w5 WG Tech Law RUG
Read the privacy notice of an App that you normally use or of a Webpage that you often
visit. Find in the privacy notice any information about the type of personal data collected
and present this information in class.
If you had read the privacy notice before consenting to the use of the App or before
visiting the webpage, would your consent have qualified as freely given, specific,
informed and unambiguous?
https://www.bbc.co.uk/programmes/articles/3VpmkXtXNhkRpQCq0zsWT7T/privacy-notice
What BBC will collect and how we will use it?
The BBC will collect and process the personal information that you have provided to us
about yourself.
The BBC will collect and process the following personal information about you, where you
have chosen to provide them:
Your name
Your email address
This information will be processed securely for the purpose of contacting you for further
information about your thoughts on the BBC Account homepage. Please note that we
cannot guarantee we will contact every person that provides their contact details.
The BBC will retain your information for up to one year from the date of the survey, after
which it will be deleted. Your data will be stored within the EEA.
https://www.bbc.co.uk/usingthebbc/privacy/privacy-notice-bbc-account-survey/
We use your personal information to make the BBC better for you and for everyone. That
includes doing things like:
Recommending things we think you’ll enjoy, like TV and radio programmes
Notifying you about things you’ve told us you like, for example a new series of your
favourite TV show
Personalising parts of the BBC to your tastes, including emails, radio, news, iPlayer
and music
We also use it for business, regulatory and legal purposes, like:
Dealing with any requests you make or content you submit
Getting in touch if we need to tell you about something, like a change to our policies
or issues with a service. Or to tell you if your BBC account hasn’t been used in a long
time and to ask if you’d still like to use it
Identifying where you are and giving you the right version of the BBC for this area
We will always explain clearly what data we’re collecting about you and why. We will only
collect data we need to:
give you a better experience
improve our services
fulfil our responsibilities as a public service.
c. The data subject shall have the right to withdraw his or her consent at any time and
it shall be as easy to withdraw as to give consent.
d. When assessing whether consent is freely given, utmost account shall be taken of
whether, inter alia, the performance of a contract, including the provision of a
service, is conditional on consent to the processing of personal data that is not
necessary for the performance of that contract.
In order for Rosa to be able to legally process the fellow student’s data she must comply
with the conditions for consent set out in Article 7 GDPR.
Article 7 (1) is fulfilled because Rosa can demonstrate that the student agreed to the
processing of his or her data. The students were warned/informed that she would assume
consent when one sends the questionnaire back to her with the data. Thus, she can
prove the consent by showing the email conversation.
o We can argue about whether Rosa's assumption was sufficient, or whether it
would have been preferable to have, for example, a small square that could
be clicked on to express agreement...
o Two ways to argue:
There should be a check box on the questionnaire that you can click to
make sure that the person has actually consented to allow Rosa to
process their personal data.
By sending it back to her, they agreed, otherwise they wouldn't have
sent it to her. Thus, it was sufficient.
Article 7 (2) is fulfilled because she used plain language to describe how to consent,
and this way of giving consent can be distinguished from other matters. Usually, she
does not receive emails with personal information from other students.
o However, it could be argued that it was only mentioned on the last line,
which could lead to people overlooking it, which is insufficient - I would argue
rather that it was sufficiently distinguished.
With Article 7 (3) it is not clear whether it is fulfilled or not. Depending on the
number of answers and the program she is using, she might be able to remove the
information. There is nothing in the hypothetical that would mention this issue.
Thus, I assume that if a student emails her back, she would be able to change the
information in her master thesis. However, this could be complicated for her.
o Not mentioned. Thus, difficult to establish consent.
With regard to Article 7 (4), the information she is asking for is necessary for her to
complete her master thesis.
Furthermore, it is worth mentioning that since Rosa is also analysing political leanings, her
research must comply with Article 9 GDPR. => One of the situations listed in Article 9 (2)
must exist. Under this sub-section, the threshold for explicit consent is much higher than for
other forms of consent. Information about political leaning needs EXPLICIT CONSENT. It must
be very clear that the person consented. Sending back the questionnaire is not enough. (For
Article 7 we could argue that this is enough, but for Article 9 it is not enough – in addition
to that action there must be another affirmative action.)
One day, upon seeing a picture of a baby sea otter and learning that sea otters are also
endangered, Rosa decides to start a fundraiser (“Help the sea otter!”) using the results of
her research.
She goes through the data she has collected, and sends fundraising emails to every
participant who studies marine biology and to every participant who votes for the Green
Party. These people, Rosa figures, will surely support her cause. She also decides that
she’ll need to keep her research data after graduation, because she’ll need to raise funds
until the sea otters are saved.
2. Which general principle(s) of data protection are relevant to these decisions of
Rosa? Is she complying with these principles? Please substantiate your answer
by referring to the applicable legal provisions and/or case law.
Article 5: general principles relating to processing the personal data.
Lawfulness, fairness and transparency (5 (1) (a)): Rosa is not collecting the
information lawfully and fairly. People who participated in her research were not
informed that the data would be used for the fundraiser. More precisely, they were not
informed at all about Rosa’s plan. Thus, she has none of the lawful bases for processing
the data mentioned in Article 6 GDPR.
o Article 6 GDPR:
Consent – The previous consent does not count because now she is
using the data for different purpose.
Necessary for the performance of a contract
Necessary for compliance with a legal obligation
Necessary for protecting a vital interest
Necessary for the performance of a task carried out in the public
interest
Processing is necessary for the purposes of the legitimate interests
o “The data subject shall have the right to obtain from the controller
confirmation as to whether or not personal data concerning him or her are
being processed.” If this is the case the person can access the data.
16 GDPR: right to rectification: remove the errors from the data
17 GDPR: right to erasure:
18 GDPR: right to restriction of processing: Pascal, according to Article 18 GDPR, has
the right to obtain from the controller restriction of processing for one or more of the reasons
listed in para. 1 of this provision. In his case there was a problem with the accuracy of
the data, the processing was unlawful and the controller (Rosa) did not need the data for
the agreed processing anymore.
Task 3 - GDPR
Tootle, a company that provides cloud services, lists among its many clients a local
insurance company. The insurance company stores several files in the Tootle cloud,
including the one with all their customers’ personal data. Recently, the account of one of
the insurance company’s top managers was hacked after he had incidentally forgotten to
strictly follow the company’s internal security procedures. Personal data of a large group
of customers were made public deliberately by Kaos Hackers, the group that claimed the
hacking of the account. Please answer the following questions about this scenario.
Who qualifies as data subject, data controller and data processor in the
previous scenario? Why?
The data subject is defined in Article 4 (1) GDPR as an identified or identifiable natural person
who can be identified either directly or indirectly. The information contained in the data relates
to this natural person. In the present case, the data subjects are the clients of the insurance
company because their data are being stored and, based on these data, they can likely be
identified.
Identifiable natural person
The data controller is defined in Article 4 (7) GDPR as a natural or legal person,
public authority, agency or other body which, alone or jointly with others, determines the
purposes and means of the processing of personal data. In our case this is the insurance
company. The purpose of storing the data is the functionality of the service that they are
providing for their customers, and the means of the processing are also decided by the
insurance company.
Insurance company
The data processor is defined in Article 4 (8) GDPR as a natural or legal person, public
authority, agency or other body which processes personal data on behalf of the controller.
Tootle provides cloud services to the insurance company. To some extent both Tootle and
the insurance company (the people appointed by the insurance company for this
purpose) can process the personal data on behalf of the insurance company.
According to the GDPR, who is responsible for the damage caused to the
data subjects as a result of the publication of their personal data?
The GDPR is concerned with the duties and responsibilities of the data processor and the data
controller.
The responsibilities of the controller are found in Article 24 (1) which states that the
controller shall implement appropriate technical and organisational measures to ensure and
to be able to demonstrate that processing is performed in accordance with this Regulation.
More importantly, para. 2 states that “the implementation of appropriate data protection”
shall be done by the controller.
Furthermore, Article 28(1) outlines the requirement for data controllers to use only
processors that provide sufficient guarantees to implement appropriate technical and
organisational measures and to protect individuals' rights.
Article 24 GDPR serves as a general provision for the responsibility of the controller.
Suppose that the insurance company has already been warned by the national
supervisory authority that its top managers lacked sufficient security training. Suppose
that the insurance company was ordered to suspend any data processing activities for half
a month, so that the top managers can learn and demonstrate their sufficient knowledge
to comply with the internal security procedures. But the company did not follow such
orders strictly and carried out data processing to avoid any economic and reputation loss.
Which range of administrative fines would you advise the national
supervisory authority to impose on the insurance company in such a
situation?
The insurance company was asked to suspend its activities until it complied with the conditions
of the national supervisory authority. Those conditions were not met, and thus the
insurance company has to pay the fine laid down in Article 83(5)(e), or similarly
defined in Article 83(6). These provisions provide that: “Non-compliance with an order by
the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2
of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an
undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial
year, whichever is higher.” (Art. 82 – the controller, the insurance company, infringed the
Regulation and caused damage through the processing.)
Already been told to stop but did not follow the order. => 83 (5) (E) OR 83 (6)
According to Article 83 (2) the fines should depend on the circumstances of each case.
Fines should be effective, proportionate and dissuasive
Factors:
o the nature, gravity and duration of the infringement
o its intentional or negligent character
o any action taken to mitigate the damage suffered by individuals
o the degree of cooperation of the organisation, etc.
Furthermore, the territorial scope can be found in Article 3 GDPR. Paragraph 1 of this Article
states that “This Regulation applies to the processing of personal data in the context of the
activities of an establishment of a controller or a processor in the Union, regardless of
whether the processing takes place in the Union or not.” (Not relevant for this case.) Article
3 (2): the processing of the data can take place in China (the data are “safely stored in
China”) without the company being established in the EU when “offering of goods or
services, irrespective of whether a payment of the data subject is required, to such data
subjects in the Union” or when monitoring behaviour that takes place within the Union.
Thus, because of Article 3 (2), Lalieri, despite not being established in the EU, is subject to
the GDPR because the company uses the data of EU citizens.
No, Special personal data Article 9 (1) GDPR => It requires specific explicit consent.
Is the general privacy policy general enough? => Article 7 for examining whether the
consent was sufficient.
Article 49 lists derogations for specific situations. In the absence of an adequacy decision
pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including
binding corporate rules, a transfer or a set of transfers of personal data to a third country or
an international organisation shall take place only in accordance with the conditions set out in
this Article.
Schrems II => what are the risks of transferring the data to third countries where
adequacy decisions exist
New adequacy decisions
When we are dealing with different states with different ideas of data
protection, the adequacy decision is a high bar to meet.
Read the book => the reasoning is very important
The US law did not comply with the requirement of GDPR. They did not meet the
standards of data transfer.
A similar situation occurred in the Czech case Ryneš, where Mr. Ryneš had installed a CCTV
camera on the exterior of his house, which recorded movements not only on his private
property, but also on the public footpath outside. He said that he installed the camera to
protect his family and his property, as there had been previous vandalism to his property.
After the installation the windows were broken once more. The CCTV footage was used to
identify two individuals. One of the suspects questioned the legality of the video recording,
and Mr Ryneš was found to have infringed Law No. 101/2000 with respect to the protection
of personal data. The problem was the fact that the persons moving on the street and the
people living in the opposite house had not consented to the camera system collecting the
information. The matter was referred to the CJEU.
The data collected could not be defined as a “purely” personal or household activity,
as they covered information about other people without their consent.
Article 6 GDPR (1) provides us with situations in which the processing shall be lawful.
a) Consent
b) Necessary for performance of a contract
c) Legal obligation – Quiet after a certain hour? (Municipal laws)
d) Vital interest
e) Public interest – Public interest because of complaining neighbours.
f) Legitimate interest – This is the most likely to argue.
g) Legitimate interest C-708/18. => there was a legitimate interest. This would
likely repeat again in this case.
a. Only the one outcome. Only know that it exists. CCTV can be installed
without consent if there is a legitimate interest.
The owner can argue that he had a legitimate interest.
However, if the camera captured sensitive data, Article 9 GDPR is concerned => e.g.,
legitimate interest is in 9 (2) (d).
There is still a legitimate ground: it was necessary to work out who was causing the
damage, and it was not possible to avoid capturing the sensitive data. The problem would be
if he stored the data for longer than necessary.
3. When discussing with the landlord, Rossella and her friends were told that he will
keep the recordings for as long as there will be space on his server. Are any of the
general principles of lawful data processing relevant to this situation? Please
motivate your answer.
The general principles of lawful data processing are mentioned in Article 5 GDPR. For the
present situation, Article 5 (1) (e) is relevant. This provision states that personal data shall
be kept in a “form which permits identification of data subjects for no longer than is
necessary for the purposes for which the personal data are processed”. It was not necessary
to keep the data for as long as there is space on the server. If the information is irrelevant
to the purpose that the processing seeks to achieve, the data should be removed.
Storage limitation has been violated => no longer than necessary => unreasonable to keep
the data longer.
4. Some of the recordings from a Friday night party were deliberately published in a
public students’ Facebook group. One of the students living in the house hacked
the server of the landlord and thought it would be a nice surprise and a great laugh
for the other co-habitants of the house to find their video online. Since everyone,
including the landlord, was quick in finding out who was responsible, Rossella
wonders what range of fines would apply to her (not anymore) friend according to
the GDPR. Please motivate your answer.
Remember what the purposes of the GDPR are => it applies to controllers and processors.
Hacking does not fall under the GDPR. It applies to ADMINISTRATIVE offences, but not to
criminal offences. In this case, the student would be prosecuted under national criminal law.