Controllers and Processors (3) Flashcards

1
Q

What is a Data Protection Authority (DPA) or Supervisory Authority (SA)?

A

An entity appointed to enforce privacy or data protection laws and regulations in a particular jurisdiction

2
Q

In what 2 scenarios can a processor become a controller?

A

Retains the data for its own purposes (e.g. its own records) beyond the original engagement

Processes beyond the controller's documented instructions (Article 28(10): a processor that determines the purposes and means of processing is considered a controller for that processing)

3
Q

How is a data controller defined?

Article 4(7)

A

the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data

Purposes and means: why, how, what data, how long, where, by whom

4
Q

Does the controller have to have access to the data to be qualified as a controller?

A

No

5
Q

What are the 3 obligations for controllers under a joint controllership?

A
  1. jointly determine the purposes and means of the processing (this is what makes the parties joint controllers, Article 26(1))
  2. determine, in a transparent manner and by means of an arrangement between them, their respective responsibilities for compliance with the GDPR (in particular for informing data subjects and responding to their rights requests)
  3. the arrangement may designate a contact point for data subjects
  • The essence of the arrangement must be made available to data subjects (Article 26(2))
  • Data subjects can exercise their rights against each of the joint controllers, irrespective of the arrangement (Article 26(3))
6
Q

What necessitates a joint controllership?

(EDPB Guidelines 7/2020)

A

Joint controllership arises from one of two forms of joint determination:
- A common decision by two or more entities (they decide together)
- Converging decisions by two or more entities: the decisions complement each other and are each necessary for the processing to occur, so that the processing would not be possible without both parties' participation

7
Q

How is a processor defined?

Article 4(8)

A

a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller

8
Q

What are the two basic conditions to qualify as a processor under EDPB Guidelines?

A

separate entity in relation to controller
processes personal data on controller’s behalf

9
Q

What are 4 processor requirements under Articles 28 and 30?

Articles 28 and 30

A
  1. processes personal data only on the controller's documented (written) instructions
  2. assists the controller with its GDPR obligations and immediately informs the controller if an instruction infringes the GDPR
  3. ensures confidentiality of persons authorized to process the data and implements appropriate technical and organizational security measures
  4. keeps a record of the categories of processing activities carried out on behalf of the controller (Article 30(2))
10
Q

Why is SWIFT an example of a factual controller?

A

SWIFT transferred personal data in response to subpoenas from the US Treasury. Taking that decision itself (deciding the purpose of a new processing operation) made SWIFT a controller for that transfer, even though its contractual designation was processor.

11
Q

What are considerations as part of pre-contractual due diligence for data processors?

A

Technical and organizational measures to safeguard data
Data protection knowledge
Recent breaches
Under investigation?
Accreditation
Policy framework
Sub-processors

12
Q

What components should be included in a processor contract?

A

(Article 28(3)) a contract or other legal act, binding on the processor and in writing (including electronic form, Article 28(9)), must be in place that sets out:

subject matter and duration of the processing
nature and purpose of the processing
types of personal data
categories of data subjects
obligations and rights of the controller
processor responsibilities

13
Q

What are contractual terms to engage processors (under Article 28)?

A

process only on the controller's documented instructions (including for international transfers)
ensure persons authorized to process the data are bound by confidentiality
implement appropriate security measures (Article 32)
obtain the controller's prior written authorization (specific or general) before engaging a sub-processor, and flow the same data protection obligations down to the sub-processor
assist the controller with data breach notifications, DPIAs and other Article 32-36 obligations
delete or return all personal data at the end of the services, at the controller's choice
assist the controller in responding to data subject rights requests
make available all information necessary to demonstrate GDPR compliance
allow for and contribute to audits and inspections by the controller or its auditor

14
Q

What are the 5 main building blocks in the definition of controller per GDPR?

A

natural or legal person, public authority, agency, or body

determines

alone or jointly with others

purposes and means

of the processing of personal data

15
Q

What determines the controller status?

A

the factual circumstances of the processing (who actually decides why and how the data are processed), not the formal or contractual designation of the parties

16
Q

What are the controller’s responsibilities related to non-essential means?

A

must be able to demonstrate that processing is performed in accordance with GDPR (article 24)

use only processors providing sufficient guarantees to implement appropriate technical and organizational measures (Article 28(1))

ensure data are subject to appropriate security (article 32)

17
Q

T/F It is necessary for a company to have actual contact with personal data to be a controller of that data

A

False

18
Q

What are the two forms of determination for a joint controllership?

A

common decision - decide together
converging decision - decisions complement each other and are necessary for processing to take place

19
Q

Is a contract required between controllers and processors?

A

Yes. Processing by a processor must be governed by a contract or other legal act under Union or Member State law that is binding on the processor and in writing, including electronic form (Article 28(3) and 28(9)).

(Making the essence of the arrangement available to data subjects is the joint-controller requirement of Article 26(2), not a processor-contract requirement.)

20
Q

Can a processor engage another processor?

A

Not without the prior specific or general written authorization of the controller (Article 28(2))

Under a general authorization, the processor must inform the controller of any intended addition or replacement of sub-processors, and the controller may object

21
Q

What 3 conditions are required regarding the use of processors?

Recital 81

A
  1. only use processors providing sufficient guarantees
  2. carrying-out of processing should be governed by a contract or other legal act
  3. processor must return or delete personal data after completion of processing