PDPF Privacy and Data Protection Foundation Questions and Answers

Besides to what many persons think, the GDPR does not apply only to the EU, but to all member countries of the European Economic Area (EEA) that includes, in addition to the EU member countries, Iceland, Liechtenstein and Norway.

Companies have tax obligations to be fulfilled, so financial data cannot be deleted.

The data subject has several rights under the GDPR, however there are limitations. These rights cannot run counter to other specific legislation. In this case, the holder can exercise the right of Opposition instead of Exclusion. In the Right of Opposition, he requests the Controller to cease the processing of his data for non- consented purposes. An example of Opposition: in Brazil there was the website naomeperturbe.com.br, where millions of Brazilians could oppose the inconvenient calls made by the telecommunication service providers.

A very repeated phrase is: “It is possible to have security without privacy, but it is not possible to have privacy without security”.

Privacy is a right that should be protected, and Data Protection are the measures that will be used to achieve this protection.

In its Article 35 the GDPR legislates on the Impact assessment on data protection.

7)The assessment shall contain at least:

a)a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;

b)an assessment of the necessity and proportionality of the processing operations in relation to the purposes;

c)an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and

d)the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.

The deadline for companies to adapt and comply with GDPR was May 25, 2018. This is an important date and should be memorized. It is common to have this question in this exam.

Article 99 of GDPR

1.This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

2.It shall apply from 25 May 2018.

For archiving purposes in the public interest. Incorrect. With the safeguards in place, further processing is

allowed for archiving purposes in the public interest.

For direct marketing and commercial purposes. Correct. This is not a purpose that is allowed, if it is not the original legitimate purpose of the processing. (Literature: A, Chapter 2)

For generalized statistical purposes. Incorrect. With the safeguards in place, further processing is allowed for generalized statistical purposes.

For scientific or historical research purposes. Incorrect. With the safeguards in place, further processing is allowed for research purposes.

Data access. Incorrect. The data have not been accessed.

Personal data breach. Incorrect. No personal data has been processed unauthorized yet, so it is not a breach.

Security incident. Incorrect. Processing has yet to begin, there is no reason to assume an incident has taken place.

Security vulnerability. Correct. Confidentiality of the data cannot be guaranteed if employees leave their workstation without locking the computer. (Literature: A, Chapter 2; GDPR Article 5(1)(f))

Article 30 in its first paragraph legislates:

1. Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.

Recital 82 mentions:

In order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility. Each controller and processor should be obliged to cooperate with the supervisory authority and make those records, on request, available to it, so that it might serve for monitoring those processing operations.

This is a question that has the most doubts: “Who needs to adapt?". For example: 1 - If you have a company in Brazil and sell products or services and process personal data from residents in the EU, in this case your company must conform to the GDPR. 2- If you have a company located in the EU and handle personal data.

Transcribing here part of Article 3 of the GDPR:

1.This Regulation applies to the processing of personal data carried out in the context of the activities of an establishment of a controller or a subcontractor located in the territory of the Union, regardless of whether the processing takes place inside or outside the Union.

2.This Regulation applies to the processing of personal data of holders residing in the territory of the Union, carried out by a controller or processor not established in the Union, when the processing activities are related to:

a)The provision of goods or services to such data subjects in the Union, regardless of the requirement for data subjects to make a payment;

b)Control of their behavior, provided that such behavior takes place in the Union.

Section: (none)

Explanation

Article 22 provides for this type of damage to the data subject and legislates on “Automated individual decisions, including profiling”:

1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

Privacy is a right that must be protected, and Data Protection are the measures that will be used to achieve this protection.

Data protection and privacy complement each other, but they are not the same.

A well-known phrase is: “You can have security without privacy, but you cannot have privacy without security”.

Recital 4 of the GDPR says:

The processing of personal data should be designed to serve individuals. The right to protection of personal data is not absolute; it must be considered in relation to its role in society and balanced with other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedom and principles recognized in the Charter, enshrined in the Treaties, namely respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom of business, the right to action and an impartial tribunal, and cultural, religious and linguistic diversity.

Recital 170 mentions “Since the objective of this Regulation, namely to ensure an equivalent level of protection of natural persons and the free flow of personal data throughout the Union, cannot be sufficiently achieved by

the Member States and can rather, by reason of the scale or effects of the action, be better achieved at Union

level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union (TEU). In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective.”

Proportionality says that personal data should be collected according to the purpose of processing, that is, proportional, and data that will not be used for the purpose should not be collected.

Subsidiarity is a principle that says that personal data can only be processed if there are no other means to achieve the objective. Therefore, the less personal data used, the less the possibilities of violating privacy.

In its Article 5, which deals with the Principles concerning the processing of personal data, paragraph 1, the GDPR describes:

1. Personal data shall be:

adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed («data minimisation»);

In the Article 5 all the principles of GDPR for processing personal data are quoted.

The data minimization principle refers to the purpose of the law that only the data that is required for processing should be collected.

This is also favorable to businesses. The less data is collected, the less likely violations are to occur and consequently the impacts also decrease.

GDPR uses the term data breach.

Article 4 paragraph 12

‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Article 4 dealing with the GDPR Definitions says in its paragraph 8:

‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.