CIPPE Module 4 - Processing Personal Data Flashcards

1
Q

What are the eight principles of the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980, revised 2013)?

A
1. Collection Limitation
2. Data Quality
3. Purpose Specification
4. Use Limitation
5. Security Safeguards
6. Openness
7. Individual Participation
8. Accountability
2
Q

What are the GDPR processing principles?

A

Defined by Article 5 of the GDPR
1. Lawfulness, fairness and transparency
2. Purpose limitation
3. Data Minimization
4. Accuracy
5. Storage Limitation
6. Integrity and Confidentiality
7. Accountability

3
Q

What is data processing?

A

Defined by Article 4(2) GDPR
- Any operation or set of operations performed on personal data, whether or not by automated means
- Includes collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination, alignment or combination, restriction, erasure or destruction
- Merely holding data counts as processing, so the GDPR applies from collection until destruction

4
Q

What is the territorial scope of the law?

A

GDPR applies when (Article 3):
1. The controller or processor is established in the EU and the processing is carried out in the context of the activities of that establishment, regardless of whether the processing itself takes place in the EU.
2. The controller or processor is not established in the EU but processes personal data of data subjects who are in the EU, where the processing relates to (a) offering goods or services to those data subjects, whether or not payment is required, or (b) monitoring their behaviour as far as that behaviour takes place in the EU.
3. The controller is not established in the EU but in a place where Member State law applies by virtue of public international law - e.g. a Member State's diplomatic mission or consular post (Recital 25).

5
Q

What is the material scope of the law?

A

GDPR applies when (Article 2):
- Personal data is processed wholly or partly by automated means, or
- Personal data is processed manually and forms, or is intended to form, part of a filing system

Exclusions are:
* Activities outside the scope of EU law - e.g. national security
* Member States' activities under the EU common foreign and security policy
* Purely personal or household activities of a natural person - e.g. a private address book
* Processing by competent authorities for the prevention, investigation, detection or prosecution of criminal offences and threats to public security - covered instead by the Law Enforcement Directive (EU) 2016/680

6
Q

What are the lawful grounds for processing personal data?

A

Six lawful bases defined by Article 6(1) of the GDPR:
1. Consent of the data subject
2. Performance of a contract with the data subject, or steps taken at their request before entering into a contract - e.g. processing a delivery address to complete a sale
3. Compliance with a legal obligation to which the controller is subject - e.g. an EU or Member State law requiring records to be retained
4. Protection of the vital interests of the data subject or another natural person - e.g. to render critical medical assistance
5. Performance of a task carried out in the public interest or in the exercise of official authority - e.g. tax collection
6. Legitimate interests of the controller or a third party, unless overridden by the interests or fundamental rights of the data subject - e.g. a company keeps an internal address book so that employees can reach each other

7
Q

What are the characteristics of consent that is a valid basis for processing personal data?

A
Article 4(11): consent must be a freely given, specific, informed and unambiguous indication of the data subject's wishes, given by a statement or by a clear affirmative action.
1. Freely given - a genuine choice, with no detriment for refusing and no power imbalance.
2. Specific - tied to a purpose and distinct, not bundled with other matters; separate consent for each purpose.
3. Informed - in plain language, not legalese: a) identity of the controller, b) purpose of each processing operation, c) type of data collected, d) right to withdraw consent, e) any automated decision-making under Article 22, f) risks of transfer to a third country.
4. Unambiguous - a clear affirmative act; silence, pre-ticked boxes or inactivity do not count as consent (Recital 32).

Consent is usually the least robust basis, because it can be withdrawn at any time and withdrawal must be as easy as giving it (Article 7(3)); rely on another Article 6 basis where one applies.

Employer-employee relations are inherently unequal, so employers will find it difficult to show that consent was freely given. The same applies to children, who may lack the capacity to consent (Article 8 sets the age of consent for information society services at 16, which Member States may lower to no less than 13).

The controller must be able to demonstrate that consent was given (Article 7(1)), so keep a record of when, how and to what the data subject consented.

8
Q

When is consent not an acceptable basis for processing personal data?

A
1. When there is a clear power imbalance between controller and data subject - e.g. the controller is a public authority or an employer (Recital 43).
2. When performance of a contract or provision of a service is made conditional on consent to processing that is not necessary for that contract; such consent is presumed not to be freely given (Article 7(4)).
3. Related, though it concerns a different basis: public authorities may not rely on "legitimate interests" for processing carried out in the performance of their tasks (Article 6(1), final sentence).
9
Q

GDPR Principles - what does lawfulness, fairness and transparency mean?

A
1. Lawfulness - every processing operation must rest on one of the Article 6 lawful bases (and, for special category data, on an Article 9 condition as well).
2. Fairness - processing must not be unduly detrimental, unexpected or misleading to the data subject - e.g. a travel website that raises ticket prices for destinations it has learned a particular data subject prefers.
3. Transparency - open and clear; tell data subjects what is done with their data in plain language, not technical jargon (Articles 12 to 14 set out the information that must be provided).
10
Q

GDPR Principles - what is Purpose Limitation?

A

Data controllers must only collect personal data for specified, explicit and legitimate purposes and must not further process it in a manner incompatible with those purposes.

Further processing for a secondary purpose is allowed only if that purpose is compatible with the original one. Article 6(4) lists the factors for the compatibility test: the link between the purposes, the context of collection and the data subject's reasonable expectations, the nature of the data, the possible consequences for the data subject, and the existence of safeguards such as encryption or pseudonymisation. If the new purpose is not compatible, a new legal basis (e.g. fresh consent) is required. Further processing for archiving in the public interest, scientific or historical research, or statistical purposes is deemed compatible provided the Article 89(1) safeguards are in place.

11
Q

GDPR Principles - what is Data Minimization?

A
• Data controllers must only collect and process personal data that is adequate, relevant and limited to what is necessary for the purposes for which it is processed.
• Involves the concepts of necessity and proportionality.
• Necessity - could the purpose be achieved without this data, or with less of it? If so, the data should not be collected.
• Proportionality - the amount and sensitivity of the data must be in proportion to the purpose; avoid a "save everything, just in case" approach.
12
Q

GDPR Principles - what is Data Accuracy?

A

Personal data must be accurate and, where necessary, kept up to date. Controllers must take every reasonable step to ensure that personal data which is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay. The principle is mirrored by the data subject's right to rectification (Article 16).

13
Q

GDPR Principles - what is Storage Limitation?

A

Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which it is processed. In practice this means defining retention periods up front and deleting or anonymising the data when they expire. Longer storage is permitted solely for archiving in the public interest, scientific or historical research, or statistical purposes, subject to the Article 89(1) safeguards.

14
Q

GDPR Principles - what is Integrity and Confidentiality?

A

Personal data must be "processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures".
This principle underpins the security obligations in Article 32 (risk-appropriate measures such as pseudonymisation and encryption; ongoing confidentiality, integrity, availability and resilience of processing systems; the ability to restore availability after an incident; and regular testing of the measures) and the breach notification duties in Articles 33 and 34. In practice it requires an information security programme proportionate to the risk to data subjects.
