Law & Data Course Overview 2024/2025

Questions and Answers

What is the principle of proportionality in the context of limitations on rights?

• Limitations can be imposed without any justification.
• Limitations may only be made if they genuinely meet objectives of general interest. (correct)
• Limitations should only protect the interests of the state.
• Limitations must be reasonable and necessary to achieve explicit objectives.

Which of the following is NOT a general principle of EU law?

• Legal certainty
• Primacy of EU Law
• Protection of fundamental rights
• Direct applicability of international agreements (correct)

What does Article 6(3) TEU emphasize regarding fundamental rights?

• They are exclusively determined by national laws.
• They are solely based on EU legislation.
• They can be overridden for state security purposes.
• They are guaranteed by the European Convention and constitutional traditions. (correct)

In what context can the European Union conclude international agreements?

When provided for in Treaties or legally binding acts. (B)

Which principle emphasizes the expectation that actions by the EU will be consistent?

Legitimate expectation (A)

What is meant by 'primacy of EU Law'?

EU law takes precedence over conflicting national laws. (B)

Which of the following best describes the development of legal principles in EU law?

They are subject to constant development from constitutional traditions. (D)

Which statement about limitations on rights is accurate?

Limitations must be proportionate to the legitimate aim pursued. (C)

What article outlines the process for a European state to apply for EU membership?

Article 49 TEU (A)

Which of the following is NOT mentioned as a common value that applicant states must respect?

Economic stability (C)

What must happen after an application for EU membership is submitted?

The Council must act unanimously after consulting the Commission. (C)

Which body is responsible for notifying the European Parliament of a new membership application?

The Council (D)

What condition must an applicant state fulfill to be considered for EU membership?

Undertake to promote the common values of the Union. (A)

Which statement about ratification of the agreement is TRUE?

It must be ratified by all contracting states according to their constitutional requirements. (A)

Which aspect is LEAST important in the assessment of an applicant state’s eligibility for EU membership?

Commitment to military cooperation (B)

What role does the European Parliament play in the membership application process?

It must be consulted and must give consent by a majority. (B)

What is considered the most comprehensive of rights valued by civilized men?

Right to be let alone (B)

Which of the following is NOT explicitly mentioned as part of the right to privacy?

Right to public speech (B)

According to the provided content, what is a primary distinction in the legal traditions concerning privacy?

Common law focuses on individual liberty while civil law emphasizes dignity. (B)

What does personal data refer to in the context provided?

Information that can identify a natural person directly or indirectly (A)

Which article of the UN Universal Declaration of Human Rights addresses privacy?

Article 12 (D)

Which statement best describes the relationship between the right to privacy and personal data?

They are intertwined and sometimes overlap. (D)

In the common law tradition, which right primarily relates to freedom from interference?

Right to liberty (A)

Which of the following best defines 'personhood' in the context of privacy rights?

Protection of identity and dignity (C)

What does the term 'non-interference' imply in terms of privacy rights?

Freedom from unwarranted intrusion (C)

What does Article 8(1) of the CFR emphasize regarding personal data?

The right to protect personal data (B)

Which principle from the OECD Privacy Guidelines focuses on ensuring the quality of collected data?

Data Quality Principle (C)

What is CoE Convention 108 significant for?

It is the first legally binding instrument on data protection. (A)

Which of the following principles is NOT included in CoE Convention 108?

Right to deletion without reason (D)

The Openness Principle under the OECD guidelines primarily relates to which aspect?

Transparency of data processing practices (C)

What does the Purpose Specification Principle require?

Data must be collected for specific, legitimate purposes. (B)

Which article of the Treaty on European Union (TEU) relates specifically to data protection?

Article 39 (C)

In CoE Convention 108, which of the following is a fundamental right for individuals concerning their personal data?

Right to know what information is stored (A)

The Accountability Principle in the OECD guidelines emphasizes which of the following?

Organizations must be accountable for their data practices. (D)

Which principle from CoE Convention 108 emphasizes the necessity for legitimate and fair data processing?

Legitimate purposes (C)

What does the Security Safeguards Principle require organizations to implement?

Strong security measures for data protection (C)

What is the main responsibility of the data controller?

To determine the purposes and means of processing personal data (C)

Which of the following is NOT a right of the data subject under GDPR?

Right to privacy without request (C)

Which directive emphasizes the need for consent when processing personal data?

General Data Protection Regulation (GDPR) (C)

What is the purpose of the Data Protection Management System (DPMS)?

To ensure compliance with legal regulations (B)

What must processors do according to their obligations under GDPR?

Act upon instructions of the controller (C)

Which of the following is a component of the Data Protection by Design principle?

Implementing pseudonymization techniques (B)

What does the right to be forgotten entail?

The data subject can request erasure of personal data (A)

Under the GDPR, who is required to appoint a Data Protection Officer?

Organizations involved in large-scale data processing (C)

What is the significance of the principle of data minimization?

To process only data necessary for the specified purpose (C)

Which of the following best describes the role of a Data Protection Officer?

To monitor compliance with data protection laws (C)

According to GDPR, what is one of the obligations of the data processor?

Design and implement secure data systems (A)

What should a data controller maintain as part of their obligations under GDPR?

Record of processing activities (D)

What is the primary goal of the European Electronic Communications Code?

To promote connectivity across the EU (B)

What does 'processing' of personal data encompass?

Any operation performed on personal data (D)

What is the primary purpose of the General Data Protection Regulation (GDPR)?

To ensure the protection of personal data and the rights of data subjects (B)

Which of the following is classified as sensitive data under GDPR?

Racial or ethnic origin (A)

Which condition must be met for processing sensitive data according to GDPR?

Explicit consent must be obtained (A)

What is a Data Protection Impact Assessment (DPIA)?

An assessment of the impact of processing operations on data protection (B)

Under GDPR, what does the term 'data minimization' refer to?

Ensuring data is relevant and limited to what is necessary (A)

Which of the following is NOT a principle outlined by GDPR?

Data retention (A)

What is required for personal data to be considered accurate under GDPR?

It must reflect the truth of the situation (C)

What does GDPR state regarding the accessibility of personal data?

It should only be accessed with the individual's intervention (C)

Which entity is primarily responsible for ensuring compliance with data protection rules?

The Data Protection Officer (DPO) (D)

What is NOT an exception for processing sensitive data under GDPR?

Data for marketing purposes (A)

Which of the following best defines personal data?

Information relating to an identified or identifiable natural person (A)

Which of the following conditions is NOT a legal basis for data processing under GDPR?

Spontaneous consent by third parties (A)

What does transparency in data processing imply according to GDPR?

Data controllers must inform data subjects about data processing activities (B)

Which of the following is NOT included in the content of a Data Protection Impact Assessment (DPIA)?

Assessment of data subject complaints (B)

Flashcards

EU Membership Application

The process by which a European state can officially join the European Union.

EU Common Values

The fundamental values that a state must respect to be eligible for EU membership.

What are the EU Common Values?

These values include human dignity, freedom, democracy, equality, the rule of law and respect for human rights, including the rights of persons belonging to minorities.

Article 49 TEU

The specific article in the Treaty on European Union (TEU) outlining the process of EU membership.

EU Membership Application Procedure

A state applying to the EU must formally address its application to the Council of the European Union.

EU Membership Approval Process

The Council, acting unanimously, must consult the European Commission and receive consent from the European Parliament.

Parliamentary Consent

The European Parliament must vote by majority to approve the application.

Eligibility Conditions

The conditions for eligibility agreed upon by the European Council will be taken into account during the membership application process.

Proportionality Principle

The principle states that limitations on fundamental rights must be proportionate, meaning necessary and genuinely meeting objectives of general interest or protecting the rights and freedoms of others.

EU Legal Principles Origin

EU law is derived from the constitutional traditions of its member states, and these traditions are reflected in the EU's legal principles.

International Agreements (EU)

The EU can conclude agreements with other countries or international organizations when the Treaties allow it or when it's needed to achieve EU policy objectives.

Legal Certainty

A legal principle that ensures clarity and predictability in the law, making it possible for individuals and businesses to understand and comply with legal rules.

Legitimate Expectation

The EU takes its legal obligations seriously and ensures that everyone involved is treated fairly and consistently.

Primacy of EU Law

EU law takes precedence over national laws when the two conflict, ensuring uniform application of EU rules across member states.

Direct Effect of EU Law

Individuals can directly rely on EU law before national courts, meaning they can claim their rights under EU law.

Protection of Fundamental Rights (EU)

Fundamental rights are protected in EU law, drawing upon the European Convention of Human Rights and the constitutional traditions of member states.

Right to Privacy

The right to privacy, also known as the right to be let alone, encompasses personal freedoms and autonomy over one's private life. It protects individuals from unwanted intrusion into their personal affairs, including their reputation, honour, image, family life, and personal information.

Common Law Origin of Privacy

Privacy rights are rooted in the common law tradition, which emphasizes individual liberties and the right to be free from unreasonable interference. This tradition acknowledges the inherent value of autonomy and self-determination.

Civil Law Tradition of Privacy

The right to privacy in civil law traditions is often grounded in the right to dignity. This concept emphasizes the inherent worth and respect due to every individual.

What is Personal Data?

Personal data refers to any information related to an identifiable person, including name, identification numbers, location data, online identifiers, or factors revealing physical, physiological, genetic, mental, economic, cultural, or social identity. It is essentially any information that can be used to identify someone personally.

Right to Protect Personal Data

Personal data, according to the GDPR, is subject to the right to protection. This means individuals have rights over their personal data, including the right to access, correct, and erase their data.

Privacy & Personal Data: Same but Different

The right to privacy and the right to personal data protection are distinct but interconnected. They both aim to protect individuals' autonomy and control over their personal sphere, but focus on different aspects: privacy on a broader personal life, personal data on specific information.

Human Rights

Human rights are fundamental rights inherent to all individuals, regardless of their background or status. They are universal, inalienable, and indivisible, and they encompass a broad range of rights, including the right to life, liberty, and security of person.

UDHR and Privacy

The Universal Declaration of Human Rights (UDHR), adopted in 1948, articulates the fundamental rights of every human being. Article 12 of the UDHR specifically addresses the right to privacy, stating that no one shall be subjected to arbitrary interference with their privacy, family, home, or correspondence, or attacks upon their honor and reputation.

Brandeis Definition of Privacy

The Brandeis definition of privacy emphasizes the right to be let alone, considering it a comprehensive and highly valued human right.

Aspects of Privacy

The right to privacy encompasses various facets, including the right to reputation, honor, image, private and family life, non-interference, personal identity and dignity, and control over personal information, all aiming to protect individuals' autonomy and personal space.

OECD Privacy Guidelines

OECD Privacy Guidelines were established in 1980 and set the foundation for universal data protection standards.

Collection Limitation Principle (OECD)

The Collection Limitation Principle (OECD) states that personal data should only be collected for specified, explicit, and legitimate purposes.

Data Quality Principle (OECD)

The Data Quality Principle (OECD) ensures data is accurate, complete, and up-to-date.

Purpose Specification Principle (OECD)

The Purpose Specification Principle (OECD) dictates that personal data can only be processed for the purposes stated at collection.

Use Limitation Principle (OECD)

The Use Limitation Principle (OECD) restricts the use of personal data to the specified purposes and prohibits further processing without consent.

Security Safeguards Principle (OECD)

The Security Safeguards Principle (OECD) mandates reasonable technical and organizational security measures to protect personal data from unauthorized access, processing, or disclosure.

Openness Principle (OECD)

The Openness Principle (OECD) requires clear and accessible information about data processing practices.

Individual Participation Principle (OECD)

The Individual Participation Principle (OECD) grants individuals the right to access, rectify, or erase their personal data.

Accountability Principle (OECD)

The Accountability Principle (OECD) holds data controllers accountable for complying with privacy principles.

CoE Convention 108

The CoE Convention 108, adopted in 1981, is the first legally binding international instrument addressing data protection, including the right to personal data protection.

What is the goal of the European Electronic Communications Code (Recast)?

The European Electronic Communications Code (Recast) aims to create a harmonized framework for regulating electronic communications networks, services, and equipment within the EU.

What is the purpose of the Data Protection Law Enforcement Directive (Directive 2016/680/EU)?

The Directive 2016/680/EU provides data protection guidelines for law enforcement agencies, ensuring their compliance with the General Data Protection Regulation (GDPR) and establishing procedures for processing personal data in police and judicial cooperation.

What are the key regulations governing data protection in the EU?

The GDPR (General Data Protection Regulation) and Regulation 2018/1725/EU establish rules for processing personal data within the EU, ensuring data protection for individuals and organizations.

Who is a data subject in GDPR?

A data subject is any individual who is identifiable or can be identified from information processed by a controller or processor.

What is the role of a data controller in the GDPR?

The data controller is responsible for deciding how and why personal data is processed, making key decisions about how that data is used.

What is the function of a data processor in the GDPR?

A data processor is a party that processes personal data on behalf of the data controller, following their instructions.

What are the main data subject rights under the GDPR?

Data subjects have the right to access, rectify, erase, restrict, and object to the processing of their personal data. They also have the right to data portability. This means they can request a copy of their personal data in a portable format.

What are the main obligations of the data controller under the GDPR?

The GDPR mandates that controllers adopt technical and organizational measures (TOMs) to protect personal data, including security policies and procedures.

What is a data protection management system (DPMS)?

A data protection management system (DPMS) is a risk-based compliance system that helps organizations implement and monitor their data protection measures.

What are the main obligations of the data processor under the GDPR?

The data processor must process personal data according to the data controller's instructions, implement appropriate technical and organizational measures (TOMs), and maintain a record of processing activities.

What is the role of a data protection officer (DPO)?

A data protection officer (DPO) acts as an independent expert, advising and monitoring controllers and processors on data protection compliance.

What are the key principles of the GDPR for processing personal data?

The GDPR outlines several principles for processing personal data, including lawfulness, fairness, and transparency. These principles ensure that personal data is handled ethically and responsibly.

What is the role of transparency in personal data processing under the GDPR?

The GDPR requires controllers to provide data subjects with clear information about their personal data processing practices and choices.

What is the importance of recordkeeping under the GDPR?

Controllers and processors need to maintain records of their processing activities, detailing the data involved, purposes, recipients, and any transfers to third countries.

What is the right to erasure under the GDPR?

The GDPR grants data subjects the right to erase their personal data, known as the "right to be forgotten," under certain circumstances.

What is "processing" of personal data?

Any operation performed on personal data, whether automated or not, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, alignment, combination, restriction, erasure, or destruction.

What is the GDPR?

A legal document that outlines the rules for processing personal data, focusing on safeguarding individuals' rights.

What is sensitive data?

Special categories of personal data, such as racial origin, political opinions, religious beliefs, health information, and sexual orientation.

What is the "purpose" of data processing?

A statement that explicitly outlines the purpose for which personal data will be collected and processed.

What is a valid consent for data processing?

A freely given, specific, informed, and unambiguous indication of a data subject's consent to the processing of their personal data. This can be expressed through a statement or a clear affirmative action.

What is a DPO (Data Protection Officer)?

A person who advises organizations on data protection compliance and ensures their data processing activities adhere to GDPR regulations.

What is a DPIA (Data Protection Impact Assessment)?

An assessment of the risks to individuals' rights and freedoms posed by the processing of personal data. This includes identifying and mitigating potential risks.

What is "data minimisation"?

The principle requires that personal data be relevant and limited to what is necessary for the stated purposes of processing. It emphasizes proportionality and avoiding excessive data collection.

What is the principle of "accuracy"?

This principle ensures that personal data is accurate and kept up-to-date. If inaccurate, the data should be corrected or erased.

What is the principle of "storage limitation"?

Personal data should be kept only for as long as necessary for the stated purposes of processing. This minimizes the storage period and helps protect privacy.

What are the "main principles for personal data processing"?

This comprises a set of principles crucial to data protection. These principles establish guidelines for processing personal data and safeguard individuals' rights.

What is "accountability" in data protection?

The principle of "accountability" outlines the responsibility of both the controller and the processor in ensuring compliance with data protection laws.

What is a "privacy policy"?

A document that provides information about how personal data will be collected, processed, and stored.

Study Notes

Course Information

• Course title: Law & Data
• Academic year: 2024/2025
• University: University of Padova
• Instructor: Fiorella Dal Monte, PhD
• Date of presentation: October 2, 2024 (and October 4, 9, 11, 16, 18, 23, 27, 6, 8, 13, 15, 18, 20)

Course Outline

• Target audience
• Syllabus and Contents
• Reference materials
• Exams
• Students' meetings

Main Contents

• Legal Systems (EU Legal System, Basics of EU Law, Sources of EU Law)
• EU Privacy and Personal Data Protection (General Principles, Enforcement, Protection of Other Data, Case studies/workshops)
• EU Digital Strategy
• AI Act
• References to different legal systems and comparisons

Basic Legal Notions

• Notion of Law
• Basic legal notions
• Legal systems to be considered
• International Law
• European Union Law

What is Law?

• Definition as a binding custom or practice of a community
• Enforced by a controlling authority
• Courts uphold, interpret, and apply law

What is Law? (cont.)

• Control brought about by existence or enforcement of law
• Action of laws as means of redressing wrongs
• Rule or order that's advisable or obligatory to observe (e.g., self-preservation)
• Something compatible with and enforceable by established law
• The act of the law as upheld authority

Additional Topics

• a rule of construction or procedure
• whole body of laws relating to one subject (e.g., criminal, probate)
• rule made by government to order society's behavior
• modern separation of powers (legislative, executive, judicial)
• legal certainty, impartiality, equality before law
• branches of law (public, private)
• types of state legal systems (civil, common law)
• sources of law (hard, soft law), examples (treaties/conventions, legislation, case law, public/private policy, doctrine, fundamental principles, customary law)
• hierarchy of sources of law
• the European Union (what is it?, differences between the Council of Europe, European Free Trade Association, and European Economic Area, EU member states, application for EU membership, Copenhagen criteria)
• checks and balances
• EU secondary law (regulations, directives, decisions, opinions, recommendations, atypical acts—communications, resolutions, white papers, green papers)
• differences between regulations, directives and decisions
• examples of EU secondary legislation on data (e.g., Data Protection Directive, GDPR, Data Protection Law Enforcement Directive, E-communications Directive)
• institutions of the EU (European Parliament, European Council, Council of the European Union, European Commission, Court of Justice of the EU, European Central Bank, Court of Auditors)
• European Parliament (functions, structure, etc.)
• European Council (functions, structure, etc.)
• European Commission (functions, structure, etc.)
• European Court of Justice (functions, structure, etc.)
• Bodies of EU (European Data Protection Supervisor, European Data Protection Board, Agencies of the European Commission)
• What is privacy? (negative, positive, common law, civil law origins, right to be let alone)
• history of right to privacy (UN universal declaration, international covenant, EU charter)
• OECD Privacy Guidelines
• CoE Convention 108
• Applicable EU legislation
• GDPR (main subjects, data subject rights, controller obligations, processor obligations, processing of personal data, data protection impact assessment, main principles of PD processing, cases of legal permission, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity & confidentiality, accountability, privacy policy templates)

Description

Explore the foundational aspects of Law & Data in this comprehensive overview for the academic year 2024/2025 at the University of Padova. Topics include EU legal systems, privacy laws, AI regulations, and general legal principles. Perfect for students keen on understanding the interplay between law and digital innovations.