Data Protection Concepts Flashcards

1
Q

Are online identifiers, such as IP addresses and cookies, personal data?

A

Yes. GDPR expressly states that online identifiers are personal data in the definition of personal data in art. 4 (1).

2
Q

What does the concept of personal data include?

A

All information concerning an identifiable individual. The concept is widely interpreted and is not limited to information about the individual’s private and family life.

3
Q

What are the four building blocks that comprise the meaning of personal data?

A

Within Opinion 4/2007, WP29 sets these four building blocks: 1) Any information, 2) Relating to, 3) An identified or identifiable, 4) Natural person.

4
Q

Does information have to be true to be personal data?

A

No, information does not have to be true to be considered personal data.

5
Q

Can a subjective statement, such as “the employee is a good worker and merits promotion” be considered personal data?

A

Yes, both objective and subjective statements may be considered personal data.

6
Q

Is information in any form included in the concept of personal data?

A

No. The Regulation expressly applies to information processed by automated means and manual means when this is part of a filing system.

7
Q

Which elements does the WP29 consider in Opinion 4/2007 when assessing whether information relates to an individual?

A

One or more of the three elements must apply for the information to relate to an individual: the content element, the purpose element or the result element.

8
Q

When is the individual identifiable?

A

When it is possible to identify the person either directly or indirectly. The person does not have to be identified yet.

9
Q

What is the threshold for the possibility of identification?

A

There must be a reasonable likelihood. The factors to consider are the cost of and the amount of time required for identification, the available technology at the time of the processing, and technological developments. See Recital 26.

10
Q

What is the definition of ‘natural person’?

A

The Regulation does not define the concept of natural person, but leaves it up to member states. However, Recital 27 states that personal data of deceased persons is not included.

11
Q

Why does the Regulation identify certain types of personal data as special categories/sensitive personal data?

A

The nature of the information needs special protection as the processing of the information could create significant risks to individuals’ fundamental rights and freedoms.

12
Q

What is defined as being sensitive personal data?

A
  • Racial or ethnic origins
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data
  • Health data
  • Sex life or sexual orientation data
13
Q

When will a photograph be sensitive personal data?

A

Photographs aren’t always sensitive personal data, as they are only covered by the definition of biometric data when processed by specific technical means allowing the identification or authentication of a natural person (Recital 51).

The Regulation doesn’t address cases where a photograph shows racial origin, religious beliefs or certain physical disabilities (health data).

14
Q

What is the definition of a data controller?

A
  • The natural or legal person, public authority, agency or any other body
  • Which alone or jointly
  • Determines the purpose and means of the processing of personal data.
15
Q

What is the definition of a data processor?

A
  • A person, other than an employee of the controller
  • Who processes on behalf of a controller.

17
Q

What is the definition of a data processor?

A
  • A person, other than an employee of the controller (a natural or legal person, public authority, agency or any other body who is a separate legal entity with respect to the controller)
  • Who processes on behalf of a controller.
18
Q

Does being joint data controllers mean that the data controllers’ processing occurs at the same time and is equal in proportion?

A

No. Joint data controllers do not necessarily process personal data at the same time or in equal proportion.

19
Q

When are data controllers of the same set of personal data joint data controllers?

A

It depends on how the data is passed between them.

20
Q

When are data controllers of the same set of personal data joint data controllers?

A

It depends on how the data is passed between them. Joint processing means that the data controllers are processing personal data “together with” or “not alone”, but the processing does not have to be equal or at the same time.

21
Q

Is the contractual designation of the parties decisive for the parties’ roles under data protection law?

A

No, it is what happens in practice that is decisive.

22
Q

What does it mean to identify the controller by “Control stemming from explicit legal competence”?

A

Explicit appointment of a controller under national or community law. More typically, the law establishes a task or imposes a duty on someone to collect data.

23
Q

What does it mean to identify the controller by “Control stemming from implicit competence”?

A

Control stems from common legal provisions or established legal practice (e.g. an employer with employee data). The capacity to determine processing activities can be considered to be naturally attached to the functional role of an organisation.

24
Q

What does it mean to identify the controller by “Control stemming from factual influence”?

A

Responsibility as controller is attributed on the basis of an assessment of the factual circumstances. Where the matter is not clear, an assessment should consider the degree of actual control exercised by a party, the impression given to the individual, and the reasonable expectations of individuals on the basis of the visibility.

25
Q

Opinion 1/2010 has three circumstances where a controller can be identified by the source of control.

A
  1. Explicit legal competence (appointment by law)
  2. Implicit competence (legal provisions and legal practice)
  3. Factual influence (assessment)
26
Q

Opinion 1/2010 has three circumstances where a controller can be identified by the source of control.

A
  1. Explicit legal competence (appointment by law)
  2. Implicit competence (legal provisions and legal practice)
  3. Factual influence (assessment)
27
Q

The controller determines the purposes and means of processing. What does “means” refer to?

A

“Means” refers not only to the technical ways of processing but also to the “how” of processing, including which data shall be processed, which third parties shall have access to this data, and when data shall be deleted.

28
Q

What does the data processor agreement have to include?

A
  • The nature and purpose of any data processing.
  • The type of personal data
  • The categories of data subjects
  • Instructions from the controller
  • Confidentiality
  • Security measures pursuant to art. 32 - 36.
  • Sub-data processors
  • Assistance to the controller with regard to the exercise of data subject requests
  • Deletion and/or return of data at the choice of the controller
  • All information necessary to demonstrate compliance.
29
Q

What is the definition of processing?

A

1) processing must be wholly or partly carried out by automated means or
2) where the processing is not by automated means, it must concern personal data that forms a part of a filing system or is intended to form a part of a filing system.

30
Q

What is the definition of data subjects?

A

“An identified or identifiable natural person”. A legal entity is not a data subject (recital 14).