GDPR quotes in one of its principles that personal data should be adequate, relevant and limited to what is necessary in relation to its purpose. What principle is this?
In its Article 5, which deals with the Principles concerning the processing of personal data, paragraph 1, the GDPR describes:
1. Personal data shall be:
adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation);
In the Article 5 all the principles of GDPR for processing personal data are quoted.
The data minimization principle refers to the purpose of the law that only the data that is required for processing should be collected.
This is also favorable to businesses. The less data is collected, the less likely violations are to occur and consequently the impacts also decrease.
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679
A German company wants to enter into a binding contract with a processor in the Netherlands for the processing of sensitive personal data of German data subjects. The Dutch Supervisory Authority is informed of the type of data and the aims of the processing, including the contract describing what data will be processed and what data protection procedures and practices will be in place.
According to the GDPR, what should the Dutch Supervisory Authority do in this scenario?
According to the GDPR, in what situation must data subjects always be notified of a personal data breach?
When personal data is processed at a facility of the processor that is not located within the borders of the EEA. Incorrect. The location where the data is processed is of no significance to the obligation to notify data subjects of personal data breaches.
When personal data is processed by a party that agreed to the draft processing contract but has not yet sign it. Incorrect. Personal data processed by another party than the controller without a valid written contract is considered a personal data breach. In the given situation however, negative consequences for the data subjects are unlikely. Notifying the data subject is not obligatory in that case.
When the system on which the personal data is processed is attacked causing damage to its storage devices. Incorrect. Damage to storage devices will make access to the data difficult or even impossible but does not imply illegal processing.
When there is a significant probability that the breach will lead to a high risk for the privacy of the data subjects. Correct. If there is a significant probability of negative impact on the data subjects, the controller is obliged to notify them of the breach. (Literature: A, Chapter 5)
According to the GDPR, what is the main reason to consider data protection in the initial design phase?
Under what EU legislation is data transfer between the EEA and the U.S.
