Appendix B. Definitions of corporate data protection malpractices

| Category / Subcategory | Definition (Organizations violate the GDPR WHEN they…) |
| --- | --- |
| Breaches of data protection obligations (A) | |
| Inadequate information obligations (A1) | Fail to provide necessary information about the data controller or processor as well as the collection, processing, transfer and protection of personal data |
| Inadequate data risk assessment obligations (A2) | Lack sufficient assessment of the data risks before and during data handling practices |
| Inadequate corporate oversight obligations (A3) | Lack a data protection officer who can independently manage and oversee internal data protection practices |
| Inadequate cooperation obligations (A4) | Lack cooperation with the supervisory authority |
| Inadequate notification obligations (A5) | Fail to notify the data subject and the data protection authority of a data breach, the appointment of a data protection officer and any data or data processing changes in time |
| Data harvesting (B) | |
| Unauthorized data harvesting (B1) | Harvest personal data without the knowledge and consent of the data subjects |
| Excessive data harvesting (B2) | Harvest more personal data than necessary in relation to the claimed purposes |
| Forced consent (B3) | Force data subjects to give consent to the harvesting and processing of personal data |
| Improper procedure for informed consent (B4) | Request consent in an improper way |
| Unfulfilled request for consent revocation (B5) | Fail to follow up data subjects’ requests for revoking consent |
| Data fraud (B6) | Forge personal data for some purposes |
| Data storage (C) | |
| Unauthorized access to personal data (C1) | Access or grant third parties access to stored personal data without the knowledge and consent of the data subjects |
| Excessive access to personal data (C2) | Grant more access to personal data than necessary in relation to the claimed purposes |
| Unfulfilled request for data access (C3) | Fail to follow up data subjects’ requests for access to the stored personal data |
| Unfulfilled request for data rectification (C4) | Fail to follow up data subjects’ requests for rectification of the stored personal data |
| Unfulfilled request for data deletion (C5) | Fail to follow up data subjects’ requests for deletion of the stored personal data |
| Insecure data storage (C6) | Store personal data without sufficient security measures |
| Excessive data storage (C7) | Store personal data longer than necessary in relation to the claimed purposes |
| Data processing (D) | |
| Secondary use of personal data (D1) | Use personal data for purposes other than the originally claimed purpose |
| Unauthorized data processing (D2) | Process personal data without the knowledge and consent of the data subjects |
| Excessive data processing (D3) | Process more personal data than necessary in relation to the processing purposes |
| Unfulfilled request for objection to data processing (D4) | Fail to follow up data subjects’ requests to object to data processing |
| Insecure data processing (D5) | Process personal data without sufficient security measures |
| Erroneous data processing (D6) | Process personal data in an inaccurate way |
| Data transfer (E) | |
| Unauthorized data transfer (E1) | Transfer personal data without the knowledge and consent of the data subjects |
| Insecure data transfer (E2) | Transfer personal data without sufficient security measures |
| Data selling (E3) | Sell personal data to third parties |
| Data disposal (F) | |
| Insecure data disposal (F1) | Dispose of documents containing personal data without sufficient security measures |