Chapter 9 (Data Subject Rights) Flashcards

1
Q

What are the 9 data subject rights provided by the GDPR, and under which Articles are they listed?

A
  1. Right to transparent communication and information (Articles 12-14)
  2. Right of access (Article 15)
  3. Right to rectification (Article 16)
  4. Right to erasure, i.e. the right to be forgotten (Article 17)
  5. Right to restriction of processing (Article 18)
  6. Obligation on the controller to notify recipients of any rectification, erasure or restriction (Article 19)
  7. Right to data portability (Article 20)
  8. Right to object (Article 21)
  9. Right not to be subject to a decision based solely on automated processing, including profiling (Article 22)
2
Q

Under the GDPR, a controller must use what kind of effort to verify the identity of data subjects?

A

All reasonable measures (Recital 64). Where the controller has reasonable doubts about the identity of the person making the request, it may ask for the additional information necessary to confirm identity (Article 12(6)), but it should not demand more than is needed for that purpose.

3
Q

Under Article 12(3) what is a controller’s time frame for responding to a data subject’s request?

A

The controller must respond without undue delay and in any event within 1 month of receipt of the request.

4
Q

Under Article 12(3) can a controller’s time to respond to a data subject’s request be extended for specific situations or especially complex requests?

A

Yes. The period may be extended by 2 further months where necessary, taking into account the complexity and number of the requests. The controller must inform the data subject of the extension, together with the reasons for the delay, within 1 month of receiving the request, so the assessment has to be made during that first month.

5
Q

When a data subject exercises the right of access under Article 15, what 8 pieces of information must the controller provide in addition to a copy of the personal data?

A
  1. The purposes of the processing
  2. The categories of personal data concerned
  3. The recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations
  4. Where possible, the envisaged period for which the personal data will be stored or, if not possible, the criteria used to determine that period
  5. The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject, or to object to such processing
  6. The right to lodge a complaint with a supervisory authority
  7. Where the personal data are not collected from the data subject, any available information as to their source
  8. The existence of automated decision-making, including profiling (Article 22(1) and (4)), and, at least in those cases, meaningful information about the logic involved and the significance and envisaged consequences of such processing for the data subject
6
Q

Controllers need to consider upfront what processes and technology need to be in place in order to comply with data subjects' right of access. These processes should address the following 6 problems:

A
  1. Ensuring the organisation responds to a subject access request without undue delay and within 1 month of receipt (e.g. a ticketing or workflow system that tracks the deadline).
  2. Proportionate procedures to verify the data subject's identity when necessary.
  3. How to handle an access request about a child (the child's age and maturity, whether to respond directly to the child or to the parent, etc.).
  4. How to handle an access request that includes information about other people (redaction, consent of the other individuals, etc.).
  5. Verifying and honouring access requests made by proxies (e.g. a solicitor or relative acting on the data subject's behalf).
  6. How to handle a request the organisation considers manifestly unfounded or excessive (the controller bears the burden of demonstrating this under Article 12(5), so the decision needs thorough documentation).
7
Q

According to EDPB Guidelines 8/2020 on the targeting of social media users (adopted April 2021), what should data subjects be able to learn about a targeter?

A

The targeter's identity. Controllers should also facilitate access to information about the targeting, including the targeting criteria used and any other information required by Article 15 of the GDPR.

8
Q

Under the GDPR are there any formal requirements attached to a request for rectification?

A

No. Any individual can make the request either verbally or in writing, and it does not have to refer to the GDPR or to Article 16 to be valid.

9
Q

How long does a controller have to respond to a request for rectification?

A

Without undue delay and in any event within 1 calendar month of receipt of the request (Article 12(3)), extendable by 2 further months for complex or numerous requests.

10
Q

If a controller acts on an individual's request for rectification, and the organisation had previously disclosed the relevant personal data to third parties, what must the controller do?

A

Under Article 19 it has to communicate the rectification to each recipient to whom the data were disclosed (unless doing so proves impossible or involves disproportionate effort), and must tell the data subject who those recipients are if the data subject asks.

11
Q

Article 17(1) of the GDPR establishes that data subjects can request erasure (the right to be forgotten) if one of what 6 circumstances exists?

A
  1. The data are no longer necessary for the purposes for which they were collected or otherwise processed, and no new lawful purpose exists
  2. The lawful basis for the processing is the data subject's consent, the data subject withdraws that consent, and no other lawful ground exists
  3. The data subject objects under Article 21(1) and the controller has no overriding legitimate grounds for continuing the processing, or the data subject objects to direct marketing under Article 21(2)
  4. The data have been processed unlawfully
  5. Erasure is necessary for compliance with a legal obligation in EU law or the national law of the relevant member state to which the controller is subject
  6. The data were collected in relation to the offer of information society services to a child (Article 8(1))
12
Q

What does Article 17(2) of the GDPR require if the controller has made any personal data public and the data subject exercises the right to erasure?

A

Taking account of available technology and the cost of implementation, the controller must take reasonable steps, including technical measures, to inform other controllers that are processing the published personal data that the data subject has requested erasure of any links to, or copies or replications of, those data.

13
Q

Article 17(3) of the GDPR allows organisations to decline a data subject's erasure request to the extent that processing is necessary for what 4 purposes?

A
  1. Exercising the right of freedom of expression and information
  2. Compliance with a legal obligation under Union or Member State law to which the controller is subject, or the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  3. Reasons of public interest in the area of public health, or archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), where erasure would seriously impair or prevent the objectives of that processing
  4. The establishment, exercise or defence of legal claims
14
Q

Does the right of erasure apply to a controller’s backup systems?

A

Yes, as long as no exemption applies. In practice the controller must make sure the erased data are not restored to live systems from backup and are removed from the backups when the backup media are next overwritten, and should explain this to the data subject.

15
Q

How did the CJEU's decision in Google Spain v. Costeja (C-131/12, May 2014) impact the right to erasure?

A

It held that a search engine operator is a controller for its indexing of personal data, and that a data subject may require it to remove links to web pages from the list of results displayed following a search of their name where the information is inadequate, irrelevant, no longer relevant or excessive, even if publication on the original page is itself lawful. This delisting right, decided under the 1995 Data Protection Directive, was later codified in Article 17 of the GDPR.

16
Q

According to the EDPB, what 2 considerations must be taken into account when applying Article 17 of the GDPR to a search engine provider's data processing?

A
  1. A delisting request only affects the results returned for a search made on the basis of the data subject's name; the content remains reachable through other search terms.
  2. Delisting does not erase the personal data: the content stays on the original web page and can still be accessed there.
17
Q

Under the EDPB guidelines, what are the 4 grounds a data subject can rely on for a delisting request sent to a search engine provider based on Article 17(1) of the GDPR?

A
  1. The personal data are no longer necessary in relation to the search engine provider's processing (e.g. the information is obviously outdated), assessed against the initial purposes of the original processing.
  2. The data subject objects to the processing of their data under Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing by the data controller.
  3. The personal data have been unlawfully processed.
  4. The personal data were collected in relation to the offer of information society services (ISS) to a child (Article 8(1)).
18
Q

Under the EDPB guidelines, what are the 4 exceptions search engine providers may use to deny the right to request delisting according to Article 17(3) of the GDPR?

A
  1. The search engine provider can demonstrate that the content's inclusion in the list of results is strictly necessary for protecting the freedom of information of internet users.
  2. Processing is necessary for compliance with a legal obligation to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  3. Processing is necessary for reasons of public interest in the area of public health (Article 17(3)(c)).
  4. The search engine provider can demonstrate that delisting the content from the results page would be a serious obstacle to, or would completely prevent, archiving in the public interest, scientific or historical research, or statistical purposes in accordance with Article 89(1).
19
Q

Under Article 18 of the GDPR, data subjects have the right to restrict processing of their personal data if one of what 4 circumstances exists?

A
  1. The accuracy of the data is contested (and only for as long as it takes the controller to verify that accuracy)
  2. The processing is unlawful, but the data subject opposes erasure and requests restriction of use instead
  3. The controller no longer needs the data for their original purpose, but the data subject still requires them to establish, exercise or defend legal claims
  4. The data subject has objected under Article 21(1) of the GDPR and verification of whether the controller's legitimate grounds override those of the data subject is pending
20
Q

In accordance with Article 21(1) when may a data subject exercise its right to object?

A

Whenever the processing is based on Article 6(1)(e) (a task carried out in the public interest or in the exercise of official authority) or Article 6(1)(f) (legitimate interests), including profiling based on those grounds; the objection must be on grounds relating to the data subject's particular situation. Separately, Article 21(2) gives an unconditional right to object to processing for direct marketing.

21
Q

Can a data subject exercise its right to object verbally or in writing?

A

Yes, it may exercise its right in either manner.

22
Q

When exercising its right to object, may a data subject send the objection to any part of the organization or any person within the organization?

A

Yes.

23
Q

With regard to the balancing test triggered by a valid data subject objection, what 3 conditions must the controller's interest meet to count as a legitimate interest?

A
  1. It must be lawful (in accordance with applicable EU and national law)
  2. It must be sufficiently clearly articulated to allow the balancing test to be carried out against the interests and fundamental rights of the data subject
  3. It must represent a real and present interest, not a speculative one
24
Q

Under Article 21(6) of the GDPR, how is the right to object affected if the processing is for scientific or historical research purposes or statistical purposes?

A

The data subject may still object on grounds relating to their particular situation, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

25
Q

Article 22(1) establishes what with regard to automated processing?

A

A general prohibition on decisions based solely on automated processing, including profiling, that produce legal effects concerning the data subject or similarly significantly affect them. Read as a prohibition rather than a right the data subject must invoke, it applies irrespective of the data subject's actions (the interpretation adopted by the Article 29 Working Party and the EDPB).

26
Q

Under Article 22, the right not to be subject to automated decision-making applies only if what?

A

Only if the decision is based solely on automated processing (no meaningful human involvement) and produces legal effects concerning the data subject or similarly significantly affects them.

27
Q

Under Article 22(2), in which 3 cases is solely automated decision-making permitted despite the general prohibition, provided suitable safeguards are in place?

A
  1. It is authorised by Union or Member State law to which the controller is subject, and that law lays down suitable measures to safeguard the data subject's rights, freedoms and legitimate interests
  2. It is necessary for entering into, or the performance of, a contract between the data subject and the controller
  3. It is based on the data subject's explicit consent
In cases 2 and 3 the controller must, at a minimum, let the data subject obtain human intervention, express their point of view and contest the decision (Article 22(3)).