Chapter 2E: Information Provision Obligations Flashcards

1
Q

With relation to transparency, what does the regulation aim to ensure?

A

That it is clear to data subjects that their personal data is collected and processed, and that they are aware of their rights, the risks, rules and safeguards in relation to that processing. Controllers should be open and honest.

2
Q

What is the information that should be given to data subjects often referred to as?

A

Fair processing information.

3
Q

Controllers are more likely to be able to support a legitimate interest claim when…

A

a data subject is given clear information about how their personal data will be processed.

4
Q

How did the Directive ensure transparency?

A

Imposed a requirement that controllers notify their processing to a supervisory authority; data subjects could then consult that notification to learn more about the processing conducted by a particular controller.

The GDPR removed this as it did not in all cases contribute to improving the protection of personal data. It should be replaced by mechanisms and effective procedures which focus on processing operations likely to result in a high risk to the rights and freedoms of natural persons by virtue of their nature, scope, context and purposes.

5
Q

What is the combined effect of Article 13 (covering cases where data is collected from the DS) and Article 14 (re: instances where personal data is obtained from a third party source) of the regulation?

A

Data subjects have the right to receive certain information from controllers, regardless of whether they supplied the data directly or whether it was supplied by a third party.

6
Q

Article 13: the obligation to provide information to a data subject where personal data is collected from the data subject. What needs to be provided?

A

Identity and contact details of the controller and DPO
Purposes and legal basis for processing (if legitimate interest, outline this)
Recipients or categories of recipients of personal data
International transfers and whether this is adequate or based on another transfer mechanism and the means to obtain a copy of these

Further information for transparency:
Retention period
Data rights
Right to withdraw (when based on consent)
Right to complain
Whether statutory or contractual requirement
Existence of automated decision making

7
Q

Article 14: the obligation to provide information to a data subject where personal data is not obtained from the data subject

A

The controller must provide the data subject with the same information required in Article 13(1) and (2) but also…

The categories of personal data concerned
From which source the personal data originated and whether it came from publicly accessible sources

If origin cannot be given due to a number of sources, general information should be given (Recital 61)

8
Q

Under article 14, as personal data is not obtained directly from the data subject, there is no requirement to…

A

Inform the data subject where the provision of personal data is a statutory or contractual requirement, or to explain whether the data subject is obliged to provide the personal data and the possible consequences of not doing so.

9
Q

Information has to be provided to the data subject in Article 14(2) and Article 13 to ensure…

A

Fair and transparent processing.

10
Q

What differences exist between Article 13 and 14 obligations practically?

A

Time at which the required information should be provided and circumstances in which a controller does not have to provide information about processing.

11
Q

Further information provision obligations are imposed on controllers in the context of rights granted to data subjects. What article creates a freestanding right to be informed?

A

Article 15.

12
Q

When a data subject requests a controller to restrict processing of personal data, what must a controller do before lifting the restriction?

A

Inform the data subject of the restriction being lifted.

13
Q

Data subjects can object to processing where that processing is…

A

Conducted based on the controller’s legitimate interest or carried out in the public interest (including profiling based on these provisions)
or
For the purpose of direct marketing, including profiling in this arena

14
Q

Where data is transferred to a third country or international organisation on the basis of a controller’s legitimate interests and own assessment of the transfer, data subjects must be…

A

Informed of the transfer and of the compelling legitimate interests pursued by the controller.

15
Q

Where data is transferred to a third country or international organisation on the basis of consent under article 49(1)(a), data subjects must be…

A

Informed of the possible risks of the transfer due to the absence of either an adequacy decision from the Commission or other appropriate safeguards, such as standard data protection clauses.

16
Q

Where data is transferred to a third country or international organisation on the basis of a BCR, data subjects must be…

A

Provided with information about the general data protection principles contained in the BCR, their rights re the processing and how to exercise them, including the right to obtain compensation for breaches of the BCR and the liability arrangements under the BCR.

17
Q

Where a controller intends to process personal data for a purpose other than the original purpose, the controller must provide data subjects with…

A

Information about the new purpose, together with any relevant further information as referred to in Articles 13 and 14, as appropriate.

18
Q

In situations where two or more controllers jointly determine the purposes and means of processing, what does the regulation require of the controllers re: information provision?

A

Those controllers must transparently determine their respective responsibilities for complying with the regulation, in particular in relation to the obligation to provide information to data subjects under Articles 13 and 14. The essence of the arrangement should be made available to the data subjects, and the data subject must be clearly informed of which controller will field their data protection enquiries.

19
Q

Data subjects should be informed of personal data breaches - true or false?

A

True only in some circumstances, where the breach may have caused detriment.

20
Q

When personal data is collected from the data subject, when should the fair processing information be provided?

A

At the point of data collection.

21
Q

When personal data is collected from a source other than the data subject, when should the fair processing information be provided?

A

Within a reasonable period of obtaining the personal data, but at the latest within 1 month; or, if the personal data is to be used for communication with the subject, at the latest at the time of first communication; or, if a disclosure to another third party is envisaged, at the latest when the personal data is first disclosed.

22
Q

What does Article 21(4) of the regulation say about the timescale for giving information about the data subject’s right to object?

A

It must be provided to data subjects at latest at the time of first communication.

Similarly, Article 7(3) states that information about the right to withdraw consent must be provided before a data subject gives their consent.

23
Q

How should fair processing information be provided to data subjects?

A

In a concise, transparent, intelligible and easily accessible form using clear and plain language.
It should be provided in writing or by other means, including, where appropriate, by electronic means.

24
Q

Electronic means for fair processing information may be particularly relevant where…

A

There are a number of parties involved in the processing and technological complexity makes it difficult for data subjects to understand who is processing their personal data and for what purposes (e.g. online advertising).

25
Q

Fair processing information may be provided orally: true or false?

A

True when requested by the data subject.

26
Q

Can data subjects be charged for information provided under Articles 13 and 14?

A

No - it must be free of charge.

27
Q

What does the regulation require when standardised icons are presented electronically?

A

They must be machine readable.

28
Q

What format requirements are imposed by the regulation for information provided to data subjects in the context of consent?

A

A request for consent must be presented in a manner clearly distinguishable from other matters, and also in an intelligible and easily accessible form using plain and clear language.

29
Q

What format requirements are imposed by the regulation for information provided to data subjects in the context of the right to object?

A

Information must be explicitly brought to the attention of the data subject and presented clearly and separately from other information.

30
Q

Member states may legislate to provide specific rules for the processing of personal data in certain areas (for example, the processing of employee data in an employment context) - what must any additional rules introduced include?

A

Suitable and specific measures to safeguard data subject rights, in particular, in relation to the transparency of processing.

31
Q

When is the fair processing information required by Article 13(1) and 13(2) not required to be provided?

A

If the data subject already has the information.

32
Q

When is the fair processing information required by Article 14(1) and 14(2) not required to be provided?

A

If the data subject already has the information;

If obtaining or disclosing the personal data is expressly laid down by Union or member state law to which the controller is subject and which provides appropriate measures to protect the data subject’s legitimate interests;

Where personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or member state law;

If the provision of information proves impossible or would involve a disproportionate effort, in each case in particular for processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, provided that conditions and safeguards are met; OR the provision of fair processing information is likely to render impossible or seriously impair the achievement of the objectives of that processing (e.g. tipping off).

33
Q

How can an organisation assess the meaning and application of disproportionate effort?

A

Recital 40 of the Directive, which is largely replicated in Recital 62 of the regulation - the number of data subjects, the age of the personal data, or any appropriate safeguards adopted should be considered in assessing whether the effort would be disproportionate.

34
Q

What does WP29 say about disproportionate effort?

A

The disproportionate effort exemption should not be routinely relied upon

The disproportionate effort must relate directly to collection of personal data from a source other than the data subject

Controllers must document the assessment undertaken to determine that this exemption is applicable

The WP29 states that something is either impossible or not; there is no degree of impossibility.

35
Q

What does WP29 say about instances where origin of personal data cannot be provided?

A

As a result of the regulation’s requirement for privacy by design, organisations should be able to identify the source of the personal data they process (so in practice should not need to rely on Recital 61 and give ‘general information’ about various sources).

36
Q

The regulation allows member states to provide exemptions and derogations where processing is carried out for the purposes of…

A

Journalism, academic, artistic or literary expression, where those exemptions or derogations are necessary to reconcile the right to the protection of personal data with freedom of expression and information.

37
Q

What information requirements exist relevant to the use of cookies and similar technologies by the operators of websites, apps and other connected devices under the ePrivacy directive?

A

Storing or accessing information already stored in the terminal equipment of a subscriber or user is only allowed on the condition that the user has given their consent and has been provided with clear and comprehensive information.

The requirement to provide full and transparent disclosure of the use of cookies applies irrespective of the mechanism chosen to obtain consent, and operators must adopt a stand-alone cookie use policy to meet this obligation.

38
Q

What are the commercial benefits of effective fair processing information?

A

Increased data subject trust, contributing to loyalty and retention.
Data subjects will be likely to provide more valuable personal data to organisations they can trust.
The risk of complaints and disputes arising from the use of personal data will be reduced when the processing is explained.

39
Q

What approaches could a controller take to the provision of fair information?

A

Using layered fair processing notices
Providing just in time notices
Adopting privacy dashboards
Using alternative formats and channels of communication
Taking steps to adapt to the requirements of diverse technologies, in particular, the Internet of Things (IoT)

40
Q

What is a layered fair processing notice?

A

Most important information is provided in a short initial notice, and more detailed information is available should a data subject wish to know more.

WP29 - first layer should include purpose, controller’s identity, and rights granted by the regulation, along with processing which could surprise or have an impact on the data subject.
It should also make it clear what information is available and how to find more detail.

WP29 also considers it should be available to data subjects in one single place or document.

41
Q

What are the benefits of a layered fair processing notice?

A

Assists in addressing the conflict between the volume of information and the requirement that it be provided in a concise, easily accessible and intelligible manner

Shorter - easier to understand and remember

Layered notices can be used to account for space or time limitations

Longer notices tend to attract complicated legal terms and industry jargon that impair readability

42
Q

What care should controllers take with layered fair processing notices?

A

The content and timing of the information provided addresses all requirements

There is consistency in information provided in all layers

Information which must be explicitly brought to the attention of data subjects is not buried in secondary layers

43
Q

What is a just in time notice?

A

A notice which provides the data subject with information at the point at which it is relevant to them (e.g. information about the purpose of processing a specific item of personal data at the point at which they provide that data in an online form).

44
Q

What is a privacy dashboard?

A

A privacy dashboard is a one-stop shop that can link fair processing notices and allows data subjects to control how their personal data is processed. Controllers can engage with data subjects regarding processing of their data.

WP29 - this is most useful when data subjects access a service through multiple devices.

45
Q

Can alternative formats be considered by controllers for fair processing notices?

A

Yes - for example, animations for children

But a full unlayered version should always be available so that data subjects can search for and refer to it without the need to click through web pages, or easily read it in a different medium (such as a hard copy) if required.

46
Q

Some technologies present a challenge for fair processing information - e.g. usage of CCTV or drones. The WP29 recommends…

A

Using sign-posts and information sheets in the specific area of operation

Using social media, newspapers, leaflets and posters to inform when used at specific events

Making fair processing information available on the operator’s website

Taking time to ensure that the surveillance itself is visible

Ensuring that the operator is clearly visible with signage identifying them as the individual responsible

47
Q

IoT devices present a challenge for fair processing information - The WP29 recommends…

A

Hard copy privacy information with the device, providing a QR code, embedding videos in set-up information, or sending short message service (SMS) or email messages to enable data subjects to access this information.

48
Q

What is the Internet of Things (IoT)?

A

The Internet of Things (IoT) refers to a system of interrelated, internet-connected objects that are able to collect and transfer data over a wireless network without human intervention. E.g. Alexa.