INFO5301 Tutorial 8
Data Privacy and General Data Protection Regulation
The goal of this tutorial is to give you an opportunity to study the General Data Protection
Regulation 2016/679 (GDPR), a regulation in EU law on data protection and privacy in the European
Union and the European Economic Area, and to analyse a real data privacy breach.
Exercise 1: Individual exercise. Duration: 20 minutes
Exercise 2: Group exercise. Duration: 30 minutes and 10 minutes discussion.
Exercise 1:
The European Data Protection Regulation is applicable as of May 25th, 2018 in all member
states to harmonize data privacy laws across Europe.
Reference: General Data Protection Regulation
Task: Based on the GDPR documentation provided in the above reference, answer the following
questions.
1.1 Which of the following is the best description of how the GDPR defines ‘personal
data’? (Hint: Chapter 1)
1. Your IP addresses and all personal online information
2. Any information relating to an identified or identifiable natural person.
3. Your bank details and postal address
Answer: (2) ‘Personal data’ is defined as any information relating to an identified or
identifiable natural person (referred to as the ‘data subject’). An ‘identifiable natural person’
is defined as a natural person who can be identified, directly or indirectly, in particular by
reference to an identifier, such as a name, identification number, location data, online
identifier, or to one or more elements specific to his physical, physiological, genetic, psychological,
economic, cultural or social identity.
1.2 How does GDPR define "data controller", "data processor", and "personal data breach"?
Answer:
• ‘controller’ means the natural or legal person, public authority, agency or other body
which, alone or jointly with others, determines the purposes and means of the
processing of personal data; where the purposes and means of such processing are determined