Selected legal aspects of the processing of employees' biometric data

2021 ◽  
Vol 30 (4) ◽  
pp. 593
Author(s):  
Sylwia Zaborska

Given the growing popularity of biometrics, doubts about the conditions for biometric data processing can be noticed in practice. These inaccuracies take place in various areas of law, including labour law. This article provides a theoretical discussion on the processing of special categories of data. It aims to point to the need for appropriate legal regulations to ensure the security of the processing of biometric data of employees and candidate employees. The article starts with clarifying the concept of biometric data and discusses the practical aspects of the use of biometric tools. Further on, the author analyses the legal regulations concerning the processing of biometric data in the relations between the employer as the personal data controller and the employee as the data subject. As a result of the studies carried out, a position was presented which indicates that the employer who processes biometric data of employees and candidates for employment should always find out whether he has legal justification to process the data in question. This article is one of the few studies on the processing of biometric data in Polish literature on the subject. The main purpose hereof is to present situations under the current legislation, in which the employer can process biometric data of its employees. The article is a form of universal presentation of the problem and may be of interest especially to legal practitioners.

Author(s):  
Ludmila Georgieva ◽  
Christopher Kuner

Article 4(1) (Definition of personal data); Article 4(2) (Definition of processing); Article 4(11) (Definition of consent); Article 4(13) (Definition of genetic data, see also recital 34); Article 4(14) (Definition of biometric data); Article 4(15) (Definition of data concerning health, see also recital 35); Article 6(4)(c) (Lawfulness of processing, compatibility test) (see too recital 46 on vital interest); Article 13(2)(c) (Information to be provided where personal data are collected from the data subject); Article 17(1)(b), (3)(c) (Right to erasure (‘right to be forgotten’)); Article 20(1)(a) (Right to data portability); Article 22(4) (Automated individual decision-making, including profiling); Article 27(2)(a) (Representatives of controllers or processors not established in the Union); Article 30(5) (Records of processing activities); Article 35(3)(b) (Data protection impact assessment) (see too recital 91); Article 37(1)(c) (Designation of the data protection officer) (see too recital 97); Article 83(5)(a) (General conditions for imposing administrative fines).


2018 ◽  
Vol 12 (2) ◽  
pp. 221-246
Author(s):  
Angela Sobolčiaková

The paper discusses the right to obtain a copy of personal data based on the access right guaranteed in Article 15(3) and limited in Article 15(4) of the GDPR. The main question is to what extent the access right provided to the data subject under the data protection rules is compatible with copyright. We argue that the subject matter of Article 15(3) of the GDPR (a copy of personal data) may infringe copyright protection of third parties but not a copyright protection attributed to the data controllers. Firstly, because the right of access and copyright may be in certain circumstances incompatible. Secondly, the data controllers are primarily responsible for balancing conflicting rights and neutral balancing exercise could only be applied by the Data Protection Authorities. Thirdly, the case law of the CJEU regarding this issue will need to be developed because the copy as a result of access right may be considered as a new element in data protection law.


2021 ◽  
pp. 285-305
Author(s):  
Dariusz Wilk

Forensic databases are crucial resources in criminal justice systems, which allow for detection and identification of offenders. The General Data Protection Regulation and the Police Directive about processing of personal data were enacted in the European Union in 2016, which implied changes in national law and policy in processing genetic and biometric data by law enforcement. Therefore, the current development of DNA and fingerprint databases in Poland was revealed and compared to other European countries. Changes in the law related to processing of genetic and biometric data were analysed. Issues related to the distinction between different categories of data subject and retention time of personal data were especially commented on in view of the right to the protection of personal data and the right to privacy.


2021 ◽  
Vol 11 (22) ◽  
pp. 10574
Author(s):  
Sung-Soo Jung ◽  
Sang-Joon Lee ◽  
Ieck-Chae Euom

With the growing awareness regarding the importance of personal data protection, many countries have established laws and regulations to ensure data privacy and are supervising managements to comply with them. Although various studies have suggested compliance methods of the General Data Protection Regulation (GDPR) for personal data, no method exists that can ensure the reliability and integrity of the personal data processing request records of a data subject to enable its utilization as a GDPR compliance audit proof for an auditor. In this paper, we propose a delegation-based personal data processing request notarization framework for GDPR using a private blockchain. The proposed notarization framework allows the data subject to delegate requests to process personal data; the framework makes the requests to the data controller, which performs the processing. The generated data processing request and processing result data are stored in the blockchain ledger and notarized via a trusted institution of the blockchain network. The Hyperledger Fabric implementation of the framework demonstrates the fulfillment of system requirements and feasibility of implementing a GDPR compliance audit for the processing of personal data. The analysis results with comparisons among the related works indicate that the proposed framework provides better reliability and feasibility for the GDPR audit of personal data processing request than extant methods.


Author(s):  
Dara Hallinan

This chapter addresses how the biobanking process—in the instances in which it falls within the scope of the General Data Protection Regulation (GDPR)—is classified under the GDPR's classification systems. These classification systems do not, themselves, constitute substantive provisions; they do not consist of rights or obligations. They are, however, key in determining the types of actors to whom substantive provisions apply and the way in which substantive provisions apply. The chapter begins with a detailed elaboration of the GDPR's two key classification systems: the actor classification system and the personal data classification system. It then describes how the actor classification system applies to actors involved in the biobanking process, focusing on the applicability of the concepts of ‘data subject’, ‘data controller’, and ‘data processor’. Finally, the chapter considers how the personal data classification system applies to personal data processed in biobanking, looking, in particular, at the applicability of the concepts of ‘genetic data’ and ‘data concerning health’.


Radca Prawny ◽  
2021 ◽  
pp. 165-190
Author(s):  
Piotr Kantorowski

Commercial information and direct marketing without prior and explicit consent – selected issues

The aim of the article is to examine legal regulations in the context of answering the question whether – and if so, then under which circumstances – marketing activities performed via means of electronic communication are legal when the party conducting these activities does not have the prior and explicit consent to perform them. In particular, the article will analyze the provisions of Article 10 of the Act on provision of services by electronic means and Article 172 of the Act – telecommunication law, which are the key legislative provisions to resolve this issue. To answer the question posed in the article, the subject and object scopes of both legal norms in particular will be compared. Such a comparison is necessary to determine whether – and if so, then what kind of – marketing communication can be made without prior and explicit consent. On the other hand, the author will not discuss more broadly the issues concerning the processing of personal data, although he will draw attention to the conditions that must occur in order for the personal data held by the controller to be used for the purposes identified above.


Author(s):  
Marta Kive

The right to data portability applies only to personal data provided to the controller by the data subject himself, and only if the processing was initially based on the consent of the user or on the basis of a contract. Most cases when students or their parents submit their personal data to an educational institution are cases covered by this right; moreover, in most cases, those are sensitive personal data. In the context of the right to data portability, data subjects directly transmit data from one data controller to another where technically possible. The regulation does not specify what is meant by “technically feasible”. The wording indicates that this should be addressed on a case-by-case basis and a dynamic interpretation of the term “technically feasible” should be ensured. This is limited because the Regulation does not oblige data controllers to accept or maintain compatible processing systems. In the case of educational institutions and students’ opportunities to change the study place, including mid-school year, it is important to identify problems with data portability and facilitate the transition process to get the student into the new study environment and system faster and more effectively. For this purpose, the author identifies the main problems and challenges that educational institutions can face when they act as data controllers. The subject of the research is the relationship between the data subject (students) and the data controller (educational institution), implementing the right to data portability.


Author(s):  
Konstantina Samara

The prevalent and currently unanimous European legal system regarding personal data comprises a set of protective rules, enshrining, amongst others, the prerequisites for lawful processing. The venture of the ensuing aims to examine, under the scope of both constitutional rules and the ius cogens provisions of the Regulation (EU) 2016/679, the validity of a transaction pertaining to the processing of personal data. The objective of the herein argumentation specifically focuses on the juridical act of selling personal data, in accordance with the principle of contractual freedom and its compatibility with the core of constitutional provisions, which safeguard human value. The correlations examined below are referred to the contractual interaction between the subject of the personal data and the data controller under the scope of a double facet approach of GDPR, as a legal system both personal and property oriented.


Author(s):  
Christopher Millard ◽  
Dimitra Kamarinou

To ensure compliance with the requirements of this Regulation in respect of the processing to be carried out by the processor on behalf of the controller, when entrusting a processor with processing activities, the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of this Regulation, including for the security of processing. The adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller. The carrying-out of processing by a processor should be governed by a contract or other legal act under Union or Member State law, binding the processor to the controller, setting out the subject-matter and duration of the processing, the nature and purposes of the processing, the type of personal data and categories of data subjects, taking into account the specific tasks and responsibilities of the processor in the context of the processing to be carried out and the risk to the rights and freedoms of the data subject.


2020 ◽  
pp. 116-127
Author(s):  
Marta Kive

The aim of the publication is to analyze the advantages and disadvantages of the right to data portability, as well as to look at them in the context of development of a legal framework for the protection of personal data. The General Data Protection Regulation entered into force on 25 May 2018 and introduced a new legal framework for the protection of personal data in the European Union, and also included several new rights, including the right to data portability. These are rights of the data subject to receive personal data concerning himself, which he has provided to the controller, in a structured, widely used and machine‐readable format, and transmit this information to another controller, if it is possible. The right to data portability applies only to personal data provided by the controller to the data subject himself, and only if the processing was initially based on the consent of the user or on the basis of a contract. This means that the right to data portability is not feasible when data processing is based on another legal basis. In the context of the right to data portability, data subjects directly transmit data from one data controller to another where technically possible. The regulation does not specify what is meant by “technically feasible”. The wording indicates that this should be addressed on a case‐by‐case basis and a dynamic interpretation of the term “technically feasible” should be ensured. This is limited because the Regulation does not oblige data controllers to accept or maintain compatible processing systems.

