Class topics Flashcards

1
Q

What is the key distinction between personal and anonymous data?

A

Personal data is identifiable information, while anonymous data is not tied to any individual and falls outside the scope of GDPR.

2
Q

How does article 5 of the GDPR define pseudonymous data?

A

Pseudonymous data is defined in the GDPR as the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information. This additional information must be kept separately and is subject to technical and organisational measures which ensure that the personal data cannot be attributed to an identified or identifiable natural person.

It is still personal data however.

3
Q

How is pseudonymized data treated under GDPR?

A

Pseudonymized data is treated as personal data under GDPR, just like identifiable personal information.

4
Q

How does GDPR treat anonymous data?

A

Anonymous data is not covered under GDPR; however, its status depends on the cost of identifying the data subject. If it’s economically unfeasible, it can be considered anonymous.

5
Q

Define the role of a controller in processing personal data.

A

The controller decides the characteristics and process of personal data, being the person in control and responsible for the processing. The legal representative may differ from the controller.

6
Q

Who is the processor, and what role do they play?

A

The processor is someone, often external to the organization, who assists in processing personal data on behalf of the controller.

7
Q

According to GDPR, what is the first criterion for applying its rules?

A

The first rule is to look for the establishment of the company. If there’s a connection with a European territory, GDPR tends to apply.

8
Q

What is the second criterion for applying GDPR, and how does it relate to the data subject?

A

The second criterion is connected to where the data subject is physically located. If they are on European soil, GDPR rules should be followed.

9
Q

In which article of the GDPR is confidentiality explicitly mentioned?

A

Article 5.f of the GDPR specifically addresses confidentiality, emphasizing the importance of maintaining the integrity and confidentiality of personal data.

10
Q

What are the two kinds of liability a controller may face in GDPR?

A

Administrative liability involves fines imposed by supervisory authorities for breaches. Civil liability involves compensation claims from individuals affected by a data breach.

11
Q

How are Article 5 and Article 25 of the GDPR linked?

A

Article 5 principles, such as minimization and integrity, are specifications of Article 25, emphasizing the importance of data protection by design and by default.

So the principles of Article 5 are guidelines to Article 25.

12
Q

According to Article 6 of the GDPR, when is processing considered lawful?

A

Processing is lawful if at least one of the following conditions is met: the data subject gives consent, processing is necessary for a contract, for legal compliance, to protect vital interests, for a public task, or for legitimate interests.

13
Q

Which point of Article 6 specifies an exception to lawful processing for public authorities?

A

Point (f) of the first subparagraph of Article 6 specifies that it does not apply to processing carried out by public authorities in the performance of their tasks.

14
Q

Can Member States introduce more specific provisions for certain types of processing under Article 6?

A

Yes, Member States can maintain or introduce more specific provisions, especially for processing related to legal obligations and tasks carried out in the public interest.

15
Q

Which article of the GDPR prohibits the processing of special categories of personal data?

A

Article 9 GDPR prohibits the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for uniquely identifying a person, data concerning health, or data concerning a person’s sex life or sexual orientation.

16
Q

Under what circumstances can the processing of special categories of personal data be allowed, as per Article 9, despite the general prohibition?

A

Processing can be allowed if the data subject gives explicit consent for one or more specified purposes, except where Union or Member State law prevents the data subject from lifting the prohibition.

Processing is allowed if the personal data are manifestly made public by the data subject.

In short: consent, data made public, and states can object.

17
Q

When is processing special categories of personal data allowed for employment and social security purposes under Article 9?

A

Processing is allowed if it is necessary for fulfilling obligations and exercising specific rights related to employment and social security, as authorized by Union or Member State law or a collective agreement providing appropriate safeguards.

18
Q

In what situations can processing special categories of personal data be permitted to protect the vital interests of the data subject or another person?

A

Processing is allowed if it’s necessary to protect vital interests when the data subject is physically or legally incapable of giving consent.

19
Q

According to GDPR, what are the three defined roles in the context of processing personal data?

A

The three defined roles in GDPR are the Controller (decision-maker for data processing), Processor (works on behalf of the Controller), and Subprocessor (may be involved in more complex outsourcing chains).

20
Q

How does GDPR handle liability in outsourcing chains involving Processors and Subprocessors?

A

The liability is clearly defined within the contractual agreements. The Subprocessor is liable to the Processor, but there is no direct liability connection between the Subprocessor and the Controller.

21
Q

What should be ensured to comply with GDPR when transferring personal data between Processor and Subprocessor?

A

A contract must exist between the Processor and Subprocessor. Without this contract, the transfer is considered a breach of GDPR and can be treated as a data breach, especially if the data subject did not consent to the transfer.

22
Q

What does GDPR require when transferring personal data outside an organization?

A

There should be a legal basis for transferring personal data outside the organization. If there is none, the second company needs to be designated and nominated according to the roles defined by GDPR to avoid a data breach.

23
Q

Why is a contract crucial when transferring personal data between Processor and Subprocessor according to GDPR?

A

Without a contract, transferring data is considered a breach of GDPR. The contract ensures the roles, responsibilities, and liabilities are clearly defined, preventing unauthorized data transfers.

24
Q

What is the Schrems I case about?

A

The Schrems I case is about the invalidation of the Safe Harbour agreement, which allowed for the transfer of personal data from the EU to the US. The Court of Justice of the European Union (CJEU) invalidated this agreement due to concerns about the protection of EU personal data in accordance with EU data protection standards and fundamental rights.

25
Q

What is the Schrems II case about?

A

The Schrems II case led to the invalidation of the Privacy Shield agreement, which was a replacement for the Safe Harbour agreement invalidated in the Schrems I case. The CJEU found that the Privacy Shield did not provide adequate protection for EU personal data when transferred to the US.

26
Q

What are the implications of the Schrems I and II cases?

A

The Schrems I and II cases have had significant implications for the EU-US data transfer relationship, affecting trade and the development of technologies such as cloud computing and artificial intelligence. They have also placed additional obligations on data controllers and national data protection authorities to prospectively monitor and enforce compliance with protections that purport to afford essentially equivalent protections.

27
Q

How have the Schrems I and II cases influenced global data privacy?

A

The Schrems I and II cases have shaped how the world thinks about data privacy and have influenced the development of data protection laws globally. They emphasize the high value the Court places on securing EU personal data.

28
Q

What is a Data Protection Impact Assessment (DPIA)?

A

A DPIA is a formalized process used to evaluate the potential risks and impact of a product, project, or activity on individuals’ personal data and privacy rights. It is a key part of accountability obligations under the GDPR.

29
Q

When is a DPIA required under the GDPR?

A

Under the GDPR, a DPIA is required when processing personal data that is likely to result in high risks to individuals’ rights and freedoms. This includes using new technologies, tracking people’s location or behavior, systematically monitoring a publicly accessible place on a large scale, or processing sensitive personal data.

30
Q

What does a DPIA include?

A

A DPIA must describe the nature, scope, context, and purposes of the processing; assess necessity, proportionality, and compliance measures; identify and assess risks to individuals; and identify any additional measures to mitigate those risks.

31
Q

What happens if a high risk is identified in a DPIA that cannot be mitigated?

A

If a high risk is identified that cannot be mitigated, the organization must consult the relevant data protection authority before starting the processing.

32
Q

What is a Data Protection Officer (DPO)?

A

A DPO is an enterprise security leadership role required by the GDPR. The DPO ensures that an organization applies the laws protecting individuals’ personal data.

33
Q

What are the responsibilities of a DPO?

A

The DPO’s responsibilities include informing and advising the organization on data protection compliance, monitoring data protection compliance within the organization, providing advice on DPIAs, acting as a contact point for requests from individuals and DPAs, and cooperating with DPAs.

34
Q

When is the appointment of a DPO mandatory?

A

The appointment of a DPO is mandatory when the organization is a public authority, when the organization’s core activities consist of regular and systematic monitoring of individuals on a large scale, or when sensitive data or data relating to criminal convictions and offences are processed on a large scale.

35
Q

To whom does the DPO report in an organization?

A

The DPO must report directly to the highest level of management of the organization. They must not receive any instructions from the controller or processor for the exercise of their tasks.

36
Q

What is the right of access under the GDPR?

A

The right of access, also known as subject access, is a fundamental right under the GDPR. It allows individuals to obtain a copy of their personal data as well as other supplementary information.

37
Q

What is the purpose of the right of access?

A

The purpose of the right of access is to help individuals understand how and why their data is being used, and to ensure that the processing is done lawfully. It also allows the data subject to exercise further rights, such as rectification and erasure.

38
Q

What information must be provided when a right of access request is made?

A

When a right of access request is made, the controller must provide a range of information, including the processing purposes, the categories of personal data processed, the recipients or categories of recipients, the planned duration of storage, and information about the rights of the data subject.

39
Q

What is the timeframe for responding to a right of access request?

A

Information must be provided without undue delay and at the latest within one month.

40
Q

What is the right to erasure under the GDPR?

A

The right to erasure, also known as “the right to be forgotten”, is a fundamental right under the GDPR. It allows individuals to have their personal data erased.

41
Q

When does the right to erasure apply?

A

The right to erasure applies when the personal data is no longer necessary for the purpose which it was originally collected or processed, when the individual withdraws their consent to the processing and there is no other lawful basis for processing the data, when the individual objects to the processing of their data and there is no overriding legitimate interest to continue this processing, when the personal data has been unlawfully processed, or when the personal data has to be erased in order to comply with a legal obligation.

42
Q

Is the right to erasure absolute?

A

No, the right to erasure is not absolute and does not apply to data that may be created in the future.

43
Q

What is the timeframe for responding to a right to erasure request?

A

If a request for erasure is made, the organization must respond without undue delay and within one month.

44
Q

What are the 7 principles of the GDPR stated in Article 5? Explain them.

A

1. Lawfulness, fairness, and transparency: Personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject.

2. Purpose limitation: Personal data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

3. Data minimisation: Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.

4. Accuracy: Personal data must be accurate and, where necessary, kept up to date.

5. Storage limitation: Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

6. Integrity and confidentiality: Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage.

7. Accountability: The controller shall be responsible for, and be able to demonstrate compliance with, the above principles.

45
Q

What is data protection by design?

A

Data Protection by Design is about considering data protection and privacy issues upfront in everything you do. It requires organizations to implement technical and organisational measures, at the earliest stages of designing their processing operations, in such a way that safeguards privacy and data protection principles right from the start. This means integrating or ‘baking in’ data protection into your processing activities and business practices, from the design stage right through the lifecycle. For example, the use of pseudonymisation (replacing personally identifiable material with artificial identifiers) and encryption (encoding messages so only those authorised can read them) are part of this principle.

46
Q

What is data protection by default?

A

Data Protection by Default requires organizations to ensure that personal data is processed with the highest privacy protection by default. This means that only the data necessary should be processed, storage periods should be short, and accessibility should be limited, so that by default personal data isn’t made accessible to an indefinite number of persons. For instance, a social media platform should be encouraged to set users’ profile settings to the most privacy-friendly setting, for example by limiting from the start the accessibility of users’ profiles so that they aren’t accessible by default to an indefinite number of persons.

47
Q

What is the difference between data protection by design and by default?

A

In summary, while both principles aim to ensure the protection of personal data, they approach it from different angles. Data protection by design is about proactively embedding data protection into the design of systems and processes, while data protection by default is about ensuring the highest level of privacy settings are automatically applied.