Module 4 - Processing Personal Data

Question 1

What is meant by processing of personal data?

Answer 1

Any operation performed upon personal data.

Question 2

What are the data processing principles prescribed by article 5, GDPR?

Answer 2

• Lawfulness (LAWFUL BASIS), fairness (HONEST PRACTICES) and tranparency (EXPLANATION TO DATA SUBJECT) of processing.
• Data minimisation - RETAINING DATA ONLY AS RELEVANT AND NECESSARY FOR PURPOSE.
• Purpose limitation - SPECIFIC USAGE / CLOSELY-LINKED PURPOSES.
• Storage limitation - NO MORE DATA COLLECTED AND STORED THAN NECESSARY.
• Accountability - RESPONSIBLE DATA PROCESSING, DEMONSTRATING COMPLIANCE WITH PREVAILING REQUIREMENTS.
• Data quality and accuracy - PROCESSING COMPLETE AND UPDATED DATA.
• Integrity and confidentiality - ENSURING SECURE PROCESSING.

Question 3

What is the territorial scope of GDPR (article 3)?

Answer 3

Applicable to controllers and processors:
- From establishments within the EU (EDPB - processor establishment not determined by processor status alone).
- In relation to the promotion of product and services to subjects (e.g. - localised website), or the monitoring of the behaviour of subjects within the EU (EDPB - must be TARGETING of EU data subjects; consider digital tracking, ubiquitous and concerted practices - not any collection of data).
- Controllers active in a territory that is subject to a MS by public international law.

Question 4

What is the material scope of GDPR (article 2)?

Answer 4

Data must be:
- Wholly or partly processed by automated means (DIGITAL); or
- Data forming part of a structured filing system (e.g. archives); or
- UK ONLY: Non-structured physical data held by public authority.

Exceptions (narrowly construed):
- Data processed as part of household or personal activities.
- Law enforcement- or public security-related processing.
- Processing relating to activities outside the scope of EU law (e.g. national defence).

Question 5

What are the grounds for lawful processing of non-special category personal data?

Answer 5

• Consent (CLEAR AND FREELY GIVEN; PARENTAL CONSENT NEEDED FOR CHILDREN BELOW 13-16 (MS-DETERMINED)).
• Vital interests.
• Legitimate interests of the controller or third party (SHOULD NOT OVERRIDE OR POSE DISPROPORTIONATE RISK TO DS’S RIGHTS AND INTERESTS; DS CANNOT WITHDRAW LIKE CONSENT BUT CAN OBJECT; LIA PERFORMED TO BALANCE LI WITH DS RIGHTS AND OBLIGATIONS).
• Performance of a contract (DS IS PARTY TO).
• Fulfilment of a (EEA) legal obligation.
• Public interest (EXERCISED BY CONTROLLER).

Question 6

What are the grounds for lawful processing of special category personal data?

Answer 6

• Explicit consent (UNAMBIGUOUS, INFORMED AND FREELY GIVEN).
• Employment context (pursuant to employment law) (DS MUST BE CANDIDATE, CONTRACTOR OR EMPLOYEE).
• Vital interests (CONSENT MUST NOT BE POSSIBLE).
• Sensitive data manifestly made public (DISCLOSED BY DS OR THROUGH SOCIAL MEDIA).
• Political, philosophical and religious purposes (BY RELEVANT ORGANISATIONS RE. MEMBER OR AFFILIATE WHO IS DS; SUITABLE SAFEGUARDS MUST EXIST; DISCLOSURE BEYOND ORGANISATION NOT ALLOWED).
• Establishment, exercise or defence of legal claims (MUST BE NECESSITY; CLOSE CONNECTION BETWEEN PROCESSING AND PURPOSE).
• Substantial public interest (BALANCED AGAINST DS RIGHTS; SUITABLE SAFEGUARDS REQUIRED; MS MAY STATE PI GROUNDS).
• Medicine and social healthcare (E.G. ASSESSING EMPLOYEE WORKING CAPACITY; MAKING DIAGNOSIS; PROVIDING TREATMENT / REASON MAY BE BASED ON EU OR MS LAW OR BE PURSUANT TO CONTRACT).
• Public health (BAED UPON EU OR MS LAW (E.G. PROTECTION AGAINST CROSS-BORDER THREATS TO HEALTH).
• Public archives, scientific or historical research, or statistics (BASED ON MS LAW; MUST BE PROPORTIONATE TO PURPOSE; SUITABLE SAFEGUARDS REQUIRED).