2 - Data Protection Concepts

Question 1

What is the leading document cited for the definition of personal data?

Answer 1

Article 29, Working Party Opinion 4/2007

Question 2

What is defined in Article 29 Working Party Opinion 4/2007?

Answer 2

The definition of personal data.

Question 3

What is the definition of personal data?

Answer 3

1. Any information,
2. relating to,
3. an identified or identifiable
4. Natural Person

Question 4

What 3 factors should you examine to determine whether information is considered personal data?

Answer 4

1. Nature = objective and subjective
2. Content = wide interpretation
3. Format = includes any information

Question 5

What factors should you examine to determine whether personal data RELATES TO an individual?

Answer 5

Content, purpose and result

Question 6

True or False: Personal data identifies a natural person when it can be combined with other pieces of information that will allow the individual to be distinguished from others?

Answer 6

True.

Key factor for meeting identifiable component of definition of personal data.

Personal data = any information, relating to an identified or identifiable natural person.

Question 7

True or False: If a data controller has information that when viewed collectively may point to a natural person, but the costs and time required to make this connection are extensive – this qualifies as meeting the definition of identifiable under the GDPR?

Answer 7

FALSE.

Test for meeting the definition of identifiable does weigh objective factors, including the costs, time and technology required to make such connection.

Connection must be reasonably likely.

Question 8

True or False: The GDPR recognizes that when the possibility of singling out an individual does not exist or is negligible, the person should not be considered as identifiable.

Answer 8

True. In such case the information is not considered personal data under the GDPR.

Question 9

True or False: Do dynamic IP addresses constitute personal data?

Answer 9

True. On grounds that person could be “identically identified” if combined with data held by internet services providers.

Dynamic IP address - temporary address to devices connect to a network that continually changes over time

Question 10

Does the GDPR apply to anonymous information?

Answer 10

No. Such information does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.

Question 11

True or False: Complete anonymization is a manageable task for a single organization

Answer 11

False - it is difficult

Question 12

What is the definition of pseudonymisation?

Answer 12

processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such information is kept separate and subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

Question 13

True or False: Aggregated data of statistical purposes is considered personal data.

Answer 13

Likely False. But take care.

Question 14

Are there limiting factors on definition of “natural person?

Answer 14

Generally no. Applies regardless of country of residence, subject to territorial scope of GDPR.

Question 15

What are the special categories of sensitive personal data.

Answer 15

1. Racial or ethnic origin
2. Political opinion
3. Religious or philosophical beliefs
4. Trade union membership
5. Genetic data
6. health data
7. Sexual orientation

Question 16

What qualifies as “health data” in terms of the special categories of personal data?

Answer 16

Personal data related to the mental health or physical health of a natural person.

Including the provision of health care services, such as:

• Information collected in the course of registration for
• Unique

Question 17

What is the definition of a data controller?

Answer 17

Natural or legal person, public authority or agency which alone or jointly, determines the purpose and means of processing personal data.

Question 18

What is the term for entity that determines the purpose and means of processing personal data?

Answer 18

Data Controller

Question 19

True or False: The Data Controller is the key decision make with regards to personal data.

Answer 19

True

Question 20

What are the definition components for the Data Controller?

Answer 20

1. Natural or legal person, authority, agency or other body
2. Which alone or jointly with others,
3. Determines the purpose and means of processing personal data

Question 21

True or False: A travel agent that forwards information to a hotel for booking are considered joint data controllers?

Answer 21

False. Travel agent and hotel may hold identical data, but separately for distinct purposes.

Question 22

True or False: A travel agent sets up a shared website with a hotel for booking deals = example of joint data controlelrs?

Answer 22

True.

Question 23

True or False: Article 28(1) of the GDPR prohibits processors from determining the purposes of processing.

Answer 23

True. If they infringe they will be considered a data controller.

Question 24

What is the definition of a Data Processor?

Answer 24

Entity or natural person involved in the processing of personal data but does not have the authority to allocate responsibility that a controller has.

Question 25

What are the two building blocks of the definition of the Data Processor?

Answer 25

1. Person is a separate legal entity from the data controller, and
2. Person processors personal data on behalf of the controller.

Question 26

True or False: The GDPR extends to legal entities and natural persons?

Answer 26

False. Natural persons only!