This book is a legal practice guide for the collection, storage and analysis of personal and other data in Big Data applications. It contains numerous guidelines and graphic illustrations/graphics to offer well-founded, practice-oriented support.
The book illuminates the legal scope of Big Data and at the same time closes a gap in the legal literature on the subject. Its content goes beyond the purely data protection law view and combines questions in the Big Data environment, among others, from the legal sources, the protection of industrial property rights and data protection.
In addition to personal data, the book also looks at non-personal data (technical data or anonymous data), which is often mixed together for Big Data analyses. These different types of data may originate from different rightholders, may be subject to different national laws, may require different legal bases and/or may be used for different analysis purposes.
Table Of Contents
A. Introductory remarks
I. Why Big Data
II. Why must a party not established in the EU comply with GDPR with respect to Big Data applications?
III. Which data are affected?
IV. What are the differences between the data types?
V. Which verification steps need to be considered for a Big Data application?
B. Types of data
I. Personal data
II. Non-personal data
III. Databases and collections
IV. Protection as business or trade secret
V. Householder's right with regard to the collection of factual data
VI. Virtual householder's right
VII. Factual data linked to IP addresses or other identifying characteristics
VIII. No data ownership
C. The controller
I. Processor
II. Joint controllers, Art. 26 GDPR
III. Dynamic matrix structures
IV. Cloud computing
D. Specific requirements and tasks of the data protection officer with regard to Big Data applications
I. Specialist knowledge
II. Organizational and operational involvement of the data protection officer
III. Communication with data subjects
IV. Information and monitoring obligations
V. Cooperation and control obligations
VI. Internal procedure in the event of a data protection violation
E. Lawful ground for data processing (collection, acquisition, transmission, evaluation and commercialization)
I. Statutory lawful grounds for personal data
II. Processing of non-personal factual data
F. Data processing and data cycle (level of data purpose)
I. Data processing
II. Life cycle of data
III. Collection of personal data for purposes other than their use in Big Data applications – a change of purpose
G. Third country transfer/Applicable law (Level of applicable law)
H. Development of a Big Data application
I. Collection of data
II. Obtaining and acquiring data from data service providers
III. Combination of data
IV. Extending the range: anonymization/pseudonymization of data stored in a Big Data database
V. Transmission of data from several controllers to a central Big Data application
VI. Evaluation and analysis of data
VII. Continuation of personal reference even after evaluation and analysis of data
I. Erasure obligations
I. Development of an erasure concept
II. Implementation of a data erasure concept
III. Necessary elements of a data erasure concept?
IV. Start times of retention and erasure obligations
V. Assignment of data types to erasure classes
VI. Resolution of conflicts when using one data type in different databases
VII. What does “erasure” of data mean in contrast to its “blocking”, “masking”, “pseudonymization” or “anonymization
VIII. Obligation to erase personal data regarding a data subject
IX. Erasure obligations towards licensors, data suppliers etc. independent of the data content
X. Uniform erasure period for all documents and data
XI. Erasure obligations for cross-border data processing
XII. Storage locations and erasure obligations
J. Relevant rights of data subjects in Big Data applications according to the GDPR
I. Information obligations according to Art. 13, 14 GDPR
II. Rights of data subjects pursuant to Art. 15 et seq. GDPR
III. Records of processing activities according to Art. 30 GDPR
IV. Implementation of technical and organizational measures to protect personal data from unauthorized access
V. General principles for the processing of personal data in Art. 5 GDPR
K. Data protection impact assessment
L. System data protection when operating Big Data applications
I. System data protection for personal data
II. System data protection for non-personal data only in a Big Data Application
M. Protection of Big Data applications
I. Technical and organizational measures
II. Protection of the algorithms underlying the Big Data application
III. Compliance management system
IV. Aspects of copyright contract law in the database management system
N. Legal consequences of non-compliance with the legal requirements set out in this guide
I. Sanctions in case of violation of data protection regulations
II. Legal consequences of infringement of copyrights in collective works or database protection rights
III. Violation of virtual householder's rights
IV. Sanctions for infringing business or trade secrets pursuant to the German Trade Secrets Act
V. Contractual claims
O. Big Data Applications as a service
P. Recommended Actions
