Understanding GDPR: Key Principles and Compliance, Study notes of Nursing

Key aspects of the General Data Protection Regulation (GDPR) are highlighted, focusing on the conditions for processing personal data, data subject rights, controller-processor contracts, and the roles of data controllers and processors. The notes cover lawfulness of processing, territorial scope, data erasure, restriction of processing, and information requirements. They also address accountability measures, including the role of the data protection officer (DPO), record-keeping, and cross-border processing, with an emphasis on compliance and the data protection principles. The document gives a structured overview of the GDPR's key components and their implications for organizations handling personal data, which makes it useful for legal professionals, data protection officers, and anyone involved in data processing activities.

Typology: Study notes

2024/2025

Available from 07/31/2025

LicensedExamTutor



Partial preview of the text


Summary Notes All Modules CIPPE

Module 1 – Data protection laws

1.1. Privacy and data protection law – comparing key terms

  • Privacy – respect for private life, family life, home and communications
    o Broad definition, including information privacy, bodily privacy, territorial privacy and communications privacy.
  • Data protection – protection of personal data, fair processing, specified purposes, consent or lawful ground, and access and rectification.
    o Narrower definition, including information and communications privacy;
    o Laws and policies governing the collection and use of personal data.
  • Extended definition of data protection:
    o Transparency;
    o Legal basis for processing;
    o Proportionality;
    o Data is accurate and current;
    o Right to correct and object;
    o Security;
    o Export restrictions.
  • Types of privacy:
    o Information privacy: concerned with establishing rules that govern the collection and handling of personal data.
      ▪ Financial data, medical data, government records and records of a person's activities on the internet.
    o Territorial privacy: concerned with placing limits on the ability to intrude into another individual's environment.
      ▪ "Environment" may be the home, the workplace or even public space.
      ▪ Invasion may take the form of video surveillance or ID checks.
    o Bodily privacy: focused on a person's physical being and any invasion thereof.
      ▪ Genetic testing, drug testing or body cavity searches, birth control, abortion and adoption.
    o Communications privacy: encompasses protection of the means of correspondence.
      ▪ Postal mail, telephone conversations, email and other forms of communicative behavior.

      ▪ Protection of health or morals;
      ▪ Protection of rights and freedoms of others.
  • Article 8: protects private life, family life, home and communications, and includes the right to data protection (private life). Considered to be one of the most open-ended provisions of the Convention.

1.4. Comparing European Courts

  • Court of Justice of the EU
    o Judicial body of the EU;
    o Decides on issues of EU law and enforces those decisions;
    o Comprises the Court of Justice ("ECJ") and the General Court (formerly the "Court of First Instance" ("CFI"));
    o Data protection as it relates to cases brought by national courts and the Commission against Member States.
  • European Court of Human Rights
    o Part of the apparatus of the Council of Europe and thus not part of the EU;
    o Enforces the European Convention on Human Rights and Convention 108;
    o Judges sit in their individual capacity and do not represent any state;
    o Data protection as it relates to Article 8.

1.5. Data Protection: Dawn of a new age

  • New opportunities and need for European data protection law;
  • 1949: establishment of the Council of Europe;
  • 1951: formal establishment of the European Coal and Steel Community (ECSC), which over time would develop into the European Union (EU);
  • 1960s: rapid growth of international trade and increasing use of computers and telecommunications;
  • 1970s–80s: greater conflict between national privacy rights and international free trade;
  • 1980s–90s: rise of data management issues (direct marketing, telemarketing) and establishment of the EU (1993);
  • 2000s: identity theft;
  • 2010s: social media, cloud computing, online ads, location-based services.

1.6. Right to privacy vs. freedom of speech

  • Contradiction between two fundamental human rights;
  • Increasing relevance in the information age;
  • Right to withdraw consent;
  • Right to lodge a complaint.
  • Google Spain v AEPD and Mario Costeja Gonzalez:
    o Mr. Costeja sued Google Spain, Google Inc. and the La Vanguardia newspaper because personal data about him was available through a Google search of the newspaper's online archives. The Court of Justice of the EU ruled that Google Spain must remove the links to the article.

1.7. Human rights laws

  • Universal Declaration of Human Rights
    o Adopted on 10 December 1948 by the UN General Assembly, after World War II. Recognizes the inherent dignity and the equal and inalienable rights of all members of the human race as the foundation of freedom, justice and peace in the world.
    o Article 12 – right to private life and associated freedoms: "no one shall be subject to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation".
    o Article 19 – right to freedom of opinion and expression.
    o Article 29(2): "individual rights are not absolute".
  • European Convention on Human Rights
    o Follow-up on the Universal Declaration; entered into force on 3 September 1953. It only applies to "MS, and all Council of Europe MS are party to the treaty".
    o Rulings of the ECtHR are "binding on states and can lead to amendment and change in practice by national government". The Court may also give advisory opinions at the request of the Committee of Ministers of the Council of Europe. The ECtHR became a full Court on Human Rights on 1 November 1998.
    o Articles relevant to privacy:
      ▪ Article 8 ECHR, similar to Article 12 UDHR:
  • Everyone has the right to "respect for private and family life, home and correspondence".
  • The right to privacy is not absolute; necessity and proportionality may justify breaching individuals' privacy rights.

    o EU
    o Successor to the Data Protection Directive (Recital 171, Art 94, 99).

1.9. EU institutions

  • European Council:
    o Heads of state or government of all EU countries, the European Council president, the European Commission president, and the High Representative for Foreign Affairs and Security Policy.
    o Formalized as an institution in 2009 upon the entry into force of the Treaty of Lisbon.
    o Functions:
      ▪ A collegiate body that defines the overall political directions and priorities of the EU.
  • European Commission:
    o One commissioner per member state, who pledges to respect the EU Treaties. It is the most active EU institution in data protection.
    o Functions:
      ▪ Implements EU decisions and policies. Has executive competence to propose legislation (right of initiative).
  • Council of the European Union:
    o One minister from each member state – changes based on the policy issue to be discussed.
    o Functions:
      ▪ Legislative decision-making (along with the European Parliament). Legislation is generally proposed by the Commission before being examined by the Council of the EU and the European Parliament.
      ▪ Exercises "budgetary functions with the EU Parliament".
      ▪ "Carries out policy-making and coordinating functions".
  • European Parliament:
    o Only EU institution whose members are directly elected.
    o Greatest impact on data protection and privacy issues through its role in the legislative process.
    o Functions:
      ▪ Primary responsibilities – legislative development, supervisory oversight of the other institutions and budget development.
      ▪ Co-decision: process by which the Council of the EU and the European Parliament agree on legislation.

1.10. Data protection law: ePrivacy Directive and GDPR

  • Processing that triggers the material scope of both:
    o ePrivacy Directive: electronic communications service, electronic communications network, and service and network publicly available and offered in the EU; website operators (e.g., for cookies) or other businesses (e.g., for direct marketing).
  • Interplay:
    o "To particularize" (lex specialis principle): "special provisions prevail over general rules".
    o "To complement": several ePrivacy Directive provisions complement GDPR provisions.

Module 2 – Personal data

2.1. Personal data four-step test:

  • Personal data is defined under the GDPR as "any information relating to an identified or identifiable natural person".
  • Four-step test:
    o 1) Any information (consider nature, content and format)
      ▪ Nature:
        1. Any statement about a person, both objective (Rita has a JD) and subjective (she is a good worker);
        2. Information does not need to be true to be considered personal data.
      ▪ Content:
        1. "Includes an individual's private life" and information regarding any activity taken by the person in either the "professional or public sphere", e.g. phone number at work, home address or personal phone number;
        2. "Includes online identifiers", such as IP addresses, cookies or radio frequency tags used to create a person's profile and identify them, demonstrating the breadth of personal data content.
      ▪ Format:
        1. Includes information in "any form, automated and manual", as well as information that "forms part of a filing system", e.g. paper in a hospital clinical history, computer memory that records a person's electronic bank records, a tape kept by a travel agent about a customer, or even images recorded on CCTV.
    o 2) Relating to:
      ▪ For personal data to relate to an individual, one of three elements must apply:
  • Relationship by content element: (e.g. name, job title, address, result of a test)
  • Purpose element: (e.g. whether the information is processed to evaluate, consider or analyze the individual in a certain way).
  • Result element: impact on someone's privacy rights.
    o 3) An identified:
      ▪ Name or singling out;
      ▪ Specific characteristics.
    o Or identifiable:
      ▪ Indirect

      ▪ Photographs are covered under this category where they are processed through a technical means allowing the unique identification or authentication of a natural person. This means photographs are not always covered under Art 9 but can also be considered as normal "personal data".

    o Data concerning health:
      ▪ Data relating to the physical or mental health of a natural person, including the provision of health care services, which reveals information about his/her health status. Includes data pertaining to the health status of an individual which reveals information about the past, current or future physical or mental health of the person, and includes:
  • Information about the natural person collected in the course of registration for, or provision of, health care services;
  • A number, symbol or particular assigned to a natural person to uniquely identify that person for health purposes;
  • Information derived from the testing or examination of a body part or bodily substance, including genetic data and biological samples;
  • Any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject, independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test.
    o Data concerning an individual's sex life or sexual orientation.
    o Special categories of data concerning children.
  • Other:
    o Criminal convictions and offences, or related security measures (Art 10), carried out under the control of an official authority under lawfulness of processing (Art 6). Not considered sensitive data, but a controller must comply with the requirements of the GDPR.

Module 3 – Controllers and processors

3.1. Processing

  • Processing is any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • Conditions for processing of personal data:
    o Processing must be wholly or partly carried out by automated means; or
    o Where processing is not by automated means, it must concern personal data that forms part of a filing system or is intended to form part of a filing system.
      ▪ Filing system refers to a structured set of personal data that is accessible according to specific criteria.

3.2. Data controllers and joint controllers

  • Art 4(7): "The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data".
  • i. Natural or legal person or any other body:
    o May be a legal or natural person; preference should be given to considering the controller to be the company or body as such, rather than an individual appointed by the company or body.
    o "Employees appointed by an organization acting on behalf of the controller" to ensure compliance with data protection or processing of data are "not considered controllers" because they act on behalf of the legal entity.
  • ii. Alone or jointly with others:
    o Different organizations, bodies or natural persons may be data controllers of the same personal data; jointly means that "they act together regarding processing of personal data".
    o Examples:

or means to itself including substantial questions essential to the core of lawfulness of processing.

  • iv. Identifying the source of control
    o 1) Control from explicit legal competence:
      ▪ A) Explicit appointment of the controller under national or Community law;
      ▪ B) Law establishes a task or imposes a duty on someone to collect data.
    o 2) Control from implicit legal competence:
      ▪ A) Control stems from common legal provisions or legal practice (employer with employee data).
    o 3) Control from factual influence:
      ▪ A) Control based on assessment of factual circumstances:
  • Consider the degree of actual control exercised by the party, the impression given to individuals and the reasonable expectations of individuals on the basis of this visibility.

3.3. Data processors

  • A person other than an employee of the controller who processes personal data on behalf of a controller and who does not, unlike the controller, have authority to allocate responsibility.
    o The mechanics of processing may be determined by the service provider, who remains a processor provided the overall purposes are still determined by its client (the data controller).
  • Definition:
    o Natural / legal person, public authority, agency or other body that processes personal data on behalf of a controller.
    o Processor acts on behalf of the controller (Art 4(8)) and processes on written instructions only (Art 28).
    o Provides a service to the controller (Art 28), such as:
      ▪ assisting the controller;
      ▪ informing the controller of GDPR infringements.
    o Protects personal data (Art 28), such as:
      ▪ ensuring confidentiality;
      ▪ appropriate technical and organizational measures.

    o Processor has to demonstrate compliance (Art 30). The controller can delegate determination of the means of processing to a processor as far as technical or organizational questions are concerned:
      ▪ Security, record-keeping, notifying controllers of data breaches and ensuring compliance with restrictions on international data transfers.
    o Processors have a wide degree of discretion regarding how they carry out their duties, but these all relate to the "how". Obligations relating to purpose, such as ensuring processing has a lawful ground and respecting individual rights, are imposed only on data controllers.
    o A processor who goes beyond their mandate by deciding on the purposes of processing or the essential means of the processing will be considered a controller in respect of that processing and bear all the responsibilities (this happened in the SWIFT case).

  • Controller-processor contracts
    o The processor should process personal data only on the controller's instructions, and a contract or binding legal act regulating the relations between the controller and processor should be in writing.
      ▪ If a controller is engaging a data processor, the controller is obligated to have a documented contract in place that contains (Art 28):
  • Subject matter, duration and nature of the data processing;
  • Types of personal data and categories of data subjects;
  • Obligations and rights of the controller;
  • The processor's responsibilities.
  • Second processor involvement
    o A processor may not engage another processor without the prior authorization of the data controller. This authorization may be general or specific. If it is general, the processor is required to give the controller an opportunity to object to the addition or replacement of other processors.
    o The contract between the initial processor and its sub-processor must include all the mandatory provisions. See Art 28, which sets out further detailed content for the processing contract.
    o The initial processor remains fully liable to the controller for the performance of its sub-processors.

3.4. Processor Vendor Management

  • Choose reliable processors;

4.2. Data Processing Principles (Art 5)

  • Personal data must only be processed if a legal ground exists, and to the extent that the processing is carried out in a fair and transparent manner.
  • 1.1. Lawfulness: personal data must only be processed when data controllers have a legal ground for processing the personal data.
  • Processing is lawful under the following grounds:
    o Consent: freely given, specific, informed and unambiguous indication of the data subject's wishes by which he, by a statement or by clear affirmative action, signifies agreement to the processing.
      ▪ Freely given: the data subject has a genuine choice and must be able to refuse or withdraw consent.
  • Must be distinguishable from other issues; if bundled together, it is not binding.
  • Where there is a clear imbalance of power between data controller and data subject, e.g. a public authority, consent should not be relied upon.
  • An employer-employee relationship does not show freely given consent where the employee cannot withhold consent without suffering prejudice.
      ▪ Specific: consent must be given specifically for the particular processing operation in question; if multiple purposes exist, consent must be given for all of them.
      ▪ Informed: the data subject must be given all necessary details of the processing activity in a language and form they can understand. The data subject needs to be aware of the identity of the controller and the purposes of processing.
      ▪ Unambiguous: there must be no doubt as to the data subject's intent to give consent. Active indication of consent is required, so pre-ticked boxes or silence are unacceptable.
    o Contractual necessity: necessary for the performance of a contract.
      ▪ A close and substantial connection between the processing and the purposes is required.
      ▪ Only when processing is unavoidable (e.g. the data subject buys a product from the controller and, to deliver the product, processing is required).
    o Legal obligation (to which the controller is subject).
      ▪ Where the controller is required by law (e.g. tax, social security) (not a contractual obligation).
    o Vital interests of individuals.
      ▪ Refers to life-or-death circumstances where processing is vital to the data subject's survival.
    o Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
      ▪ National/EU or MS legislation determines what tasks are carried out in the public interest.
    o Legitimate interest pursued by the controller or a third party.
      ▪ Public authorities will no longer need to rely on this criterion.
      ▪ Non-public authorities will need to satisfy the following factors:
  • Processing must be necessary for the purpose;
  • Processing must be a legitimate interest of the controller or TP;
  • Interests are balanced against the data subject's (must uphold the fundamental rights and freedoms of data subjects).
      ▪ Legitimate interest includes the following:
  • Processing strictly necessary to prevent fraud;
  • Direct marketing purposes;
  • Sharing of personal data within a group of undertakings or institutions affiliated to a central body for internal administrative purposes;
  • Necessary and proportionate to ensure network and information security.
      ▪ Controllers need to provide a privacy notice and specify the legal basis for processing; if relying on legitimate interest, they must describe the legitimate interest pursued and properly notify data subjects.
  • 1.2. Fairness: