GDPR
Personal data
- any data that identifies a natural person (physical, genetic, mental, economic, cultural, social identity)
- anonymized data is not considered personal data
- special requirements for sensitive data
Examples:
- Name, ID code
- Geolocation, mobile data
- address, email, phone nr, IP
- banking details, income
- photos, videos
- behaviour / performance
Sensitive data
Needs consent & legal obligation
- racial / ethnic origin
- political opinions, religious beliefs
Processing
collecting, recording, organisation, structuring, storage, use, disclosure by transmission…
Controller & processor
Example
- Controller = Company, owning data
- Processor = Cloud provider (AWS)
- in case of data exposure, responsibility propagates up
Principles of Data Processing
- Purpose limitation
- Data minimisation
- Privacy by design. You should not collect more info than necessary
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
- Privacy policy
Legal basis for data processing
- Consent
- for sending marketing emails, ability to opt out of emails
- Performance of a contract
- Legal Obligation. Keep accounting for 7 years
- Vital interest
- Public interest
- Legitimate interest, impact assessment. Video surveillance for security vs privacy of other people.