Accountability Flashcards
What does the GDPR mandate for accountability (include article)?
Article 24(1)
A data protection program. Only names controllers, but processors must keep records and assist controllers with meeting their requirements.
May result in:
- data protection by design and by default
- data protection impact assessments
- data processing records
- a data protection officer
Data Protection by Design (Article?)
Article 25
Begins prior to processing and incorporates data protection considerations into the planning phase
Organizations should build data protection into their products throughout their lifecycles, specifically at the time of planning the means and type of processing and during the processing itself.
The GDPR specifically highlights data minimization and pseudonymization as privacy-enhancing tools.
Data Protection by Default (Article?)
Article 25
Extends data protection by design into the data processing phase by limiting the collection, processing, storage and accessibility of personal data
Where a product or service provides users with multiple setting options, the most data protective settings should be the default.
Users should have the option to choose any setting that presents greater risks. By default, a product or service processes only the personal data that is necessary.
Considerations include: purpose of processing, amount of personal data collected, extent of processing, storage period, accessibility.
What are the values of a data protection impact assessment (DPIA)?
1) Help with incorporating data protection considerations into organizational planning
2) Demonstrate compliance to supervisory authorities
When is a DPIA required?
Article 35(1)
Required if the processing is ‘likely to entail a high risk to the rights and freedoms of natural persons’
When determining whether a DPIA is required, the nature, scope, context, purpose, type of processing, and use of new technologies should be considered
Examples of when a DPIA is required:
- conducting a systematic and extensive evaluation of personal aspects based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person
- conducting processing on a large scale of special categories of data or of personal data relating to criminal convictions and offenses
- conducting a systematic monitoring of a publicly accessible area on a large scale
What is the purpose of a data protection policy?
To explain to employees what can and cannot be done with the data they are handling and to outline consequences of a breach
What does the GDPR state about data protection policies (include article)?
Article 24(2)
Data protection policies are not required for all situations, but should be used where proportionate in relation to processing activities.
What are best practices for data protection policies?
Should use concise and understandable language that speaks to recipients (including translating it into local languages)
Consider metrics to demonstrate results
Ensure tasks are achievable, realistic, relevant, and timely
What are controller obligations for record keeping under GDPR (include article)?
Article 30
Controllers must record:
- Name and contact info of the controller and DPO
- Purposes of processing
- Categories of data subjects, personal data and recipients of that data
- International data transfers being made and the measures put in place to ensure they are lawful
- How long the personal data is being retained and the timeline for deleting that data
- A general description of technical and organizational security measures that have been implemented
What are processor obligations for record keeping under GDPR (include article)?
Article 30
Processors must record:
- Name and contact info of the processor, controller, and DPO
- Categories of processing carried out on behalf of the controller
- International data transfers being made and the measures in place to ensure they are lawful
- A general description of technical and organizational security measures that have been implemented
What are the triggers for recording obligation under GDPR?
Circumstances that trigger the obligation:
- Processing for organizations of 250 or more employees
- Or, regardless of the organization’s size, controllers and processors are obligated to keep records if the processing is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes special categories of data relating to criminal convictions.
What is the role of the Data Protection Officer (DPO) (include article) and what are three cases when the position is required?
Article 37
Staff member or contractor appointed by the controller or processor to ensure or demonstrate compliance with data protection law. Must be an expert in the law and practices.
A required position for three cases:
1) if the controller is a public authority
2) if the core activities of the controller or processor include regular and systematic monitoring on a large scale
3) if the core activities of the controller or processor consist of large scale processing of special categories of data
Member states may specify additional circumstances that require a DPO
What are the tasks and responsibilities of the DPO?
- Ensure compliance with the GDPR
- Advise the controller and processors
- Manage risk
- Be a point of contact
- Communicate
- Monitor DPIAs
- Exercise professional secrecy
What are the controller and processor obligations to the DPO?
Provide:
- support to the DPO, including resources, to help carry out tasks
- access to personal data and processing operations
- help the DPO maintain expert knowledge of topics and issues related to personal data protection
Ensure the DPO:
- acts completely independently and does not receive instructions from anyone except the supervisory authority
- is not dismissed or penalized for performing their tasks
- is not put in a situation of a conflict of interest, such as a position that requires determining the means and purposes of processing personal data
- reports to the highest levels of management
Obligation to designate a representative in the EU (include article)
Article 27
Requires controllers and processors who process personal data within the territorial scope of Article 3(2) to designate a representative within the member states of the data subjects to whom the processing applies
The representative can be addressed in addition to, or instead of, the controller or processor