Chapter 1 - GDPR Flashcards
In what ways is GDPR extra territorial?
- Applies to data processors and controllers in the EU processing EU data subject personal data.
- Applies to data processors and controllers outside the EU who are processing EU data subject personal data for the purpose of selling goods or services or monitoring the behaviour of EU data subjects.
What is something special data processors and controllers outside the EU have to do?
Appoint an EU representative
What does Article 28 of the GDPR relate to?
Record keeping requirements
What is the maximum penalty under GDPR and what sort of offences can it be used for?
- 4% of global annual turnover or 20 million euros, whichever is greater: not obtaining consent or not having privacy by design.
- 2% of global annual turnover for:
  - not informing the regulator of a breach in a timely manner
  - not conducting a DPIA
  - breaching Article 28 (record keeping requirements)
How long do firms have to inform the regulator after discovering a data breach?
72 hours
Are clouds exempt from GDPR?
No because it impacts data controllers as well.
What does Article 17 relate to under GDPR?
Right to be forgotten/erasure
What does Article 23 relate to under GDPR?
Data minimisation - privacy by design - not giving access to those who don’t need it.
What are a data subject’s rights under GDPR?
- Right to consent
- Right to be forgotten - Article 17
- Right to access data
- Right to data portability
- Right to privacy by design - Article 23 - data minimisation
- Right to be informed of a breach
When is a Data Protection Officer required?
When there is systematic and large-scale processing of personal data, or processing of special category data.
What are the qualities and requirements for a DPO?
- Sufficiently trained and knowledgeable
- Report to the highest levels of management
- Adequately resourced
- Contact details shared with DPA
- Avoids conflicts of interest