Criminal law Flashcards

1
Q

What is the criminal law? The distinction between criminal and civil law?

A

Criminal law is a specific branch of law. It is a system of legal rules that expresses community standards, determines whether they have been violated (that is, crime) and allocates punishment (that is, the consequences of crime).

The distinction between criminal and civil law:
Civil law - the relationship between individuals (making agreements). Protection: not to suffer damage. The main consequence is monetary compensation (Plaintiff - private party, Defendant - private party).

Criminal law - the relationship between individuals and community. A consequence of the action is not only monetary compensation but also social compensation (imprisonment). (Plaintiff - Government, Defendant - private party).

2
Q

List of the constitutional principles which concern criminal law

A

1) Principle of legality (nullum crimen nulla poena sine lege: no crime, no punishment without law)
2) Principle of materiality (nullum crimen nulla poena sine actione: no crime, no punishment without a material act)
3) Harm principle (nullum crimen nulla poena sine iniuria: no crime, no punishment without a real offense)
4) Principle of culpability (nullum crimen nulla poena sine culpa, no punishment without a real culpability)

3
Q

List and define the elements of the crime of Unauthorized access to an IT or a telematic system

A

Sec. 615-ter Italian Criminal Code

Whoever

1) illegally (i.e. without defence);
2) logs himself into (or enters) a computer or a telematic system;
3) which is protected by security measures (i.e. not open access or free access);
4) or stays inside the system against the will of those who have the right to exclude it,
5) is punished with imprisonment up to three years.

1) Illegally: for example,
- at first the perpetrator was authorized to access the system, then the authorization was revoked;
- a public officer, who works at the Criminal Court, can enter the telematic system of the Court within the scope of his duties; but if he – staying at home, outside working hours – enters the system to verify if his neighbor has been convicted, the access becomes illegal.

4
Q

How can cybercrime be defined? What are the 2 basic forms of cybercrime?

A

Criminal acts committed using electronic communications networks and information systems or against such networks and systems.

We can make a distinction between two basic forms of criminal offences:

  1. Offenses where digital technology is the tool or the instrument of the crime;
  2. Offenses where digital technology is the target of criminal activity.

• Cyber crime in a narrow sense (computer crime):
any illegal behaviour directed by means of electronic operations that targets the security of computer systems and the data processed by them;
and
• Cyber crime in a broader sense (computer-related crime):
any illegal behaviour committed by means of, or in relation to, a computer system or network, including such crimes as illegal possession and offering or distributing information by means of a computer system or network.

5
Q

List the main types of cyber criminals and explain the importance of cyber criminology

A

Cyber criminality - People who intentionally abuse and misuse ICT cover a spectrum of criminals.

TYPES OF CYBER CRIMINALS:

  • Children and adolescents;
  • Organised hackers;
  • Professional hackers/crackers – White-collar criminals: their criminal activity is motivated by financial gain.

But also:

  • Criminals with a specific personal motivation;
  • Accidental cyber criminals;
  • Low profile cyber criminals.

Common traits of cyber criminals:
• Technical knowledge;
• Generally non-violent individuals;
• Tendency to not perceive himself/herself as a criminal (e.g.: rationalizations about why particular laws are invalid or should not apply to them);
• Lack of perception of the damages caused to the victim.

• Cyber criminology is a valuable tool that can give investigations many clues about the person who commits a specific crime or series of crimes.
Criminal profiling - the science of developing a description of a criminal’s characteristics (physical, intellectual, and emotional) based on information collected at the crime scene, in order to determine the identity of the person that committed a specific crime.

Digital profiling - a new tool for digital investigation that analyses the digital memory through specific technical and intelligence profiling (through mining, comparison and recognition of digital profiles of a user's digital device), in order to obtain information useful to reconstruct the user fingerprint and the description of the modus operandi, and to identify the perpetrator of a crime.

6
Q

What are the risk factors and the main characteristics of cybercrime?

A

Use of ICT (Information and Communications Technology) to commit crimes:
• has a global reach;
• leads to deterritorialisation, which implies that cybercrime is almost by definition transnational;
• allows for decentralized, flexible networks in which perpetrators can organize themselves to divide labour or to share skills, knowledge, and tools;
• facilitates anonymity;
• enables distant interaction with victims, removing potential social barriers that perpetrators face in physical, person-to-person interaction;
• reduces the costs of crime, allowing for automation of criminal processes;
• has structural limitations to capable guardianship that can serve as a social or technical obstacle to committing crime;
• has rapid innovation cycles.
* It is the combination of such factors that makes cybercrime a special challenge for the legislators.

Characteristics of cyber crimes:
Two of the main characteristics that give cybercrime its specificity come from its perceived anonymity and its transnational character.
A transnational character can also be found in classical forms of crime, but not to the same degree. Time, distance, and national borders are much less important than in traditional crime.
These traits make it difficult to identify the offender or the place where he/she operates, and much more difficult to prosecute him/her and consequently to apply a sentence.

7
Q

What are substantive law and its difference from criminal procedural law?

A

Substantive Criminal Law involves:
• the general principles that apply to all crimes (so called “general part” of Criminal Law), and
• the definition of specific crimes and their punishment (“special part” of Criminal Law)
It is distinguished from Criminal Procedure Law, which involves the study of all the rules and standards governing the detection, investigation, evidence and prosecution of a crime: in short, how the Law is enforced by the judge.

Substantive Criminal Law
What is crime? Concepts, Categories, Notions about Criminal Law.
For example: intention, negligence, defence… Definitions of single crimes: theft, bribery, murder, sexual offences.

Criminal Procedure Law
How to do a trial: Investigations, arrest and charge, first court appearance, evidence.
Trial; verdict and sentencing; imprisonment/Fine

8
Q

Social functions of criminal law

A

• Retribution: punishment is meted out to the offender because this is what he deserves in response to his infraction of the Criminal Law (you have killed somebody > you deserve prison);
• General deterrence: dissuading other possible offenders from offending by the example made of each particular offender (punishing murder, the State prevents murders in general);
• Special deterrence: dissuading the individual criminal from re-offending in the future (punishing a specific murder, the State prevents other murders by the same killer);
• Rehabilitation: the purpose of the training and treatment of convicted prisoners shall be to encourage and assist them to lead a good and useful life (punishing a specific murder, the State gives a moral example, re-educates the guilty person).

9
Q

Describe the principle of legality

A

Article 25 of the Constitution:
No one can be punished if not in compliance with a law that was in force before the act was committed.
No crime without law
No punishment without law

Corollaries:
1) the prohibition to interpret criminal law by analogy, punishing actions that the Law does not expressly describe as “crime” (if a behavior is not expressly punished, it is not a crime).

For example: a “file” is not a material thing for the Criminal Law: “no theft of files”.
To punish whoever “steals files”, you must introduce a new Law that expressly punishes this kind of theft.
Without this new law, you cannot punish the “theft of files”, because you cannot extend the area of the legal concept of “theft”.

2) the express determination of the offences (whereby it is the rule itself which should exactly and precisely distinguish an unlawful act from an action that is irrelevant from a criminal point of view: avoiding ambiguous formulations in the Criminal Law)

3) the prohibition against the retrospective application of a criminal law having NEGATIVE consequences for the offender. For example:
If “A” commits an action that, at this time, is not a crime (there is not a positive Law that expressly punishes this action).
After one month, the Parliament introduces a new Law, that punishes with imprisonment this kind of behavior for the first time.

10
Q

Principle of materiality

A

A person cannot be convicted if he or she did not perform a materially observable act (in Italian: «fatto»).
• No liability for «evil thoughts» alone

General rule: everyone can express his or her own opinions without any punishment
Exception: also opinions and speech can be punished when they are intolerable or bring a danger

Sec. 604 bis, Italian Criminal Code:
The punishment of imprisonment between two and six years is applied if the propaganda or incitement, committed in a way that results in a concrete danger of diffusion, are based in whole or in part on denial or serious minimization of the Shoah or crimes of genocide, crimes against humanity and war crimes, as defined by articles 6, 7 and 8 of the statute of the International Criminal Court.

11
Q

Harm principle

A

It is only permissible to punish a behavior if it causes harm to a ‘legal good’ (bene giuridico), that is to say to an interest that has to be protected by Criminal Law.
• Criminal law allocates punishment for those conducts which harm or endanger some legal interests which are considered worthy of protection (life, property, honour, etc.)

For example:
Printing money in «black and white», because everybody can realise that is fake money, not real money;

12
Q

Principle of culpability

A

• One person could not be held responsible for the act of another.
• Principle upon which the individual must be considered blameworthy for the offence committed in order to be punishable.

In Italy, crimes can be punished only
1) For “intention”: for example, killing someone desiring and wanting death as a consequence of his action
2) For “negligence”: for example, killing someone by mistake, that is by violation of legal rules of diligence and caution (for example, violating the Road Traffic Act – Codice della Strada).
If somebody kills somebody without intention and without negligence, he or she cannot be punished.

13
Q

Criminal violations: felonies and misdemeanours

A

Two main categories:

1) Felonies («delitti») – more serious
2) Misdemeanours («contravvenzioni») – less serious criminal violations

Felonies («delitti») are criminal violations that are punished with three kinds of penalties:
a) life imprisonment («ergastolo») b) imprisonment («reclusione») c) a special fine called «multa»
Misdemeanours («contravvenzioni») are criminal violations that are punished with:
a) special imprisonment called «arrest» («arresto») b) special fine called «ammenda».

Example:
Sec. 640 ter c.p. (Cyber Fraud): (a serious crime)
Whoever, altering the functioning of a telematic system or intervening in any way (without right) on data, information or programs contained in a computer or a telematic system, causes for himself or others an illegal profit with damage to others, is punished with imprisonment (“reclusione”) from six months to three years and with a fine (“multa”) from Euro 51 to Euro 1.032.

The distinction between FELONIES and MISDEMEANOURS carries many legal consequences.

For example:
- crimes are punished only by way of intention
- misdemeanours by way of intention or negligence (both), even if the punishment by way of negligence is not expressly established by the law

14
Q

Elements of crime

A

There are 3 elements of crime:

  1. Actus reus
  2. Mens rea
  3. Not existence of defences (negative element)
  1. ACTUS REUS
    • Criminal act (material conduct or behaviour): a crime involves an act or a failure to act (omission): criminal act called actus reus (objective element)
    • Action/Omission + Event: the physical consequence (result or effect) of the offender’s conduct

The connection between Action and Event is called: CAUSATION (if I shoot somebody > I kill or hurt him or her)… causing death.
There is a «natural or physical law» that says: if you shoot somebody > you kill or hurt him or her

Hacker attack -> … damages to a server or a computer

  2. MENS REA
    • Criminal intent or inner (psychological) attitude: Criminal punishment is usually directed at individuals who intentionally or negligently (for recklessness) harm other individuals or properties, or other legal goods which deserve penal protection (subjective element)

INTENTION:
the will of the action and of the event
I want to kill somebody
I shoot somebody FOR KILLING him

RECKLESSNESS - NEGLIGENCE:
I do not want to kill anybody
But I cause somebody’s death, violating legal rules of diligence and caution (for example Road Traffic Act)

Example:
Sec. 575 c.p. (Murder)
Whoever causes intentionally the death of a man is punished with imprisonment for a term no less than twenty-one years
Actus reus:
Mens rea (Criminal intent or inner attitude): “intentionally…” (desiring and wanting to kill somebody)

Actus reus without mens rea -> No crime
Example: A surgeon operates the patient in a technically perfect way
(without negligence); nevertheless, the patient dies.

Mens rea without actus reus -> No crime
Example: A surgeon operates the patient’s actus intention to with the intention to steal them with negligence, not respecting the rules of medicine alive.

  3. Not existence of defences (negative element):
    • Criminal liability is not imposed on an individual if it is demonstrated that his/her criminal act is justified (necessity, self-defence, superior order) or excused (i.e. duress, mistake of law or mistake of fact)
15
Q

Illegal interference in private life through video or sound recording tools

A

Art. 615-bis: illegal interference in private life
Whoever,
1) through video or sound recording tools,
2) unduly procures information or images relating to private life taking place at home or in a private residence,
3) is punished with imprisonment from six months to four years.

16
Q

Unauthorized possession, diffusion and installation of equipment, codes and other means for accessing IT or telematic systems.

A

Sec. 615-quater Italian Criminal Code
Unauthorized possession, diffusion and installation of equipment, codes and other means for accessing IT or telematic systems.
Whoever,
1) in order to procure a profit for himself or for others (MENS REA)
2) or to bring damage to others (MENS REA),
3) illegally procures, holds, produces, reproduces, disseminates, imports, communicates, delivers, makes available to others in any other way or installs (ACTUS REUS),
4) devices, tools, parts of tools, codes, keywords or other means suitable for accessing a computer or telematic system, protected by security measures, or in any case provides indications or instructions suitable for the aforementioned purpose,
5) is punished with imprisonment for up to two years and with a fine of up to € 5,164.

17
Q

Unauthorized possession, dissemination and installation of equipment, devices or computer programs aimed at damaging or interrupting an IT or telematic system

A

Sec. 615-quinquies Italian Criminal Code

Whoever

1) in order to illegally damage a computer or a telematic system, or the information, data or programs contained therein or thereto pertinent (MENS REA)
2) or to encourage a total or partial interruption or alteration of its functioning (MENS REA),
3) illegally procures, holds, produces, reproduces, imports, disseminates, communicates, delivers or installs equipment, devices or computer programs (ACTUS REUS),
4) is punished with imprisonment of up to two years and with a fine up to € 10,329.

18
Q

Violation, theft and suppression of correspondence

A

Sec. 616 Italian Criminal Code

Whoever
1) reads the content of a closed correspondence, not directed to him or to her, that is,
2) or subtracts or distracts a closed or open correspondence, not directed to him, in order to read it or to let others read it
3) or, in whole or in part, destroys or suppresses it,
4) is punished with imprisonment up to one year or with a fine between € 30 and € 516.
If the culprit, without just cause, reveals, in whole or in part, the content of correspondence, he is punished, if the fact causes harm, with imprisonment of up to three years.
For the purposes of the provisions of this section, “correspondence” means that by letter, telegraphy, telephone, computer or telematics, or carried out with any other form of remote communication.

19
Q

Unlawful interception, impediment or interruption of IT or telematic communications

A

Sec. 617-quater Italian Criminal Code

Whoever
1) fraudulently intercepts communications relating to an IT or telematic system or between multiple systems,
2) or prevents or interrupts them,
3) is punished with imprisonment from one year and six months to five years.
The same penalty applies to anyone who discloses to the public, through any means of information, the content of the communications referred to in the first paragraph.

20
Q

Damage to information, data and computer programs.

A

Whoever:
1) destroys, damages, deletes, alters or suppresses information, data or computer programs of others
2) is punished, upon complaint of the injured person, with imprisonment from six months to three years.
If the fact is committed with violence to the person or with a threat or with abuse of the quality of system operator, the penalty is imprisonment from one to four years.

21
Q

Damage to IT or telematic systems

A

Sec. 635-quater Italian Criminal Code

Damage to IT or telematic systems
Whoever
1) through the conduct referred to in Sec. 635-bis, or through the introduction or transmission of data, information or programs,
2) destroys or damages in whole or in part an IT or telematic system or seriously hinders its functioning
3) is punished with imprisonment from one to five years.
If the fact is committed with violence to the person or with a threat or with abuse of the quality of system operator, the penalty is increased.

22
Q

Computer fraud

A

Sec. 640-ter Italian Criminal Code

Whoever,
1) altering in any way the functioning of an IT or telematic system or intervening without right in any way on data, information or programs contained in a computer or telematic system
2) procures an illegal profit for himself or others
3) causing damage to others,
4) is punished with imprisonment from six months to three years and with the fine from € 51 to € 1,032.
The penalty is imprisonment from two to six years and a fine from € 600 to € 3,000 if the fact is committed with theft or improper use of the digital identity of anybody

23
Q

According to the GDPR, what is personal data?

A

means any information relating to an identified or identifiable natural person (‘data subject’);
an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as:
- a name,
- an identification number,
- location data,
- an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Sec. 4 GDPR
PERSONAL DATA
1) “NORMAL” PERSONAL DATA
2) SPECIAL categories of personal data: “SENSITIVE INFORMATION” (see below)
- ‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person;
- ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
- ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
SPECIAL categories of personal data: bound by more stringent duties of protection.

24
Q

According to the GDPR, what is “processing personal data”?

A

means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as:

  • collection,
  • recording,
  • organisation,
  • structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment or combination, restriction, erasure or destruction.
25
Q

According to the GDPR, what is profiling?

A

means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person…
… in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Cookie profiling, also called web profiling, is the use of persistent or permanent cookies to track a user’s overall activity online.

26
Q

Describe the subjects who process personal data

A

1) controller of data: means the natural or legal person, public authority, agency or other body which determines the purposes and means of the processing of personal data;
2) processor: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

3) Data protection officer (DPO): a third party, external to both the “controller of data” and the “processor”, who is appointed as “guarantor” in larger companies and checks whether the controller of data and processors comply with the law in data processing.

27
Q

Principles relating to processing of personal data

A
  1. Personal data shall be:
    (a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
    (b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
    (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
    (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
    (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
    (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
  2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’)
28
Q

The lawfulness of processing personal data

A
  1. Processing shall be lawful only if and to the extent that at least one of the following applies:
    (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
    (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (if I rent a car, the renting company can process my data).
    (c) processing is necessary for compliance with a legal obligation to which the controller is subject (every hotel must communicate the name and surname of the guests to the public offices);
    (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person (the hospital can process the personal data of patients even in an emergency);
    (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (the criminal court may process the personal data of the accused people)
29
Q

Conditions for consent

A
  1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data (for example through a written document or an audio recording).
  2. If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language (in the contract with the telephone company, the contractual conditions of the service must be written separately from the privacy consent).
  3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
30
Q

Processing of special categories of personal data

A
General rule:
Processing of personal data revealing
1) racial or ethnic origin,
2) political opinions,
3) religious or philosophical beliefs,
4) or trade union membership,
5) and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation
shall be prohibited.

Exceptions:
a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes;
b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law
c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim;
e) processing relates to personal data which are manifestly made public by the data subject. (I write on Facebook that I am Catholic or that I am a member of a trade union: by publishing this information, afterwards I cannot complain that someone has disseminated or divulged it)
f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity (there is a civil case or trial; so that the judge entrusts the children to me and not to my wife, I reveal that my wife is part of a satanic religious sect)
g) processing is necessary for reasons of substantial public interest;
h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services;
i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices.

31
Q

Information to be provided to the data subject (GDPR)

A

The controller shall provide the data subject with all of the following information:

(a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;
(b) the contact details of the data protection officer, where applicable;
(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
(d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
(e) the recipients or categories of recipients of the personal data, if any;
(f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organization.
(g) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
(h) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
(i) the right to lodge a complaint with a supervisory authority;
(l) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract;
(m) the existence of automated decision-making, including profiling.

32
Q

Records of processing activities (GDPR)

A

Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:

(a) the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
(b) the purposes of the processing;
(c) a description of the categories of data subjects and of the categories of personal data;
(d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
(e) transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation;
(f) the envisaged time limits for erasure of the different categories of data;
(g) a general description of the technical and organisational security measures.

33
Q

Data breach (GDPR)

A

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
The notification referred to in paragraph 1 shall at least:
(a) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
(b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
(c) describe the likely consequences of the personal data breach;
(d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.