Personal Data After the Death of the Data Subject—Exploring Possible Features of a Holistic Approach

2018 ◽  
pp. 273-302
Author(s):  
Mark-Oliver Mackenrodt
Keyword(s):  
Personal Data ◽  
Holistic Approach ◽  
Data Subject

scholarly journals When Data Protection by Design and Data Subject Rights Clash

2018 ◽  
Author(s):  
Michael Veale ◽  
Reuben Binns ◽  
Jef Ausloos
Keyword(s):  
Data Protection ◽  
Data Privacy ◽  
Personal Data ◽  
Large Data ◽  
Holistic Approach ◽  
Privacy By Design ◽  
Privacy Law ◽  
Ex Post ◽  
Trade Offs ◽  
Data Subject

Cite as: Michael Veale, Reuben Binns and Jef Ausloos (2018) When Data Protection by Design and Data Subject Rights Clash. International Data Privacy Law (2018) doi:10.1093/idpl/ipy002. [Note: An earlier draft was entitled "We Can't Find Your Data, But A Hacker Could: How 'Privacy by Design' Trades-Off Data Protection Rights"]Abstract➔Data Protection by Design (DPbD), a holistic approach to embedding principles in technical and organisational measures undertaken by data controllers, building on the notion of Privacy by Design, is now a qualified duty in the GDPR.➔Practitioners have seen DPbD less holistically, instead framing it through the confidentiality-focussed lens of Privacy Enhancing Technologies (PETs).➔While focussing primarily on confidentiality risk, we show that some DPbD strategies deployed by large data controllers result in personal data which, despite remaining clearly reidentifiable by a capable adversary, make it difficult for the controller to grant data subjects rights (eg access, erasure, objection) over for the purposes of managing this risk.➔Informed by case studies of Apple's Siri voice assistant and Transport for London's Wi-Fi analytics, we suggest three main ways to make deployed DPbD more accountable and data subject-centric: building parallel systems to fulfil rights, including dealing with volunteered data; making inevitable trade-offs more explicit and transparent through Data Protection Impact Assessments; and through ex ante and ex post information rights (arts 13-15), which we argue may require the provision of information concerning DPbD trade-offs.➔Despite steep technical hurdles, we call both for researchers in PETs to develop rigorous techniques to balance privacy-as-control with privacy-as-confidentiality, and for DPAs to consider tailoring guidance and future frameworks to better oversee the trade-offs being made by primarily well-intentioned data controllers employing DPbD.

Article 30 Records of processing activities

2020 ◽  
Author(s):  
Waltraut Kotschy
Keyword(s):  
Impact Assessment ◽  
Data Protection ◽  
Personal Data ◽  
Data Flows ◽  
Right Of Access ◽  
Data Subject ◽  
General Conditions

Article 13 (Information to be provided where personal data are collected from the data subject); Article 14 (Information to be provided where personal data have not been obtained from the data subject); Article 15 (Right of access by the data subject); Article 24 (Responsibility of the controller); Article 32 (Security of processing); Article 35 (Data protection impact assessment); Article 37 (Designation of a data protection officer); Article 49 (Derogations for specific situations concerning transborder data flows); Article 83 (General conditions for imposing administrative fines)

Article 9 Processing of special categories of personal data

2020 ◽  
Author(s):  
Ludmila Georgieva ◽  
Christopher Kuner
Keyword(s):  
Decision Making ◽  
Data Protection ◽  
Personal Data ◽  
Genetic Data ◽  
Biometric Data ◽  
Individual Decision Making ◽  
Vital Interest ◽  
Data Portability ◽  
Definition Of ◽  
Data Subject

Article 4(1) (Definition of personal data); Article 4(2) (Definition of processing); Article 4(11) (Definition of consent); Article 4(13) (Definition of genetic data, see also recital 34); Article 4(14) (Definition of biometric data); Article 4(15) (Definition of data concerning health, see also recital 35); Article 6(4)(c) (Lawfulness of processing, compatibility test) (see too recital 46 on vital interest); Article 13(2)(c) (Information to be provided where personal data are collected from the data subject); Article 17(1)(b), (3)(c) (Right to erasure (‘right to be forgotten’)); Article 20(1)(a) (Right to data portability); Article 22(4) (Automated individual decision-making, including profiling); Article 27(2)(a) (Representatives of controllers or processors not established in the Union); Article 30(5) (Records of processing activities); Article 35(3)(b) (Data protection impact assessment) (see too recital 91); Article 37(1)(c) (Designation of the data protection officer) (see too recital 97); Article 83(5)(a) (General conditions for imposing administrative fines).

Article 4(11). Consent

2020 ◽  
Author(s):  
Lee A. Bygrave ◽  
Luca Tosoni
Keyword(s):  
Decision Making ◽  
Information Society ◽  
Personal Data ◽  
Individual Decision ◽  
Individual Decision Making ◽  
Article 9 ◽  
Data Portability ◽  
Article 5 ◽  
Data Subject

Article 5 (Principles relating to processing of personal data) (see also recitals 33, 39 and 50); Article 6(1)(a) (Lawfulness of processing on basis of consent) (see too recital 40); Article 7 (Conditions for consent) (see also recital 42); Article 8 (Conditions applicable to child’s consent in relation to information society services) (see too recital 38); Article 9(2)(a) (Processing of special categories of personal data on basis of consent) (see too recital 51); Article 13 (Information to be provided where personal data are collected from the data subject) (see too recitals 60–62); Article 14 (Information to be provided where personal data have not been obtained from the data subject); Article 17 (Right to erasure) (see too recital 65); Article 20 (Right to data portability) (see too recital 68); Article 22 (Automated individual decision-making, including profiling) (see too recital 71); Article 49(1)(a) (Transfer of personal data to third country or international organisation on basis of consent) (see too recitals 111–112).

Conclusions: Striving for Data Subject Control within and beyond Data Subject Rights

2021 ◽  
pp. 215-236
Author(s):  
Helena U. Vrabec
Keyword(s):  
Data Protection ◽  
Holistic Approach ◽  
Control Rights ◽  
Data Protection Law ◽  
Article 5 ◽  
Data Subject

Chapter 9 is a concluding section of the book. It takes a look at the rights from the perspective of effectiveness and analyses them in a more structured manner by utilising a framework of data protection principles from Article 5 of the GDPR. The analysis shows that data subjects’ control rights are sometimes ineffective. However, this part of data protection law must be, nonetheless, maintained, because it not only serves the objective of control but has other objectives too. To mitigate the ineffectiveness, some alterative measures are considered, for example technological solutions and legal mechanisms outside of data protection law. The chapter refers to these alternatives as ‘a holistic approach to control’.

Conditions of the Right to Erasure

2020 ◽  
pp. 196-274
Author(s):  
Jef Ausloos
Keyword(s):  
Public Interest ◽  
Freedom Of Expression ◽  
Personal Data ◽  
Historical Research ◽  
Legal Obligation ◽  
The Public ◽  
The Third ◽  
Legal Provisions ◽  
The Right ◽  
Data Subject

This chapter zooms in on Article 17 GDPR, on the right to erasure (‘right to be forgotten’). It meticulously dissects the three paragraphs of this provision. The first paragraph lists six rights-to-erasure triggers which can be summarized as: (a) purpose expiration; (b) withdrawal of consent; (c) right to object; (d) unlawful processing; (e) legal obligation; and (f) withdrawal of consent by minors in the online environment. The second paragraph comprises an odd extension of the right to erasure, enabling data subjects to request that controllers who have made the personal data public, communicate potential erasure to anyone else processing that same personal data. The third paragraph lists five exemptions to the right to erasure, summarized as: (a) freedom of expression and information; (b) legal obligation or task carried out in the public interest or official authority; (c) public interest in the area of public health; (d) public interest archiving, scientific and historical research, or statistical purposes; and (e) legal claims. What becomes clear right away is how both the right-to-erasure’s triggers and exemptions all refer to other legal provisions in and outside the GDPR. As such, the right to erasure can be seen as a central hub in the GDPR, bringing together key data protection principles from the perspective of data subject empowerment.

Article 19 Notification obligation regarding rectification or erasure of personal data or restriction of processing

2020 ◽  
Author(s):  
Gloria González Fuster
Keyword(s):  
Public Interest ◽  
Personal Data ◽  
Historical Research ◽  
Information Communication ◽  
The Public ◽  
Right To Be Forgotten ◽  
Definition Of ◽  
Data Subject

Article 4(9) (Definition of ‘recipient’); Article 12 (Transparent information, communication and modalities for the exercise of the rights of the data subject); Article 16 (Right to rectification), Article 17(1) (Right to erasure (‘right to be forgotten’)); Article 18 (Right to restriction of processing); Article 58(2)(g) (Powers of supervisory authorities); Article 89(3) (Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes).

22. Data Protection and Data Exclusivity

2019 ◽  
pp. 497-512
Author(s):  
Justine Pila ◽  
Paul L.C. Torremans
Keyword(s):  
Data Protection ◽  
Patent Protection ◽  
Personal Data ◽  
Pharmaceutical Sector ◽  
Data Exclusivity ◽  
The Law ◽  
Data Subject

This chapter examines the law on data protection and data exclusivity. It focuses on the new GDPR Regulation. It covers rules on lawful processing of personal data, on the security of the processing, on the transparency of the processing, and on promoting compliance. It also discusses the rights of the data subject, the transfer of personal data to third countries, and the period of data exclusivity granted to the pharmaceutical sector independent of any form of patent protection.

Introducing a Holistic Approach to Personal Data

2018 ◽  
pp. 1-4
Author(s):  
Mor Bakhoum ◽  
Beatriz Conde Gallego ◽  
Mark-Oliver Mackenrodt ◽  
Gintarė Surblytė-Namavičienė
Keyword(s):  
Personal Data ◽  
Holistic Approach
Sign in / Sign up

Export Citation Format

Share Document