GDPR

Personal data

• any data that identifies natural person (physical, genetic, mental, economic, cultural, social identity)

• anonymized data is not considered personal data

• special requirements for sensitive data

Examples:

• Name, ID code

• Geolocation, mobile data

• address, email, phone nr, IP

• banking details, income

• photos, videos,

• behaviour / performance

Sensitive data

Needs consent & legal obligation

• racial / ethnic origin

• political opinions, religions beliefs

Processing

collecting, recording, organisation, structuring, storage, use, disclosure by transmission…

Controller & processor

Example

• Controller = Company, owning data

• Cloud provider (AWS) - processor
  • in case of data exposure, responsibility propagates up

Principles of Data Processing

• Purpose limitation

• Data minimisation
  • Privacy by design. You should not collect more info as neccessary

• Accuracy

• Storage limitation

• Integrity and confidentiality

• Accountability
  • Privacy policy

Legal basis for data processing

• Consent
  • of sending marketing emails, ability to opt-out of emails

• Performance of a contract

• Legal Obligation. Keep accounting for 7 years

• Vital interest

• Public interest

• Legitimate interest, impact assesment. Video surveilance for security vs privacy of other people.