CIPPE

Question 1

Who gives adequacy decision to transfer data outside the EU?

Answer 1

European Commission

Question 2

Article 8 of the Convention– Right to respect for private and family life
“1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic wellbeing of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

Which statement is correct about 8th article of European Convention on Human Rights?

Answer 2

The right to privacy has to be balanced with other rights in ECHR.

Question 3

What is the difference between ECHR and CJEU?

Answer 3

CJEU can force national governments to implement and honour EU law, ECHR cannot.

Question 4

Which institution can propose legislation about data protection on its own?

Answer 4

European Commission

Question 5

What is one major goal that the OECD Guidelines, Convention 108 and the Data Protection Directive (Directive 95/46/EC) all had in common but largely failed to achieve in Europe?

Answer 5

The synchronization of approaches to data protection

Question 6

A key component of the OECD Guidelines is the “Individual Participation Principle”.

What parts of the General Data Protection Regulation (GDPR) provide the closest equivalent to that principle?

Answer 6

The rights granted to data subjects under Articles 12 to 22

Question 7

What is required for a company to market to EU consumer via Email?

Answer 7

Prior opt in consent
OR
Previous consumer purchase

Question 8

How many EU member states are there?

Answer 8

28

Question 9

What is special about the Universal Declaration of Human Rights?

Answer 9

• The Human Rights Declaration contains specific provisions in connection with the right to a private and family life and to freedom of expression. (Basis of EU laws and standards)
• Article12: Private life and associated freedoms.
• Article19: Freedom of expression
• Article29(2): individual rights are not absolute and that there will be instances where a balance must be struck. (morality, public order and the general welfare in a democratic society)

Question 10

What is the application scope of the European Convention of Human Rights? (ECHR)

Answer 10

Member states of Council of Europe

Question 11

Why ECHR is a powerful instrument?

Answer 11

Because of the scope of the fundamental rights and freedoms, it protects. These include the right to life; prohibition of
torture; prohibition of slavery and forced labor; right to liberty and security; right to a fair trial; no punishment without law; respect for private and family life; freedom of thought, conscience, and religion; freedom of expression; freedom of
assembly and association; right to marry; right to an effective remedy; and prohibition of discrimination.

Question 12

What is the enforcement mechanism of the European Convention on Human Rights?

Answer 12

European Court of Human Rights (Strasbourg)

Question 13

What can the European Court of Human Rights rule and are they binding?

Answer 13

Rulings of the European Court of Human Rights are binding on
the states concerned and can lead to an amendment of legislation or a change in practice by national governments. At the request of the Committee of Ministers of the Council of Europe, the European Court of Human Rights may also give
advisory opinions that concern the interpretation of the ECHR and the protocols.

Question 14

Who and when adopted Universal Declaration of Human Rights?

Answer 14

-Adopted by the General Assembly of United Nations on 10 December 1948.

Question 15

What is common for Human Rights Declaration and ECHR?

Answer 15

Both the Human Rights Declaration and the ECHR inherently recognize a need for balance between the rights of individuals and the justifiable interference with these rights, which is a recurring theme within data protection law.

Question 16

Which European countries have data protection in their constitutions?

Answer 16

Spain, Portugal and Austria

Question 17

What is the most important guideline of OECD in the data privacy field?

Answer 17

Protection of Privacy and Transborder Flows of Personal Data (1980)

Question 18

What is the aim of OECD guidelines about transborder data transfer?

Answer 18

The aim of the Guidelines is to strike a balance between protecting the privacy and the rights and freedoms of individuals without creating any barriers to trade and allowing the uninterrupted flow of personal data across national borders.

Question 19

What are the principles of OECD transborder data flow guidelines?

Answer 19

• Collection limitation
• Data Quality
• Purpose specification
• Security Safeguards
• Openness
• Individual Participation
• Accountability

Question 20

Who and when adopted Convention 108?

Answer 20

28 January 1981 - Council of Europe

Question 21

What is the first binding international instrument on data protection?

Answer 21

Convention 108

Question 22

What is the only exception that parties can include to Convention 108?

Answer 22

Necessary measure in a democratic society’ (e.g., state
security or criminal investigation) reflecting the proportionality requirements embodied in Articles 6, 8, 10 and 11 of the ECHR.

Question 23

When parties can derogate from international data transfer under Convention 108?

Answer 23

Derogation from the provisions is permitted only where the exporting country has in place specific rules in its national law for certain categories of personal data or of automated personal data files and the importing country does not provide
equivalent protection or where the transfer is to a country that is not a party to Convention 108.

Question 24

What was the drawback of the 1995/46/EC Directive?

Answer 24

Directives are a form of legislation binding upon member states, but they ‘leave to the national authorities the choice of form and methods’ for implementation.

Question 25

What went specifically wrong with the 1995/46/EC Directive?

Answer 25

One example of inconsistencies arising due to divergence in the national law concerned the requirement for businesses to notify the Data Protection Authorities (DPAs) of their processing details. The national laws of the member states differed considerably as to their requirements in this regard, which resulted in substantial bureaucracy and cost for businesses, particularly for those that also transfer personal information to countries outside the EU.

Question 26

What is the Charter of Fundamental Rights?

Answer 26

Mix of EU Treaty, CJEU case law, EU member states’ constitutional traditions and ECHR. 2000 Nice but binding with 2009 Treaty of Lisbon.

Question 27

What are the core values of the Charter of Fundamental Rights?

Answer 27

• The processing must be fair
• The processing must be carried out for specified purposes
• There must be legitimate basis for the processing
• Individuals must have the right to access and rectify personal data
• There must be a supervisory authority to oversee compliance

Question 28

What is the aim of the Treaty of Lisbon?

Answer 28

Its main aim is to strengthen and improve the core structures of the EU to enable it to function more efficiently.

Question 29

What is the outcome of Lison Treaty?

Answer 29

The European Parliament and the Council shall lay down rules regarding processing of personal data by Union and Member States if it falls under Union law and it is about free movement of such data. DPAs will control the compliance.

Question 30

Who negotiated the GDPR?

Answer 30

Trilogue!

• European Commission
• European Parliament
• Council of EU.

Question 31

When there can be divergences from GDPR?

Answer 31

• Sector-specific laws (Ex: Employee Data)
• Archiving purposes in the public interest, scientific or historical research purposes, statistical purposes
• Special categories of personal data
• Legal obligation

Question 32

What are the key changes brought by GDPR?

Answer 32

• Stronger rights in the online environment
• Data Privacy Design & Default
• Accountability
• Increased powers for supervisory authorities
• One-Stop-Shop Concept
• Broader applicability when targeting EU consumers

Question 33

What’s new in Convention 108 +?

Answer 33

It’s like an update after GDPR to the convention:

• Processor
• Legal basis for processing data
• Genetic, Biometric Data, Ethnic, Origin, Trade Union Memberships
• Enhancing declaration of data breaches
• Transparency
• Demonstrative compliance (to supervisory authority)

Question 34

What is the aim of The Law Enforcement Data Protection Directive?

Answer 34

The aim of the LEDP Directive is to harmonise the rules in place across the member states to protect citizens’ fundamental rights whenever personal data is used by criminal law enforcement authorities, but it does not preclude member states from providing higher safeguards in their national law to protect the rights of data subjects.

Question 35

What is the purpose of the E-Privacy Directive?

Answer 35

The ePrivacy Directive sets out rules relating to processing personal data across ‘public communications networks’. (ePrivacy Regulation is still negotiating)

Question 36

What is mutatis mutandis?

Answer 36

When you adopt a law, if it needs some change to fit into the legal environment, it is mutatis mutandis.

Question 37

How can the UK transfer data to the EU after Brexit?

Answer 37

• Permission to transfer to the EEA and Gibraltar.
• Permit transfers made subject to an EU Commission adequacy decision
• Standard contractual clauses
• BCR

Question 38

What are the European Union’s institutions?

Answer 38

-European Parliament
-European Council
-The Council
-European Commission
-Court of Justice of the EU
-European Central Bank
-Court of Auditors
(Lisbon Treaty reformed the structure of EU’s institutions)

Question 39

What are the treaties that the Treaty of Lisbon changed?

Answer 39

• Charter of Fundamental Rights of the European Union (‘the Charter’)
• Treaty on European Union

Question 40

When Charter is applicable?

Answer 40

Only when the Member States are implementing Union law.

Question 41

Who didn’t sign the Charter of Fundamental Rights of the European Union (Charter) but made a protocol to be bound?

Answer 41

UK and Poland.

Question 42

What is the function of the European Parliament?

Answer 42

The European Parliament shall, jointly with the Council, exercise legislative and budgetary functions. It shall exercise functions of political control and consultation as laid down in the Treaties. It shall elect the President of the Commission.

Question 43

What are the responsibilities of the European Parliament?

Answer 43

• Legislative development
• Supervisory oversight of the other institutions
• Democratic representation
• Development of the budget

Question 44

How European Parliament and the Council legislates?

Answer 44

Ordinary Procedure: Both of them must assent to legislation. If it is opposed by either of them, they can’t legislate.

Consultation Procedure: Council must consult Parliament but not bound by the opinion.

Consent Procedure: For important decisions, Parliament’s consent is required. (Ex: EU Enlargement)

Question 45

How European Parliament is gathered?

Answer 45

Minimum 6 - Maximum 96 per member state. 751 MAX.

Question 46

Right to private life articles for ECHR & Universal Declaration of Human Rights?

Answer 46

ART 12 UDHR

ART 8 ECHR

Question 47

Freedom of expression articles for ECHR & Universal Declaration of Human Rights?

Answer 47

Art 19 UDHR

Art 10 ECHR

Question 48

What is the origin of adequacy?

Answer 48

95/46/EC

Question 49

What is first regional european data protection law?

Answer 49

Germany, Hesse 1973

Question 50

What is the first national european data protection law?

Answer 50

Sweden 1973

Question 51

What is the major advance of Directive over 108?

Answer 51

Its applicability to manual data. (held in filing system)

Question 52

Which legislation mandated to establish DPAs?

Answer 52

95/46/EC Directive

Question 53

When GDPR has a country-by-country approach?

Answer 53

Child data!

Question 54

According to GDPR, how you should keep your data in order to comply with data portability?

Answer 54

‘structured, commonly

used and machine-readable format’

Question 55

According to GDPR, when you should notify data subjects?

Answer 55

If it results in a risk for the rights and freedoms

of natural persons. (Otherwise just DPA in 72 hours)

Question 56

What is the application scope of ePrivacy Directive? (“The Privacy and Electronic Communications
Directive”)

Answer 56

The processing of personal data in
connection with the provision of publicly available electronic communications
services in public communications networks.

Question 57

What is the application scope of ePrivacy Directive? (“The Privacy and Electronic Communications
Directive”)

Answer 57

The processing of personal data in
connection with the provision of publicly available electronic communications
services in public communications networks.

Question 58

What is the main approach of ePrivacy directive to digital marketing?

Answer 58

OPT-IN

Question 59

How can you process location data under ePrivacy Directive?

Answer 59

Consent + Duration of necessary usage for value-added services

Question 60

What is the data breach requirement according to ePrivacy Directive?

Answer 60

The
most pertinent changes relate to the introduction of mandatory notification for
personal data breaches by electronic communications service providers – to both
the relevant national authority and the relevant individual in cases where the breach
is likely to ‘adversely affect the personal data or privacy of a subscriber or
individual’.

Question 61

When an you collect cookies under ePrivacy Directive?

Answer 61

Consent! Exceptions:

• Sole purpose of transmission of communication
• Strictly necessary for the service requested by subscriber or user.

Question 62

What is the first cybersecurity directive of EU?

Answer 62

The Directive on security of network and information systems (the ‘NIS Directive’)

Question 63

What is the directive invalidated by CJEU?

Answer 63

The Data Retention Directive (it was
disproportionate in scope and incompatible with the rights to privacy and data
protection under the EU Charter of Fundamental Rights.)

Question 64

Who controls directives implementation?

Answer 64

Commission