What does Article 5 cover?
Principles relating to the processing of personal data
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (protecting the data)
- Accountability
What does article 6 cover?
Lawfulness of processing (processing only lawful if one of these applies)
- Consent
- Performance of a contract
- Necessary for compliance with a legal obligation
- Necessary to protect vital integrates of data subject or other natural person
- Public interest or exercise of official authority
- Legitimate interest (except where overridden by rights of data subject)
What does article 7 relate to?
Conditions for consent
- Need to demonstrate that data subject has consented
- If given in context of written declaration, must be separate from other matters (e.g. T&Cs) and in clear and plain language
- Right to withdraw consent at any time (and as easy to withdraw as to give)
- When assessing whether consent is freely given - account should be taken of whether provision of the service is conditional on consent to processing of data that is not necessary for performance of the contract (ref FB?)
Which article lists the minimum requirements of binding corporate rules (BCRs)
BCRs are a form of adequacy decision.
Article 47 lists the minimum requirements of BCRs
Note there are different versions for controllers and processors
Which article of the GDPR deals with codes of conduct?
Article 40 (and article 41 deals with oversight of these by an approved independent monitoring body)
CoC are a tool for appropriate safeguards
Which articles cover certification mechanisms?
Articles 42 and 43
Article 42.7 says that certifications are issued only to data controllers and data processors (not to people/individuals)
Also unlikely that a company’s whole operation would be certified. Certification is more likely to focus on discrete processing operations
Which article covers derogations?
Article 49
Last resort option for international transfers when there are no adequacy decisions or appropriate safeguards
What does Article 37 require?
It requires certain organisations to appoint a DPO
- If you’re a public authority or body
- If you conduct regular and systemic monitoring of data subjects on a large scale
- If core activities consist of large scale processing of special categories of data or personal data relating to criminal cases
- If you’re required to do so by member state law
What does Article 32 focus on?
Security of processing
What are the key principles outlined in Article 5
Article 5 deals with the principles relating to processing of personal data
- 1.a - Lawfulness, fairness and transparency
- 1.b - Purpose limitation
- 1.c - Data minimisation
- 1.d - Accuracy
- 1.e - Storage limitation
- 1.f - Integrity and confidentiality
- Accountability
