Basic concepts of the GDPR Flashcards

1
Q

What is considered “Processing” under the GDPR?

A

Basically, anything with the exception of “thinking about data” is considered processing within the definition of the GDPR.

GDPR definition:
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Related:
Article 4(2)
2
Q

What is considered “personal data” under the GDPR?

A

Personal data means “any information relating to an identified or identifiable natural person”.

So, the GDPR applies only to living people. Beyond that, any information that can directly or indirectly identify a person is considered personal data and is subject to the GDPR.

Related:
Article 4(1)
Recitals 27, 158, 160

3
Q

What is considered the “data subject” under the GDPR?

A

The data subject is the living, natural person who can be identified by the personal data. In other words, the data subject is the person about whom the data says something.

Related:
Article 4(1)
4
Q

When are you considered the “Controller” under the GDPR?

A

The controller is the entity (natural or legal person) who determines the purpose and means of processing.

GDPR definition:
“ ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law”

Related:
Articles 4(7), 24
Recital 79

5
Q

When are you considered the “Processor” under the GDPR?

A

The processor is the entity (natural or legal person) who processes data on the instructions of the Controller. The processor therefore does not decide on the means and purpose of the processing of the personal data.

GDPR definition:
“ ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”

Related:
Article 4(8), 28
6
Q

In 1980, the Organisation for Economic Cooperation and Development (OECD) designed 8 principles regarding good practice in information processing.

The GDPR presents 7 principles, which closely resemble them.

What are the 8 OECD principles and the 7 GDPR principles, and how strongly are they related to each other?

A

OECD Principles:

  1. Collection limitation principle
  2. Data accuracy
  3. Purpose specification principle
  4. Use limitation principle
  5. Security safeguards principle
  6. Openness principle
  7. Individual Participation principle
  8. Accountability principle

GDPR Principles:

a. Lawfulness, fairness and transparency
b. Purpose limitation
c. Data minimisation
d. Accuracy
e. Storage Limitation
f. Integrity and Confidentiality
g. Accountability

Related:
Article 5
Recitals 39, 50, 58, 60

7
Q

The GDPR states 6 lawful grounds on which you can base the processing of data. Which 6?

A

Processing shall be lawful only if and to the extent that at least one of the following applies:

  1. Consent;
  2. Performance of a contract;
  3. Necessity to comply with a legal obligation;
  4. Protect the vital interest of the data subject;
  5. Necessity for the performance of a task carried out in the public interest;
  6. Necessity for the purposes of the legitimate interests pursued by the controller or by a third party.

Related:
Articles 6, 7
Recitals 39, 40, 41

8
Q

Processing based on consent is allowed, but there are certain conditions that must be met. What conditions are described in the GDPR for lawful consent?

A
  1. Consent has to be given by a clear, affirmative action;
  2. Consent has to be freely given;
  3. Consent has to be specific to the purpose of processing;
  4. Consent has to be informed and unambiguous.

Related:
Articles 4(11), 7, 8
Recitals 32, 42, 43.

9
Q

The GDPR states 8 different types of “special categories of personal data”. Name them all.

A

Special categories of personal data are data concerning:
1. Racial or ethnic origin;
2. political opinions;
3. religious or philosophical beliefs;
4. trade union membership;
5. genetic data;
6. biometric data for the purpose of uniquely identifying a natural person;
7. health, or;
8. a natural person’s sex life or sexual orientation.
In principle, the processing of these categories of data is prohibited.

The special categories are often referred to as ‘sensitive data’. However, they are not the same. Sensitive data has no legal definition in Europe, unlike, for example, in Australia. Sensitive data is therefore more of a social value, and should be treated as such.

Related:
Articles 9, 10
Recitals 51 - 56

10
Q

When processing is based on consent, who must be able to prove consent has or has not been given?

And what needs to be proven?

A

The burden of proof is with the Controller, which is the entity that decides the means and purposes of processing.

This burden of proof is also quite extensive. The controller will need to be able to prove that lawful consent has been given, ergo: prove there was an active and affirmative action, freely given, with purpose-specific and unambiguous information.

Related:
Articles 9, 10
Recitals 51 - 56

11
Q

The GDPR is directly applicable in the EEA.

What is the EEA, and how is it different from the EU?

A

The EEA is an abbreviation for the European Economic Area. The EEA consists of all EU member states, and also includes Norway, Iceland, and Liechtenstein.

12
Q

What is considered a “third country” under the GDPR?

A

A third country means any country outside the EEA. It therefore has a different meaning than a “third country” in a socio-economic context.

13
Q

What is a Supervisory Authority (SA)?

And how is an SA different from a Data Protection Authority (DPA)?

What are some tasks of SAs under the GDPR?

A

A Supervisory Authority (SA) is an independent public authority which is established by a member state. For example, France has the CNIL, the UK has the ICO, the Netherlands has the AP.

A Data Protection Authority (DPA) is the same as a Supervisory Authority; it is simply the term more commonly used in, for example, articles.

An SA / DPA under the GDPR has an array of tasks, such as:

  • Monitoring and enforcing the GDPR;
  • Promoting awareness among Controllers, Processors, and Data subjects;
  • Advising organisations and individuals on the application of the GDPR;
  • Handling complaints in relation to privacy and data protection;
  • Conducting investigations where deemed necessary;
  • Administering fines or exercising other corrective powers.

Related:
Articles 4(21), 4(22), 51, 57
Recitals 36, 91, 124

14
Q

What is the difference between “a transfer” of personal data and “cross-border processing” of personal data?

A

A transfer occurs when data is processed from within the EEA to outside the EEA. Whether merely “eyes on glass” from outside the EEA on data held in the EEA is considered a transfer remains to be seen. A strict application of the law at the moment says it is.

With cross-border processing, the data remains in the EEA. It is the processing of personal data in more than one member state, OR when processing takes place in one member state but is (likely to) substantially affect data subjects in more than one member state.

Related:
Article 23
Recitals 5, 53

15
Q

Non-compliance with the GDPR can have some significant effects on your organisation.

What are the four most important negative effects the GDPR can have on your organisation?

A

Non-compliance with the GDPR can have some significant effects on your organisation.

  1. A Data Protection Authority (DPA) can impose a temporary or permanent ban on your processing activities (your clients will not appreciate you failing to deliver your work);
  2. Fines from DPAs of significant amounts, with a maximum of €20 million, or 4% of the total worldwide annual turnover, as the highest tier;
  3. Legal claims from data subjects that have experienced an infringement of their privacy due to your processing activities;
  4. All of the above can result in (significant) reputational damage to your organisation, in both B2C and B2B environments.

Related:
Article 58
Recital 129

16
Q

The GDPR brings opportunities as well.

What are the most important positive effects that becoming compliant with the GDPR can have on your organisation?

A

Becoming compliant with the GDPR brings opportunities as well, even though they are driven by legislation.

The benefits include:

  1. The development of a Privacy Strategy, which will become more important in the coming years;
  2. Being able to start or continue to do business in and with Europe;
  3. Increase efficiency of data use, driven by the lawful obligation of proportional processing with a specific purpose;
  4. Become better equipped to continue your daily business in case of a breach or a cyber-attack;
  5. Improved privacy awareness within the organisation;
  6. Show accountability with regards to different legislation, such as GDPR (EEA) and Australian Privacy Principles and Notifiable Data Breach Scheme (Australia), towards Supervisory Authorities, customers, and other third parties;
  7. Distinguish yourself from other organisations as a trusted party in an increasingly privacy-aware market.
17
Q

The GDPR brings more rights for individuals to the table. 8 rights can be distinguished. Which 8?

A
  1. Right to be informed
  2. Right of access
  3. Right to rectification
  4. Right to erasure and to be forgotten
  5. Right to restrict
  6. Right to data portability
  7. Right to object
  8. Right not to be subject to decision making solely based on automatic processing.

Related:
Articles 12 - 22
Recitals 58 - 72, 73, 91