GDPR Core Concepts, Scope, and Principles


A comprehensive set of question-and-answer flashcards covering key GDPR concepts, definitions, principles, roles, lawful bases, territorial scope, special category data, joint controllership, and core compliance requirements.


75 Terms

1

What is the main purpose of adopting the GDPR as a Regulation instead of a Directive?

To achieve greater harmonisation and reduce fragmentation by providing a single, directly applicable law across the EU.

2

Which four 'building blocks' define personal data according to WP29 Opinion 4/2007?

'Any information', 'Relating to', 'An identified or identifiable', 'Natural person'.

3

Give three examples of online identifiers that can constitute personal data under the GDPR.

IP addresses, cookies, RFID tags (also location data, device IDs, etc.).

4

Under Article 2(1) GDPR, when does manual (non-automated) processing fall within scope?

When the personal data form part of, or are intended to form part of, a filing system.

5

What are the three WP29 criteria for deciding whether information 'relates to' a person?

Content element, Purpose element, Result element.

6

What did the CJEU decide in Patrick Breyer v. Bundesrepublik Deutschland regarding dynamic IP addresses?

Dynamic IP addresses can be personal data if a third party holds additional information that can reasonably be used to identify the user.

7

Explain the concept of 'jigsaw identification'.

Identifying an individual by combining different data pieces, even if some pieces are held by others.

8

Does pseudonymised data fall inside or outside the GDPR?

Inside; it remains personal data subject to GDPR obligations.

9

According to Recital 26, when is data considered anonymous for GDPR purposes?

When it is rendered in such a manner that the data subject is not or no longer identifiable, taking account of all means reasonably likely to be used.

10

Does the GDPR apply to deceased persons’ data?

No, Recital 27 states it does not, though Member States may create national rules.

11

List five categories classified as special (sensitive) personal data under Article 9(1) GDPR.

Racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data for unique ID, health data, sex life or sexual orientation (any five suffice).

12

Under what general rule is processing of special category data prohibited?

Article 9(1) GDPR prohibits processing unless a specific exception in Article 9(2) applies.

13

Give two examples of Article 9(2) exceptions that allow processing of sensitive data.

Explicit consent of the data subject; necessity for reasons of substantial public interest (others include employment law obligations, health care, legal claims, etc.).

14

What are the two core elements of the GDPR definition of a Data Processor (Art.4(8))?

A separate legal entity; processes personal data on behalf of the controller.

15

Who bears primary responsibility for GDPR compliance, the controller or the processor?

The data controller bears most primary responsibilities.

16

When can a processor become a controller under Article 28(10)?

If the processor determines the purposes and means of processing, infringing the controller's instructions.

17

Name the five ‘building blocks’ of the controller definition per EDPB Guidelines 07/2020.

Natural/legal person, Determines, Alone or jointly with others, Purposes and means, Of the processing of personal data.

18

Provide an example of essential versus non-essential means in data processing.

Essential: deciding what data to collect; Non-essential: choosing the specific software to store it.

19

What is joint controllership under Article 26 GDPR?

When two or more entities jointly determine the purposes and means of processing.

20

Which CJEU case found that a website embedding a Facebook 'Like' button was a joint controller with Facebook for data collection?

Fashion ID (C-40/17).

21

What arrangement must joint controllers have under Article 26(1)?

They must determine their respective responsibilities for GDPR compliance and make the essence of the arrangement available to data subjects.

22

State the GDPR definition of ‘processing’.

Any operation or set of operations performed on personal data, whether or not by automated means, such as collection, storage, use, disclosure, erasure, etc. (Art.4(2)).

23

What two conditions bring processing within GDPR material scope under Article 2(1)?

Processing wholly or partly by automated means, OR non-automated processing that forms part of a filing system.

24

Who is a ‘data subject’ under the GDPR?

An identified or identifiable natural person to whom personal data relate.

25

Under Article 3(1) GDPR, when does the Regulation apply to non-EU processing?

When the processing is in the context of activities of an establishment of a controller or processor in the EU, regardless of the processing location.

26

What are the two ‘targeting’ criteria in Article 3(2) for extraterritorial application?

Offering goods or services to individuals in the EU, or monitoring their behaviour within the EU.

27

Give three factors that indicate 'offering goods or services' to EU data subjects.

Using EU languages/currencies, referencing EU Member States, enabling orders from EU addresses, targeted marketing to EU, EU top-level domain, etc.

28

Does intention matter for the monitoring limb (Art.3(2)(b))?

No; if behaviour in the EU is monitored, GDPR applies regardless of intention.

29

Name three examples of activities considered monitoring behaviour.

Behavioural advertising with cookies, geolocation tracking, CCTV aimed at identifying individuals, online device fingerprinting, health status monitoring.

30

Which GDPR article addresses processing where the controller cannot identify the data subject?

Article 11.

31

List the six GDPR lawful bases for processing under Article 6(1).

Consent, Contract performance, Legal obligation, Vital interests, Public interest/official authority, Legitimate interests.

32

What four qualities must consent have under Article 4(11)?

Freely given, specific, informed, and unambiguous.

33

Why are pre-ticked boxes invalid for consent under GDPR?

Because consent must be a clear affirmative action; silence or inactivity is insufficient (CJEU Planet49).

34

At what age can children give valid consent for information society services without parental authorisation (default GDPR rule)?

16 years old (Member States may lower to 13).

35

Explain the ‘necessity’ test common to five Article 6(1) bases.

Processing must be objectively necessary to achieve the stated purpose, not merely convenient or preferable.

36

When can an organisation rely on legitimate interests as a lawful basis?

When processing is necessary for its legitimate interests and those interests are not overridden by the data subject’s rights and freedoms.

37

What three-part assessment is used for legitimate interests?

Purpose test, Necessity test, Balancing test.

38

Give two examples recognised in Recitals as potentially falling under legitimate interests.

Fraud prevention, direct marketing, internal administrative transfers within a corporate group, network and information security.

39

Which GDPR principle requires data to be ‘adequate, relevant and limited’ for its purpose?

Data minimisation (Art.5(1)(c)).

40

What is the main requirement of the accuracy principle?

Personal data must be accurate and kept up to date; inaccurate data must be erased or rectified without delay (Art.5(1)(d)).

41

What does the storage limitation principle dictate?

Data identifying individuals should be kept no longer than necessary for the purpose, unless stored longer for archiving, research, or statistical purposes with safeguards (Art.5(1)(e)).

42

Name two technical measures promoted by Article 32 GDPR for integrity and confidentiality.

Pseudonymisation and encryption.

43

Which overarching principle, added by GDPR Article 5(2), requires controllers to prove compliance?

Accountability.

44

What household exemption is provided by Article 2(2)(c)?

GDPR does not apply to personal data processed by a natural person purely for personal or household activities.

45

Why did the CJEU in Ryneš hold that home CCTV capturing the public footpath was not exempt?

Because it extended beyond purely personal or household activity into public space monitoring.

46

Which EU law governs processing by police and other competent authorities for crime prevention?

The Law Enforcement Directive (EU) 2016/680, not the GDPR.

47

If EU institutions process personal data, which regulation applies instead of GDPR?

Regulation (EU) 2018/1725.

48

How does Article 95 GDPR describe the relationship between GDPR and the ePrivacy Directive?

GDPR shall not impose additional obligations for matters already specifically covered by the ePrivacy Directive.

49

What principle requires controllers to state the purposes of processing and not use data incompatibly?

Purpose limitation (Art.5(1)(b)).

50

List four factors to assess compatibility for further processing under Article 6(4).

Link with original purpose, context/expectations, nature of data, consequences for data subjects, existence of safeguards such as pseudonymisation.

51

What are the three primary derogations from GDPR material scope listed in Article 2(2)(a)-(d)?

Processing outside Union law (e.g., national security), CFSP activities, purely personal/household activities, and processing by competent authorities for criminal law purposes.

52

Under Article 28, name three mandatory clauses that must appear in a controller-processor contract.

Process only on documented instructions, implement security measures, assist controller with data subject rights, conditions for sub-processors, return/delete data at end, allow audits, etc.

53

What must a processor obtain before appointing a sub-processor?

Specific or general written authorisation from the controller (Art.28(2)).

54

In the employment context, which Article 9(2) ground often justifies processing sensitive data?

Article 9(2)(b) – necessary for obligations or rights in employment and social security law, authorised by Union/Member State law.

55

When is biometric data treated as special category data?

When processed for the purpose of uniquely identifying a natural person (Art.9(1)).

56

Can photographs be special category data? Give the governing Recital.

Not systematically, but they can be if processed as biometric data or reveal sensitive traits; see Recital 51.

57

What is required under Article 26 for the ‘essence of the arrangement’ between joint controllers?

It must be made available to data subjects, explaining how they can exercise their rights.

58

How does Brexit affect territorial scope obligations under GDPR?

UK controllers/processors may be subject to both EU GDPR and UK GDPR when targeting or monitoring individuals across the respective territories.

59

What is the threshold test in Recital 26 for deciding identifiability?

All means reasonably likely to be used to identify the person must be considered, accounting for cost, time, technology, and developments.

60

Which GDPR Article defines pseudonymisation and what is its key feature?

Article 4(5); it separates identifiers so data cannot be attributed to a person without additional information kept separately with safeguards.

61

Under Article 14(5), name one situation where a controller is exempt from providing information when data is obtained from another source.

When providing the information proves impossible or would involve disproportionate effort.

62

Which Article requires transparency in clear and plain language?

Article 12 GDPR.

63

What principle underlies the need for layered, user-friendly privacy notices online?

Transparency, as part of the lawfulness, fairness, and transparency principle (Art.5(1)(a)).

64

Give an example of processing that might rely on Article 6(1)(d) vital interests.

A hospital processing emergency patient data when the patient is unconscious and cannot consent.

65

What is the key difference between anonymisation and pseudonymisation regarding GDPR scope?

Truly anonymised data falls outside GDPR; pseudonymised data is still within GDPR scope.

66

Which Recital clarifies that GDPR protection applies regardless of nationality or residence?

Recital 14.

67

What does Recital 22 say about the concept of 'establishment'?

It implies effective and real exercise of activity through stable arrangements; legal form is not decisive.

68

Which GDPR principle is reinforced by the need to set data retention periods?

Storage limitation.

69

Name two international security standards that organisations may use to demonstrate ‘appropriate security’ under Article 32.

ISO/IEC 27001 and NIST frameworks.

70

Why is the appointment of an EU representative under Article 27 not an establishment?

Because a representative alone does not create stable arrangements constituting an establishment under Article 3(1).

71

What is the lex specialis regime to GDPR for electronic communications confidentiality and cookies?

The ePrivacy Directive (Directive 2002/58/EC).

72

Under Article 89(1), what safeguard is most emphasised for research and statistical processing?

Data minimisation, including measures such as pseudonymisation where possible.

73

Which principle requires controllers to consider fairness even if processing is lawful?

Fairness (part of Art.5(1)(a)).

74

What does Article 21 grant to data subjects regarding processing based on legitimate interests?

The right to object to such processing, after which the controller must prove compelling legitimate grounds or cease processing.

75

Can a department within a company act as a processor for another department?

No; processors must be separate legal entities from the controller.