
Task 1 – Disruptive innovation

Read the privacy notice of an App that you normally use or of a webpage that you often visit. Find in the privacy notice any information about the type of personal data collected and present this information in class.
If you had read the privacy notice before consenting to the use of the App or before visiting the webpage, would your consent have qualified as freely given, specific, informed and unambiguous?

https://www.bbc.co.uk/programmes/articles/3VpmkXtXNhkRpQCq0zsWT7T/privacy-notice
What BBC will collect and how we will use it?
The BBC will collect and process the personal information that you have provided to us
about yourself.
The BBC will collect and process the following personal information about you, where you have chosen to provide them:
- Your name
- Your email address
This information will be processed securely for the purpose of contacting you for further
information about your thoughts on the BBC Account homepage. Please note that we
cannot guarantee we will contact every person that provides their contact details.
The BBC will retain your information for up to one year from the date of the survey, after
which it will be deleted. Your data will be stored within the EEA.

https://www.bbc.co.uk/usingthebbc/privacy/privacy-notice-bbc-account-survey/

We use your personal information to make the BBC better for you and for everyone. That includes doing things like:
- Recommending things we think you’ll enjoy, like TV and radio programmes
- Notifying you about things you’ve told us you like, for example a new series of your favourite TV show
- Personalising parts of the BBC to your tastes, including emails, radio, news, iPlayer and music
We also use it for business, regulatory and legal purposes, like:
- Dealing with any requests you make or content you submit
- Getting in touch if we need to tell you about something, like a change to our policies or issues with a service. Or to tell you if your BBC account hasn’t been used in a long time and to ask if you’d still like to use it
- Identifying where you are and giving you the right version of the BBC for this area
We will always explain clearly what data we’re collecting about you and why. We will only collect data we need to:
- give you a better experience
- improve our services
- fulfil our responsibilities as a public service.

Who do you share information about me with?


We use other companies to help us deliver our services and sometimes we ask them to
process information about you for us. For example, we need to make sure that the creations
we publish are safe and suitable so we use a company called Dentsu X to check your
creations. We always make sure that information about you is looked after as if we were
handling it ourselves. We carefully choose the companies, only share with them the
information about you that they need to do the work, and we make sure they keep your
info safe.

Task 2 – Help the sea otter![*]


Rosa is a student of Psychology at the University of Groningen. For her Master thesis, she wants to research how willing her fellow students are to protest for the preservation of endangered animals, and to what extent factors such as age, gender, study program, or political leanings affect this.
She drafts a questionnaire that covers all of the above and emails it to fellow students from her study year. The final page of the questionnaire explains that this information is going to be used for her research and how she plans to analyze it. The very last line reads: “By filling out this questionnaire and sending it back to me, I will assume that you consent to the processing of your personal data in order for me to write my Master’s thesis.”
1. What standard(s) for consent from the General Data Protection Regulation applies to Rosa’s research? Does she comply with that standard? Please substantiate your answer by referring to the applicable legal provisions and/or case law.
In order for the processing of personal data to be lawful, you need to have at least one of the grounds from Article 6 of the GDPR.
Article 6 (1) (a) GDPR provides that consent is one of the possible ways one can process someone else’s data lawfully.
Article 4 (11) defines consent:
“‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;”

Article 7 GDPR lists the conditions for consent:

a. The controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
b. Consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
c. The data subject shall have the right to withdraw his or her consent at any time and it shall be as easy to withdraw as to give consent.
d. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

In order for Rosa to be able to legally process her fellow students’ data she must comply with the conditions for consent set out in Article 7 GDPR.
- Article 7 (1) is fulfilled because Rosa can demonstrate that the student agreed with processing of his or her data. The students were warned/informed that she assumes consent when one sends her the questionnaire with the data back. Thus, she can prove the consent by showing the email conversation.
  - We can argue about whether Rosa's assumption was sufficient, or whether it would have been preferable to have, for example, a small square that could be clicked on to express agreement...
  - Two ways to argue:
    - There should be a check box on the questionnaire that you can click to make sure that the person has actually consented to allow Rosa to process their personal data.
    - By sending it back to her, they agreed, otherwise they wouldn't have sent it to her. Thus, it was sufficient.
- Article 7 (2) is fulfilled because she used plain language to describe how to consent and this way of giving consent can be distinguished from other matters. Usually, she does not receive emails with personal information from other students.
  - However, it could be argued that it was only mentioned on the last line, which could lead to people overlooking it, which is insufficient - I would argue rather that it was sufficiently distinguished.
- With Article 7 (3) it is not clear whether it is fulfilled or not. Depending on the number of answers and the program she is using, she might be able to remove the information. There is nothing in the hypothetical that would mention this issue. Thus, I assume that if a student emails her back, she would be able to change the information in her master thesis. However, this could be complicated for her.
  - Not mentioned. Thus, difficult to establish consent.
- With regard to Article 7 (4), the information she is asking for is necessary for her to complete her master thesis.

Furthermore, it is worth mentioning that since Rosa is also analysing political leanings, her research must comply with Article 9 GDPR. => One of the situations in Article 9 (2) must exist. In this sub-section, the bar for explicit consent is much higher than for other forms of consent. Information about political leanings needs EXPLICIT CONSENT. It must be very clear that the person consented. Sending back the questionnaire is not enough. (For Article 7 we could argue that that is enough, but for Article 9 this is not enough – in addition to that action there must be another affirmative action.)
One day, upon seeing a picture of a baby sea otter and learning that sea otters are also
endangered, Rosa decides to start a fundraiser (“Help the sea otter!”) using the results of
her research.
She goes through the data she has collected, and sends fundraising emails to every
participant who studies marine biology and to every participant who votes for the Green
Party. These people, Rosa figures, will surely support her cause. She also decides that
she’ll need to keep her research data after graduation, because she’ll need to raise funds
until the sea otters are saved.
2. Which general principle(s) of data protection are relevant to these decisions of
Rosa? Is she complying with these principles? Please substantiate your answer
by referring to the applicable legal provisions and/or case law.
Article 5: general principles relating to processing the personal data.
- Lawfulness, fairness and transparency (5 (1) (a)): Rosa is not collecting the information lawfully and fairly. People who participated in her research were not informed that the data will be used for the fundraiser. More precisely, they were not informed at all about Rosa’s plan. Thus, she has no lawful basis for processing the data mentioned in Article 6 GDPR.
  - Article 6 GDPR:
    - Consent – The previous consent does not count because now she is using the data for a different purpose.
    - Necessary for the performance
    - Necessary for compliance with a legal obligation
    - Necessary for compliance with a vital interest
    - Necessary for the performance of a task carried out in the public interest
    - Processing is necessary for the purposes of the legitimate interests
    - None of this applies, thus there is a problem with lawfulness.
  - Furthermore, there is also a problem with transparency. She was not transparent with the participants about where the information will be used.
- Purpose limitation (5 (1) (b)) – She had collected the data for one purpose, but used it for another. Now, she is not using the data for her master thesis, but for fundraising. This manner is incompatible with the initial purpose.
- Data minimisation
- Accuracy
- Storage limitation (5 (1) (e)): She wants to keep the data forever. She can only keep the data for as long as necessary. The data were only necessary to keep while writing the master thesis.
- Integrity and confidentiality
- Accountability
One participant who received this fundraising email, Pascal, is very confused. He does not
study marine biology nor vote for the Greens, yet received the email nonetheless. He is
unsure of exactly what information he provided on the questionnaire and worries some of
it may be incorrectly registered.
3. Which relevant data subject right(s) from the GDPR could Pascal invoke in this
case?
Chapter III, the rights of the data subject, is relevant.
Pascal could invoke the following Articles of the GDPR:
- Article 16 GDPR, right to rectification (to correct by removing errors). Pascal has the right to obtain from the controller (Rosa) without undue delay the rectification of inaccurate personal data concerning him. In this case, those are incorrect data about his studies and political interests.
  - These errors need to be corrected.
- Article 17 GDPR, right to erase the data based on the grounds described in this article. But it is not sure which sub-section applies. We can make an argument based on any sub-section.
  - No longer necessary: The purpose was to write a master thesis and the data were only allowed to be used for this purpose. It was no longer necessary for Rosa to keep the data after she wrote her master thesis.
  - Withdraws consent: Pascal has the right to withdraw consent according to Article 7 (3) at any time. He can decide to do so.
  - No longer have legal grounds: Rosa does not have any legal grounds mentioned in Article 6 GDPR.
  - Unlawfully processed: The use of the information was not lawful. Again, no legal ground from Article 6 GDPR.
- This is also mentioned in Article 5 (d), principles relating to processing of personal data: accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’); => NOT NECESSARY TO MENTION. It is better to focus on Chapter III (rights of the data subject).
  - If he does not want her to have his data, he has the right to ask her to erase these data.

We could argue the following articles:
- 7 (3) GDPR: He has the right to withdraw consent at any time, which would mean that Rosa can no longer use his data.
- 15 GDPR – right of access by the data subject
  - “The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed.” If this is the case the person can access the data.
- 16 GDPR: right to rectification: remove the errors from the data
- 17 GDPR: right to erasure
- 18 GDPR: right to restriction of processing: Pascal, according to Article 18 GDPR, has the right to obtain from the controller restriction of processing for one or more reasons listed in para. 1 of this provision. In his case there was a problem with the accuracy of the data, processing was unlawful and the controller (Rosa) did not need the data for the agreed processing anymore.

Task 3 - GDPR
Tootle, a company that provides cloud services, lists a local insurance company among its many clients. The insurance company stores in the Tootle cloud several files, including the one with all their customers’ personal data. Recently, the account of one of the insurance company’s top managers was hacked after he had incidentally forgotten to strictly follow the company’s internal security procedures. Personal data of a large group of customers were made public deliberately by Kaos Hackers, the group that claimed the hacking of the account. Please answer the following questions about this scenario.
- Who qualifies as data subject, data controller and data processor in the previous scenario? Why?
Data subject is defined in Article 4 (1) GDPR and is an identified or an identifiable person who can be identified either directly or indirectly. The information contained in the data relates to this natural person. In the present case, the data subjects are the clients of the insurance company because their data are being stored and, based on these data, they can likely be identified.
- Identifiable natural person

Data controller is defined in Article 4 (7) GDPR and it concerns a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In our case this is the insurance company. The purpose to store the data is the functionality of the service that they are providing for their customers and the means of the processing are also decided by the insurance company.

- Insurance company

Data processor is defined in Article 4 (8) GDPR and it is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Tootle provides cloud services to the insurance company. To some extent both Tootle and the insurance company (people who are appointed by the insurance company for this purpose) can process the personal data on behalf of the insurance company.

- Tootle and the insurance company

- According to the GDPR, who is responsible for the damage caused to the data subjects as a result of the publication of their personal data?

The GDPR is concerned with the duties and responsibilities of the data processor or data controller.

- The definitions are found in Article 4 (7) and 4 (8).

The responsibilities of the controller are found in Article 24 (1) which states that the
controller shall implement appropriate technical and organisational measures to ensure and
to be able to demonstrate that processing is performed in accordance with this Regulation.
More importantly, para. 2 states that “the implementation of appropriate data protection”
shall be done by the controller.

Maybe this can be used as well:

Furthermore, Article 28(1): Outlines the requirements for data controllers to use only
processors that provide sufficient guarantees to implement appropriate technical and
organizational measures and protect individuals' rights.

Article 24 GDPR serves as a general provision for the responsibility of the controller.

Suppose that the insurance company has already been warned by the national supervisory authority that its top managers lacked sufficient security training. Suppose that the insurance company was ordered to suspend any data processing activities for half a month, so that the top managers can learn and demonstrate their sufficient knowledge to comply with the internal security procedures. But the company did not follow such orders strictly and carried out data processing to avoid any economic and reputation loss.
- Which range of administrative fines would you advise the national supervisory authority to impose on the insurance company in such a situation?

The insurance company was asked to suspend its activities until it complied with the conditions of the national supervisory authority. Those conditions were not met, and thus the insurance company has to pay the fine which is laid down in Article 83(5)(e), or similarly defined in Article 83(6). These provisions provide that: “Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.” (Art. 82 – the controller, the insurance company, infringed the Regulation by damage caused by processing).

Already been told to stop but did not follow the order. => 83 (5) (e) OR 83 (6)

According to Article 83 (2) the fines should depend on the circumstances of each case.
- Fines should be effective, proportionate and dissuasive
- Factors:
  - the nature, gravity and duration of the infringement
  - its intentional or negligent character
  - any action taken to mitigate the damage suffered by individuals
  - the degree of cooperation of the organisation, etc.

Task 4 – Pay with a SMILE :)[†]


Lalieri is a Chinese multinational company which focuses on e-Commerce. It is the second largest online marketplace in the world and has a large share of the EU market for buying goods online.
Recently, Lalipay, their online payment platform, has introduced an app that allows the users to activate a face-payment function based on facial recognition technology. No more worries in case you do not have your credit card data at hand, no more need to ask the device/platform to remember the data for the next time you visit (which, by the way, is not safe) - from now on, you can pay with a smile. The biometric data of the users of the app are safely stored in Hangzhou (China).
Living and studying in the Netherlands you would like to use Lalieri, but given your recent interest in Data Protection law, you would like to address the following doubts first:
1. Does the GDPR apply to the activities of Lalieri? Substantiate your answer.
The material scope of GDPR can be found in Article 2 (1) GDPR: “This Regulation applies to
the processing of personal data wholly or partly by automated means and to the processing
other than by automated means of personal data which form part of a filing system or are
intended to form part of a filing system.”

Furthermore, the territorial scope can be found in Article 3 GDPR. Paragraph 1 of this Article states that “This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.” (Not relevant for this case.) Article 3 (2): the processing of the data can take place in China (the data are “safely stored” in China) without the company being established in the EU when “offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union.” Or when monitoring a behaviour that takes place within the Union.
Thus, because of Article 3 (2), Lalieri, despite not being established in the EU, is subject to the GDPR because the company uses the data of EU citizens.

2. Is 'consent' to the privacy policy of an app a legitimate ground for processing your biometric data? Substantiate your answer.

No. Special personal data, Article 9 (1) GDPR => it requires specific explicit consent.

Biometric data: 4 (14) => definition
“‘Biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data”

Is the general privacy policy general enough? => Article 7 for examining whether the consent was sufficient.

3. Is 'consent' to the privacy policy of an app a legitimate ground for transferring your biometric data to China? Substantiate your answer.
Ireland v. Facebook case => if it is going to be used for commercial use it is not ok

Chapter V: rules regarding transfer of data to third states

Article 45: Is there an adequacy decision? Whether there is an adequate safeguard in the national legislation => 46 GDPR
49 => specific derogations are mentioned in this article
- Explicit consent is one of the ways
- These can only be used in a specific situation => list of following conditions
- More extensive requirements than the normal requirements we have with regard to other Articles

According to Article 45 (1), a transfer of personal data to a third country or international organisation may take place when it can be presumed that the organisation in question ensures an adequate level of protection. Para. 2 of this provision lists relevant elements that should be taken into account. Furthermore, Article 46 lists appropriate safeguards and provides that: “…a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.”

Article 49 lists derogations for specific situation. In the absence of an adequacy decision
pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including
binding corporate rules, a transfer or a set of transfers of personal data to a third country or
an international organisation shall take place in accordance with the conditions set out in
this article.

Schrems II => what are the risks of transferring the data to third countries where adequacy decisions exist
- New adequacy decisions
- When we are dealing with different states with different ideas of data protection it is a high bar to meet the adequacy decisions.
Read the book => the reasoning is very important
The US law did not comply with the requirements of the GDPR. They did not meet the standards of data transfer.

Task 5 – Landlord is watching you[‡]


Rossella is a very bright Italian student in Groningen. She is happy to rent a house together with other students, but lately they are having some troubles. The landlord is often called by neighbours at various times of day and night. They all complain about loud noises coming from the students’ house. Some have even threatened to call the law enforcement authorities.
After being unable to establish who the troublemaker is and sadly noticing that some common utensils are missing from the kitchen, the landlord decided to install CCTV cameras, active 24/7, looking over all the communal areas of the house. The recordings have already captured some very interesting activities in the house, such as whose turn it is to throw out the rubbish, who cleans the house, and who went to the newest movie show at the Groninger Forum. It has even recorded vivid discussions between the students on the national politics of various countries. Despite all this, the CCTV has not yet discovered the troublemaker.
The students learned about the installation of CCTV cameras in their house only when they saw the workers installing them. They were not asked to consent to such a measure and the landlord did not want to accommodate their complaints. “You can complain wherever you please. I don’t need to ask you about what I do in my own home” – was his reaction. You can imagine that Rossella and the other co-habitants are very angry. Gathering at the stairs of the Academy Building, they vividly discuss different ways to get the CCTV cameras removed from their house. Since Rossella aspires to become a lawyer in the future, she tries to direct the course of action towards a legal one. Please assist Rossella by answering the following questions:
1. Does the GDPR provide for a legal ground that justifies the installation of CCTV in the students’ house in the absence of their consent? Please motivate your answer.

A similar situation arose in the Czech case Ryneš, where Mr. Ryneš had installed a CCTV camera on the exterior of his house, which recorded movements not only on his private property, but also on the public footpath outside. He said that he installed the camera to protect his family and his property, as there had been previous vandalism to his property. After the installation the windows were broken once more. The CCTV footage was used to identify two individuals. One of the suspects questioned the legality of the video recording and Mr. Ryneš was found to have infringed Law No. 101/2000 with respect to the protection of personal data. The problem was the fact that the persons moving on the street and people living in the opposite house did not consent to the camera system collecting the information. The matters were referred to the CJEU.
The data collected could not have been defined as “purely” personal or household activity as they covered information about other people without having their consent.

In the Asociaţia de Proprietari bloc M5A-ScaraA (Romanian) case, the cameras were installed in shared spaces within one building without approval of all inhabitants. However, there was a legitimate interest which justified the interference.

Article 6 (1) GDPR provides us with situations in which the processing shall be lawful.
a) Consent
b) Necessary for performance of a contract
c) Legal obligation – Quiet after a certain hour? (Municipal laws)
d) Vital interest
e) Public interest – Public interest because of complaining neighbours.
f) Legitimate interest – This is the most likely to argue.
g) Legitimate interest C-708/18. => there was a legitimate interest. This would likely repeat again in this case.
   a. Only the one outcome. Only know that it exists. CCTV can be installed without consent if there is a legitimate interest.
The owner can argue that he had a legitimate interest.

However, if the camera captured sensitive data, Article 9 GDPR is concerned => e.g., legitimate interest is in 9 (2) (d).

2. Do you think the landlord is engaged in processing special categories of personal data? If so, would this change your answer to the previous question? Please motivate your answer.
The landlord so far obtained information about “interesting activities in the house, such as whose turn it is to throw out the rubbish, who cleans the house, and who went to the newest movie show at the Groninger Forum”. However, the camera has also “recorded vivid discussions between the students on the national politics of various countries”. I believe that Article 9 GDPR is applicable because political opinions fall under the protection of this article. Processing such data is prohibited unless the processor complies with one of the conditions set out in Article 9 (2).

There is still a legitimate ground: it was necessary to work out who was causing the damage. It was not possible to avoid the sensitive data. The problem would be if he stored the data for an unnecessarily long time.

3. When discussing with the landlord, Rossella and her friends were told that he will keep the recordings for as long as there will be space on his server. Are any of the general principles of lawful data processing relevant to this situation? Please motivate your answer.
The general principles of lawful data processing are mentioned in Article 5 GDPR. For the present situation, Article 5 (1) (e) is relevant. This provision states that personal data shall be kept in a “form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed”. It was not necessary to keep the data for as long as there is space on the server. If the information is irrelevant to the purpose that the processing is sought to achieve, the data should be removed.

Storage limitation has been violated => no longer than necessary => unreasonable to keep the data longer.

4. Some of the recordings from a Friday night party were deliberately published in a public students’ Facebook group. One of the students living in the house hacked the server of the landlord and thought it would be a nice surprise and a great laugh for the other co-habitants of the house to find their video online. Since everyone, including the landlord, was quick in finding out who was responsible, Rossella wonders what range of fines would apply to her (not anymore) friend according to the GDPR. Please motivate your answer.

Remember what the purposes of the GDPR are => it applies to controllers and processors. Hacking does not fall under the GDPR. It applies to ADMINISTRATIVE offences, but not to criminal offences. In this case, the student would be prosecuted under national criminal law.
