Legal Issues in Marketing Personal Data

Fair Information Practice Principles (FIPPs)
  - Developed in the late 1970s by the US Federal Trade Commission (FTC), in response to the growing use of automated data systems
  - Mixture of:
      - Substantive principles (purpose limitation and data quality)
      - Procedural principles (consent and access)
  - Served as foundation for self-regulation initiatives and laws
  - OECD Privacy Guidelines of 1980: recommended that OECD members consider these principles in internal legislation; they do not have a binding nature and only provide a rough outline

What about national laws? Both use international principles, but differently:
  - Omnibus approach (EU)
      - One piece of law, enforced regardless of the sector or business type
      - Supervisory Authority that develops rules in data processing and enforces compliance
  - Sectoral approach (USA)
      - Many and different rules for different industrial and business sectors
  - EU gives a lot of importance to some FIPPs, such as data minimization, collection limitation and individuals' right to notice, access and correct

Fundamental rights
  - Article 7 of EU Charter of Fundamental Rights: respect for privacy
  - Article 8 of EU Charter of Fundamental Rights: protection of personal data

Ability to collect, store and analyze a mass of personal data
  - Profiles cover features, characteristics, habits, lifestyle, personal relationships, health, economic condition
  - Individuals may be conditioned by these profiles
  - The profiles could be wrong
  - The profiles may reveal some details that individuals prefer to hide

General Data Protection Regulation (GDPR)
  - From Directive 95/46 to Regulation 2016/279 -> GDPR
  - Born on the basis of FIPPs
  - It applies if:
      - The processing of PD is carried out by a controller or processor established within the EU
      - The processing of PD is carried out by a controller or processor established outside the EU, but the processing activities are related to:
          - The offering of goods and services to data subjects living in the EU
          - The monitoring of data subjects' behavior taking place within the Union

  Technical words
    - Personal data (PD): data able to identify natural persons (data subjects)
        - Traditionally:
            - Identification data: names, surnames, personal images
            - Sensitive data: race and ethnic origin, religion, health, sexual life, philosophical or political opinions, associations
            - Judicial data: judicial measures, defendant or suspect
            - Localization data: frequent places and travel
        - More recently:
            - Biometric data: fingerprints, topography of the hand, characteristics of handwritten signature
            - Online data: IP or email address, cookies
    - Sensitive data: PD that concerns the most intimate sphere of individuals and requires special protection (racial and ethnic origin, religious or political convictions or opinions, adhesion to parties, health status, sexual life)
    - Processing: any operation or set of operations performed on PD, whether automated or not
    - Actors:
        - Controller: body which determines the purposes and means of the processing of PD
        - Processor: body which processes PD on behalf of the controller
        - Representative: body in the Union who, designated by the controller or processor, represents them in regard to their respective obligations under the regulation

  Main rules
    - Personal data shall be:
        - Processed lawfully, fairly and in a transparent manner
        - Collected for specified, explicit and legitimate purposes and not further processed
        - Adequate, relevant and limited to what is necessary (data minimization and purpose limitation)
        - Kept in a form that permits identification for no longer than necessary
        - Accurate and up to date
        - Processed in a manner that ensures security of PD, integrity and confidentiality
    - The processing is lawful if:
        - The data subject has given consent for specific purposes
            - Mandatory, free, specific, informed
            - Consent is any freely given, specific, informed and unambiguous indication in which the DS agrees to the processing of PD (by statement or clear affirmative action)
            - Either express consent or implied by a contract
            - Tacit or presumed consent is not allowed (e.g. pre-checked boxes)
            - Revocable, unequivocal (inaction is not consent), explicit, demonstrable, valid from 16 years onward (or parental consent)
        - Processing is necessary for:
            - The performance of a contract (a contract is sufficient when the processing of PD is linked to an activity essential for its fulfillment, and just for that purpose)
            - Compliance with a legal obligation the controller is subject to
            - Protecting the vital interests of someone
            - The performance of a task carried out for public interest
            - The purpose of legitimate interests, except when they are overridden by fundamental rights (especially of children)

  Some rights of the Data Subjects
    - Right of access: purpose of processing, categories of PD concerned, recipients, envisaged period, rectification or erasure, lodge a complaint, source, existence of automated decision making (profiling)
    - Right of rectification and erasure: modify, correct or update PD so it is truthful, not inaccurate and not suitable for altering personal identity
    - Right to be forgotten: cancellation of the PD when it is no longer necessary or was processed unlawfully, or the DS revokes consent or opposes the processing; born as an evolution of the principle established by Google Spain
    - Data portability: allows the DS to receive PD concerning him/her in order to transfer it to another data controller (if it doesn't affect the rights of the original controller)
    - Rights about automated decisions (profiling): for decisions with legal effects or significant consequences, the DS can ask for a review of the decision

  GDPR novelties
    - Accountability: no more basic compliance but more accountability of the DC -> be able to explain how PD is being protected
    - Supervisory Authority: every member has one; it can check complaints, forbid non-compliant behaviors, promote codes of conduct, carry out controls on the DPIA, enforce sanctions
    - One-stop-shop principle and Lead Supervisory Authority
    - Supervisory Authorities now can apply sanctions, and the fines increased (up to 20 million euros, up to 4% of yearly sales)