Compliance Considerations (8)

Question 1

What does Article 88 allow member states to do regarding rules around processing of employee data?

Answer 1

To establish - by law or collective agreement - more specific rules around processing employees’ data

must include safeguards to dignity, interests and rights

Question 2

What 3 elements must be safeguarded in member state rules established under Article 88?

processing in the context of employment

Answer 2

suitable and specific measures to to safeguard:

1. Human dignity
2. Legitimate interests
3. Fundamental rights (transparency of processing, transfer of personal data and monitoring in the workplace)

Question 3

What are three most common legal bases to process employee personal data?

Answer 3

1. Fulfillment of a contract (e.g. bank account info for salaries)
2. Compliance with legal obligation (e.g. tax authorities)
3. Necessary for legitimate interests (e.g. data management)

consent in contract not valid under data protection law

Question 4

Can consent serve as a legal basis for processing employee data?

Answer 4

Unlikely.

Due to imbalance of power. Where consent is not freely given it is not valid.

Question 5

Can explicit consent be used as a legal basis for processing employee special category data?

Answer 5

No, not freely given

some cases not possible to lift prohibition on special category

Question 6

Under what two legal bases can an employer process special category data?

Answer 6

1. Establish, exercise or defend legal claims
2. Carry out obligations and exercise specific rights under employment law

Question 7

Who is responsible for personal data processed on an employee’s device for work-related purposes?

Answer 7

The employer as the controller

Question 8

What are 5 elements of effective management of a BYOD program?

Answer 8

1. Provide notice to employees
2. Have a BYOD policy - how employees can use BYOD and responsibilities
3. Know where data is stored and measures to keep secure
4. Ensure transfer from device is secure
5. Offboarding procedure

Question 9

What are the 4 conditions of lawful monitoring of employees?

Answer 9

Necessary - (ie is there a less intrusive)
Legitimate - (ie lawful grounds?)
Proportional - (ie proportionate to the issue)
Transparent - (ie employee informed)

Question 10

What are 3 types of monitoring carried out in employment?

Answer 10

Background checks
Data loss prevention
Whistleblowing schemes

Question 11

What is the best way to determine if an employee monitoring initiative is compliant ?

(necessary, legitimate and proportionate)

Answer 11

Conduct a DPIA

Question 12

What is surveillance?

Answer 12

the observation of an individual or group of individuals

can be covert or open or real time or stored

(SNA, data mining, aerial, satellite, telecom, biometric, geoloc)

Question 13

What are the 10 circumstances where the scope of data subject rights can be limited by legislative measure?

Article 23

Answer 13

1. national security
2. defense
3. public security
4. crime
5. general public interest of the union
6. judicial proceedings
7. regulated professions breach of ethics
8. regulatory functions
9. protection of rights and freedoms of others
10. enforcement of civil claims

Question 14

What 2 conditions must apply to restrict the scope of data subject rights under Article 23?

Article 23

Answer 14

1. respect essence of fundamental rights and freedoms
2. necessary and proportionate measure in a democratic society

Question 15

What does Recital 66 of the Law Enforcement Protection Directive (LEPD) state?

Answer 15

Lawful, fair and transparent personal data processing should not prevent law enforcement authorities from carrying out activities to:

investigate criminal offenses
safeguard public security

Question 16

What is content data versus metadata in electronic communications?

Answer 16

1. Content: content of communication
2. Metadata: data about the data about communication’s transmission

Question 17

What regulation(s) protects the content of e-communication?

Answer 17

Freedom of expression

EPrivacy Rules (cant see content without consent of both parties)

Question 18

What regulation(s) protects the metadata of e-communication?

Answer 18

GDPR

falls within definition of personal data

Question 19

What regulation sets rules about data passing over public electronic communication networks?

Answer 19

ePrivacy Directive

governs processing of location, content and traffic data

Question 20

Does the ePrivacy Directive apply to private communications networks?

Answer 20

No

Question 21

What is required to obtain location data?

ePrivacy Directive

Answer 21

opt-in consent for precise location-based data

(except when data required to provide the service)

Question 22

What does the ePrivacy directive require for content data?

Answer 22

Article 5 - confidentiality unless consent from all parties

Article 15 - member states can introduce some exceptions

Question 23

What does the ePrivacy directive require for traffic data?

Answer 23

Limit access to traffic data

Can process traffic data for some limited marketing with user’s consent

Question 24

What does the ePrivacy directive require for traffic data?

Answer 24

Limit access to traffic data

Can process traffic data for some limited marketing with user’s consent

Question 25

Does CCTV require prior authorization?

Answer 25

In many countries CCTV triggers requirement to notify local regulator and in some cases seek authorization

Question 26

When is a DPIA required for CCTV?

Answer 26

high-risk systematic monitoring of publicly accessible area on a large scale

if required by SA of list of data processing operations that require DPIA

Question 27

Is location data within the GDPR definition of personal data?

Answer 27

Yes, if can be used alone or in combination with other information to identify

Question 28

What are the 3 main areas of location data identified by Google?

Answer 28

implicit location - search terms
internet traffic - IP
device-based location - google maps

Question 29

What is biometrics data?

Answer 29

personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm unique identification

Question 30

What are the two uses of biometrics systems?

Answer 30

1. Identification - who are you
2. Authentication - are you who you claim to be

Question 31

When is biometric data considered special category data (article 9)?

Answer 31

when the purpose is for uniquely identifying an individual

Question 32

What is considered direct marketing?

Answer 32

directed to a particular individual
must process personal data to communicate the message
not service-related in nature

Question 33

Which laws regulate direct marketing?

Answer 33

ePrivacy Directive: marketing over electronic networks (phone, fax, email or SMS)

GDPR: all channels, including online targeting based on browsing history

Question 34

What right does GDPR establish for direct marketing?

Answer 34

absolute right to object to any form of marketing

Question 35

What does GDPR require of controllers related to direct marketing?

Answer 35

1. notice of right to opt out
2. allow individuals to opt out
3. honor opt out requests in timely fashion and no cost
4. remove personal data and profiling after opt out
5. ensure compliance with GDPR

Question 36

What is the best practice when an individual opts out of direct marketing?

Answer 36

To suppress rather than delete contact details to avoid reacquiring individual’s details later

Question 37

Is postal marketing subject to ePrivacy Directive?

Answer 37

No

Question 38

Is telemarketing subject to ePrivacy Directive?

Answer 38

yes

Article 13: member states decide if opt-in or opt-out
Individuals must have means to opt-out for free
Check opt-out registers against call lists

Question 39

Is email marketing subject to ePrivacy Directive?

Answer 39

Yes: email and SMS

Prior consent required

Question 40

In what cases is email marketing exempt from opt-in under ePrivacy Directive?

Answer 40

in the context of a sale of product or service

controller must market its own similar products/services
individuals must be able to opt out at time of collection
individuals must be reminded of ability to opt out

Question 41

Are web cookies subject to GDPR?

Answer 41

if they collect personal data

Question 42

Who is the controller of web cookies?

Answer 42

Data gathered by first party cookies –> website operator

Data gathered by third party cookies –> third party

Question 43

Which cookies are exempt from consent under ePrivacy Directive?

Answer 43

strictly necessary cookies and those used for solely carrying out communication transmission

Question 44

What does Article 5 of the ePrivacy Directive state regarding cookies?

Answer 44

organizations must obtain prior informed consent for storage or access to information stored on user’s terminal equipment

Question 45

What did the GDPR change regarding consent for cookies?

Answer 45

GDPR requires specific, informed and unambiguous indication of consent and must be presented separate from other matters.

CJEU clarified that consent must be obtained through active behavior (opt in)

Question 46

What is Online Behavioral Advertising?

Answer 46

website advertising targeted at individuals based on the observation of their behavior

Question 47

When does GDPR apply in cloud computing relationships?

Answer 47

When processing relates to activities of an EU establishment of the controller

Processing relates to offering goods or services to individuals in the EU, or monitor their behavior even when controller/processor not in the EU

Question 48

Who is a controller of personal data processed by search engines?

Answer 48

Search engines: determine the purpose and means of processing data about their users

Question 49

What was decided in Google vs AEPD regarding Google’s obligation to honor right to be forgotten?

Answer 49

Established Google as controller and required to remove links to a 1998 article about the plaintiff

Question 50

Are search engines outside the EU subject to the GDPR?

Answer 50

likely to be for processing of personal data contained in third party websites if they have an EU establishment with economic activities linked to search engine core activities

Question 51

Are search engine marketers considered controllers?

Answer 51

yes, when web traffic data is processed by search engines and provided as analytics to search engine marketers

Question 52

Who are considered controllers in social networking services?

Answer 52

1. Social networking services
2. Authors of applications designed for SNS platforms
3. Users acting on behalf of organization
4. Users extending access to personal data beyond contacts

Question 53

What is required to publish sensitive personal data on the internet?

Answer 53

Data subject – to know it’s voluntary
Third party – explicit consent

Question 54

What is required to publish third party personal data on SNS?

Answer 54

Must have legal bases

Question 55

Can third party data of individual who are not members of the SNS be aggregated to form a profile?

Answer 55

No

Question 56

What is required to process children’s data on SNS?

Answer 56

Parental consent

(under 16, member states can lower to 13)

Question 57

What does Recital 43 state with regard to consent as a valid legal ground?

Answer 57

consent is not valid where there is a clear imbalance of power

Question 58

Can an employer compile blacklists as part of background checks?

Answer 58

This is considered to be a significant intrusion of privacy and generally illegal

Question 59

Is use of a DLP tool considered employee monitoring?

Answer 59

Yes

Question 60

What 4 principles must a controller ensure if it will engage in workplace monitoring?

Answer 60

1. necessity
2. legitimacy
3. proportionality
4. transparency

Question 61

Can an employer take action against a rogue employee for actions caught through monitoring if notice of monitoring wasn’t provided?

Answer 61

probably not

requirement to notify is critical to how courts see these cases

Question 62

What are 4 types of surveillance data?

Answer 62

1. communications
2. video
3. biometric
4. location

Question 63

What are examples of surveillance?

Answer 63

employee monitoring
social networks analysis
daa mining and profiling
aerial surveillance
satellite imaging
telecommunications surveillance
mobile telecommunications location data
CCTV
geolocation or GPS

Question 64

Who regulates governmental surveillance activities for national security or law enforcement?

Answer 64

mostly member states

Question 65

What are the European essential guarantees for surveillance measures?

Answer 65

assess whether member state surveillance laws maintain the level of privacy and data protection expected by the EU Charter of Fundamental Rights

Question 66

What are the 4 considerations for conducting surveillance activities?

Answer 66

1. processing based on clear, precise and accessible rules
2. necessity and proportionality need to be demonstrated
3. independent oversight mechanism
4. effective remedies for individual

Question 67

What conditions are necessary when restricting the right to privacy in specific situations?

Answer 67

necessity and proportionality
and
due process connected

Question 68

What two categories of personal data do electronic communications generate?

Answer 68

1. Content of communication
2. Metadata of communication

Question 69

What are examples of communications metadata?

Answer 69

1. Traffic Data
2. Location Data
3. Subscriber Data

Question 70

Under what legal basis is CCTV commonly used?

Answer 70

Legitimate interest. Therefore, a balancing exercise must be carried out to ensure CCTV doesn’t override rights and freedoms

Question 71

What must a controller do when relying on legitimate interest as the legal basis?

Answer 71

Demonstrate interest exists, weigh against rights and freedoms of data subjects

Question 72

What should happen before the use of CCTV?

Answer 72

evaluate feasibility of using other less-intrusive methods and a finding of them to be inapplicable or inadequate

Question 73

Why should DPIAs be conducted before implementing video surveillance?

Answer 73

if video surveillance considered high risk

involves systematic monitoring of a publicly accessible area on a large scale

process special category data on a large scale

if on list of processing activities that require a DPIA (per SA)

Question 74

What is the definition of direct marketing?

Answer 74

any form of sales promotion, including charities and political organizations that is directed to particular individuals

Question 75

What is NOT considered direct marketing?

Answer 75

marketing communications not directed at individuals

messages that are purely service related

Question 76

Which marketing does GDPR apply to?

Answer 76

direct marketing communications - post, phone, fax, electronic mail, web browsing targeting

Question 77

Which marketing does the ePrivacy Directive apply to?

Answer 77

direct marketing communicated over electronic means - phone, fax, email, SMS

does NOT apply to postal

Question 78

Is the right to refuse (or opt out) of direct marketing absolute?

Answer 78

Yes.

if based on consent, can withdraw consent
if based on legitimate interest, exercise right to object (article 21)

Question 79

What does GDPR require for opt-ing out?

Answer 79

• individuals are always informed of their right to opt out
• marketers must allow individuals to opt out of all channels
• opt-out requests must be honored in a timely fashion and at no cost
• must delete all personal information on record (unless compelling legitimate grounds)
• profiling must be removed

Question 80

Should controllers suppress or delete data related to an opt-out request?

Answer 80

Suppress. to ensure they don’t reacquire individuals and remarket to them

Question 81

What is the general rule for digital marketing under the ePrivacy Directive?

Answer 81

prior opt-in consent required

Question 82

What is the exception to consent for the ePrivacy Directive?

Answer 82

email marketing to individuals whose data was collected in the context of a sale of a product or service

Question 83

What is required to obtain valid consent for the use of cookies?

Answer 83

1. information about use and purpose of the cookie provided to user
2. consent before placement of cookie in a clear affirmative manner
3. user must have a choice whether to give consent

Question 84

What criteria exists to determine if information was made manifestly public on Social Media platforms?

Answer 84

whether the user took a step to change default private settings to public

whether the social media platform is intended to connect close acquaintances or wider scope

accesibility of page with special category data

prominence of notice by the SMP that special category data will be made public

whether special category data was published by SMP user or third party

Question 85

What does Article 95 state with regard to the relationship between the GDPR and ePrivacy Directive?

Answer 85

GDPR shall not impose additional obligations in relation to processing in connection with provision of publicly available electronic communication services

Question 86

Which has stronger consent requirements for digial marketing - ePrivacy or GDPR?

Answer 86

GDPR

Question 87

What does ePrivacy Directive Article 5 require related to consent and cookies?

Answer 87

prior informed consent must be provided before placing the cookie on the user’s device

Question 88

What are the compliance responsibilities under GDPR for direct marketing activities?

Answer 88

1. Ensure lawful basis (consent or legitimate interest)
2. Provide fair processing information (data will be used for marketing)
3. Appropriate technical and organizational measures
4. No export outside of EEA without adequate protection
5. Satisfy other compliance duties under GDPR

Question 89

What regulations apply to background checks?

Answer 89

data protection and employment laws, which can vary between member states