Introduction to Data Protection Terminology

Intro

The aim of this material is to provide essential guidance and explanation on key issues in data protection. It also focuses on the most crucial requirements deriving from the GDPR regarding data processing and provides practical guidance on how lawful processing may be accomplished.
The material covers in particular the following aspects: key GDPR definitions, principles and legal bases for lawful processing, as well as information on data subject rights.

At the end of the study, the reader is expected to:

  • Be familiar with the key data protection terms

  • Be able to distinguish between the two main actors in data protection: the data controller and the processor

  • Have knowledge of the obligations deriving from the GDPR regarding data processing and, in particular, of the principles required for lawful processing

  • Be aware of the specific grounds on which processing must be based in order to be lawful

  • Be aware of the obligations, preconditions and time limits that apply when handling a data subject request

1. Key GDPR Definitions

This material provides an analytical explanation of the key data protection terms, not only on a theoretical basis but also through practical examples.

Key Messages

  • If you undertake any of the following operations (processing), including collection, recording, organising, storing, altering, using and transmitting any information relating to a natural person (personal data), and you also define the purpose and the means of these operations, then you are a data controller.

  • If you undertake the above-mentioned operations on behalf of a data controller, then you are a processor.

  • If you process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or if you process genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation, then you process special category data and you need to be aware of the specific requirements set out in Article 9(2) GDPR.

See relevant slides

2. Data Protection Principles

This material’s main purpose is to present and explain the seven principles governing the processing of personal data. Given that data controllers are responsible for complying with these principles, are accountable for their processing and must be able to demonstrate their compliance, this material offers a brief but comprehensive guide to compliance with these principles. The principles are presented in a practical manner, through guidance and examples.

  • Lawfulness, fairness and transparency

  • Purpose limitation

  • Data minimisation

  • Accuracy

  • Storage limitation

  • Integrity and confidentiality (security)

  • Accountability

Key Messages

  • Have the right information: process only the personal data you need for a specified purpose

  • Define the purpose of the processing

  • Identify valid grounds (lawful basis) for your processing

  • Keep the data up to date and ensure its accuracy

  • Check whether you hold more data than needed for your processing and delete the excess

  • Put time limits on the storage of data: consider and justify how long you need the data

  • Protect the personal data: take sufficient technical and organizational security measures

  • Keep records to be able to demonstrate all the above

See relevant slides

4. Data subject rights

This material aims to provide not only a comprehensive analysis of data subject rights, but also guidance on the obligations and the procedures to follow in the case of a data subject request.

Key Messages

  • Inform the data subject: check whether the information provided about the processing is easy to find and understandable for the data subject

  • Establish clear procedures and plans for the handling of data subject requests.

  • Create records for verbal requests

  • Respond without delay and within one month of receipt of the request (check the conditions for a two-month extension)

  • Delete the data once the purpose has been fulfilled

  • Establish appropriate methods for the erasure of data

  • Establish secure methods for the transfer of personal data (from one IT environment to another)

  • Inform data subjects about the profiling and automated decision-making you carry out, what information you use to create the profiles and where you get this information from

See relevant slides
