3. GDPR Flashcards

1
Q

What is the material scope of GDPR?

A
  1. Processing personal data wholly or partly by automated means
  2. Personal data that forms part of a filing system, even if the processing is not conducted by automated means
2
Q

What is the territorial scope of GDPR?

A
  1. When a controller or processor is established in the EU.
  2. Of data subjects in the EU and related to offering goods or services or monitoring behavior
  3. By a controller in a place where member state law applies
3
Q

What are the 6 legal bases for transferring personal data outside of the EU?

A
  1. Adequacy decisions
  2. Ad hoc contracts
  3. Standard contractual clauses (SCCs)
  4. Binding corporate rules (BCRs)
  5. Codes of conduct and/or self-certification mechanisms
  6. Derogations
4
Q

Under the 6 legal bases for transferring personal data, what does adequacy mean?

A

“Adequacy” means that the European Commission of the EU has deemed another country’s data protection laws “adequate” to safeguard its own data. See Article 45 of the GDPR for more information.

5
Q

Under the 6 legal bases for transferring personal data, what does "ad hoc contracts" mean?

A

Ad hoc contractual clauses may also be used for GDPR compliance, although they must receive prior supervisory authority approval and thus may be a less attractive option for controllers.

6
Q

Under the 6 legal bases for transferring personal data, what does "standard contractual clauses" mean?

A

A standard contractual clause, also known as a model clause (language written into a contract), may be a way for organizations to facilitate international data transfers.

7
Q

Under the 6 legal bases for transferring personal data, what does "binding corporate rules" mean?

A

BCRs are legally binding internal corporate privacy rules for transferring personal information within a corporate group. They are typically used by corporations that operate in multiple jurisdictions. Under the GDPR, BCRs require approval from a supervisory authority. At a minimum, BCRs must include structure and contact details for the concerned group, information about the data and transfer processes, how the rules apply to general data protection principles, complaint procedures and compliance mechanisms.

8
Q

Under the 6 legal bases for transferring personal data, what does "code of conduct/self-certification" mean?

A

Under the GDPR, codes of conduct resemble the self-regulatory programs used elsewhere to demonstrate to regulators and consumers that a company adheres to certain information privacy standards. Like codes of conduct, certification is available to controllers and processors outside the EU, provided they demonstrate, by contractual or other legally binding instruments, their willingness to adhere to the mandated data protection safeguards.

9
Q

Under the 6 legal bases for transferring personal data, what does "derogations" mean?

A

If no adequacy decision or appropriate safeguards exist, derogations may be used as a last resort in limited circumstances to allow organizations to transfer personal data across borders under specific conditions.

10
Q

What is a controller?

A

Controllers determine the purpose and the means of processing data.

11
Q

What is a processor?

A

Processors process personal data on behalf of a controller.
