Data Processing Principles & Lawful Processing Criteria Flashcards

1
Q

What are the data processing principles established under the GDPR?

A
  1. Accuracy
  2. Purpose Limitation
  3. Storage Limitation
  4. Integrity and Confidentiality
  5. Data minimisation
  6. Accountability
  7. Lawfulness, Fairness, Transparency
2
Q

What is a Mnemonic device for remembering the data processing principles?

A

APSIDAL

3
Q

What is “APSIDAL”?

A

Mnemonic device for remembering the key data processing principles.

4
Q

What is the L in APSIDAL?

A

Lawfulness, fairness and transparency.

Key data processing principle.

5
Q

What is the definition of the “lawful, fair and transparent” data processing principle?

A

Personal data should be processed in a lawful, fair and transparent manner.

6
Q

What factors must be present for processing to be lawful?

A

ONE OF THESE MUST BE PRESENT:

(a) Consent
(b) Contract performance
(c) Legal Obligation
(d) Vital Interest of individual
(e) Public Interest
(f) Legitimate Interest

7
Q

What is a pattern to remember the six types of lawful processing?

A

CC-VP-LL

8
Q

What is CC-VP-LL?

A

Pattern to remember conditions for lawful processing:

Consent
Contract Performance
Vital interest of individual
Public Interest

9
Q

What is the definition of consent in terms of lawful processing?

A

Consent is when the data subject has given consent to the processing of personal data for one or more SPECIFIC PURPOSES.

10
Q

What is the definition of contract performance in terms of lawful processing?

A

Processing is lawful when the processing is necessary for the performance of a contract to which the data subject is a party.

11
Q

What is the definition of “legal obligation” in terms of lawful processing?

A

Processing is lawful when necessary for compliance with a legal obligation to which the controller is subject.

12
Q

What are the six methods for lawful processing recognized by the GDPR?

A

CC-VP-LL

  1. Consent
  2. Contract Performance
  3. Vital Interest of Individual
  4. Public Interest
  5. Legitimate Interest
  6. Legal Obligation
13
Q

What is the definition of vital interest in terms of lawful processing?

A

Processing is necessary to protect a vital interest of the data subject.

14
Q

What is the exception to lawful processing for a legitimate interest?

A

Processing is necessary for the purposes of legitimate interests pursued by the data controller EXCEPT where such interests are OVERRIDDEN BY FUNDAMENTAL RIGHTS OF THE DATA SUBJECT.

15
Q

Define “fairness” in terms of data processing principles.

A

For processing to be fair, data subjects must be aware that their data will be processed and how it is collected and used, so that they can make an informed decision.

16
Q

True or False: For data processing to be fair, the data subject must be able to make an informed decision.

A

True

17
Q

Name this concept: A data controller must be open and clear toward data subjects when processing their data.

A

Transparency

18
Q

True or False: The Controller’s obligation to be transparent has no exceptions.

A

False.

Exceptions:

  1. Data was obtained directly from the data subject
  2. Process exceptions including:
    (a) Providing information would have DISPROPORTIONATE EFFECT, or is impossible, and
    (b) Disclosure is governed by applicable law
19
Q

True or False: The data controller must notify the data subject of how their data is processed, with no time requirement.

A

False - Trick question:

Yes, the data controller must provide notice, but: (a) it must be given in a TIMELY MANNER, and (b) it must be clear, concise and easy to read.

20
Q

What is the data principle of purpose limitation?

A

Data controllers must only collect and process personal data to accomplish SPECIFIC, EXPLICIT and LEGITIMATE purposes and not process data beyond such purpose.

21
Q

What is the data processing principle of data minimisation?

A

Data controller must only collect and process personal data that is RELEVANT, NECESSARY and ADEQUATE to accomplish the purposes.

22
Q

What are the two key principles required for data minimisation?

A

(1) Necessity, and (2) Proportionality

23
Q

What is the definition of accuracy?

A

Data controller must take reasonable measures to ensure the data is accurate and kept up to date.

24
Q

True or False: If a data controller has implemented processes to prevent inaccuracies, then they have met the processing principle of accuracy?

A

True - likely :)

25
Q

True or False: Data controllers may keep personal data for an unlimited amount of time.

A

False - this violates the data processing principle of storage limitation.

26
Q

What is the principle of storage limitation?

A

Personal data must be kept for no longer than necessary for the purposes for which the personal data is processed.

27
Q

What is the definition of the data processing principle of “integrity and confidentiality”?

A

The personal data must be processed in a manner that ensures APPROPRIATE SECURITY OF PERSONAL DATA, including:

(i) protection against unauthorized processing
(ii) using technical or organisational measures.

28
Q

Name this concept: Data is processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing

A

Integrity and Confidentiality

29
Q

Name this concept: personal data must not be kept for longer than is necessary

A

Storage limitation

30
Q

Name this concept: Data controller must take reasonable measures to ensure data is kept up to date

A

Accuracy

31
Q

Name this concept: data controller only collects/processes personal data that is relevant, necessary and adequate

A

Data minimisation

32
Q

Name this concept: Data controller only collects and processes personal data to accomplish specific, explicit and legitimate purposes.

A

Purpose limitation

33
Q

Name this concept: Controller must be open and clear

A

Transparency

34
Q

Name this concept: Data subject must be aware of the fact personal data will be processed

A

Fairness

35
Q

Name this concept: data subject has given consent to processing of personal data for specific purpose

A

Lawful processing by consent

36
Q

Name this concept: processing is necessary for the performance of a contract (DS is a party)

A

Lawful processing by contract performance

37
Q

Name this concept: processing is necessary for compliance with legal obligation to which controller is subject

A

Lawful processing by legal obligation

38
Q

Name this concept: processing is necessary for legitimate interests pursued by controller, except where such interests are overridden by fundamental rights of data subject

A

Lawful processing by legitimate interest

39
Q

Which Article of the GDPR establishes lawful processing criteria generally?

A

Article 6

40
Q

What is defined in Article 6 of the GDPR?

A

Lawful basis for processing personal data.

41
Q

Consent is a lawful basis for processing personal data - what is the definition of consent?

A

Consent must include the following to be valid:

  1. Freely given
  2. Specific
  3. Informed
  4. Unambiguous
42
Q

For lawful processing on the basis of consent, such consent must be freely given. What are some factors to confirm that consent was freely given?

A

(a) Data subject must have a genuine choice.
(b) There is balance between data controller and data subject (no employee/employer relationship).
(c) Data subject has the freedom to revoke.

43
Q

The data subject gave consent with (i) genuine choice, (ii) balance in relationship to data controller and (iii) power to revoke – what does this mean?

A

Consent was freely given.

One of four factors of consent: freely given, specific, informed and unambiguous.

44
Q

What does it mean when consent to processing was specific?

A

Data subject gave consent for a specific purpose of processing.

*Watch for consent creep.

45
Q

What does it mean when data subject’s consent was informed?

A

Data subject gave consent after receiving ALL necessary details of the processing activity, in a language and form they can understand.

46
Q

What does it mean when a data subject has given consent to processing AFTER receiving all necessary details of processing, in a language and form they can understand?

A

It means the data subject's consent was INFORMED.

47
Q

Name at least 3 requirements for a data controller's notice so that the data subject's consent can be INFORMED.

A
  1. Identity of controller
  2. Purpose of processing
  3. Type of data collected
  4. Possible risk of transfer to third country without adequacy decision or appropriate safeguards
48
Q

Who has the burden of proof regarding whether consent was given with sufficient information (i.e. informed consent)?

A

Data Controller

49
Q

True or False: For consent to be informed, the data subject must at least be aware of the data controller and the purpose of the data processing?

A

True.

50
Q

What does it mean that the data subject's consent to processing must be unambiguous?

A

Data subject must consent with a statement or clear affirmative act with no doubt to their intention.

52
Q

True or False: The data subject's selection of a tick box for terms qualifies as unambiguous consent.

A

True. Tick box OK, pre-checked NOT OK.

53
Q

True or False: The data subject's consent is based on a pre-ticked box of terms and qualifies as unambiguous consent.

A

False. This consent is ambiguous.

54
Q

True or False: An opt-out feature qualifies as unambiguous consent.

A

False. An opt-out feature fails and is ambiguous consent.

56
Q

True or False: Consent obtained from a 12-year-old for processing geared toward children is valid.

A

False. Age of consent under GDPR is 13.

57
Q

What is the age minimum of consent under the GDPR?

A

Age 13

58
Q

What is the minimum age of consent for child services?

A

Age 16

59
Q

When do the minimum age rules for consent apply?

A

Only in context of: (1) information services offered directly to children, and (2) where controller relies solely on consent for lawful processing.

60
Q

True or False: A data subject's consent is perpetual as long as the processing does not change.

A

Likely false. Consent is not perpetual. It is recommended that consent be updated regularly. But as soon as the processing changes, new consent is required.

61
Q

What does it mean when the lawful processing is based on necessity?

A

Processing was necessary for a certain reason.

TEST: a close, substantial connection between the processing and the purposes.

62
Q

True or False: Processing that is unavoidable to complete a contract the data subject is a party to is lawful processing?

A

True. Necessary for the performance of a contract.

63
Q

True or False: Processing that is required to protect the vital interests of the data subject is lawful processing?

A

True - vital interests = life or death.

64
Q

True or False: Processing for public interests only is not a lawful means of processing.

A

False - processing necessary for the performance of a task carried out in public interest IS LAWFUL PROCESSING.

65
Q

True or False: A data subject may object to the use of their personal data when processing is based on public interest.

A

True.

66
Q

What is the most common basis for lawful processing?

A

Legitimate interests

67
Q

Define the concept of legitimate interests.

A

Legitimate interests is a basis for lawful processing of personal data under the GDPR.

Data controller must prove they have a legitimate interest for processing personal data (EXCEPT where the fundamental rights of the data subject OVERRIDE such legitimate interest).

68
Q

What is the exception to lawful processing for legitimate interests?

A

Where the legitimate interest is overridden because it violates the data subject's fundamental rights.

69
Q

What are the interests that must be balanced when the processing is based on the legitimate interest of the data controller?

A

(1) Necessary for purpose.
(2) Purpose = legitimate interest
(3) Legit interest is not overridden by fundamental rights.

70
Q

What is the test to determine whether a legitimate interest is overridden by a fundamental right?

A

Reasonable expectations of data subjects.

If a data subject would reasonably expect that the right would be protected, then the legitimate interest basis fails.

71
Q

True or False: Lawful processing based on (i) legal obligations or (ii) public interests can apply to law of any recognized nation.

A

False - applies to EU and member state law ONLY.

72
Q

What does Article 9 of the GDPR govern?

A

Processing of sensitive data.

73
Q

What are the categories of sensitive data?

A
  1. Race or ethnic origin
  2. Political opinion
  3. Religious or philosophical beliefs
  4. Trade Union Membership
  5. Genetic or Biometric data for the purpose of identifying a specific natural person
74
Q

What is different about the consent requirements for sensitive personal data?

A

Consent must be explicit in addition to:

  1. Freely given
  2. Specific
  3. Informed, and
  4. Unambiguous
75
Q

What is an example of valid consent for processing sensitive personal data?

A

Handwritten consent with signature (vs. just ticking a box).

76
Q

What are some examples of the exceptions to the Article 9 default rule?

A

Default rule - processing of sensitive data is prohibited.

Exceptions:

  1. Necessary processing for employment or social security obligations
  2. Necessary processing for vital interests
  3. Processing by religious, philosophical or trade union nonprofit
  4. Processing for medical care
  5. Processing for public health
  6. Processing for scientific research or historical research.