Chapter 3D: Internet Technology and Communications Flashcards

1
Q

When may a cloud service supplier be considered a controller?

A

When it determined substantial and essential elements of the means of processing

When it processes data for its own purposes

When it determines aspects of the processing outside the controller’s instructions

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Because a controller has significantly more obligations under the GDPR, distinguishing _______ in a customer cloud service supplier relationship is essential?

A

Between the controller and processor.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

True or false: a cloud service supplier may determine technical and organisational means of processing and remain a processor

A

True

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

When might the GDPR be applicable to a cloud provider outside of the EU?

A

When the customer is subject to the GDPR (resident) - in which case the processing contract should contain required controls and obligations set out in the GDPR.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

When are cookies collection and analysis subject to the GDPR under Recital 30 of the GDPR?

A

Where the information collected from them is personal data.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Who is the controller in instances of web cookie collection?

A

The website operator is a controller of personal data collected by its own first-party cookies

Where the third party determines the means and purposes of processing of the personal data gathered from its third party cookies, it’s a controller

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What lawful basis do many organisations now rely on to process personal data in the form of online identifiers?

A

Consent.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What does article 5(3) of the eprivacy directive say about access to a user’s terminal equipment?

A

Organisations must obtain prior informed consent for storage or access to information stored on a user’s terminal equipment.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

What cookies are exempt from the consent requirement of the eprivacy directive?

A

‘Strictly necessary’ cookies used solely for carrying out communication transmission.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Who is the controller of personal data processed by search engines?

A

Search engines (because they determine the purposes and means of processing data about their users)

Search engine marketers (when web traffic is processed by search engines and provided as analytics, e.g. Google Analytics, to search engine marketers that fall within scope of the GDPR, the organisations conducting the marketing are also controllers)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Examples of cases re: search engines as controllers

A

Google v AEPD (2014)
CJEU ruled that Google remove from its search results linked to a 1998 newspaper article about the plaintiffs foreclosed house

This established that search engines are also controllers of personal data contained in third party webpages.

Search engines outside the EU are likely subject to the GDPR in respect of their processing of personal data contained in third party web pages if they have an EU establishment whose activities are economically linked to the search engine’s core activities.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

What steps can search engine marketers take to ensure that aspects of the web traffic analysis process are anonymised?

A

Ensuring that data, including IP addresses, is not stored in Google Analytics even after the user has accepted the placement of cookies

Anonymising IP addresses before storage of processing takes place

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Who is the controller of a social networking service?

A

The social networking service itself because it provides platforms for publishing and exchanging personal info as well as determining the use of personal information for advertising purposes

Authors of applications designed for SNS platforms that provide services in addition to the SNS

Users who act on behalf of an organisations or knowingly extend access to personal data beyond selected contacts

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Re sensitive personal data and social networks…

A

Explicit consent usually is required to publish data on the internet, unless its published by the data subject.

An SNS requesting personal data must ensure the individual knows that the provision of data is voluntary.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Re third-party personal data and social networks…

A

If third-party individuals’ personal data is published (for example, photo tags), the SNS must have a legal basis
for processing that personal data. According to the former Article 29 Working Party, third-party data of individuals who are not members of the SNS may not be aggregated to form profiles of those individuals.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Re children’s data and social networks…

A

As discussed in Module 4, processing children’s data
on the basis of consent requires parental consent.

This applies to
children under 16 years old; member States may lower this age limit to
13 years old. Processing on the grounds of legitimate interest may not
be possible (GDPR, Article 6[f]). According to the former Article 29
Working party, a controller should have regard for the best interests of
the child.