Chapter 2C: Data Processing Principles Flashcards

1
Q

What 6 principles are listed under Article 5 of the GDPR?

Principles related to processing personal data.

A

Lawfulness, Fairness & Transparency
Accuracy
Purpose limitation
Data minimisation
Storage limitation
Integrity & Confidentiality

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Re: lawfulness, fairness and transparency, this means that…

A

Personal data must be processed only if there is a legal ground and the processing must be carried out in a fair and transparent manner towards the data subject.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What lawful bases are applicable for data processing?

A

Art. 6

Consent
Contractual performance
Legal obligation
Vital interest
Public interest
Legitimate interest

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What is ‘consent’ as a lawful basis?

A

Data subject gives consent to the processing of their data for one or more specific processes.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

What is ‘contract performance’ as a lawful basis?

A

Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

What is ‘legal obligation’ as a lawful basis?

A

Processing is necessary for compliance with a legal obligation to which the controller is subject.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What is ‘vital interest’ as a lawful basis?

A

Processing is necessary in order to protect the vital interests of the data subject or another natural person.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What is ‘public interest’ as a lawful basis?

A

Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

What is ‘legitimate interest’ as a lawful basis?

A

Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights of the data subject - in particular when a child is concerned.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

What makes processing ‘fair’?

A

Fairness is linked to the idea that data subjects must be aware that their data will be processed, including how the data will be collected, kept and used, to allow them to make an informed decision about whether they agree to it and enable them to exercise their data rights.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

How can an organisation assess fairness?

A

With an assessment on how the processing will affect the data subject - if it negatively affects individuals and the detriment is not justified, the processing is unfair.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

What does the principle of transparency mean?

A

A controller must be open and clear toward data subjects when processing personal data.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

On what basis did the regulation eliminate the Directive’s general obligation to also notify data protection authorities of the processing of personal data?

A

This did not necessarily contribute to protecting personal data. Recital 89 explains that such indiscriminate general notification obligations should be abolished and replaced by effective procedures and mechanisms which focus instead on processing operations likely to result in a high risk to the rights and freedoms of natural persons by virtue of their nature, scope, context and purposes.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

What does the regulation promote instead of notifying DPAs of processing?

A

Notifying data subjects of how their data will be processed; the regulation prescribes minimum amount of information controllers should provide, but considers whether collected directly from the data subject or a third party.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

What does the GDPR say about the duty to inform in cases where the data was obtained directly from the data subject and the data subject is already aware of the information?

A

They are exempt from the duty to inform in this case.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

When are data controllers free from the obligation to provide information where personal data is collected from other sources?

A

Providing information involves a disproportionate effort or can be considered impossible

To protect the data subject’s legitimate interest, in which case the disclosure is expressly governed by applicable law

To preserve the confidentiality of the information, also regulated by the laws to which the data controller is subject

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

When should information be provided to a data subject under the transparency principle?

A

In a timely manner - when obtained directly from the data subject, it should be provided at the time of collection.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

What requirements are in place for the information provided to data subjects?

A

It should be clear, concise and easy to understand and provided in an accessible manner.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

What does the transparency principle say about information provided to children?

A

When processing involves personal data of children, the communication should be drafted in simple and plain language for the child to understand it.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

What does the transparency principle say about information obtained in the context of a medical examination?

A

The patients must be informed using plain language (no scientific or medical terms that may not be understood by individuals who are not medical practitioners must be included unless clearly explained) - this must be provided before examination is carried out.

21
Q

What mechanism is frequently used in a digital environment to inform individuals?

A

Privacy notices - using short and adhoc privacy notices instead of long legal texts is recommended and considered best practice.

22
Q

What does the regulation promote as a visual tool for transparency?

A

The use of visual and standardises icons or symbols as an alternative means to inform individuals in a concise and clear way.

23
Q

What does purpose limitation mean?

A

Data controllers must only collect and process personal data to accomplish specified, explicit and legitimate purposes and not process beyond these purposes unless processing is considered compatible with the purpose. for which it was originally collected.

24
Q

What should a controller do before processing personal data to comply with purpose limitation?

A

Identify the purpose for which personal data will be processed.

25
Q

The use of personal data for statistical purposes, public interest, scientific or historical research purposes will be considered compatible as long as…

A

Such secondary processing takes place within the limits set out by the EU or member state’s law that governs the particular processing. If not, controllers must consider whether this is compatible with the purposes for which personal data was originally collected.

26
Q

Secondary processing can only be lawfully carried out when…

A

Such processing is considered compatible with the original purpose for which the data was collected.

27
Q

To assess whether secondary processing is compatible with original purposes, the controller should take into account…

A

Any link between those purposes
The context in which the data has been collected and the reasonable expectations of the data subject
The nature of the personal data
Consequences for the data subjects
The existence of appropriate safeguards in both original and intended processing operations

28
Q

When the second processing is considered incompatible with the original processing purpose, what is required?

A

A separate legal ground (e.g. consent) before processing the data for this new purpose. They will also need to inform the data subjects.

29
Q

What does the principle of data minimisation mean?

A

Data controllers must only collect and process data that is relevant, necessary and adequate to accomplish the designated purpose.

30
Q

What two concepts are applied in data minimisation?

A

Necessity and proportionality.

31
Q

What is the concept of necessity re: data minimisation?

A

Data collected must be suitable and reasonable to accomplish the specified purpose (i.e. of a nature necessary to attain that purpose). Verifying whether the specific purpose can be accomplished by using anonymous data is a useful starting point, or if the scope can be broadened (e.g. an age bracket rather than date of birth being sufficient).

32
Q

What is the concept of necessity re: proportionality?

A

Controllers should consider the amount of data to be collected - excessive data collection may be disproportionate.
Daa controllers should take into consideration the adverse impact of means of processing, and verify whether less intrusive means exist or means with less adverse consequences.
Example of excessive or disproportionate means may include using biometric data to identify individuals when they could just have an identity card.

33
Q

Data protection law is applicable and valid in relation to big data projects; true or false?

A

True.
To legally process and successfully use and protect personal data in the digital economy, DPOs and data scientists are expected to work together to find creative ways to implement data minimisation re: big data projects.

34
Q

What is big data?

A

Big data is a term that describes the large volume of data – both structured and unstructured – that inundates a business on a day-to-day basis

35
Q

What does the principle of accuracy mean?

A

Controllers must take reasonable measures to ensure that data is accurate and, where necessary, kept up to date.

36
Q

What ‘reasonable measures’ can be taken to ensure data is accurate?

A

Implementing processes to prevent inaccuracies in data collection process (i.e. verifying data is accurate, complete and not misleading) and for ongoing use. The controller must consider the type of data and specific purposes to maintain the accuracy in relation to the purpose.
Controllers should evaluate how reliable the source is and take additional care where inaccuracy could be to the data subject’s detriment.

37
Q

When might the inaccuracy of personal data occur during the collection process?

A

If controllers do not properly verify the authenticity of the information

38
Q

What does the ICO say about keeping records of errors?

A

It’s acceptable to keep records of events that happened in error provided those records are not misleading about the facts.
For instance, a misdiagnosis of a medical condition can continue to be part of a patient’s medical records for the purpose of explaining previous treatment given to the patient.

39
Q

What responsibility does a controller have over incorrect data already collected?

A

It should respond to data subject requests to correct records that contain incomplete information or inaccuracies.

40
Q

What is the storage limitation principle?

A

Personal data must not be kept for longer than necessary for the purposes of processing. It should be securely deleted once the purpose has run its course.

Article 5(1)(e) personal data must be kept in a form which permits identification for no longer than necessary.

41
Q

When can personal data be kept beyond its purpose for processing?

A

It can only be kept for longer periods if processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

42
Q

How should a controller ensure that data is not kept longer than required?

A

Time limits should be established for erasure or periodic review. The controller must assess whether the data is to be used for one or several purposes and limit the processing to a period during which its needed to accomplish these purposes.
(e.g. deletion of data at the end of a recruitment process)

43
Q

What should a controller do in relation to statutory data retention periods?

A

Verify whether they exist for the type of processing (e.g. tax, health and safety, employment regs) - when the law is silent, internal retention periods should be set to meet the storage limitation principle.

44
Q

Data controllers may keep personal data for an unlimited period if…

A

The data has become irreversibly anonymised.

45
Q

What is the principle of integrity and confidentiality?

A

Article 5(1)(f) - Personal data must processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

46
Q

To protect and preserve personal data throughout its life cycle, controllers should…

A

Implement an information security framework

Look to techniques such as pseudonymisation and encryption

47
Q

When processing sensitive personal data, additional care should be taken. In this respect, a controller must take into account…

A

Potential impact on individuals that a breach of the integrity or confidentiality may cause to implement sufficient measures.

48
Q

How does the regulation reinforce all privacy principles?

A

Imposing the burden of proof re: proper implementation of the principles upon organisations which may be required to present evidence at any time on a supervisory authority’s request.