Appendix B. Definitions of corporate data protection malpractices

| Category / Subcategory | Definition (Organizations violate the GDPR when they…) |
|---|---|
| Breaches of data protection obligations (A) | |
| Inadequate information obligations (A1) | Fail to provide necessary information about the data controller or processor as well as the collection, processing, transfer and protection of personal data |
| Inadequate data risk assessment obligations (A2) | Lack sufficient assessment of the data risks before and during data handling practices |
| Inadequate corporate oversight obligations (A3) | Lack a data protection officer who can independently manage and oversee internal data protection practices |
| Inadequate cooperation obligations (A4) | Lack cooperation with the supervisory authority |
| Inadequate notification obligations (A5) | Fail to notify the data subject and the data protection authority of a data breach, the appointment of a data protection officer and any data or data processing changes in time |
| Data harvesting (B) | |
| Unauthorized data harvesting (B1) | Harvest personal data without the knowledge and consent of the data subjects |
| Excessive data harvesting (B2) | Harvest more personal data than necessary in relation to the claimed purposes |
| Forced consent (B3) | Force data subjects to give consent to the harvesting and processing of personal data |
| Improper procedure for informed consent (B4) | Request consent in an improper way |
| Unfulfilled request for consent revocation (B5) | Fail to follow up data subjects' requests for revoking consent |
| Data fraud (B6) | Forge personal data for some purposes |
| Data storage (C) | |
| Unauthorized access to personal data (C1) | Access, or grant third parties access to, stored personal data without the knowledge and consent of the data subjects |
| Excessive access to personal data (C2) | Grant more access to personal data than necessary in relation to the claimed purposes |
| Unfulfilled request for data access (C3) | Fail to follow up data subjects' requests for access to the stored personal data |
| Unfulfilled request for data rectification (C4) | Fail to follow up data subjects' requests for rectification of the stored personal data |
| Unfulfilled request for data deletion (C5) | Fail to follow up data subjects' requests for deletion of the stored personal data |
| Insecure data storage (C6) | Store personal data without sufficient security measures |
| Excessive data storage (C7) | Store personal data longer than necessary in relation to the claimed purposes |
| Data processing (D) | |
| Secondary use of personal data (D1) | Use personal data for purposes other than the originally claimed purpose |
| Unauthorized data processing (D2) | Process personal data without the knowledge and consent of the data subjects |
| Excessive data processing (D3) | Process more personal data than necessary in relation to the processing purposes |
| Unfulfilled request for objection to data processing (D4) | Fail to follow up data subjects' requests for objection to data processing |
| Insecure data processing (D5) | Process personal data without sufficient security measures |
| Erroneous data processing (D6) | Process personal data in an inaccurate way |
| Data transfer (E) | |
| Unauthorized data transfer (E1) | Transfer personal data without the knowledge and consent of the data subjects |
| Insecure data transfer (E2) | Transfer personal data without sufficient security measures |
| Data selling (E3) | Sell personal data to third parties |
| Data disposal (F) | |
| Insecure data disposal (F1) | Dispose of documents containing personal data without sufficient security measures |