This document offers a thorough exploration of the General Data Protection Regulation (GDPR), covering its definition of personal data, the scope of its application, lawful processing conditions, data subject rights, and the free movement of data within the EU. It also delves into adequacy decisions, international agreements, and the roles of data protection officers (DPOs) and data protection authorities. Valuable for understanding the complexities of data protection and privacy within the European Union legal framework.
WEEK 1 – Introduction to Privacy and Data Protection
Sociological approach to privacy
Element 3: ‘identified or identifiable natural person’ (para. 31 Nowak) – excludes legal persons (e.g., organizations)
WEEK 2 – The Application of GDPR
GDPR SCOPE
MATERIAL SCOPE (What is being covered?)
The GDPR applies to personal data which is processed, having in mind the exemption.
(1) Personal data (Art. 4(1) GDPR) = ‘any information relating to an identified or identifiable person’
   o Personal data (normal) = e.g., date of birth, etc.
   o Sensitive data (Art. 9 GDPR) = data that can be more damaging to a person, e.g., DNA
(2) Processing (Art. 4(2) GDPR) can be automated or manual if:
   (a) Personal data, and
   (b) Filing system (Art. 4(6) GDPR)
      a. Automated = by default a filing system exists
      b. Manual = there can also be a filing system in cases of manual processing
(3) Exemption = household exemption from the Ryneš case
   o ‘household’ must be narrowly construed and interpreted
   o Processing carried out for a ‘purely’ personal or household activity
   o NOT within the household exemption: CCTV surveillance which covers both public and private space
PERSONAL SCOPE (Who needs to comply with the GDPR?)
(a) Controller = determines the purpose and means of the processing of data
(b) Processor = implements the controller’s requests with regard to the data
(c) Joint controllership = the purpose and means are determined together
TERRITORIAL SCOPE (How?)
Two main ways in which authorities will be captured by the GDPR:
(1) Establishment (Art. 3(1) GDPR) = data processing is done in the context of an entity’s activity within the EU
   o Includes any entity with an effective and real exercise of activity through stable arrangements in the EU
   o Establishment = e.g., office, branch, subsidiary, or presence of a single employee or agent with a sufficient part of an entity
   a. Relationship between a data controller or processor outside the Union and its local establishment in the Union: where there is an inextricable (impossible to separate) link between the processing of personal data carried out by a non-EU controller or processor and the activities of an EU establishment, EU law will apply to that processing by the non-EU entity, whether or not the EU establishment plays a role in that processing of data
   b. Revenue raising in the Union: the inextricable link is fulfilled where activities are considered to be revenue-raising in the EU by the local establishment
Where there is no establishment in the Union, the scope of the GDPR can still apply through the targeting criterion
WEEK 3 – Principles for Processing Data and Data Subjects’ Rights
SIX CORE PRINCIPLES
The six core principles provide the foundation upon which all subsequent provisions of the regulation are built.
OVERVIEW – Six core principles
(i) Lawfulness, Fairness and Transparency (Art. 5(1)(a) GDPR) = personal data shall be processed lawfully, fairly and in a transparent manner
   o Art. 6(1) GDPR – lawfulness of processing; processing must be fair and transparent, providing all necessary information to data subjects about the processing activities
(ii) Purpose Limitation (Art. 5(1)(b) GDPR) = data collected for a specific purpose should not be repurposed unless the new use is compatible with the original purpose or additional consent is obtained; ensures transparency and predictability, enhancing legal certainty for data subjects
   o To determine whether the further processing is compatible, the following need to be taken into consideration:
      (a) Link between those purposes and the purposes of the intended processing
      (b) Context in which the personal data is collected – reasonable expectation of data subjects, based on their relationship with the controller, as to its further use
      (c) Nature of the personal data
      (d) Consequences of the intended further processing
      (e) Existence of appropriate safeguards
(iii) Data Minimization (Art. 5(1)(c) GDPR) = only data that is necessary for the specified processing purposes should be collected; supports privacy by ensuring that excessive data is not retained
   o Data must be limited to what is necessary to fulfil a legitimate purpose
   o Processing of personal data should only take place when the purpose of the processing cannot reasonably be fulfilled by other means
   o Processing may not disproportionately interfere with the interests, rights and freedoms at stake
(iv) Accuracy (Art. 5(1)(d) GDPR) = data must be accurate and up to date
   o Incorrect data should be rectified or deleted without delay
   o Must be implemented by the controller in all processing operations
   o Data may need to be checked regularly and kept up to date to secure accuracy, ensuring that decisions based on personal data are made using the most current and correct information available
(v) Storage Limitation (Art. 5(1)(e) GDPR)
Ensuring Transparency and Fair Processing
Transparency is essential in data processing.
= ‘right to be forgotten’ – allows data subjects to request the deletion of their data when: (i) it is no longer necessary for the original purposes, (ii) consent is withdrawn, or (iii) the processing is unlawful
can be reviewed
D. Approved code of conduct = codes of conduct approved pursuant to Art. 40 GDPR + binding and enforceable commitments by the controller or processor in the third country (including data subjects’ rights)
E. Approved certification mechanism = approved via Art. 42 GDPR + binding and enforceable commitments by the controller or processor in the third country to uphold the appropriate safeguards (including data subjects’ rights)
DEROGATIONS (last resort option)
Third avenue under the GDPR that allows for the transfer of personal data in certain situations – data can be transferred based on a derogation listed in Art. 49 GDPR
Possible derogations (Art. 49 GDPR) must be interpreted strictly, ensuring they remain exceptions to the rule that personal data should not be transferred
(iii) Tailored as narrowly as possible to minimize the amount of data requested
(iv) Does not seek any data related to the Single Euro Payments Area (SEPA)
SWIFT agreements are valid for five years
Benefits and limitations of international agreements
Benefits
Limitations
DPO = officers/individuals who advise organizations on data protection compliance, act as intermediaries between the organization, data subjects and supervisory authorities, and facilitate accountability and transparency in data processing activities
Determining the lead authority:
Art. 65 GDPR – dispute resolution by the board