1.5.4 - Legal requirements Privacy - Rights of the Data Subject and Obligations to the Data Controller

ID: 1.5.4
Title: Legal requirements Privacy - Rights of the Data Subject and Obligations to the Data Controller
Expert: Serge Gutwirth (VUB), Christoph Schnabel (UOK)
Priority: mandatory
Description: The data subject has the following indispensable rights:

- In case of collection of data, the data controller must always provide the data subject with the identity of the data controller or his representative and the purpose(s) of the processing for which the data is intended.

- The data subject can obtain information from the data controller on whether data relating to him/her is being processed at all, the purpose of the processing, the source of the data and the recipients to whom data is disclosed.

- The Right of Rectification: The data subject can ask for rectification, erasure or blocking of data that is incomplete or inaccurate, and can ask for notification of third parties to whom the data has been disclosed, unless this is impossible or involves a disproportionate effort.

- The Right of Objection: The data subject can object to processing of data related to him/her if the controller anticipates using the data for direct marketing, or if the processing of the personal data is legitimate only because it is necessary for the purposes of the legitimate interests pursued by the controller. In the latter case the data subject has to justify his/her objection by naming compelling legitimate grounds relating to his/her particular situation.

SPICE must be developed in such a way that its End-Users will technically be able to make use of the above-mentioned rights.

There are also certain obligations to the data controller:

The data controller must take appropriate technical and organizational measures to ensure an appropriate level of confidentiality and security. Appropriateness must be defined by taking into account the state of the art and the costs of their implementation in relation to the nature of the data to be protected and the risk represented by the processing.

The responsible supervisory authority must be notified about:

- Name and address of the data controller

- The purpose(s) of the processing

- The categories of data processed and data subjects

- The categories of recipients to whom the data might be disclosed

- A general description of security measures taken to allow an assessment of the appropriateness

- Proposed transfers of data to third countries

The data controller must also respect the rights of the data subject and enable the data subject to make use of the rights (see above).

SPICE must fulfill these obligations to avoid being fined by supervisory authorities.
Rationale: Relevant to assess the lawfulness of operation of SPICE
Type: non-functional
Depends on: 1.5.0 - General Legal requirement-completeness and comprehensiveness of regulatory requirement is impossible.
Child dependencies:
1.4.1 - User's Privacy rules (Open market)
1.4.3 - Portability of user profile
3.1.1 - Communication Model building and notification of its updates
3.1.3 - User rules
3.1.4 - Terminal Synchronization
4.1.5 - Management and Provision of Service and Situation-dependent User Data
4.2.1 - Discovery and Exchange of Distributed Context Information; subscription and polling
4.2.2 - Gathering, Aggregation and Interpretation from Multiple Distributed Context Sources, derivation of knowledge
4.2.3 - Context Queries based on Semantic Context Schema and QoC
4.2.10 - Access, Storage, Processing and Distribution Rights
6.3.2 - Privacy rules for special cases
7.3.1 - User Policies and Provider Policies
8.1.1 - Restricted and parametrizable access to user profile/ data
8.1.5 - No user location tracking w/o user's explicit consent
Environment:
Other_info:
Category: regulatory
Subcategory: Privacy
Subcategory2:
Scenario_scene:
SPICE_value:
Demo:
Keywords: privacy; data protection