Session 3 - The right of the data subjects to a lawful processing
Privacy
By design = from the very beginning you must verify if everything is GDPR compliant
Article 25.1 GDPR
7 principles
Privacy Embedded into Design
Respect for User Privacy
Visibility & Transparency
Full Functionality - Positive-Sum, not Zero-Sum
End-to-End Security - Full Life-Cycle Protection
Privacy as the Default Setting
Proactive not Reactive; Preventive not Remedial
Article 25.2 GDPR
- The controller must implement measures to ensure that, by default, only necessary PD for a specific purpose of the processing are processed. That obligation applies to the amount of PD collected, the extent of their processing, the period of their storage & their accessibility.
Ex: when you download an app on your phone, you are asked for your consent to give access to your pictures & videos
Incorporating technical & organizational measures to protect data throughout its lifecycle. Examples include encryption, pseudonymization (replacing personal identifiers), & data minimization (collecting only essential data).
By default = settings will ensure anything you do is GDPR compliant
While users should have the option to adjust settings, privacy-friendly options should be the default to avoid needing users to manually configure them.
Cannot keep useless data => when data is delivered, we should delete it!
Imagine a new social media app. Privacy by design would mean the app is built with strong security features & avoids collecting unnecessary data. Privacy by default would set user profiles to private & limit data sharing by default, with options to open them up if users choose.
Data controller's obligations
Lawfulness, fairness & transparency in the processing
Article 6 - Lawfulness of processing
Limitation (purpose, data, storage)
Security of the data (CIA)
Accountability
DS has 7 rights over their data under the GDPR
Right of Access (Article 15)
Right to Rectification (Article 16)
Right to Erasure or to be forgotten (Article 17)
Right to Restriction of Processing (Article 18)
Right to Data Portability (Article 20)
Right to Object (Article 21)
Right to Withdraw Consent (Article 7(3))
Data Processing
Article 6 - Conditions
Processing shall be lawful only if and to the extent that at least one of the following applies:
a) the DS has given consent to the processing of his or her personal data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the DS is party or in order to take steps at the request of the DS prior to entering into a contract;
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
d) processing is necessary in order to protect the vital interests of the DS or of another natural person;
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
Conditions for the lawfulness of data processing
Article 7
Where processing is based on consent, the controller shall be able to demonstrate that the DS has consented to processing of his or her PD.
If the DS's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible & easily accessible form, using clear & plain language.
The DS shall have the right to withdraw his or her consent at any time.
Consent shall be:
Freely given: the person must not be pressured into giving consent or suffer any detriment if they refuse
Specific: the person must be asked to consent to individual types of data processing
Informed: the person must be told what they're consenting to
Unambiguous: language must be clear & simple
Clear affirmative action: the person must expressly give his consent by doing or saying something
If you're missing any one of these 5 elements, you don't have consent under the GDPR.
Enlightened/Express consent
The DS can be asked to give consent by: 1. Filling in a form; 2. Ticking a box on a website; 3. Phone / face-to-face conversation
Pre-ticked boxes are NOT allowed under the GDPR, but are allowed in some other countries outside the EU.
Implicit consent is not allowed as a method to get (cookie) consent.
Ex: ‘if you continue using this website, we will register that as your consent’
Pre-checked boxes, even on a cookie bar settings page, are not allowed
All consent to advertising or personalisation related cookies needs to be acquired through an explicit action, like checking a box or actively clicking an ‘I accept’ button or both.
Minor's consent
Processing the PD of a child based on consent: 1. To process the PD of a child based on consent, parental authorization is required; 2. The threshold ages vary between 13 and 16 amongst different Member States; 3. To be sure, it is necessary to check the national laws.
Minimum age consent in France
Article 45 of the LIL (Loi Informatique et Libertés): Pursuant to Article 8.1 of Regulation (EU) 2016/679 of April 27, 2016, a minor may consent alone to the processing of PD with regard to the direct offer of information society services from the age of fifteen.
When the minor is under the age of 15, the processing is lawful only if the consent is given jointly by the minor concerned and the holder(s) of parental authority over this minor.
The data controller writes in clear & simple terms, easily understood by the minor, the information & communications relating to the processing which concerns him.
Examples
Legitimate interest: A bank gives a loan to a client. After some time the client stops making payments to the bank. The bank tries but cannot locate the client: she has moved and did not inform the bank of the new address. The bank hires a debt collection agency to find the client and seek repayment of the debt. To this end, the bank discloses the client’s personal data to the agency. The client has not consented to this disclosure; however, it is lawful because the bank pursues a legitimate interest, namely to recover the debt.
Real Case - Swedish supervisory authority fined a Swedish school €18,630 for its trial in using facial recognition to monitor students’ attendance in August 2019
22 students, 3 weeks
Consent was obtained from parents, but it was not possible to refuse
Data was stored on a computer hard drive locked in a cabinet – School did not carry out a DPIA
Breach of Article 5 – purpose limitation