Introduction to Data Protection Terminology

Intro


The aim of this material is to provide essential guidance and explanation on key issues in data protection. It also focuses on the most crucial requirements deriving from the GDPR regarding data processing and provides practical guidance on how lawful processing may be accomplished.

The material covers in particular the following aspects: key GDPR definitions, principles and legal bases for lawful processing as well as information on data subject rights.

At the end of the study, the reader is expected to:

  • Be familiar with the key data protection terms.
  • Be able to distinguish between the two main actors in data protection: the data controller and the processor.
  • Have knowledge of the obligations deriving from the GDPR regarding data processing and, in particular, the principles required for lawful processing.
  • Be aware of the specific grounds on which processing must be based in order to be lawful.
  • Be aware of the obligations, preconditions and time limits when handling a data subject request.


Key GDPR Definitions


This material provides an analytical explanation of the key data protection terms, not only on a theoretical basis but also through practical examples.

Key Messages

  • If you undertake any of the following operations (processing), including collection, recording, organising, storing, altering, using and transmitting any information relating to a natural person (personal data), and you also define the purpose and the means of these operations, then you are a data controller.
  • If you undertake the above-mentioned operations on behalf of a data controller, then you are a processor.
  • If you process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, or you process genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, then you process special category data and you need to be aware of the specific requirements stated in Art. 9(2) GDPR.


Data Protection Principles


This material’s main purpose is to present and explain the seven principles governing the processing of personal data. Given that data controllers are responsible for complying with these principles, are accountable for their processing and must be able to demonstrate their compliance, this material offers a brief yet comprehensive guide to complying with these principles. All of the above is presented in a practical manner, through guidance and examples.

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

Key Messages

  • Have the right information: process only the personal data you need for a specified purpose.
  • Define the purpose of the processing.
  • Identify valid grounds (a lawful basis) for your processing.
  • Keep the data up to date and ensure its accuracy.
  • Check whether you hold more data than needed for your processing, and delete the excess.
  • Put time limits on the storage of data: consider and justify how long you need the data.
  • Protect the personal data: take sufficient technical and organisational security measures.
  • Keep records so that you can demonstrate all of the above.


Legal bases


The purpose of this material is to present, in a comprehensive and understandable manner, the essence of lawful processing: the legal bases. The lawful reasons for processing personal data are presented one by one, interspersed with many practical examples and case studies.

Key Messages

  • Define the reasons you need to process personal data.
  • Consider and define the purpose of the processing.
  • Check that the processing is necessary for the relevant purpose.
  • Determine a lawful basis applicable to the processing under the GDPR.
  • Identify a condition for processing special category data or criminal offence data.

Data subject rights


This material aims to provide not only a comprehensive analysis of data subject rights, but also guidance on the obligations and the procedures to follow when a data subject request is received.

Key Messages

  • Inform the data subject: check whether the information provided about the processing is easy to find and understandable for the data subject.
  • Establish clear procedures and plans for the handling of data subject requests.
  • Create records for verbal requests.
  • Respond without delay and within one month of receipt of the request (check the conditions for a two-month extension).
  • Delete the data once the purpose has been fulfilled.
  • Establish appropriate methods for the erasure of data.
  • Establish secure methods for the transfer of personal data (from one IT environment to another).
  • Inform data subjects about the profiling and automated decision-making you carry out, what information you use to create the profiles and where you get this information from.


This online toolkit was funded by the European Union’s Rights, Equality and Citizenship Programme (2014-2020).

Disclaimer: The content of this online toolkit represents the views of the authors only and is their sole responsibility. The European Commission does not accept any responsibility for use that may be made of the information it contains.