Personal data
Jakub Klodwig

Personal data
"…means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly."
Sex, date of birth and ZIP code together are enough to uniquely identify 87% of US citizens.

Personal data
•name, permanent address, delivery address, gender, age, date of birth, place of birth, birth number, personal status, medical disadvantage, photographic record, video record, audio record, e-mail address, telephone number (private and work), identification number, VAT number, identity card number, driving licence number, passport number, education, employment income (wage, salary)
•data on racial or ethnic origin (nationality), religion, philosophical belief, trade union membership, health status (data on physical or mental health, provision of health services), sexual orientation, criminal offences, final convictions, DNA, RNA, blood group, Rh blood factor, facial image, fingerprint, iris image, retina image, signature, voice (timbre)

"It is common ground, first, that the injunction requiring installation of the contested filtering system would involve a systematic analysis of all content and the collection and identification of users' IP addresses from which unlawful content on the network is sent. Those addresses are protected personal data because they allow those users to be precisely identified."
Scarlet Extended SA case (CJEU), C-70/10

Disproportionate effort
It is not personal data "if the identification of the data subject was prohibited by law or practically impossible on account of the fact that it requires a disproportionate effort in terms of time, cost and man-power, so that the risk of identification appears in reality to be insignificant."
Breyer case (CJEU), C-582/14

Anonymisation
•Pseudonymisation

Personal data
"The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes."
"The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations. […]"
"'pseudonymisation' means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person"

Identified or identifiable
De-anonymisation?
•Removal of direct identifiers
•Lowering of granularity
•Aggregation
•Data exchange

Why?
•The Internet never forgets (collective memory)
•Past made present
•Streisand effect
•Long past misconduct
•The value of data changes over time!
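The distinction the definitions above draw (pseudonymised data is still personal data because the "additional information" can re-attribute it; a weak de-identification is reversible by anyone) is easiest to see in code. The following Python sketch is an added example, not part of the original slides: it contrasts an unkeyed hash of a phone number, which an attacker reverses by enumerating candidates, with a keyed pseudonym whose key is held by a separate custodian, and combines that with removal of direct identifiers and lowering of granularity of the ZIP/date-of-birth quasi-identifiers. The sample record, the key and the phone-number prefix are constructed for illustration.

```python
import hashlib
import hmac
import itertools

# Constructed sample record for illustration only (not a real person).
SAMPLE_RECORD = {"name": "Jane Doe", "phone": "+420777123456",
                 "zip": "60200", "dob": "1985-03-14", "diagnosis": "J45"}

# Assumption: in practice this key lives in a separate key store with its own
# access controls; it is the "additional information" that the GDPR definition
# requires to be kept apart from the dataset. A fixed byte string is used here
# only so the example runs offline.
PSEUDONYM_KEY = b"example-key-held-by-a-separate-custodian"


def naive_hash(value: str) -> str:
    """Unkeyed SHA-256. Looks irreversible, but is NOT anonymisation for
    low-entropy identifiers: anyone can hash every candidate and compare."""
    return hashlib.sha256(value.encode()).hexdigest()


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). Deterministic under one key, so records
    of the same subject still link together; without the key an attacker
    cannot rebuild the candidate-to-pseudonym table."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def dictionary_attack(digest: str, prefix: str = "+42077712", width: int = 4):
    """Attacker's view: a phone number has almost no entropy once the prefix
    is known, so enumerate the 10**width possible tails and compare unkeyed
    hashes. Returns the recovered identifier, or None if nothing matches."""
    for tail in itertools.product("0123456789", repeat=width):
        candidate = prefix + "".join(tail)
        if naive_hash(candidate) == digest:
            return candidate
    return None


def generalise(record: dict) -> dict:
    """Lower the granularity of the quasi-identifiers that, combined, single
    people out (the ZIP + date of birth pattern): keep only the ZIP prefix
    and the birth year."""
    return {"zip3": record["zip"][:3], "birth_year": record["dob"][:4]}


def deidentify(record: dict, key: bytes) -> dict:
    """Remove direct identifiers, keep a keyed pseudonym for linkage, and
    generalise the remaining quasi-identifiers."""
    out = generalise(record)
    out["diagnosis"] = record["diagnosis"]              # payload the study needs
    out["subject_id"] = pseudonymise(record["phone"], key)
    return out                                          # no name, phone, full ZIP or DOB


if __name__ == "__main__":
    leaked = naive_hash(SAMPLE_RECORD["phone"])
    print("unkeyed hash reversed to:", dictionary_attack(leaked))
    protected = pseudonymise(SAMPLE_RECORD["phone"], PSEUDONYM_KEY)
    print("keyed pseudonym reversed to:", dictionary_attack(protected))
    print("released record:", deidentify(SAMPLE_RECORD, PSEUDONYM_KEY))
```

The released record is still pseudonymised personal data in the GDPR sense, because whoever holds `PSEUDONYM_KEY` can re-attribute `subject_id` to a phone number; only the keyed construction plus keeping the key separately makes that re-attribution depend on controlled access rather than on the attacker's willingness to run a few thousand hashes.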
Purpose of personal data protection law
•"the protection of natural persons with regard to the processing of personal data and on the free movement of such data"
•To protect natural persons' data
•To enable free movement of personal data

"Recent inventions and business methods call attention to the next step which must be taken for the protection of the person, and for securing to the individual … the right 'to be let alone' … Numerous mechanical devices threaten to make good the prediction that 'what is whispered in the closet shall be proclaimed from the house-tops.'"

Privacy protection
•Information self-determination
•Personal data protection
•1983, Germany, Census case: one of the basic premises of personal data protection
•Accent on consent
•Right to be forgotten
•Right to object to the processing

Personal data protection vs. privacy protection
•Scope of protection (legal person, dead person)
•public X private
•preventive X restrictive
•DPA X court
•non-distributive X distributive

History of personal data protection
•1950 - European Convention on Human Rights
•1980 - OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
•1981 - Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108)
•1995 - Directive 95/46/EC
•2018 - General Data Protection Regulation (2016/679) applies

Effective legislation
In the European Union: General Data Protection Regulation (2016/679). Outside its scope:
•personal or household activity
•activities which fall outside the scope of Union law
•activities which fall within the scope of the Common Foreign and Security Policy
•processing of personal data by Union institutions
•This Regulation shall be without prejudice to the application of Directive 2000/31/EC (eCommerce Directive)

Police Directive (2016/680)
•purposes of the prevention, investigation, detection or prosecution of criminal offences

In Czechia
Act No. 110/2019 Sb., on personal data processing
E.g. Ryneš case (C-212/13); Lindqvist case (C-101/01)

Charter of Fundamental Rights of the European Union, Article 8 - Protection of personal data
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.

Territorial scope
This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
•the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
•the monitoring of their behaviour as far as their behaviour takes place within the Union.
Personal data CONTROLLER
= natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data

Personal data PROCESSOR
= natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
•Contract, joint controllers

Personal data processing
•'processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

Principles of processing personal data
•Principle of lawfulness, fairness and transparency: processed lawfully, fairly and in a transparent manner in relation to the data subject
•Principle of purpose limitation
•Principle of data minimisation
•Principle of accuracy
•Principle of storage limitation
•Principle of integrity and confidentiality
•Principle of accountability: the controller shall be responsible for, and be able to demonstrate compliance with, the rules

Legal grounds for processing
1. Processing is necessary for the performance of a contract to which the data subject is party
2. Processing is necessary for compliance with a legal obligation to which the controller is subject
3. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
4. Processing is necessary in order to protect the vital interests of the data subject or of another natural person
5. Processing is necessary for the purposes of the legitimate interests pursued by the controller
6. Consent of the data subject
Legitimate interest (ground 5)
•processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child
•Balancing test!
•Examples: Google Spain; IP addresses in cyber security; open data applications

Consent (ground 6)
•Freely given, specific, informed, unambiguous
•Controller should be able to demonstrate that the data subject has given consent to the processing operation
•Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment
•For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended
•Data subject can withdraw at any time

Rights of the data subjects
•the right to be informed about processing (Arts. 13, 14)
•the right of access by the data subject (Art. 15)
•the right to rectification (Art. 16)
•the right to erasure (Art. 17)
•the right to restrict processing (Art. 18)
•the right to data portability (Art. 20)
•the right to object to processing (Art. 21)
•the rights in relation to automated decision making and profiling (Art. 22)

Right to information about processing
•Basic information about processing: who, how, why (purpose), why (legal ground), how long, where…
•Art. 14 para. 5 - exception. The information duty does not apply when:
•the data subject already has the information
•the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes … In such cases the controller shall take appropriate measures to protect the data subject's rights and freedoms and legitimate interests, including making the information publicly available
•obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject's legitimate interests
•where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy

Right of access (Art. 15)
•Data subject can actively ask for basic information about processing: who, how, why (purpose), why (legal ground), how long, where…
•Para. 3: The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
Right to erasure (Right to be Forgotten, Art. 17)
•Google Spain case
•The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay, when:
•the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
•the data subject withdraws consent on which the processing is based
•the data subject objects to the processing pursuant to Article 21(1) (legitimate or public interest) and there are no overriding legitimate grounds for the processing
•the personal data have been unlawfully processed
•the personal data have to be erased for compliance with a legal obligation
•the personal data were collected on the basis of a child's consent to information society services

Right to erasure: exceptions (Art. 17 para. 3)
Processing is necessary for:
•exercising the right of freedom of expression and information
•compliance with a legal obligation or for the performance of a task carried out in the public interest
•reasons of public interest in the area of public health
•archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1)
•the establishment, exercise or defence of legal claims

Right to restriction of processing (Art. 18)
•The data subject shall have the right to obtain from the controller restriction of processing when:
•the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data
•the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead
•the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims
•the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject

Duties of the controller
1. Responsibility of the controller (Art. 24): the controller must implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation
2. Data protection by design and by default (Art. 25)
3. Records of processing activities (Art. 30): files and documents
4. Cooperation with the supervisory authority (Art. 31)
5. Security of processing (Art. 32)
6. Notification of a personal data breach to the supervisory authority (Art. 33)
7. Data protection impact assessment (Art. 35)
8. Data protection officer (Arts. 37-39)

International data transfer
Why do we care?
•Different regimes in different countries - different levels of protection
•Possible loophole - exported data might not be protected enough
•Data transfer rules - ensuring data are protected even when transferred abroad
Approaches:
•Territorial = based on a specific territory
•Organisational = only for a specific organisation

Data transfers under GDPR
•Free flows in the EU/EEA
•Transfers to "third countries":
•Adequacy decision (Israel, Japan, Canada …) X USA
•Appropriate safeguards: Binding Corporate Rules (Art. 47), Standard Contractual Clauses (Art. 28(8)), Codes of Conduct (Art. 40), Certifications (Art. 42)
•Derogations (Art. 49)

Data transfers to the USA
•Safe Harbour: an adequacy decision for the USA, covering not the whole country but only certified companies
•Edward Snowden and the PRISM affair
•Schrems, C-362/14
•Privacy Shield
•Schrems II, C-311/18
•Standard Contractual Clauses

Questions? MS Teams / 434044@mail.muni.cz