individual and the organization, or for pre-contractual steps taken at the individual’s request.
(iii) The transfer is necessary for the performance of a contract made in the interests of the individual between the data controller and another person.
(iv) The transfer is necessary for important reasons of public interest.
(v) The transfer is necessary for the establishment, exercise or defence of legal claims.
(vi) The transfer is necessary to protect the vital interests of the individual or of other persons, where the individual is physically or legally incapable of giving consent.
(vii) The transfer is made from a register that, under EU or Member State law, is intended to provide information to the public and is open to consultation by the public or by those with a legitimate interest in inspecting the register.
 to assess the necessity of the transfer – apply the necessity test
Necessity test for derogations: whether the transfer of personal data is genuinely necessary for the specific purpose of the derogation in question
When none of the derogations apply – it is still possible, under strict conditions (Art. 49 (1), second subparagraph), to transfer data for the compelling legitimate interests of the data controller, provided the transfer is not repetitive, concerns only a limited number of data subjects, and the supervisory authority is informed

(iii) Tailored as narrowly as possible to minimize the amount of data requested
(iv) Does not seek any data related to the Single Euro Payments Area (SEPA)
 the SWIFT (TFTP) agreement is valid for five years

Benefits and limitations of an international agreement

Benefits:
- It is an agreement (binding on both parties)
- Purpose-focused
- Provides the legal basis that was needed because, after 9/11, the data were retained and shared for a different purpose (not for the banks’ own use)
  o Because it is non-contractual
  o To receive reports
- Security purposes

Limitations:
- Will be specific if it is an international agreement
  o Most often it concerns things such as Passenger Name Records
- It may be harder to claim remedies and to operate within the procedures
- Rights have to be ensured in a more difficult way
- Has to comply with international law
- Time consuming (lots of procedures)
  o Harder to find common ground

WEEK 5 – Data Protection Officer and Data Protection Authorities

DATA PROTECTION OFFICERS (DPO)

DPO = officer/individual who advises the organization on data protection compliance, acts as an intermediary between the organization, data subjects and supervisory authorities, and facilitates accountability and transparency in data processing activities

- Art. 37 – Designation of the data protection officer (mandatory where):
  o Public authority or body – Art. 37 (1) (a) GDPR
  o Core activities involve regular and systematic monitoring of data subjects on a large scale – Art. 37 (1) (b) GDPR
  o Core activities involve large-scale processing of special categories of data (Art. 9) or of data relating to criminal convictions (Art. 10) – Art. 37 (1) (c) GDPR
- Art. 38 – Position of the data protection officer (independence, no conflict of interest, reports to the highest management level)
- Art. 39 – Tasks of the data protection officer
  o Informing and advising
  o Monitoring compliance
  o Cooperating with, and acting as contact point for, the supervisory authority
   maybe not a one-person job: can be an office of multiple people

DATA PROTECTION AUTHORITY (SUPERVISORY AUTHORITY)
DPA = independent public authority responsible for monitoring the application of the GDPR (supervisory authority)
- Consistency mechanism = supervisory authorities shall cooperate with each other and, where relevant, with the European Commission in order to contribute to the consistent application of the regulation (Art. 63 GDPR)
- DPA powers (Art. 58 GDPR):
  (i) Investigative powers (Art. 58 (1))
    a. Information requests
    b. Data protection audits
    c. Certification reviews
    d. Notifying the controller or processor of an alleged infringement
    e. Access to data
    f. Access to premises
  (ii) Corrective powers (Art. 58 (2))
    a. Warnings and reprimands
    b. Compliance orders
    c. Ordering communication of a data breach to data subjects
    d. Temporary or definitive limitations on processing, including bans
    e. Ordering rectification or erasure of data
    f. Withdrawal of certification
    g. Administrative fines
    h. Suspension of data flows to a third country
  (iii) Authorization and advisory powers to support and guide compliance efforts (Art. 58 (3))
    a. Prior consultation advice

LEAD SUPERVISORY AUTHORITY

Determining the lead authority:
- Purely national situation  no need for cooperation; Art. 56 GDPR does not apply
- If there is a cross-border element  Art. 56 (1) or (2) GDPR
  o Paragraph 1 – the processing affects data subjects in more than one Member State
  o Paragraph 2 – the processing substantially affects data subjects in only ONE Member State

Art. 56 GDPR  the supervisory authority of the main establishment or of the single establishment of the controller or processor is competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor
- Exercised in line with the cooperation procedure in Art. 60 GDPR

Art. 56 (1) GDPR – cross-border processing
- The supervisory authority of the main establishment or single establishment = competent to act as lead for the cross-border processing
- Look at BOTH the controller and the processor
- ‘Main establishment’ (Art. 4 (16) GDPR) requires a significant presence: the place of central administration, or, where decisions on the purposes and means are taken elsewhere in the EU, that place
  o E.g., main establishment in Belgium, employing people in Belgium, but the company also has branches in Portugal and Portugal wants to be involved in the case – Belgium is not automatically lead authority; Portugal is a supervisory authority concerned, and a dispute over who leads is resolved under Art. 65 GDPR
  o If the facts were different, e.g., if the marketing activities and the employees were in Portugal, then Belgium would have to rely on Portugal for collaboration
    - Collaboration is needed in practice, e.g., for language barriers and on-site investigations

Art. 56 (2) GDPR – cross-border element, BUT mainly affecting people in one MS
- “If the subject matter relates only to an establishment in its Member State or substantially affects data subjects only in its Member State.”
  o Look at whether the infringement predominantly affects persons in one MS
  o E.g., Ikea, and someone goes on with the data of the members; does not matter whether

Art. 60 GDPR – the manner in which cooperation takes place between the lead authority and the other supervisory authorities concerned (one or more)
- Art. 60 (1) – cooperation with the aim of reaching consensus (no dictating by the lead authority; an agreement is to be reached, which makes them equals) – they shall exchange all relevant information
- Art. 60 (2) – the lead authority may at any time request the other authorities concerned to provide mutual assistance (Art. 61) and may conduct joint operations (Art. 62)

What happens if they do not agree? – e.g., if both want to be lead authority, or an authority concerned raises a relevant and reasoned objection to the lead authority’s draft decision
Art. 65 GDPR  dispute resolution by the Board (EDPB); its binding decision must be followed by the lead authority
- The Board consists of the head of one supervisory authority of each MS and of the European Data Protection Supervisor (Art. 68 (3) GDPR)

EXCEPTIONS – when a supervisory authority other than the lead authority can handle complaints or possible infringements (Art. 56 (2) GDPR):
(a) where the matter relates only to an establishment in its MS
(b) where the subject matter substantially affects data subjects only in its MS
Where the exceptions apply (Art. 56 (3) GDPR):
- the supervisory authority must inform the lead authority without delay
- the lead authority has three weeks to decide whether it will handle the case
- where the lead authority takes the case – the procedure in Art. 60 GDPR applies
- where the lead authority does not take the case – the local supervisory authority handles it, applying Arts. 61 and 62 GDPR

Lead authority = sole interlocutor for the controller or processor (for cross-border processing) (Art. 56 (6) GDPR)
- Centralizes communication and decision-making, providing a streamlined and consistent approach to handling cross-border data protection issues
A lead authority is determined if:
- The controller or processor has establishments in several Member States, or
- The processing operations substantially affect data subjects in more than one Member State.
- The lead supervisory authority acts as the sole interlocutor for the controller or processor and coordinates cooperation with the other supervisory authorities concerned.
 the EDPB is tasked with issuing guidelines on the application of the GDPR
- Includes criteria to determine whether processing substantially affects data subjects in more than one MS and what constitutes a relevant and reasoned objection

WEEK 6 – Enforcement and Remedies

REMEDIES
Remedies available to data subjects