9. Operations: Data Subject Rights Flashcards
Who are data subjects?
Identified or identifiable individuals whose PI is being processed by an organization
What are data subject rights?
Vary across juridictions and include:
- Right to know how PI will be used
- Right to opt out of certain processing activities
Who can place a data subject request (DSR)?
Data subject, their agent, or (under some laws and circumstances) organizations may need to assist customers with fulfilling DSRs
Do organizations need to inform data subjects about privacy practices?
Yes. transparency is a critical requirement under most privacy laws
What is a privacy notice?
An external statement directed at data subjects, it is a tool used to describe the organization’s privacy practices.
What is a privacy policy?
An internal document directed at employees or contractors that describe how the organization will process their PI.
What is a common feature of a privacy notice and policy?
Both describe how personal information will be collected, used, shared, and stored.
Does a privacy notice provide blanket protection from privacy litigation?
No. A privacy notice is a promise and if the organization breaks the promise or fails to adequately describe data processing activities, it can face litigation or regulatory action.
Against which companies did the FTC initiate enforcement actions for deceptive privacy practices?
Google and its subsidiaries, YouTube, Facebook and Snapchat.
What are common elements of privacy notices?
- Who the organization is and contact information (privacy office or DPO)
- What information is being collected (directly or indirectly)
- How the organization will use the information
- With whom the organization will share the information
- An overview of applicable data subject rights and the process for exercising those rights
- How the information is protected and processed securely
- Under what circumstances the organization acts as a processor for other organizations
- How the behaviours of the website users are monitored
What is a just-in-time notice?
A layered approach provided immediately before the data is collected.
E.g., when a mobile application asks to track location.
When is a just-in-time notice a WP29 and a CCPA requirement?
WP29: When providing information at various points throughout the process of data collection
CCPA: When a business collects PI from customer’s mobile device for a purpose that the customer would not reasonably expect.
What is a layered approach to notice?
A high-level summary of the various sections of the privacy notice.
*The EDPB states in guidance that “layered and granular information can be an appropriate way to deal with the two-fold obligation of being precise on one hand and understandable on the other.
When are QR codes useful in privacy notices?
When there is limited space to provide privacy notice (e.g. an internet of things device or mobile screens).
What is a privacy dashboard?
It offers a summary of privacy-related information and metrics and is easy to access and navigate.
What does a privacy dashboard ensure according to WP29?
That access and use of the dashboard is intuitive and helps to encourage users to engage with information.
Do privacy notices solicit or imply consent?
No.
What must be done when relying on consent?
Keep legally admissible record that establishes what the individual consented to, the date it was completed, and establishes that the individual agreed to the consent.
Under the GDPR, other than consent, what other lawful basis are available to organizations for processing PI?
- Contract
- Legal obligations
- Vital interests
- Public interest
- Legitimate interest
What are dark patterns?
Any interface designed to substantially subvert an end-user’s autonomy.
Should consents be regularly reviewed?
Yes, and refreshed if necessary.
What are the two central concepts of choice?
Opt-in - active, affirmative indication of choice
AND
Opt-out - affirmative action by hitting an ‘unsubscribe’ link
What is Age Appropriate Design?
An ICO code that implements GDPR principles “in the context of children using digital services”.
What rules does the ICO code for age-appropriate design establish?
- Not sharing geolocation data by default
AND
- Differentiating an offering based on child-users’ age