Accountability and International Data Transfers

Question 1

What is accountability with respect to the GDPR?

Answer 1

Accountability – different obligations with which an organisation must comply with in order to show and evidence their compliance with the data protection framework.

Question 2

What are the six principles that govern the data controller’s accountability under the GDPR?

Answer 2

Lawfulness, fairness, transparency,
Purpose limitation
Data minimisation
Accuracy
Storage Limitation
Integrity and Confidentiality

Question 3

Whose responsibility is it to demonstrate compliance with accountability principles under the GDPR?

Answer 3

Data Controller.

Data controller must comply with the six principles and also must be able to DEMONSTRATE COMPLIANCE with the principles of data processing.

Question 4

What are the six principles of data processing?

Answer 4

1. Transparency (lawfulness and fairness)
2. Purpose Limitation
3. Data minimisation
4. Accuracy
5. Storage limitation
6. Integrity and COnfidentiality.

Question 5

What are 3 areas the data controller could consider utilizing to comply with implementing appropriate data protection policies?

Answer 5

Three areas the data controller could consider to comply with the requirement to implement appropriate data protection policies:
1. Internal policies
2. Internal allocation of responsibilities
3. Training

Question 6

What is privacy by design?

Answer 6

Privacy by Design, consider in planning and execution states, but also create products with built in ability to manage and fulfil data protection controls.

Question 7

What is privacy by default?

Answer 7

Privacy by Default, requirement that companies implement appropriate technical and organisation measures to ensure that by default, only personal data necessary for each specific purpose of the processing is processed.

Question 8

What is a DPIA?

Answer 8

DPIA is process by which companies can systematically assess and identify the privacy and data protection impacts of any products.

Data Protection Impact Assessment;

Question 9

When is a DPIA used?

Answer 9

Use by companies to identify and address any data protection issues that may arise when developing new products and services.

Question 10

When is DPO required?

Answer 10

Data Protection Officer; DPO is required where:
(a) Processing is carried out by public authority
(b) If core activities of the controller/processor consists of regular and systematic monitoring of individuals on a large scale,
(c) Care activities of processing includes special categories of personal data on a large scale.

Question 11

True or False. DPO is required when processing involves processing special categories of personal data on large scale.

Answer 11

True.

Question 12

True or False. Public authority based processing does not require DPO.

Answer 12

False.

Question 13

True or False. Processing that involves regular and systematic monitoring of individuals on a large scale does not require a DPO.

Answer 13

False.

Question 14

True or False: Transfers of personal data to any country outside of EEA may only take place subject to the conditions of Chapter 5 of the GDPR.

Answer 14

True.

Question 15

What are the methods to allow international data transfers under Article 5 of the GDPR?

Answer 15

1. Adequacy Decision
2. Appropriate Safeguards
3. Derogations

Question 16

Define this concept: Adequacy Decision

Answer 16

Decision that third party country law provides an adequacy level of protection.

Question 17

Name current countries with adequacy decisions:

Answer 17

1. Canada
2. Uruguay
3. Isle of Man
4. Switzerland
5. Israel
6. South Korea
7. Japan
8. New Zealand

Question 18

Define this concept: Appropriate Safeguard

Answer 18

May be used to transfer internationally, these are legal tools design to ensure recipients of personal data are bound to GDPR like standard.

Question 19

What are some examples of appropriate safeguards?

Answer 19

1. Binding Corporate Rules
2. Standard Contractual Clauses
3. Approved Codes of Conduct or Certification Mechanisms

Question 20

Define this concept: Derogations and Restrictions

Answer 20

Derogration and restrictions may be used as a method of last resort to transfer data internationally. They have specified restrictions.

Question 21

What are the factors required to transfer data internationally under a derogration?

Answer 21

One of the following

1. Explicit Consent (with knowledge of risk of international transfer)
2. Necessity for Contract Performance
3. Public Interest
4. Establishment of Legal Claim
5. Protection of Vital Interest