Lecture 1. Introduction to privacy and data protection (law)
- Privacy and data protection are not the same!
- Privacy has a longer history in legislation.
- We got from privacy to data protection through technology: there was a need to introduce specific rules for the processing of data.
- Informational self-determination.
- Rules and procedures for the processing of personal data.
EU – charter of fundamental rights of the European Union
Article 7 – Respect for private and family life: everyone has the right to respect for his or her private and family life, home and communications.
Article 8 – Protection of personal data: everyone has the right to the protection of personal data concerning him or her.
The fundamental right to respect for private life is separate from the fundamental right to the protection of personal data, although in practice disentangling the substance of these two concepts is often difficult.
The EU data protection legal framework is composed of several legal instruments, including the GDPR (Regulation (EU) 2016/679, the General Data Protection Regulation).
The data protection directive pursued two objectives: protection of individuals and the free movement of data (the objective of the industry).
Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on
the protection of natural persons with regard to the processing of personal data by
competent authorities for the purposes of the prevention, investigation, detection, or
prosecution of criminal offences or the execution of criminal penalties, and on the free
movement of such data, and repealing Council Framework Decision 2008/977/JHA, (2016)
OJ L 119/89 - “Police Directive”.
Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October
2018 on the protection of natural persons with regard to the processing of personal data by
the Union institutions, bodies, offices and agencies and on the free movement of such data,
and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, OJ L 201 (Directive on privacy and electronic communications or e-Privacy Directive).
The GDPR consists of 173 recitals and 99 articles (the articles are binding; breaching them can lead to a fine).
For guidelines and opinions you should have a look at:
Article 29 Data Protection Working Party (WP29) (prior to the GDPR)
European Data Protection Supervisor (EDPS)
European Data Protection Board (EDPB) (replaced WP29)
National data protection supervisory authorities:
- NL: Autoriteit Persoonsgegevens (AP)
- BE: Autorité de protection des données (APD) / Gegevensbeschermingsautoriteit (GBA)
- FR: Commission nationale de l'informatique et des libertés (CNIL)
- UK: Information Commissioner's Office (ICO)
Case law:
- Court of Justice of the European Union (CJEU)
- European Court of Human Rights (ECHR)
- National Courts
When data protection law is applicable
Article 2 GDPR
Material scope
1. This Regulation [GDPR] applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
So the material scope covers:
- processing
- of personal data
- by automated means, or
- other than by automated means (manual processing), but only if the data form or are intended to form part of a filing system (see Art. 4 point (6) GDPR).
Article 4
Definitions
(1) ‘personal data’ means any information relating to an identified or identifiable natural
person (‘data subject’); an identifiable natural person is one who can be identified, directly
or indirectly, in particular by reference to an identifier such as a name, an identification
number, location data, an online identifier or to one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or social identity of that natural person;
Examples of personal data:
- a name and surname
- a national identifier (e.g. BSN)
- a passport number
- a home address
- an email address such as name.surname@company.
- an Internet Protocol (IP) address
- an image recorded by a camera
- location data
- a cookie ID

Examples of non-personal data:
- a company registration number
- an email address such as info@company.com

Personal data – pseudonymized data (a number instead of a name): personal data that can no longer be attributed to a specific data subject without the use of additional information.
Non-personal data – anonymized data (GDPR does not apply): information which does not relate to an identified or identifiable natural person, or personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
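As an added illustration (not part of the lecture notes), the following Python shows the pseudonymized/anonymized distinction in practice: keyed pseudonymization keeps a separate lookup table (the "additional information"), so re-identification remains possible and the output is still personal data, whereas aggregated counts with small groups suppressed no longer relate to an identifiable person. The records, key and field names are constructed for the example.

```python
import hmac
import hashlib
from collections import Counter

# Constructed sample records (not real people). 'condition' is health data,
# i.e. a special category under Art. 9 GDPR.
RECORDS = [
    {"name": "Anna Example", "email": "anna.example@example.com",
     "ip": "203.0.113.7", "condition": "asthma"},
    {"name": "Bram Voorbeeld", "email": "bram.voorbeeld@example.com",
     "ip": "203.0.113.9", "condition": "asthma"},
    {"name": "Chloe Exemple", "email": "chloe.exemple@example.com",
     "ip": "203.0.113.21", "condition": "diabetes"},
]
DIRECT_IDENTIFIERS = ("name", "email", "ip")


def pseudonym(value: str, key: bytes) -> str:
    """Keyed hash: without the key the pseudonym cannot be recomputed
    from the original identifier, unlike a plain SHA-256 of an email."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, key):
    """Replace direct identifiers with one pseudonym per data subject.
    Returns (pseudonymized records, lookup table). The table and the key are
    the 'additional information' and must be stored separately; as long as
    they exist, the pseudonymized records remain personal data."""
    out, table = [], {}
    for r in records:
        pid = pseudonym(r["email"], key)
        table[pid] = {k: r[k] for k in DIRECT_IDENTIFIERS}
        out.append({"subject_id": pid, "condition": r["condition"]})
    return out, table


def reidentify(pseudo_record, table):
    """With the lookup table the data subject is identifiable again."""
    return table.get(pseudo_record["subject_id"])


def anonymize_counts(records, min_count=2):
    """Aggregate only, suppressing groups too small to hide an individual.
    No row relates to an identifiable person, so GDPR no longer applies."""
    counts = Counter(r["condition"] for r in records)
    return {c: n for c, n in counts.items() if n >= min_count}
```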
There are special categories of personal data, which are, by their nature, particularly
sensitive in relation to fundamental rights and freedoms. These categories of data merit
specific protection as the context of their processing could create significant risks to the
fundamental rights and freedoms (“sensitive data”)
Article 9
Processing of special categories of personal data
1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or
philosophical beliefs, or trade union membership, and the processing of genetic data,
biometric data for the purpose of uniquely identifying a natural person, data concerning
health or data concerning a natural person's sex life or sexual orientation shall be
prohibited.
Article 4
Definitions
(2) ‘processing’ means any operation or set of operations which is performed on personal
data or on sets of personal data, whether or not by automated means, such as collection,
recording, organisation, structuring, storage, adaptation or alteration, retrieval,
consultation, use, disclosure by transmission, dissemination or otherwise making available,
alignment or combination, restriction, erasure or destruction;
When does the GDPR not apply? (Article 2(2) GDPR)
(c) processing by a natural person in the course of a purely personal or household activity (so not processing done by a company; a simple example of a personal household activity is making a guest list for your birthday party on a computer, preparing the addresses and sending the invitations via email).
Article 3 GDPR
Territorial scope (to whom, when and how)
1. This Regulation [GDPR] applies to the processing of personal data in the context of the
activities of an establishment of a controller or a processor in the Union, regardless of
whether the processing takes place in the Union or not.
There is no definition of the “establishment” in the GDPR, but according to Recital 22:
“Establishment implies the effective and real exercise of activity through stable
arrangements. The legal form of such arrangements, whether through a branch or a
subsidiary with a legal personality, is not the determining factor in that respect.”
2. This Regulation [GDPR] applies to the processing of personal data of data subjects who
are in the Union by a controller or processor not established in the Union, where the
processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is
required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
In the EU, the right to the protection of personal data is a fundamental right. Therefore,
the scope of protection under the GDPR is very broad.
The protection is not limited to EU citizens
The obligations are not limited to the EU companies
Data Protection Actors
1. Data subject: the natural person to whom the personal data relate, so not the company!
2. Data controller means the natural or legal person, public authority, agency or other
body which, alone or jointly with others, determines the purposes and means of the
processing of personal data; where the purposes and means of such processing are
determined by Union or Member State law, the controller or the specific criteria for
its nomination may be provided for by Union or Member State law;
Note: there is no limitation as to the type of entity that may assume the role of a controller, but in practice it is usually the organisation as such, and not an individual within the