Samenvatting
Summary Data Science Regulation and Law Cluster 4 & 5.
- Instelling
- Tilburg University (UVT)
Summary of Data Science Regulation & Law Cluster 4 & 5.
[Meer zien]Voorbeeld 3 van de 27 pagina's
Voorbeeld 3 van de 27 pagina's
In winkelwagengesponsord bericht van onze partner
2 beoordelingen
Door: bvdbogaart • 1 jaar geleden
Door: manonvanderlee • 2 jaar geleden
Voorbeeld van de inhoud
Data Science Regulation and Law (Part 2)Privacy and Data Protection (Cluster 4)
Part 1
Practicalities:
Exam will be 1.5 hours long
20 points, case-based exam
Second live session will discuss the exam; and go through an example question
GDPR’s scope, definitions & main actors
GDPR: The General Data Protection Law (main applicable law)
Before the GDPR
Directive from 1995: same objectives for all Member States, but different national laws (domestic law)
GDPR since 25 may 2018
It is a regulative law, no need for different national laws (applicable to all Member States)
Comprehensive law: it covers everything that is related to data processing
o Not like in US: where you have different laws for different branches (specific for financial
institutions, telecommunications etc.)
Composed of articles and recitals: they explain the laws, recitals explain some definitions even
better
Directly applicable in all Member States – limited national differences remaining
Non-binding guidelines from supervisory authorities (not part of GDPR) very useful because they give
even more details and practical examples of how to apply the requirements you can find in the GDPR.
Before we dive in:
Handbook on European Data Protection Law
If you need to clarify a certain point or for additional details, you can check the handbook on European Data
Protection Law (download link in the lecture slide)
Risk-based approach to GDPR compliance
The GDPR is based on the risk-based approach: companies/organizations processing personal data are
encouraged to implement protective measures corresponding to the level of risk of their data processing
activities.
Therefore, the obligations on a company processing a lot of data are more onerous than on a company
processing a small amount of data.
For example:
A company/organization processing a lot of data will need to have better organizational measures in place
than for a company/organization processing a small amount of data.
The nature of the personal data and the impact of the envisaged processing also play a role. Processing a
small amount of data, but which is of a sensitive nature, for example health data, would require implementing
more stringent measures to comply with the GDPR.
In all cases, the principles of data protection must be respected and individuals allowed to exercise their
rights.
Personal Data (when is the GPR applicable?)
Material scope: GDPR, Art. 2(1): this Regulation applies to the processing of personal data wholly or partly by
automated means and to the processing other than by automated means of personal data, which form part of a
filing system or are intended to form a part of a filing system.
Personal data: GDP, Art. 4(1): “personal data” means any information relating to an identified or identifiable
natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in
particular by reference to an identifier such as a name, an identification number, location data, an online identifier
or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social
identity of that natural person.”
Where personal data is collected or processed, the GDPR applies.
Personal data can be any information, not only intimate information.
It must relate to an identifiable/identified individual.
Examples of personal data: name, home address, purchasing habits, energy consumption, location, professional
email, IP address…
Sensitive data
GDPR, Art. 9(1): “Processing of personal data revealing racial, or ethnic origin, political opinions, religious or
philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the
purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex
life or sexual orientation shall be prohibited.”
The processing of those data is forbidden by default, but Art. 9(2) lists several exceptions:
o Explicit consent.
1
, o Processing is necessary for carrying out the obligations in the field of employment and social
security and social protection law.
o Processing is necessary to protect the vital interests of the data subject.
o Processing relates to personal data which are manifestly made public by the data subject.
Because of the high risks associated with those data, security needs to be higher and access rights more
restricted (higher measures).
Also prohibited (unless in one of the exceptions):
Personal data relating to criminal convictions and offences – GDPR, Art.10:
Processing of personal data relating to criminal convictions and offences […] shall be carried out only under the
control of official authority or when the processing authorized by Union or Member State law providing for
appropriate safeguards for the rights and freedom of data subjects […]
Anonymization & pseudonymization
Anonymization: GDPR, Recital 26: “GDPR does not apply to anonymous information, namely information
which does not relate to an identified or identifiable natural person or to personal data rendered
anonymous in such a manner that the data subject is not or no longer identifiable.”
Pseudonymization: GDPR, Art. 4(5): “pseudonymization” means the processing of personal data in such a
manner that the personal data can no longer be attributed to a specific data subject without the use of
additional information, provided that such additional information is kept separately and is subject to technical
and organizational measures to ensure that the personal data are not attributed to an identified or identifiable
natural person.”
Anonymized information is not in the GDPR’s scope anymore, but difficult to achieve in practice and still
needs monitoring.
GDPR still applies to pseudonymized information, which can be one of the security measures in place.
Data Processing
GDPR, Art. 4(2): ‘processing’ means any operation or set of operations which is performed on personal data or
on sets of personal data, whether or not by automated means, such as collection, recording, organization,
structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission,
dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Creating, reading, updating and deleting data are all processing, mere storage also is.
Manual or automated means
The household exception: GDPR does not apply to the processing of personal data by a natural person in
the course of a purely personal or household activity.
Examples: creating a list of prospects, aggregating data, all personal data flows, etc. (badging to get into a
building is processing of data, sending in your cv for a job is also processing of data)
Data Subject
GDPR, Recital 14: “The protection afforded by this Regulation should apply to natural persons, whatever their
nationality or place of residence, in relation to the processing of their personal data. This regulation does not
cover the processing of personal data which concerns legal persons […]”
The data subject is the bearer of rights.
Does not have to be an EU citizen or resident.
Legal persons, such as companies, are not data subjects under the GDPR.
Data Controller: Definition (one that makes sure there is compliance to GDPR)
Controllers & Processors: the most important consequence of being a controller or processor is legal
responsibility for complying with the respective obligations under data protection law.
GDPR, Art 4(7): ”’controller’ means the natural or legal person, public authority, agency or other body which,
alone or jointly with others, determines the purposes and means of the processing of personal data;[…]”
If a company/organization decides ‘why’ and ‘how’ the personal data should be processed is a data
controller.
Managing director or board of directors take the decisions, but they do so on behalf of the company, which is
the controller.
Controllers make decisions about processing activities. They exercise overall control of the personal data
being processed and are ultimately in charge of and responsible for the processing. What matters is not the
execution of the processing but the decision-making power
Why does the processing take place? Who initiated it? The response to those questions will identify the data
controller.
Ex: company willing to perform a marketing survey and processes personal data the company is responsible
for the information, not the employee processing the information, marketing division either (see underlined part).
Joint controller
An organization is a joint controller when together with one or more organizations it jointly determines ‘why’
and ‘how’ personal data should be processed.
May be difficult to identify in practice, as controllers may not have the same level of power regarding
decision-making.
2
, Joint controllers must enter into an arrangement setting out their respective responsibilities for complying with
the GDPR rules.
Data controller: where? The Extraterritorial Scope of GDPR
Even if a data controller is not in Europe, it still have to comply to the GDPR requirements.
GDPR, Art 3:
1. This Regulation applies to the processing of personal data in the context of the activities of an
establishment of a controller or a processor in the Union, regardless of whether the processing
takes place in the Union or not.
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a
controller or processor not established in the Union, where the processing activities are related to:
a. The offering of goods or services, irrespective of whether a payment of the data subject is
required, to such data subjects in the Union; or
b. The monitoring of their behavior as far as their behavior takes place within the Union.
Data processing “in the context of the activities of an EU establishment”:
GDPR, Recital 22: “[…] Establishment implies the effective and real exercise of activity through stable
arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal
personality, is not the determining factor in that respect.”
To ensure a high level of protection, the term “establishment” cannot be interpreted restrictively.
Example: a non-EU entity has a bank account, a post office box and a representative in an EU Member State,
serving as a point of contact for customers in this state. Here, the human and material resources of the entity
in the EU suffice to qualify as stable arrangements and therefore as an establishment.
If the establishment does not have a strong presence in Europe, it still has to have to comply with the GDPR
(it is non-restrictive). It is not easy for a company to escape it’s GDPR requirements!
Data Controller (art.3)
Processing of personal data of data subjects in the EU: This requirement means that GDPR affects entities that
targets consumers in the EU. The nationality of those consumers is irrelevant, as long as they are located in the
EU.
How do we assess if a company intends to address European customers?
Whether there is a payment, is irrelevant, services provided can be free
The use of a language used in one or more Member States
The possibility to pay in Euro
Delivery available in the EU
Domain name from the EU (example.fr, example.de, example.com/es)
…
Only one of these may not be sufficient to determine that EU consumers are targeted, but fulfilling several
criteria is more decisive.
Monitoring of EU customers’ behavior: Such as web-tracking. Even when no goods or services are offered, such
processing by a foreign company must comply with the GDPR.
Examples of Data Controllers
A company collects and stores data on its employees for HR purposes (with restricted access).
A US company sells digital services to individuals in the EU.
A company processes itself purchasing data from its clients, etc.
Examples of Joint Controllers
A database run jointly by several credit institutions (controllers) on their defaulting customers is a common
example of joint controllership.
When someone applies for a credit line from a bank that is one of the joint controllers, the banks check the
database to help them make informed decisions about the applicant’s creditworthiness.
Data Processor: Definition
GDPR, Art. 4(8): “’processor’ means a natural or legal person, public authority, agency or other body which
processes personal data on behalf of the controller.”
The processor is a separate legal entity/individual with respect to the controller.
The duties of the processor towards the controller must be specified in a contract or another legal act (GDPR,
Art. 28).
For example, the contract must indicate what happens to the personal data once the contract is terminated.
The controller should make sure the processor respects its obligations, for example through audits.
A typical activity of processors is offering IT solutions, including cloud storage.
The data processor may only sub-contract part of its task to another processor or appoint a joint processor
when it has received prior written authorization from the data controller.
Data Processor: Examples
Example 1
3
Voordelen van het kopen van samenvattingen bij Stuvia op een rij:
Verzekerd van kwaliteit door reviews
Stuvia-klanten hebben meer dan 700.000 samenvattingen beoordeeld. Zo weet je zeker dat je de beste documenten koopt!
Snel en makkelijk kopen
Je betaalt supersnel en eenmalig met iDeal, creditcard of Stuvia-tegoed voor de samenvatting. Zonder lidmaatschap.
Focus op de essentie
Samenvattingen worden geschreven voor en door anderen. Daarom zijn de samenvattingen altijd betrouwbaar en actueel. Zo kom je snel tot de kern!
Veelgestelde vragen
Wat krijg ik als ik dit document koop?
Je krijgt een PDF, die direct beschikbaar is na je aankoop. Het gekochte document is altijd, overal en oneindig toegankelijk via je profiel.
Tevredenheidsgarantie: hoe werkt dat?
Onze tevredenheidsgarantie zorgt ervoor dat je altijd een studiedocument vindt dat goed bij je past. Je vult een formulier in en onze klantenservice regelt de rest.
Van wie koop ik deze samenvatting?
Stuvia is een marktplaats, je koop dit document dus niet van ons, maar van verkoper sabrinadegraaf. Stuvia faciliteert de betaling aan de verkoper.
Zit ik meteen vast aan een abonnement?
Nee, je koopt alleen deze samenvatting voor €6,99. Je zit daarna nergens aan vast.
Is Stuvia te vertrouwen?
4,6 sterren op Google & Trustpilot (+1000 reviews)
Afgelopen 30 dagen zijn er 82191 samenvattingen verkocht
Opgericht in 2010, al 14 jaar dé plek om samenvattingen te kopen