1. Material scope GDPR?
1.1. Automated personal data processing
1.1.1. information
1.1.2. relating to
1.1.3. identified/-iable
1.1.4. natural person
1.2. Part of paper filing system
1.3. NOT nat.sec., border check etc
1.4. NOT household activity
1.5. NOT law enforcement + public sec.
2. GDPR territory?
2.1. controller in EU?
2.1.1. EEA 28 countries +3 EFTA countries Iceland/Liechtenstein/Norway
2.1.2. main decision making HQ in EU
2.2. OR processor in EU?
2.2.1. main processing location
2.3. OR offering goods to d.s. in EU?
2.3.1. website directed at relevant jurisdiction
2.3.2. monitoring/dig.tracking
3. Controller?
3.1. Controller: determines why + how + what + where + how long + by whom
3.2. Processor may also determine where + by whom (with prior approval)
4. Legitimate base for processing?
4.1. Contract
4.2. Legal obligation
4.3. Vital interest
4.4. Public interest + official authority
4.5. Legitimate interest (NOT public auth.)
4.5.1. necessary for contractor/3d party
4.5.2. balanced against d.s.' interests
4.5.3. use limitation
4.5.4. transparancy
4.5.5. adequate safeguards
4.5.6. e.g. direct marketing, fraude prevention
4.6. Consent
4.6.1. when
4.6.1.1. profiling
4.6.1.1.1. fully automated
4.6.1.1.2. decision
4.6.1.1.3. legal or similar important impact on d.s.
4.6.1.2. explicit consent for special data
4.6.1.3. parent consent for kids in some cases
4.6.2. how
4.6.2.1. freely given
4.6.2.1.1. not conditional for service
4.6.2.1.2. no clear unbalance (employer-employee; government)
4.6.2.1.3. as easy to withdraw
4.6.2.2. specific
4.6.2.3. informed
4.6.2.3.1. clearly distinguisable
4.6.2.3.2. clear language
4.6.2.3.3. understandable
4.6.2.3.4. compatible with original purpose
4.6.2.4. unambiguous
4.6.2.5. indication of wishes
4.6.2.5.1. affirmative action
4.6.2.5.2. not silent, pre-ticket, inactivity
4.6.2.5.3. implied through provision of data
4.6.2.6. for kids