Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

European Data Protection CIPP E > Accountability (10) > Flashcards

Accountability (10) Flashcards

1
Q

What does accountability mean?

A

The ability to demonstrate that a data protection program has been implemented and run in compliance with the law.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What is the responsibility of the controller?

Article 24: Responsibiity of the Controller

A

implement appropriate technical and organizational measures to ensure and be able to demonstrate that processing is in accordance with GDPR

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What instruments are used to practice accountability?

A

Data protection by design/default
DPIAs
ROPAs
DPO

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What in general is requireed by Article 25: data protection by design and data protection by default?

A
  1. implement technical and organizational measures and integrate necessary safeguards
  2. minimum and limited personal data use and maximum security settings are the default
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

When should the SA be consulted for a DPIA?

A

prior to processing commencing processing

(if DPIA indicates high risk)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

What are best practices for designing a data protection policy?

A

GDPR does not specify required contents.

  1. Language - that speaks to recipients
  2. Contents - what to do, what not to do and consequences, principles
  3. Goals - how metrics will demonstrate results, ensure tasks are achievable, realistic, relevant, timely
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

When is an organization required to maintain records of processing activities?

A

if the organization has 250 employees or more –> always

if the organization has less than 250 employees, when processing:
- likely to result in risks to rights and freedoms of data subjects
- not occasional
- special category data or criminal convictions

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What 7 pieces of information must be in controller records?

Article 30

A

1) name and contact of controller and DPO
2) purposes
3) categories of data subjects and personal data
4) technical and organizational security measures
5) recipients
6) international data transfers and safeguards
7) time limits for erasure

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

What 4 pieces of information must processor records contain?

Article 30

A

1) name and contact info of processor and controller
2) categories of processing
3) international data transfers and safeguards
4) technical and organizational security measures

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

What are 4 elements required in controller records that are NOT required in processor records?

A

1) purpose of processing
2) categories of data subjects and personal data
3) recipients
4) time limits for erasure

decisions that a controller makes: determines means and purpose

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Can a DPO be external to the organization?

A

Yes

can be internal staff or externally contracted

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

When is a DPO legally required?

A

When the core activities of the controller include:

  • regular and systematic monitoring on a large scale
  • processing sensitive data on a large scale
  • processing by public bodies, other than courts acting in judicial capacity
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

What are the major tasks and responsibilities of the DPO?

A

monitor compliance with GDPR, and other data protection laws
inform and advise controllers, processors and employees
manage risk
cooperate with SA
communicate with data subjects and SA
exercise professional secrecy

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Is the DPO responsible or legally liable for compliance?

A

No

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

What are controller and processor obligations to the DPO?

A
  1. communicate
  2. provide access to personal data and processing
  3. provide resources
  4. enable DPO to perform independently
  5. report to highest level of management
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Who is responsible for data protection by design and default?

controllers or processors?

A

controllers

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Who is responsible for DPIAs?

controllers or processors?

A

controllers

(processors have duty to assist)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Who is responsible for record-keeping and security?

controllers or processors?

A

both

19
Q

Who is responsible for data breach reporting?

controllers or processors

A

Controller –> to SA and data subject

Processor –> to controller

20
Q

What must controllers or processors do if they’re not established in the EU, but they are offering goods or services or monitoring behavior in the EU?

A

Establish a designated representative in that member state

21
Q

What did Article 5 of GDPR introduce regarding accountability?

A

data controller is responsible for complying with the 6 principles of Article 5 AND must be able to demonstrate compliance

22
Q

How does Article 24 codify the accountability obligation?

A

requires data controllers to implement appropriate technical and organizational measures to ensure and be able to demonstrate data processing is performance in compliance with GDPR, and review/update where necessary

23
Q

According to Article 24, what should organization and technical measures consider?

A

scope, context, purposes of processing and risks to rights and freedoms

where higher risk to individuals, need to adopt greater measures to protect against risk

24
Q

What are examples of high-risk processing laid out in Recital 75?

A

processing which gives rise to:

  • discrimination
  • identity theft, fraud or financial loss
  • damage to reputation
  • loss of confidentiality of data protected by professional secrecy
  • unauthorized reversal of pseudonymization
  • significant economic or social disadvantage
  • deprive of rights and freedoms
  • special category data, children, or convictions
25
Q

What are 3 areas to consider for controllers to fulfill their obligation to implement appropriate data protection policies, and ensure compliance?

A
  1. internal policies
  2. internal allocation of responsibility
  3. training
26
Q

What are 6 things organizations can do to ensure compliance with Article 25 (data protection by design and default)?

A
  1. ensure personal data mapped, classified, labelled, stored and accessible to allow it to be searched and collated in case of data subject request
  2. ensure systems for automated deletion of personal data
  3. ensure data collection (forms, paper, etc) to not collect excessive personal data
  4. pseudonmyized personal data, where possible
  5. personal data can be singled out to allow for deletion requests
  6. personal data structured in machine readable common format
27
Q

What changed for data controllers between the Directive and GDPR regarding notification of data processing activities?

A

Directive: had to notify relevant DPA

GDPR: do not have to notify, but must keep detailed processing records

28
Q

What 7 pieces of information must be kept in the records of data controllers?

Article 30

A
  1. controller name and contact, and joint controllers and DPOs
  2. purpose of processing
  3. data subjects and personal data
  4. categories of recipients
  5. transfers to 3rd countries and safeguards
  6. retention periods
  7. organizational and technical measures

in bold, those that are exclusive to controller records of processing ac

29
Q

Who is exempt from keeping records of processing activities?

A

Companies that employ fewer than 250 people

30
Q

When does the 250-employee exemption NOT apply for keeping records of processing activities?

A
  1. processing likely to result in high risk to rights and freedoms
  2. processing is frequent, not occasional
  3. processing involves special category or criminal offense data
31
Q

What is a DPIA?

A

process by which companies can systematically assess and identify the privacy and data protection impacts of any products they offer and services they provide and actions to prevent or minimize risk

32
Q

In what case is it mandatory to undertake a DPIA per the GDPR?

A

where a type of processing in particular using new technologies and considering the nature, scope, context and purposes of processing is likely to result in high risk to the rights and freedoms of natural persons

33
Q

What are 3 types of activities considered to be risky and warrant a DPIA?

A
  1. systematic and extensive profiling that produces legal effects or significantly affects individuals
  2. processing special category data on a large scale
  3. systematic monitoring of publicly accessible area on a large scale (CCTV, drones, video surveillance in public areas)
34
Q

What 4 things must a DPIA contain?

Article 35(7)

A
  1. systematic description of processing and purposes, including legitimate means
  2. assessment of necessity and proportionality
  3. assessment of risks to rights and freedoms
  4. measures adopted to address risks, safeguards, security and mechanisms
35
Q

When is a controller required to consult with DPA before commencing processing?

A

when the processing poses high risk and there are no sufficient measures capable of mitigating the risk

36
Q

How much time is given to DPAs when considering a referral by a data controller (for insufficient measures to control risk)?

A

8 weeks

option to extend 6 more weeks and suspend timetable if waiting on info from controller

37
Q

What are the 3 circumstances in which a company must designate a DPO?

A
  1. processing carried out by public authority
  2. core activities consist of regular and systematic monitoring of individuals on a large scale
  3. core activities consist of processing special categories of personal data on a large scale
38
Q

What are “core activities” per WP29?

A

key operations necessary to achieve the controller’s or processor’s goals

data processing is an inextricable part of the controller/processor’s activity

39
Q

What does “large scale” refer to in the requirements to designate a DPO?

A

number of data subjects
volume of data or range of different data
duration of processing
geographical extent of processing

(not # of employees)

40
Q

What does “regular” refer to in the requirements to designate a DPO?

A

ongoing or particular intervals for a particular period

recurring or repeated at fixed times

constantly or periodically taking place

41
Q

What does “systematic” refer to in the requirements to designate a DPO?

A

occurring according to a system
prearranged, organized, methodical
taking place as part of general plan for data collection
carried out as part of strategy

42
Q

Per what other type of legislation might a DPO be mandatory?

A

member state law

(Germany: companies that employ >20 people doing automated processing)

43
Q

Can a group of undertakings appoint a single DPO?

A

Yes

Provided DPO is easily accessible to each undertaking

European Data Protection CIPP E (12 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions