Certification Exam Flashcards

1
Q

Universal Declaration of Human Rights (Human Rights Declaration)

A

10 December 1948
Adopted by United Nations General Assembly (non-binding)
Specific provisions for the right to a private life and freedom of expression
Influenced European data protection laws/standards
Article 12: Right to a private life
Article 19: Right to freedom of expression
Article 29(2): rights are not absolute and a balance should be struck

2
Q

European Convention on Human Rights (ECHR)

A

Council of Europe
based on Human Rights Declaration
1953
International treaty to protect human rights and fundamental freedoms
Enforced by European Court of Human Rights (Strasbourg)
Article 8: rights of individuals
Article 10: rights of freedom of expression and sharing info and ideas across national boundaries
Article 10(2): promotes balance between 8 and 10

3
Q

OECD Guidelines for the Protection of Privacy and Transborder Flows of Personal Data

A

1980
Aimed to facilitate data flows and protect personal data in a global economy
Updated in 2013 - basic data protection principles

4
Q

Council of Europe Convention (Convention 108)

A

Opened for signatures in 1981
Treaty among MS of the Council of Europe
First data protection instrument for several Council of Europe member states
Requires signatories to apply the principles in their domestic legislation
Late 1980s, only a small number of states had ratified it, and even those had a fragmented approach

5
Q

EU Data Protection Directive (95/46/EC)

A

European Commission

Set out general data protection principles and obligations, requiring EU member states to implement them

6
Q

Charter of Fundamental Rights of the EU (European Union Institutions)

A

Comprehensive collection of individuals’ rights, including the fundamental right to the protection of personal data

7
Q

EU Directive on Privacy and Electronic Communications (ePrivacy Directive) (adopted 2002, amended 2009)

A

Legally binding on EU member states, requires local implementation
Applies to processing of personal data through public electronic communications services and networks in the EU

8
Q

Treaty of Lisbon (2009)

A

Aim is to strengthen and improve the core structures of the EU and help it to function more efficiently.
Gave the Charter of Fundamental Rights of the EU full legal effect in the EU

9
Q

European Court of Human Rights (ECHR)

A

Upholds data protection laws through its enforcement of the ECHR and Convention 108
Not part of the EU

10
Q

Council of Europe v. European Union

A

Two separate institutions
Council of Europe - international organization with 47 member states
EU - economic and political union with 27 member states
All member states of the EU belong to the Council of Europe (though not a prerequisite for membership)

11
Q

European Economic Area (EEA)

A

Based on the agreement of the EEA of 1994, which allows members of the European Free Trade Association (EFTA) to participate fully in the EU’s internal market
Composed of 27 EU member states and 3 EFTA member states (Iceland, Liechtenstein and Norway - not EU member states)

12
Q

European Parliament

A

Only European institution whose members are directly elected
3 primary responsibilities: legislative development, supervisory oversight of other institutions, and development of the budget

13
Q

European Council

A

Defines the EU’s priorities and sets political direction
Composed of heads of state or government of all EU countries, the European Council President, the European Commission President and the High Representative for Foreign Affairs and Security Policy

14
Q

Council of the EU

A

Along with Parliament, focuses on legislative decision-making
Meetings are attended by one minister from each member state (changes based on issue)
Shares legislative power with Parliament
Legislation is proposed by Commission before it is examined by the Council of the EU and Parliament

15
Q

European Commission

A

Implements the EU’s decisions and policies
Exclusive competence to propose legislation
Most active EU institution in the area of data protection
One commissioner per member state who pledges to respect the EU Treaties

16
Q

Court of Justice of the EU

A

Luxembourg
Judicial body of the EU
Makes decisions on issues of EU law and enforces decisions
Comprises the European Court of Justice (ECJ) and the General Court
Provides clarification of EU law to national courts to assist in upholding EU law

17
Q

DP Directive v. GDPR

A

Directive places obligations on MS whose governments then implement the directive into their local law
Regulation is directly applicable and enforceable as law in every EU member state (no need for local imp)
DP Directive was transposed into 28 national laws
GDPR - one set of data protection rules for all EU MS
Despite harmonization of data protection rules, the GDPR allows member states a degree of tailoring (about 50 provisions)

18
Q

European Data Protection Board (EDPB)

A

Established by GDPR, replaced Article 29 WP
Independent European body which contributes to the consistent application of data protection rules throughout the EU and promotes cooperation between the EU’s data protection authorities
Composed of reps of the national DPAs and the European Data Protection Supervisor (EDPS)

19
Q

ePrivacy Directive and GDPR (Interplay)

A

EDPB has issued opinion regarding how the ePrivacy Directive works within the context of the GDPR, relating to processing that triggers the material scope of both ePrivacy Directive and GDPR

Co-existence - in cases where lex specialis does not apply, the general rule will apply (lex generalis)

To complement - several ePrivacy Directive provisions complement GDPR provisions

Article 95 of GDPR - aims to avoid imposition of unnecessary admin burdens upon controllers who would otherwise be subject to similar but not quite identical admin burdens

To particularise - (lex specialis principle) special provisions prevail over general rules

20
Q

Personal data

A

Article 4(1) of GDPR - any information relating to an identified or identifiable natural person

Any information: literal - from a name to a location

Relating to: info’s purpose and impact on someone’s privacy rights

Identified: individual person has been named or singled out; identifiable: indirect identification, taking into account all the “means reasonably likely to be used” to identify a person (Recital 26)

Natural person: real human being, distinguished from a corporation (referred to as “data subject”)

21
Q

Personal data elements

A

Pieces of data that happen to be personal information
Examples: gender, age, DOB, marital status, citizenship, languages spoken, veteran status
May relate to an individual’s employment or association with an organization (address, phone number, email, internal ID #, government based ID #, identity verification info)

Aggregation of data elements can make personal data richer and harder to de-identify.

22
Q

Cookie

A

Small text file stored on a client machine that may later be retrieved by a web server from the machine

23
Q

Anonymous data

A

Not related to an identified or identifiable natural person (rendered unidentifiable and not protected by GDPR)

24
Q

Pseudonymous data

A

Not fully anonymous (subject to GDPR)
Undergone a process that has detached aspects of the data attributable to a specific individual (like creating an alias), but the personal data is still retrievable
Security measure to make the use of the data less risky

25
Q

Special categories of personal data

A

Article 9(1): racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union memberships; genetic data; biometric data; health data; sex life or orientation

26
Q

Data related to criminal convictions or offenses

A

Article 10: processing of such personal data “shall be carried out only under the control of official authority or when the processing is authorized by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects”

27
Q

Data Processing Roles

A

Data subject: individual about whom personal data is processed
Data controller: organization or individual that decides how and why personal data is processed
Data processor: organization or individual that processes information on behalf of data controller
Supervisory Authority (SA): data protection authority, entity appointed to enforce privacy or data protection laws and regulations in a particular jurisdiction

28
Q

Controllers v. Processors

A

Controller or processor: may be a natural person, legal entity, public authority, agency or other body

Controllers and processors: have accountability obligations under GDPR, including keeping records that can be provided to SAs; share responsibilities for personal data security and must ensure compliance with int’l data transfer rules; subject to large administrative fines if their obligations are not met and can be subject to compensation claims from individuals.

Distinction: Article 4(7) - controller is the individual or body who “alone or jointly with others determines the purposes and means of the processing of personal data.”

Article 4(8): a processor processes personal data on behalf of the controller; activities must be transparent to the controller, and any decisions that determine where personal data is processed or by whom must rely on approval from the controller.

29
Q

Data Processing (definition)

A

Article 4(2) of GDPR: any operation performed upon data, and it comprises the many possible actions in the data lifecycle.

30
Q

Data Processing Principles

A

OECD - most widely recognized framework for fair info practices

Collection limitation: limits to collection of personal data, and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

Data quality: personal data should be relevant to the purposes for which they are to be used and should be accurate, complete and up to date.

Purpose specification: purpose should be specified no later than at the time of data collection and subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

Use limitation: personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with the purpose specification principle except with consent or authority of law.

Security safeguards: protected by reasonable security safeguards against loss, unauthorized access, destruction, use, modification, disclosure of data

Openness: general policy of openness about developments, practice and policies with respect to personal data.

Individual participation: individual has rights

Accountability: data controller shall be accountable for complying with measures which give effect to the principles stated above

31
Q

GDPR Principles

A

Article 5

Lawfulness, fairness and transparency of processing - honest practices relating to processing activities

Purpose limitation - requires collecting and processing for the specified purpose only.

Data minimization - processing only personal data that is relevant and necessary for purpose

Accuracy - processing complete and up to date personal data

Storage limitation - retaining only personal data that is relevant and necessary for the purpose

Integrity and confidentiality - ensuring personal data is secure

Accountability - processing personal data responsibly and demonstrating compliance with EU and MS DP laws

32
Q

Application of GDPR

A

Territorial and material scope

Territorial scope (Article 3) - one of these criteria must be met for the GDPR to be applicable:

(1) when a controller or processor is established in the EU (regardless of whether the processing takes place in the EU)
(2) processing personal data of data subjects in the EU relating to offering goods or services or monitoring behavior in the EU (where the controller or processor is NOT established in the EU)
(3) processing by a controller not established in the EU but in a place where MS law applies by virtue of public international law.

Material scope (Article 2): data wholly or partly processed by automated means; any processing operation performed wholly or partly without human intervention; not to be confused with automated decision making; also covers processing, other than by automated means, of personal data that forms part of a filing system

EXCLUSIONS to material scope: activities outside the scope of EU law (national security activities); law enforcement and public security; purely personal or household activities.

33
Q

Lawful Processing

A

Six lawful grounds for controllers to rely on to process personal data (Article 6):

(1) consent from data subject
(2) performance of a contract (necessary to perform the contract and data subject is party to the contract, or if data subject requests the processing to enter into a contract)
(3) compliance with a legal obligation to which the controller is subject
(4) protection of vital interests of the data subject or another natural person (emergency - no other options)
(5) necessity for public interest or in the exercise of official authority of controller (administration of justice, tax collection, census)
(6) as necessary for the legitimate interests of the controller or a third party *unless overridden by interests, rights or freedoms of the data subject (child)

34
Q

Consent

A

Provides the controller with permission to process the personal data for a specific purpose; must be clearly distinguishable from other matters, intelligible, clear and plain language; must keep records of consent.

FREELY GIVEN; data subjects must be able to choose to have their personal data processed and must be able to withdraw consent at any time (as easily as giving consent)

SPECIFIC: informed of all intended purposes for processing; if another arises, may be required to obtain additional consent

INFORMED: to be legitimate, data subjects must be informed, at least, of the controller’s identity, purpose for processing, and information about how processing may affect data subjects; communicated in understandable language and form

UNAMBIGUOUS: unambiguous indication of wishes (wishes must be absolutely clear); positive, affirmative action (checking opt-in or choosing technical settings); no silence or pre-ticked boxes or inactivity.

CHILDREN: more rigorous; must be given by a parent or guardian when child is under 16 (or under 13 in some MS)

35
Q

Legitimate Interests

A

CONTROLLERS: burden is on the controller to show that data subjects’ fundamental rights and freedoms have not been compromised (legitimate interest exists, processing is necessary for legitimate interest, inform data subjects, balance legitimate interest with rights of data subjects, uphold fundamental rights and freedoms of data subjects)

CONTROLLER DATA SUBJECT RELATIONSHIP: fraud prevention, direct marketing, sharing personal data within group for internal administrative purposes, information security

Public authorities may NOT rely on legitimate interest as grounds for processing personal data

36
Q

Processing Special Categories

A

General starting point - processing of special categories of personal data is prohibited; a number of exceptions to the prohibition exist; controller must also ensure it meets one of the six bases for lawfully processing personal data

Explicit consent: required under Article 9 (differs from Article 6), must be explicit; must still be unambiguous, freely given, specific and informed, but it must be a clear affirmative act by the data subject

In the context of employment: applies when processing of special categories is necessary for controller to comply with legal obligation under employment, SS and social protection laws; relevant when data subjects are candidates, employees and contractors

Vital interests of the individual: similar to Article 6, except controller must be able to demonstrate that it is not possible to obtain consent; controller is expected to attempt to seek consent.

Political, philosophical and religious purposes: covers particular foundations, associations, not for profit bodies and any foundation, association or not for profit body with trade union aim; processing of special categories of data about members of the org, former members or those with regular contact with org; appropriate safeguards

Sensitive data manifestly made public by data subject: interviews, social networking sites

Establishment, exercise or defense of legal claims

Substantial public interest: reason for processing special categories of data in the public interest be balanced with the data subject’s rights to data protection; safeguard data

Medicine and social healthcare

Public health: required for public health reasons

Public archives or scientific historical research or statistical purposes: requires further interpretation from MS law; proportionate to the purpose and respect data subject rights; safeguards

37
Q

Data access and rectification

A

Confirmation of processing (is or was processed); purpose of processing (why); categories of data processed (what); recipients or categories of recipients of data (who); retention period/criteria to determine period (when); information about data subject rights to: rectification, erasure, restriction, object to processing, and lodge complaints; source of personal data (when not collected from data subject); existence of automated decision making (logic, significance and envisaged consequences); appropriate safeguards for data transferred to third country or int’l org

38
Q

Data portability

A

Right to obtain and reuse data for own purposes; allow data subjects to receive personal data concerning them that they provided to the controller; structured, commonly used, machine readable format; applies when processing is based on prior consent or performance of the contract to which data subject is a party AND data provided by data subject, not data derived from data provided by him AND transferring data does not adversely affect the rights and freedom of others

39
Q

Erasure

A

Right to be forgotten (Article 17)
Data subjects may, in some circumstances, request that personal data be erased and, therefore, no longer processed.
May be requested under these circumstances: no longer necessary for the purpose for which it was collected; data subject has withdrawn consent (when processing was based on consent); if based on controller’s legitimate interests, data subject objects, and controller is unable to demonstrate that its legitimate interest overrides the interests or fundamental rights and freedoms of data subject; if processing is unlawful; if personal data must be erased for compliance with EU or MS law; if consent was given when data subject was a child, consent may be withdrawn even if the individual is no longer a child

Right to be forgotten also applies when data has been made public by the controller; original controller must take reasonable steps to inform other controllers processing personal data to erase any links to or copies or replications of the personal data.

May prove difficult - determine all of the data’s recipients (when posted on internet, for instance); informing all other controllers; objections from controllers based on fundamental right to freedom of expression and information.

40
Q

Exceptions to Erasure

A

Compliance with EU or MS law for a task in the public interest or in the exercise of official authority; public health purposes; archiving in the public interest, scientific or historical research, or statistical purposes; establishment, exercise or defense of legal claims.

41
Q

Restriction of Processing

A

Defined in Article 4(3): Marking of stored personal data with the aim of limiting their processing in the future

Set out in Article 18 (new) - differs from erasure because it allows for personal data to continue being stored without being further processed

Provides an alternative to erasure in circumstances where storing the personal data is legally required, ensures the protection of another person’s right, or is in the public interest

Possible methods: making personal data temporarily unavailable; noting restriction; moving data to separate system; temporarily blocking website; using data under narrow conditions

Data subjects may request restriction for: accuracy of data is contested and controller needs time to verify accuracy; processing is unlawful, but data subject prefers restriction to erasure; controller no longer needs personal data but data subject needs it to be saved for the establishment, exercise or defense of legal claims; data subject objects to processing, pending the controller’s attempt to verify legitimate grounds.

42
Q

Right to object

A

Article 21 - right is not absolute; only available if the grounds for data processing falls into one of three categories:

(1) direct marketing - absolute and should cause the controller to cease processing, including profiling
(2) public interest or legitimate interests: based on grounds related to the individual’s particular situation; controller then has the burden to demonstrate that it has compelling legitimate interests for processing that override the data subject’s interests, rights and freedoms
(3) research or statistical purposes: on grounds relating to their particular situation; overridden if processing is necessary for the performance of a task carried out in the public interest.

43
Q

Automated processing

A

Article 22: data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects without human intervention (strictest for decisions involving children)

Profiling is the automated processing of personal data for the purpose of evaluating, analyzing or predicting personal aspects of a natural person.

Exceptions: authorized by MS or EU law; necessary to enter into or perform a contract between processor and data subject; based on data subject’s explicit consent; certain decisions based on special categories of data.

44
Q

Transparency provision

A

Requires data controllers to communicate with data subjects using an intelligible and easily accessible form (Article 12(1)); clear and plain language; concise communication.

Notice and access to personal data must be free of charge, unless the data subject’s request is unfounded or excessive

45
Q

Privacy notice

A

Also called privacy statement, fair processing statement or privacy policy

Statement made to a data subject that describes how the organization collects, uses, retains and discloses personal data; must contain certain information.

Creative solutions for making privacy notices more concise and easier to navigate: layered privacy notices, just in time notices, standardized icons.

46
Q

Layered privacy notice

A

Contains multiple layers of increasingly detailed notices (up to 3 layers), so long as the sum total meets the legal requirements. Top layer contains the short notice (key elements); second and third layer may contain a condensed notice followed by a full notice, or a full notice followed by FAQs and additional links.

47
Q

Just in time notice

A

Delivered at or right before a user accepts a service or product, helping to facilitate meaningful choice; or given when previously collected data is to be used for a new purpose.

48
Q

Standardized icons

A

Recital 60 endorses the use of standardized icons with privacy notices to communicate required information; challenge - design icons readable by humans and computers that accurately reflect the meaning of abstract, complex messages. Recital 166 delegates decisions about development of standardized icons to the European Commission.

49
Q

Direct v. indirect collection

A

If data is obtained from an indirect source (news media or public records), provision of info (data privacy statement) may happen after collection but prior to processing.

If a controller later wants to process the data for a different purpose, subjects must be provided with all relevant information, including the new purpose, prior to processing

50
Q

Direct collection requirements

A

DS must be provided with the identity and contact details of the controller and DPO; purpose and legal basis of processing; recipients of personal data; intention to transfer data to third country or int’l org; legal basis for intended int’l transfer; legitimate interests of controller (if used for legal basis); storage period or criteria used to determine length of storage; subjects’ right to withdraw consent, to request access, to rectification or restriction of processing, and to lodge a complaint; statutory or contractual requirement, as well as obligations to provide the data and consequences of failing to do so; info about use of automated decision making.

51
Q

Indirect collection requirements

A

Source of data and categories of personal data must be provided to the DS, in addition to all info required for direct collection; should happen within a reasonable period after obtaining data (no more than 1 month) or upon first communication with the data subject when used to communicate.

Info may not have to be provided to the DS whose data was collected indirectly: (1) if DS already has the info; (2) if info provision is impossible or requires disproportionate effort or would render impossible or seriously impair the purpose of the processing; (3) if national or EU laws require obtaining or disclosing data and provide appropriate measures to protect individuals’ interests; or (4) if national or EU laws require that the personal data remain secret.

52
Q

International Data Transfers

A

GDPR - ensures the free flow of personal data between MS; also recognizes that transfers from a member state to a third country (outside the EEA) or an int’l org require special considerations. Provisions for int’l data transfers also apply to onward transfers from one third country or int’l organization to another outside the EEA. In other words, if personal data is to be transferred outside the EEA, it still must be protected to an adequate standard.

53
Q

International data transfer options

A

(1) Adequacy decisions
(2) Appropriate safeguards
(3) Derogations

54
Q

Adequacy decisions

A

Based on assessments of third country law; determinations that certain third countries adequately protect EU data; because their laws have achieved a European level of protection, transferring personal data to these countries does not require additional safeguards.

European Commission makes adequacy decisions; reviewed every four years and may be overturned, repealed, suspended or amended.

Criteria: respect for the rule of law; access to justice; international human rights standards; general and sectoral laws; case law; effective and enforceable rights for individuals, including effective administrative and judicial redress; data protection rules, professional rules and security measures, including specific rules for onward transfers; and other int’l commitments and obligations.

55
Q

Data Protection Act (replaced Data Protection Act of 1998)

A

Enacted 23 May 2018

56
Q

Appropriate Safeguards

A

In the absence of an adequacy decision, may be used to legally transfer personal data internationally.

Legal tools designed to ensure recipients of personal data who are outside EEA are bound to continue to protect personal data to a European like standard; mechanisms that can be used by recipients to commit to protecting personal data and facilitate ongoing, systematic int’l data transfers.

Intended to provide enforcement and effective rights to individuals; require pre-approval from a SA:

Binding Corporate Rules (BCRs): designed to allow large multinational companies to adopt a policy suite with rules for handling personal data that are binding on the company; if the competent SA signs off, the company is considered free to transfer personal data within its organization; min reqs: application of GDPR principles; different versions for controllers and processors.

Standard Contractual Clauses: model clauses, adopted by the Commission or adopted by a national supervisory authority and then approved by the Commission; standard form that is non-negotiable; once signed, company outside the EEA is considered safe to receive personal data from the EU; most commonly used tool for appropriate safeguards.

Approved codes of conduct and certification mechanisms: provisions with GDPR encourage industries to create their own codes of conduct and certification mechanisms that will be reviewed by the EDPB, and if approved, companies may adhere to them and be considered safe to receive data transfers from the EU.

Ad Hoc contractual clauses: must have SA authorization; allow for individual tailoring to a company’s needs; provisions may differ at MS level.

Reliance on int’l agreements: two countries may enter into an agreement between themselves to provide for the protection of personal data; eg, passenger name records (airlines) to transfer passenger data between EU and US, for example.

57
Q

Derogations

A

Where there is no adequacy decision and no appropriate safeguards, a derogation is the last option

Basically an exemption from the prohibition on transferring personal data outside the EEA; for limited circumstances and under very specific conditions

58
Q

Processing employee personal data

A

Article 88 allows for MS to have more specific rules around processing employees’ personal data. Rules must include suitable and specific measures to safeguard the data subject’s: human dignity, legitimate interests, and fundamental rights, with particular regard for: transparency of processing, transfer of personal data within a group of undertakings or group of enterprises engaged in joint economic activity; and monitoring systems.

Mix of EU data protection law with local law can make compliance relating to employment complicated; local employment law varies considerably across the EU.

59
Q

Legal grounds for processing employee personal data

A

Fulfillment of employment contract (bank account info to process salaries)

Legal obligation (sharing salary info with tax authorities)

Legitimate interests of the employer (migrating EE info from one system to another; cannot be adverse to EE rights and freedoms, cannot be used as grounds for processing special categories of data)

Consent (freely given consent is difficult to prove due to unequal distribution of power between EE and employer; processing may be unlawful or unfair under local law, even if the EE has consented)

60
Q

Processing sensitive employee data

A

Employers must comply with one of the exceptions specified in Article 9 of the GDPR. First, explicit consent (freely given), which should be used as a last resort

May be necessary for employer to establish, exercise or defend legal claims

May be necessary for the controller to carry out obligations and exercise specific rights under employment, social security (SS) or social protection laws where authorized by EU or MS law

61
Q

Storage of personnel records

A

Records that contain personal data should not be kept longer than necessary

62
Q

Trade unions/works councils

A

Employers may also be obligated to communicate with a trade union or works councils; in certain jurisdictions, works councils may have considerable power over processing of EE personal data, requiring notification, consultation, and approval from works councils; trade unions and works councils may need to ensure they comply with GDPR, too.

63
Q

Lawful employee monitoring

A

MS data protection law may have specific requirements restricting use of employee monitoring systems

EE rights and freedoms must be balanced against the rights of the employer, and alternatives to monitoring should always be considered; prevention may be a better option (block websites)

Includes background checks, which are increasingly used for screening candidates

Another form is data loss prevention (DLP) technology; used to protect IT infrastructure and confidential business information from external and internal threats, but it involves processing EE and other third party personal data since it operates on networks and systems used by EEs; the overriding intention is preventing loss of an org’s data.

Personal data collected through monitoring must be: (1) held securely; (2) accessed only by those within the org with legitimate reason; and (3) deleted when no longer needed (may be business need to retain it).

To monitor EEs lawfully, an employer must ensure the monitoring is necessary (may require a DPIA; consider any less intrusive options), proportional (data minimization), transparent (EEs clearly informed) and legitimate (lawful grounds, fair processing)

64
Q

Whistleblowing schemes

A

Sarbanes-Oxley Act 2002 - companies must have a system in place to receive anonymous complaints about potential wrongdoing, incl fraud, misappropriation of assets and material misstatements in financial reporting.

EU law strongly discourages anonymous reporting; some local DPAs will consider a whistleblower scheme illegal if it mentions the ability to make anonymous reports

Under EU law, once a report is investigated and found unsubstantiated, it should be deleted after a fairly short period of time (3-6 mos)

Divergence between MS about what can be reported through a whistleblowing system - need to understand what may be reported legally in different countries.

If an individual has been the subject of a WB report, you have to tell them they’ve been the subject of a report, but you don’t have to tell them immediately. If it’s substantiated, you have to communicate that to them, and they have the ability to access the report and to seek correction of anything in it they think is inaccurate (you still have to protect the reporter’s freedoms and private information)

Reports made in the EU and transferred to a non-EU country constitute an int’l transfer; may need model clauses or BCRs. If a third party service provider is int’l, be sure they have model clauses.

65
Q

Surveillance

A

Involves the observation of an individual or group of individuals; may be carried out openly or covertly, conducted in real time or by access to stored material

Includes: social network analysis and mapping, data mining and profiling, aerial surveillance, satellite imaging, telecommunications surveillance, CCTV cameras, biometric surveillance and geolocation technologies

May need to be conducted in a manner that overrides data subject rights, as recognized by Article 23 of GDPR, which permits MS or EU law to restrict the rights granted in Chapter 3 (rights of the data subject).

Such a restriction must respect the essence of the fundamental rights and freedoms and be a necessary and proportionate measure in a democratic society

May be conducted by public and state agencies for national security or law enforcement purposes (respect individual rights enshrined in Charter of Fundamental Rights, right to private and family life and protection of personal data) or private entities for their purposes (based on legitimate purposes, must comply with GDPR and national laws on confidentiality, privacy, data protection and other civil rights)

66
Q

Communications Data

A

Communication surveillance traditionally - interception of postal services and human spies; however, surveillance of electronic communications is more prevalent today

Personal data generated from e-comms is categorized as either the content of a communication or the metadata

Metadata - data about data, information generated or processed as a consequence of a communication’s transmission, also falls within the definition of personal data because it provides context to content and can be used to identify an individual

67
Q

Content of Communication

A

convo between parties in a call, words in an SMS message, email subject line, words in body of an email, attachments to an email

68
Q

Metadata

A

Traffic data - calling and called numbers in relation to a telephone call

Location data - latitude, longitude and altitude of a user’s equipment; direction of travel; level of accuracy of location info; identification of network cell (Cell ID) in which a user device is located at a certain time; time and location info was recorded

Subscriber data - name, contact details and payment info of a subscriber

69
Q

ePrivacy Directive (Directive 2002/58)

A

Also called Cookie Directive and Privacy & Electronic Communications Directive.

Governs processing of location, content and traffic data over a public communications network or publicly available communications service - data passing over public telephone or internet carriers, or services that use a public communications network

Collection of precise location-based data - requires opt-in consent (with the exception of carriers, who need data to provide service)

Article 5(1) - confidentiality of the comms must be ensured and cannot be intercepted or disclosed to third parties unless there is consent from all users

Article 15(1) - MS can introduce some exemptions if necessary for very limited purposes such as national security and law enforcement

Access to traffic data is limited; however, telecom carriers can process traffic data for the purpose of conveying comms and possibly for some limited marketing activities with user’s consent

If data is passing over a private network (corp intranet) - ePrivacy rules do not apply; however, monitoring considerations are relevant

One provision allows for interception of a comm when an org has a lawful business purpose for accessing data going through their public networks. MS may define lawful business purpose

70
Q

CCTV

A

Video surveillance of individuals, including CCTV, contains personal data (images) which may be considered biometric data under GDPR; when collecting such personal data, compliance considerations should include:

lawfulness (e.g., legitimate interest, defense of legal claims, public interest, public authority; consent likely not possible)

biometric data is considered a special category of data, so processing can only be carried out if one of the permitted conditions specified in Article 9 applies

data protection impact assessment - required if video surveillance is considered to be high risk or if it involves systematic monitoring of publicly accessible area or if it’s included by the SA on a list of data processing ops that require DPIA

prior checking - notify and in some circumstances seek authorization from local regulator

proportionality - proportional to the purpose

information provision - for overt video surveillance, comply with transparency requirement (sign posted)

individual rights - individual may request copy of CCTV recording, may pose a challenge of protecting others’ privacy

measures to protect personal data and rights of individuals - staff training, CCTV policy, regular reviews to ensure compliance

71
Q

Location data

A

Location based services (LBS) utilize information about location to deliver a wide array of applications and services; may be derived from satellite network generated data, cell based mobile network generated data, and chip card generated data

Referred to as an identifier in definition of personal data (GDPR); if it can be used alone or in combination with other info to identify someone, it’s personal data

72
Q

Biometric data

A

Biometrics - personal data resulting from specific technical processing relating to the physiological, physical or behavioral characteristics of a natural person which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data (DNA, fingerprints, retina and eye patterns, voice, gait)

Main uses: Identification (who are you) and authentication (are you who you claim to be)

73
Q

Direct marketing

A

A communication, by whatever means of advertising or marketing material, directed toward specific individuals; messages that do not process personal data to communicate the marketing message or those that are purely service related in nature are not considered direct marketing

Most complex area - consent requirements are difficult, but crucial

Not only triggers data protection requirements but also other consumer protection regulatory requirements that vary from country to country; controllers must meet ALL national rules applicable to the direct marketing communications they send

Often involves using data collected from devices (location data and cookies)

No longer limited to postal mail and email, but can now be sent via third party platform messages, push messages and in-app messaging

74
Q

Direct marketing rules

A

Governed by GDPR and ePrivacy Directive

GDPR - applies to all direct marketing comms, regardless of channel, incl online advertising targeted at individuals based on browsing history; gives individuals absolute right to object to any form of direct marketing at any time (already there under consent, but also allowed under legitimate interest)

Direct marketers must meet these requirements: (1) lawful basis; (2) provide individuals with fair processing information; (3) appropriate technical and organizational measures to protect personal data; and (4) not exporting personal data outside EEA without adequate protection

Some MS require controllers to amend their contact lists against national opt out registers before sending direct marketing

ePrivacy Directive - applies to digital marketing comms - direct marketing communicated over electronic comm networks (phone, fax, email and message); also specifies rules that impact the use of online behavioral advertising

Different rules for different channels under ePrivacy Directive; most forms of digital marketing require opt-in consent (other than face to face); limited exemption from opt-in - market own similar products and services, ability to opt out at time contact details are collected, and reminded of ability to opt out in each subsequent marketing comm

75
Q

Online Behavioral Advertising (OBA)

A

website advertising targeted at individuals based on the observation of their behavior over time; is increasingly occurring through third party advertising networks with relationships with partnering website publishers that enable them to place cookies on individuals’ computers with unique identifiers; clearly defined in GDPR as personal data

ePrivacy Directive will generally apply to OBA regardless of whether or not OBA info collected constitutes personal data; use of cookies to store or access information in an individual’s computer is allowed only on the condition that the individual concerned has given their consent, having been provided with clear and comprehensive information

76
Q

Cloud computing

A

Provision of IT services over the internet; may provide infrastructure, platform, or application services, or a combination thereof

Commonalities: (1) infrastructure shared among customers and accessible in numerous countries; (2) customer data transferred around the infrastructure, according to capacity; and (3) supplier determines location, security measures and service standards applicable to processing

Challenging for cloud providers to determine whether GDPR applies; the EU has no specific legislation regarding cloud computing, but the technology neutral GDPR sets out controller and processor obligations

A cloud provider may be considered a controller when: it determines substantial and essential elements of the means of processing (e.g., data retention periods); it processes data for its own purposes; or it determines aspects of processing outside the controller’s instructions

77
Q

Web cookies

A

Text file stored on an individual’s computer by a website for later use; enables authentication of web visitors, personalization of web content and delivery of targeted advertising.

78
Q

Search engines

A

Services that find info on the internet; process large volumes of data, including IP addresses, cookies, user log files and third party web pages

Determine the purpose and means of processing data about users - they are controllers, and are controllers of personal data contained in third party web pages.

Search engines outside the EU are also likely subject to the GDPR in respect of their processing of personal data contained in third party web pages if they have an EU establishment whose activities are economically linked to the search engine’s core activities

79
Q

Social networking services

A

SNS - create opportunities for various parties and individuals to collect and use personal data; multiple controllers possible. SNS are controllers because they provide platforms for publishing and exchanging personal data as well as determining the use of personal information for advertising services

Authors of apps designed for SNS platforms that provide services in addition to the SNS may also be controllers as well

Users who act on behalf of an organization or knowingly extend access to personal data beyond selected contacts may also be controllers

SNS providers should be open and transparent about processing of personal data by providing: (1) notice if the personal data will be used for marketing purposes; (2) notice if personal data will be shared with specific third parties; (3) explanation of any profiling conducted; (4) info about processing of sensitive personal data; (5) warnings about risks to privacy; and (6) warning that if an individual uploads a third party’s personal data, such as photos, the consent of the third party should be obtained

Special considerations for sensitive personal data, third party personal data and children’s personal data:

Sensitive personal data - explicit consent is required

Third party personal data - if third party individuals’ personal data is published, SNS must have a legal basis for processing that personal data

Children’s data - requires parental consent; processing on the grounds of legitimate interest may not be possible

80
Q

Artificial Intelligence

A

The simulation of human intelligence created by machines and computers; AI can replace humans and act on its own to make automated decisions

Provisions within GDPR affect the AI functions of automated decision making (Article 22 highlights subject rights in conjunction with profiling and automated decision making)

Organizations implementing AI tech will want to ensure privacy regulations are being met in conjunction with the technology.

81
Q

Security of Processing

A

Security is very important to EU data protection law; often a prerequisite for achieving compliance with data protection principles

Security in practice should take a holistic approach; considerations may include mgmt and worker buy-in, policy framework, physical environment, information technology, and incident detection and response.

82
Q

Controller and processor obligations

A

Article 32:

State of the art - most cutting edge technology is not necessarily the best choice for security; reflect upon consensus of security professionals/experts

Cost of implementation - not required to choose the most expensive security controls, but should choose controls that reflect demonstrably good management decisions

Appropriate technical and organizational measures - results that those measures should bring about might include pseudonymisation, encryption, confidentiality, integrity and resilience

Level of security appropriate to risk - risk based approach based on risk assessment to determine controls for entire information lifecycle; controls are tighter and more sophisticated relating to vulnerable and special categories of data being processed

83
Q

Attributes of security controls (CIAR)

A

Confidentiality: individuals, entities, systems or applications access data on a need-to-know basis (access controls)

Integrity: controls in place to ensure data is accurate and complete

Availability: data is accessible when needed for a business activity

Resilience: data is able to withstand and recover from errors or threats

84
Q

Engaging processors

A

A data processor is a third party that processes data on behalf of a controller; controller shall only use processors providing sufficient guarantees to implement appropriate technical and organization measures in such a manner that processing will meet the requirements of this Regulation and ensure protection of the rights of the data subject

sufficient guarantees - covers assurance mechanisms such as appropriate checking and vetting of processor by supplier through a third party assessment of certification validations

Processor contract due diligence: data protection knowledge; recent high profile breaches; recent and current investigations; accreditations; policy framework; sub-processors; governed by a contract or other legal act under EU or MS law that is binding on the processor

Contract may be based on SCCs identified by the EC or SA; must set out: subject matter and duration of processing, nature and purpose of processing, type of personal data, categories of data subjects, and obligations and rights of the controller

85
Q

Data breach notification

A

Personal data breach (Article 4(12)) - breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed

86
Q

Controller and Processor Obligations for Communicating a Data Breach (Articles 33 and 34)

A

Processor must inform controller without undue delay after becoming aware

Depending on circumstances, controller must inform the SA and may be required to inform affected data subjects

87
Q

Data Breach Information Provision to SA

A

Obligated to report to SA without undue delay (within 72 hours of becoming aware) if breach is likely to result in a risk for the rights and freedoms of natural persons.

Notification should include: categories of affected data subjects, approximate number of data subjects and data records, name and contact details of the DPO or other POC, description of likely consequences of the breach, measures taken or to be taken in response to the breach

88
Q

Data Breach Information Provision to Data Subject

A

Should be notified without undue delay and in clear and plain language IF the breach is likely to result in a high risk to the rights and freedoms of those individuals.

Notification may not be necessary if:

(1) there was prior implementation of appropriate technical and organizational measures that rendered the personal data unintelligible or encrypted; (2) post breach actions greatly reduce the risk to the rights and freedoms of data subjects; or (3) individual notice requires disproportionate effort (in such case, equally effective public notification is still required).

SA may still decide the controller needs to notify the data subjects

89
Q

NIS Directive (Directive on Security of Network and Information Systems)

A

May 2018
First EU wide cybersecurity law
Not specifically concerned with personal data, but it aligns with GDPR and indirectly bolsters the security of personal data within orgs that are regulated by the Directive.

Focuses: national capabilities, cross border collaboration and national supervision of critical sectors

90
Q

Accountability

A

Article 24(1) mandates that the controller have a data protection program in place based on the nature, scope, context and purpose of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons; implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation; measures shall be reviewed and updated where necessary.

Risk based approach resulting in technical and nontechnical measures that can demonstrate compliance with the GDPR; continuously review and update.

Processors also have obligations (though not named specifically), record keeping and duty to support controller in fulfilling obligations

91
Q

Steps to Accountability

A

Implementing data protection by design and data protection by default

Conducting a DPIA

Maintaining data processing records

Possibly appointing a DPO

92
Q

Auditing privacy programs

A

DPAs have the following audit rights: audit or inspect premises and processing equipment, data protection written systems, and data protection business operations

DPAs can issue warnings or put a stop to business activity

Regulators have the right to conduct audits

93
Q

Data protection by Design

A

More familiar with “by default”

Begins prior to processing and incorporates data protection considerations into the planning phase.

Sustains those considerations into the processing phase by limiting the collection, processing, storage and accessibility of personal data

Orgs should build data protection into their products throughout their life cycle (from the time of planning); necessary safeguards should be integrated into the org’s systems; GDPR highlights data minimization and pseudonymisation; the program assesses the risks of a product and takes steps to mitigate those risks to meet the data protection by design requirements

94
Q

Data protection by default

A

Where a product or service provides users with multiple setting options, the most data protective settings should be the default.

Users should have to opt into any setting that presents greater risks.

By default, a product or service processes only the necessary personal data

Considerations: purpose of processing, amount of personal data collected, extent of processing, storage period and accessibility

95
Q

Data Protection Impact Assessment (DPIA)

A

Main values: (1) help with incorporating data protection considerations into org planning and (2) help with demonstrating compliance to SAs

When is a DPIA required? if processing is likely to entail a high risk to the rights and freedoms of natural persons

Risks should be considered from the POV of the data subject and the SA

Considerations: nature, scope, context, purpose, type of processing, and use of new technologies

Use of new technologies whose consequences and risks are less understood may increase the need for DPIA

Ex of processing that would require a DPIA: (1) systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing; (2) processing on a large scale of special categories of data or of personal data relating to criminal convictions or offenses; (3) systematic monitoring of a publicly accessible area on a large scale

Should include: (1) description of processing, incl purpose and legitimate interest; (2) necessity of processing, its proportionality and the risks that it poses to data subjects; and (3) measures to address those risks (by design and by default controls)

When must a SA be contacted? high risk to data subjects that is not mitigated. SA will provide advice and can block processing activities within 8 weeks (or add’l 6 weeks for complex situations)

96
Q

Data Protection Policy

A

Useful tool to ensure that an org’s EEs are properly trained and follow GDPR reqs

Purpose: explain to EE what can and cannot be done with data they are handling and to outline consequences of a policy breach

Falls within the appropriate technical and org measures category and may be included as part of a larger data protection program

Not required for all situations but should be used where proportionate in relation to processing activities

GDPR does not specify contents, best practices - considerations: concise and understandable language; consider how metrics may be used to demonstrate results; ensure tasks are achievable, realistic, relevant and timely

97
Q

Recording obligation

A

Important aspect of accountability is being able to demonstrate compliance with the regulation - applies to both controllers and processors

What triggers recording obligation: processing personal data for orgs of 250+ EEs; or regardless of size, if processing is likely to result in a high risk to the rights and freedoms of data subjects, is not occasional, or incl special categories of data or data relating to criminal convictions or offenses

98
Q

Controller and processor records/obligations

A

Name/contact info of controller and DPO

Purposes of Processing (not req’d by processor)

Categories of data subjects, personal data and recipients of data (processor - cats of data)

Int’l data transfers and measures put in place to ensure lawfulness

How long the data is retained and timeline for deleting (not req’d by processor)

General description of technical and org security measures

99
Q

DPO role

A

Staff member or contractor appointed by the controller or processor to ensure and demonstrate compliance with data protection law; must be an expert in data protection law and practices

Required in certain circumstances (Article 37): (1) controller is public authority; (2) core activities of controller or processor include regular and systematic monitoring of data subjects on a large scale; (3) if core activities of controller or processor consist of large scale processing of special categories of personal data

100
Q

DPO Guidelines

A

Large scale - determined based on number of data subjects concerned, the volume or range of data items, the duration of processing and/or the geographical extent of processing

Regular and systematic monitoring - all forms of tracking and profiling on the internet, including for purposes of behavioral advertising; not restricted to the online environment

Tasks and responsibilities: (1) ensure compliance with regulation; (2) advise controller, processors and EEs who carry out processing of their data protection obligations; (3) manage risk; (4) be a point of contact with SA; (5) communicate with data subjects and the SA; provide advice on and monitor DPIA; exercise professional secrecy

Should report to the highest level of management

Controller or processor may not instruct the DPO with regard to their tasks or curtail their action

101
Q

Obligation to designate a rep in the EU

A

Controllers or processors that process personal data within the territorial scope of GDPR Article 3(2) must designate a rep within the MS of the data subjects to whom that processing applies.

Article 3(2) - processing of data subjects in the EU by controllers or processors not established in the EU where the processing activities are related to offering them goods or services or monitoring their behavior that takes place within the EU

102
Q

Supervisory Authorities (SA)

A

Also known as data protection authorities, promote, monitor and enforce GDPR

(1) promote awareness by helping orgs understand their obligations in an advisory capacity; (2) conduct investigations; (3) protect fundamental human rights by providing info to individuals; (4) draw up annual reports that explain data protection in their country; facilitate the free flow of personal data within the EU

Three categories of power: (1) investigative powers; (2) corrective powers; and (3) authorization and advisory powers

103
Q

Lead Supervisory Authority

A

Primary regulator responsible for dealing with the cross-border processing activities of controller or processor, including coordination of operations of all supervisory authorities concerned.

104
Q

Cross-border processing

A

Processing of personal data which takes place in the context of the activities of the establishments in more than one MS of a controller or processor in the Union where the controller or processor is established in more than one MS OR processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to affect data subjects in more than one MS

Identifying LSA - place of central administration, unless decisions about purpose, means and implementation of processing occur at a different location; then that one will be the lead.

105
Q

Cooperation and consistency between SA

A

Mechanisms to support cooperation and consistency between SAs:

Cooperation; mutual assistance (relevant info passed between SAs); joint operations (joint investigation and enforcement); consistency mechanism (collaborative process for adopting certain measures and ensuring consistent GDPR application); dispute resolution; urgency procedure (immediate adoption of provisional measures within a MS)

106
Q

European Data Protection Board (EDPB)

A

Replaced Article 29 Working Party

Rep of every MS’s SA (31 member states of EEA); only reps from 27 EU MS may actively participate.

Presided over by a Chair who is elected by the EDPB reps

European Data Protection Supervisor (EDPS) and the Commission participate on the board, but EDPS has limited voting rights and the Commission has none

EDPB must act independently; roles are to monitor for correct application of GDPR and oversee the consistency mechanism; issue guidance and advice to the Commission; and preside over the dispute resolution process

107
Q

Administrative Fines

A

20,000,000 Euros or 4% of total turnover (denying fundamental right to privacy) or 10,000,000 Euros or 2% of total turnover (data breaches)