IAPP CIPP/E – General Data Protection Regulation (GDPR) Part 2

6. Data minimization and Accuracy

Data minimization and accuracy. Hello, everyone. Welcome to the lecture where we will learn the data minimization and accuracy concepts. The principle of data minimization means that controllers must only collect and process personal data that is relevant, necessary, and adequate to accomplish the purposes for which it is processed.

The practical implementation of this principle required applying two concepts necessity and proportionality. Controllers must assess if the data is necessary to accomplish the purpose of processing or is there any other way of doing it. Controllers must also evaluate if the same purpose can be achieved with anonymized data or not.

In terms of proportionality, the controllers should also consider the amount and degree of data to be collected. Therefore, Save everything approach will likely be considered as a breach of data minimization. An example of disproportionate processing can be using biometric data for entering to a building instead of using identity cards.

Controllers also have the responsibility to keep the data accurate. Controllers must take reasonable measures to ensure the data is accurate and, where necessary, kept up when the data is collected. For statistical or historical purposes, the controller only needs to maintain the personal data as originally collected. In the next lecture, we will cover two principles. In one lecture, we will study storage limitation and also integrity and confidentiality.

7. Storage limitation, Integrity, Confidentiality

Storage limitation. Integrity, confidentiality, storage limitation means personal Data must not be kept for longer than necessary for the purposes. In other words, once the information is no longer needed, personal Data must be securely deleted. Article five of the regulations states that Personal Data may be stored for longer periods if if the data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes. Otherwise, data controllers may keep Personal Data for an unlimited period only when the data becomes irreversibly.

Anonymized controllers have to determine retention periods for each personal data they keep and inform the user about this. Controllers are also suggested to have a data retention policy accessible to all employees. Integrity and Confidentiality principle comes from article five of the Regulation as processed in a manner that ensures appropriate security of the personal Data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage. Using appropriate technical and organizational measures to protect personal data promotes the use of techniques such as pseudonymization and encryption to preserve the integrity, confidentiality, availability and resilience of the data.

Controllers must assign sufficient resources to develop and implement an information security policy framework. The best way to ensure this is to use a holistic approach on security, which we will study in further lectures. That’s why we are not getting into details for this principle for now. This was the last lecture dedicated to the principles. In the next lecture, we will start learning about data subject rights and how to respond to data subject requests.

8. Data Subject Rights

Data subject Rights hello, everyone. You have finished almost half of the course already. I know there is too much information to keep in mind and it might be difficult for those who haven’t studied law before. A big thanks for coming to this end and I am sure after investing so much in the course, you will finish it. Let’s kick off with our lecture and study the data. Subject Rights under GDPR GDPR gives data subjects the following rights article twelve to 14 right of transparent communication and information. Article 15 right of access. Article 16 right to rectification. Article 17 right to Erasia.

Article 18 right to restriction of processing. Article 20 right to data portability article 21 right to object. Article 22 right not to be subject to automated decision making or profiling. In the next lecture, we will start learning the right of transparent communication and information.

9. Right of transparent communication and information

Route of transparent communication and information. Individuals have the right to be informed about the collection and use of their Personal Data. This is a key transparency requirement under the GDPR. You must provide individuals with information, including your purposes for processing their Personal Data, your retention periods for that Personal Data and who it will be shared with.

We call the this privacy information. You must provide privacy Information to individuals at the time you collect their Personal Data from them. If you obtain Personal Data from other sources, you must provide individuals with Privacy Information within a reasonable period of obtaining the data and no later than one month. There are circumstances where you do not need to provide people with privacy Information, such as if an individual already has the information or if it would involve a disproportionate effort to provide it to them.

The privacy information should include the following information the name and contact details of your organization the name and contact details of your representative the contact details of your data protection officer the purposes of the processing, the lawful basis for the processing, the legitimate interests for the processing, the categories of personal data obtained, the recipients or categories of recipients of the personal data, the details of transfers of the personal data to any third countries or international organizations.

The retention periods for the personal data, the rights available to individuals in respect of the processing, the right to withdraw consent, the right to logic and the supervisory authority the source of the personal Data the details of whether individuals are under a statutory or contractual obligation to provide the personal data the details of the existence of automated decision making, including profiling.

If you are obtaining data indirectly, you have to also inform the source of data. When obtaining Personal Data from other sources, you do not need to provide individuals with Privacy Information if the individual already has the information, providing the information to the individual would be impossible. Providing the information to the individual would involve a disproportionate effort.

Providing the information to the individual would render impossible or serious impair the achievement of the objectives of the processing. You are required by law to obtain or disclose the Personal Data, or you are subject to an obligation of professional secrecy regulated by law that covers the Personal Data. Lecture we will study right of access in detail and give a brief description for rectification as well.

10. Right of Access and Right of Rectification

Right of access and right of rectification The Right of Access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal Data as well as other supplementary information. It helps individuals to understand how and why you are using their data and check you are doing it lawfully. Individuals can make a subject access request verbally or in in writing. You have one month to respond to a request. You can extend the time to respond by a further two months.

If the request is complex or you have received a number of requests from the individual, you must let the individual know within one month of receiving their request and explain why the extension is necessary. The new thing in GDPR is that you cannot charge a fee to deal with a request in most circumstances.

However, where the request is manifestly unfounded or excessive, you may charge a reasonable fee for the administrative cost of complying with the request. You can also charge a reasonable fee if an individual requests further copies of their data. Following a request, you must base the fee on the administrative costs of providing further copies.

In addition to a copy of their personal data, you also have to provide individuals with the following information the purposes of your processing, the categories of personal data concerned, the recipients or categories of recipient you disclose the personal data to your retention period for storing the personal data or where this is not possible, your criteria for determining how long you will store it. The existence of their right to request rectification, Eurasia or restriction, or to object to such processing.

The right to lodge a complaint with the ICO or another supervisory authority. Information about the source of the data where it was not obtained directly from the individual the existence of automated decision making, including proding profiling and the safeguards you provide if you transfer Personal Data to a third country or international organization. Responding to a Subject access request may involve providing information that relates both to the individual making the request and to another individual. The DPA 2018 says that you do not have to comply with the request if it would mean disclosing information about another individual who can be identified from that information. This obligation to provide data subjects with access right lies with the controller and not the processor. Processors are only obliged to assist the controller with the requests if needed. The scope of right of rectification is largely unchanged from the directive.

In summary, data subjects have the right to rectification of inaccurate personal Data. It is also complex if the data in question records an opinion. Opinions are, by their very nature subjective, and it can be difficult to conclude that the record of an opinion is inaccurate. As long as the record shows clearly that the information is an opinion and, where appropriate, whose opinion it is. It may be difficult to say that it is inaccurate and needs to be rectified. In such a scenario, you can reject the request by informing the user about the foundations of the opinion. If you consider that a request is manifestly unfounded or excessive, you can request a reasonable fee to deal with the request or refuse to deal with the request. In the next lecture, we will study the most popular data subject right to AirAsia.

11. Right of Erasure

To Erasia. Under Article 17 of the GDPR, individuals have the right to have Personal Data erased. This is also known as the right to be forgotten. The right is not absolute and only applies in certain circumstances. Individuals have the right to have their Personal Data erased if the Personal Data is no longer necessary for the purpose which you originally collected or processed it for, you are relying on consent as your lawful basis for holding the data and the individual withdraws their consent. You are relying on legitimate interests as your basis for processing.

The individual objects to the processing of their data and there is no overriding legitimate interest to continue this processing. You are processing the Personal Data for direct marketing purposes and the individual objects to that processing. You have processed the Personal Data unlawfully I. E. In breach of the lawfulness requirement of the first principal. You have to do it to comply with a legal obligation, or you have processed the Personal Data to offer Information Society services to a child.

The GDPR specifies two circumstances where you should tell other organizations about the erasure of Personal Data the Personal Data has been disclosed to others, or the Personal Data has been made public in an online environment, for example, on social networks, forums or websites. Where Personal Data has been made public in an online environment, reasonable steps should be taken to inform other controllers who are processing the Personal Data to erase links to copies or replication of that data.

When deciding what steps are reasonable, you should take into account available technology and the cost of implementation. The right to erasure sure does not apply if processing is necessary for one of the following reasons to exercise the right of freedom of expression and information to comply with a legal obligation for the performance of a task carried out in the Public Interest or in the exercise of official authority for archiving purposes in the Public Interest scientific research, historical research or statistical purposes where AirAsia is likely to render impossible or seriously impair the achievement of that processing or for the establishment, exercise or defense of legal claims.

The GDPR also specifies two circumstances where the right to rear rate will not apply to special category data if the processing is necessary for public health purposes in the public interest, for example, protecting against serious cross border threats to health. Or ensuring high standards of quality and safety of health care and of medicinal products or medical devices. If the processing is necessary for the purposes of preventative or occupational medicine, for example, where the processing is necessary for the working capacity of an employee for medical diagnosis, for the provision of health or social care or for the management of health or social care systems or services. This only applies where the data is being processed by or under the responsibility of a professional subject to a legal obligation of professional secrecy. We will now get to our next lecture which is right to restriction of processing.

• Category: Uncategorized