Introduction to Data Protection Terminology
Intro
At the end of the study, the reader is expected to:
Be familiar with the key data protection terms
Be able to distinguish between the two main actors in data protection: the data controller and the processor
Have knowledge of the obligations deriving from the GDPR regarding data processing and, in particular, of the principles required for lawful processing
Be aware of the specific grounds on which processing must be based in order to be lawful
Be aware of the obligations, preconditions and time limits that apply when handling a data subject request
1. Key GDPR Definitions
This material provides an analytical explanation of the key data protection terms, not only on a theoretical basis but also through practical examples.
Key Messages
If you undertake any of the following operations (processing), including collection, recording, organising, storing, altering, using and transmitting any information relating to a natural person (personal data), and you also define the purpose and the means of these operations, then you are a data controller.
If you undertake the above-mentioned operations on behalf of a data controller, then you are a processor.
If you process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, or you process genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, then you process special categories of data and you need to be aware of the specific requirements stated in art. 9 par. 2 GDPR.
2. Data Protection Principles
This material’s main purpose is to present and explain the seven principles governing the processing of personal data. Taking into account that data controllers are responsible for complying with these principles, are accountable for their processing and must be able to demonstrate their compliance, this material offers a brief and comprehensive guide to complying with these principles. All of the above is presented in a practical manner, through practical guidance and examples.
Lawfulness, fairness and transparency
Purpose limitation
Data minimisation
Accuracy
Storage limitation
Integrity and confidentiality (security)
Accountability
Key Messages
Have the right information: process only the personal data you need for a specified purpose
Define the purpose of the processing
Identify valid grounds (lawful basis) for your processing
Keep the data updated and ensure their accuracy
Check and delete if you have more data than needed for your processing
Put time limitations on the storage of data: think and justify how long you need the data
Protect the personal data: take sufficient technical and organizational security measures
Keep records to be able to demonstrate all the above
3. Legal bases
The purpose of this material is to present, in a comprehensive and understandable manner, the essence of lawful processing: the legal bases. The lawful reasons for processing personal data are presented one by one, interspersed with many practical examples and case studies.
Key Messages
Define the reasons you need to process personal data
Think and define the purpose of the processing
Check the necessity of the processing for the relevant purpose
Find and determine a lawful basis applicable for the processing according to GDPR
Identify a condition for processing special category data or criminal offence data
4. Data subject rights
This material aims to provide not only a comprehensive analysis of data subject rights, but also guidance on the obligations and the procedures to follow in the case of a data subject request.
Key Messages
Inform the data subject: check whether the information provided about the processing is easy to find and understandable for the data subject
Establish clear procedures and plans for the handling of data subject requests
Create records for verbal requests
Respond without delay and within one month of receipt of the request (check the conditions for a two-month extension)
Delete the data once the purpose has been fulfilled
Establish appropriate methods for the erasure of data
Establish secure methods for the transfer of personal data (from one IT environment to another)
Inform data subjects about the profiling and automated decision-making you carry out, what information you use to create the profiles and where you get this information from