Compliance Considerations (8) Flashcards

1
Q

What does Article 88 allow member states to do regarding rules around processing of employee data?

A

To establish - by law or collective agreement - more specific rules around processing employees’ data

must include safeguards to dignity, interests and rights

2
Q

What 3 elements must be safeguarded in member state rules established under Article 88?

processing in the context of employment

A

suitable and specific measures to safeguard:

  1. Human dignity
  2. Legitimate interests
  3. Fundamental rights (transparency of processing, transfer of personal data and monitoring in the workplace)
3
Q

What are three most common legal bases to process employee personal data?

A
  1. Fulfillment of a contract (e.g. bank account info for salaries)
  2. Compliance with legal obligation (e.g. tax authorities)
  3. Necessary for legitimate interests (e.g. data management)

consent given in a contract is not valid under data protection law

4
Q

Can consent serve as a legal basis for processing employee data?

A

Unlikely.

Due to imbalance of power. Where consent is not freely given it is not valid.

5
Q

Can explicit consent be used as a legal basis for processing employee special category data?

A

No, not freely given

in some cases it is not possible to lift the prohibition on special category data

6
Q

Under what two legal bases can an employer process special category data?

A
  1. Establish, exercise or defend legal claims
  2. Carry out obligations and exercise specific rights under employment law
7
Q

Who is responsible for personal data processed on an employee’s device for work-related purposes?

A

The employer as the controller

8
Q

What are 5 elements of effective management of a BYOD program?

A
  1. Provide notice to employees
  2. Have a BYOD policy (how employees can use BYOD and their responsibilities)
  3. Know where data is stored and the measures that keep it secure
  4. Ensure transfer from device is secure
  5. Offboarding procedure
9
Q

What are the 4 conditions of lawful monitoring of employees?

A

Necessary (i.e. is there a less intrusive alternative?)
Legitimate (i.e. are there lawful grounds?)
Proportional (i.e. proportionate to the issue)
Transparent (i.e. employee informed)

10
Q

What are 3 types of monitoring carried out in employment?

A

Background checks
Data loss prevention
Whistleblowing schemes

11
Q

What is the best way to determine if an employee monitoring initiative is compliant ?

(necessary, legitimate and proportionate)

A

Conduct a DPIA

12
Q

What is surveillance?

A

the observation of an individual or group of individuals

can be covert or open, real time or stored

(social network analysis, data mining, aerial, satellite, telecom, biometric, geolocation)

13
Q

What are the 10 circumstances where the scope of data subject rights can be limited by legislative measure?

Article 23

A
  1. national security
  2. defense
  3. public security
  4. crime
  5. general public interest of the union
  6. judicial proceedings
  7. breaches of ethics in regulated professions
  8. regulatory functions
  9. protection of rights and freedoms of others
  10. enforcement of civil claims
14
Q

What 2 conditions must apply to restrict the scope of data subject rights under Article 23?

Article 23

A
  1. respect essence of fundamental rights and freedoms
  2. necessary and proportionate measure in a democratic society
15
Q

What does Recital 66 of the Law Enforcement Protection Directive (LEPD) state?

A

Lawful, fair and transparent personal data processing should not prevent law enforcement authorities from carrying out activities to:

investigate criminal offenses
safeguard public security

16
Q

What is content data versus metadata in electronic communications?

A
  1. Content: content of communication
  2. Metadata: data about the communication’s transmission
17
Q

What regulation(s) protects the content of e-communication?

A

Freedom of expression

ePrivacy rules (can’t see content without consent of both parties)

18
Q

What regulation(s) protects the metadata of e-communication?

A

GDPR

falls within definition of personal data

19
Q

What regulation sets rules about data passing over public electronic communication networks?

A

ePrivacy Directive

governs processing of location, content and traffic data

20
Q

Does the ePrivacy Directive apply to private communications networks?

A

No

21
Q

What is required to obtain location data?

ePrivacy Directive

A

opt-in consent for precise location-based data

(except when data required to provide the service)

22
Q

What does the ePrivacy directive require for content data?

A

Article 5 - confidentiality unless consent from all parties

Article 15 - member states can introduce some exceptions

23
Q

What does the ePrivacy directive require for traffic data?

A

Limit access to traffic data

Can process traffic data for some limited marketing with user’s consent

25
Q

Does CCTV require prior authorization?

A

In many countries CCTV triggers requirement to notify local regulator and in some cases seek authorization

26
Q

When is a DPIA required for CCTV?

A

high-risk systematic monitoring of publicly accessible area on a large scale

if on the supervisory authority’s (SA) list of data processing operations that require a DPIA

27
Q

Is location data within the GDPR definition of personal data?

A

Yes, if it can be used alone or in combination with other information to identify an individual

28
Q

What are the 3 main areas of location data identified by Google?

A

implicit location - search terms
internet traffic - IP
device-based location - Google Maps

29
Q

What is biometric data?

A

personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm unique identification

30
Q

What are the two uses of biometrics systems?

A
  1. Identification - who are you
  2. Authentication - are you who you claim to be
31
Q

When is biometric data considered special category data (article 9)?

A

when the purpose is for uniquely identifying an individual

32
Q

What is considered direct marketing?

A

directed to a particular individual
must process personal data to communicate the message
not service-related in nature

33
Q

Which laws regulate direct marketing?

A

ePrivacy Directive: marketing over electronic networks (phone, fax, email or SMS)

GDPR: all channels, including online targeting based on browsing history

34
Q

What right does GDPR establish for direct marketing?

A

absolute right to object to any form of marketing

35
Q

What does GDPR require of controllers related to direct marketing?

A
  1. notice of right to opt out
  2. allow individuals to opt out
  3. honor opt out requests in timely fashion and no cost
  4. remove personal data and profiling after opt out
  5. ensure compliance with GDPR
36
Q

What is the best practice when an individual opts out of direct marketing?

A

To suppress rather than delete contact details to avoid reacquiring individual’s details later

37
Q

Is postal marketing subject to ePrivacy Directive?

A

No

38
Q

Is telemarketing subject to ePrivacy Directive?

A

yes

Article 13: member states decide if opt-in or opt-out
Individuals must have means to opt-out for free
Check opt-out registers against call lists

39
Q

Is email marketing subject to ePrivacy Directive?

A

Yes: email and SMS

Prior consent required

40
Q

In what cases is email marketing exempt from opt-in under ePrivacy Directive?

A

in the context of a sale of product or service

controller must market its own similar products/services
individuals must be able to opt out at time of collection
individuals must be reminded of ability to opt out

41
Q

Are web cookies subject to GDPR?

A

if they collect personal data

42
Q

Who is the controller of web cookies?

A

Data gathered by first-party cookies -> website operator

Data gathered by third-party cookies -> third party

43
Q

Which cookies are exempt from consent under ePrivacy Directive?

A

strictly necessary cookies and those used for solely carrying out communication transmission

44
Q

What does Article 5 of the ePrivacy Directive state regarding cookies?

A

organizations must obtain prior informed consent for storage or access to information stored on user’s terminal equipment

45
Q

What did the GDPR change regarding consent for cookies?

A

GDPR requires specific, informed and unambiguous indication of consent and must be presented separate from other matters.

CJEU clarified that consent must be obtained through active behavior (opt in)

46
Q

What is Online Behavioral Advertising?

A

website advertising targeted at individuals based on the observation of their behavior

47
Q

When does GDPR apply in cloud computing relationships?

A

When processing relates to activities of an EU establishment of the controller

When processing relates to offering goods or services to individuals in the EU, or to monitoring their behavior, even when the controller/processor is not in the EU

48
Q

Who is a controller of personal data processed by search engines?

A

Search engines: determine the purpose and means of processing data about their users

49
Q

What was decided in Google vs AEPD regarding Google’s obligation to honor right to be forgotten?

A

Established Google as controller and required to remove links to a 1998 article about the plaintiff

50
Q

Are search engines outside the EU subject to the GDPR?

A

Likely, for processing of personal data contained in third-party websites, if they have an EU establishment with economic activities linked to the search engine’s core activities

51
Q

Are search engine marketers considered controllers?

A

yes, when web traffic data is processed by search engines and provided as analytics to search engine marketers

52
Q

Who are considered controllers in social networking services?

A
  1. Social networking services
  2. Authors of applications designed for SNS platforms
  3. Users acting on behalf of organization
  4. Users extending access to personal data beyond contacts
53
Q

What is required to publish sensitive personal data on the internet?

A

Data subject – to know it’s voluntary
Third party – explicit consent

54
Q

What is required to publish third party personal data on SNS?

A

Must have a legal basis

55
Q

Can third-party data of individuals who are not members of the SNS be aggregated to form a profile?

A

No

56
Q

What is required to process children’s data on SNS?

A

Parental consent

(under 16, member states can lower to 13)

57
Q

What does Recital 43 state with regard to consent as a valid legal ground?

A

consent is not valid where there is a clear imbalance of power

58
Q

Can an employer compile blacklists as part of background checks?

A

This is considered to be a significant intrusion of privacy and generally illegal

59
Q

Is use of a DLP tool considered employee monitoring?

A

Yes

60
Q

What 4 principles must a controller ensure if it will engage in workplace monitoring?

A
  1. necessity
  2. legitimacy
  3. proportionality
  4. transparency
61
Q

Can an employer take action against a rogue employee for actions caught through monitoring if notice of monitoring wasn’t provided?

A

probably not

requirement to notify is critical to how courts see these cases

62
Q

What are 4 types of surveillance data?

A
  1. communications
  2. video
  3. biometric
  4. location
63
Q

What are examples of surveillance?

A

employee monitoring
social networks analysis
data mining and profiling
aerial surveillance
satellite imaging
telecommunications surveillance
mobile telecommunications location data
CCTV
geolocation or GPS

64
Q

Who regulates governmental surveillance activities for national security or law enforcement?

A

mostly member states

65
Q

What are the European essential guarantees for surveillance measures?

A

assess whether member state surveillance laws maintain the level of privacy and data protection expected by the EU Charter of Fundamental Rights

66
Q

What are the 4 considerations for conducting surveillance activities?

A
  1. processing based on clear, precise and accessible rules
  2. necessity and proportionality need to be demonstrated
  3. independent oversight mechanism
  4. effective remedies for individual
67
Q

What conditions are necessary when restricting the right to privacy in specific situations?

A

necessity and proportionality, and connected due process

68
Q

What two categories of personal data do electronic communications generate?

A
  1. Content of communication
  2. Metadata of communication
69
Q

What are examples of communications metadata?

A
  1. Traffic Data
  2. Location Data
  3. Subscriber Data
70
Q

Under what legal basis is CCTV commonly used?

A

Legitimate interest. Therefore, a balancing exercise must be carried out to ensure CCTV doesn’t override rights and freedoms

71
Q

What must a controller do when relying on legitimate interest as the legal basis?

A

Demonstrate interest exists, weigh against rights and freedoms of data subjects

72
Q

What should happen before the use of CCTV?

A

evaluate the feasibility of other, less intrusive methods and find them to be inapplicable or inadequate

73
Q

Why should DPIAs be conducted before implementing video surveillance?

A

if video surveillance considered high risk

involves systematic monitoring of a publicly accessible area on a large scale

process special category data on a large scale

if on list of processing activities that require a DPIA (per SA)

74
Q

What is the definition of direct marketing?

A

any form of sales promotion, including by charities and political organizations, that is directed to particular individuals

75
Q

What is NOT considered direct marketing?

A

marketing communications not directed at individuals

messages that are purely service related

76
Q

Which marketing does GDPR apply to?

A

direct marketing communications - post, phone, fax, electronic mail, web browsing targeting

77
Q

Which marketing does the ePrivacy Directive apply to?

A

direct marketing communicated over electronic means - phone, fax, email, SMS

does NOT apply to postal

78
Q

Is the right to refuse (or opt out) of direct marketing absolute?

A

Yes.

if based on consent, can withdraw consent
if based on legitimate interest, exercise right to object (article 21)

79
Q

What does GDPR require for opting out?

A
  • individuals are always informed of their right to opt out
  • marketers must allow individuals to opt out of all channels
  • opt-out requests must be honored in a timely fashion and at no cost
  • must delete all personal information on record (unless compelling legitimate grounds)
  • profiling must be removed
80
Q

Should controllers suppress or delete data related to an opt-out request?

A

Suppress, to ensure they don’t reacquire individuals and remarket to them

81
Q

What is the general rule for digital marketing under the ePrivacy Directive?

A

prior opt-in consent required

82
Q

What is the exception to consent for the ePrivacy Directive?

A

email marketing to individuals whose data was collected in the context of a sale of a product or service

83
Q

What is required to obtain valid consent for the use of cookies?

A
  1. information about use and purpose of the cookie provided to user
  2. consent before placement of cookie in a clear affirmative manner
  3. user must have a choice whether to give consent
84
Q

What criteria exist to determine if information was made manifestly public on social media platforms?

A

whether the user took a step to change default private settings to public

whether the social media platform is intended to connect close acquaintances or wider scope

accessibility of page with special category data

prominence of notice by the SMP that special category data will be made public

whether special category data was published by SMP user or third party

85
Q

What does Article 95 state with regard to the relationship between the GDPR and ePrivacy Directive?

A

GDPR shall not impose additional obligations in relation to processing in connection with provision of publicly available electronic communication services

86
Q

Which has stronger consent requirements for digital marketing - ePrivacy or GDPR?

A

GDPR

87
Q

What does ePrivacy Directive Article 5 require related to consent and cookies?

A

prior informed consent must be provided before placing the cookie on the user’s device

88
Q

What are the compliance responsibilities under GDPR for direct marketing activities?

A
  1. Ensure lawful basis (consent or legitimate interest)
  2. Provide fair processing information (data will be used for marketing)
  3. Appropriate technical and organizational measures
  4. No export outside of EEA without adequate protection
  5. Satisfy other compliance duties under GDPR
89
Q

What regulations apply to background checks?

A

data protection and employment laws, which can vary between member states