Data Protection Law & Regulation

Question 1

Personal Data

Answer 1

Any information relating to an identified or identifiable natural person.

Question 2

Sensitive Personal Data

Answer 2

Subset of personal info; usually requires additional safeguarding of its collection, use, and disclosure

Question 3

Pseudonymized Data

Answer 3

A unique code or pseudonym is used as a temporary solution to protecting info.

It is reversible.

Subject to EU data protection laws

Question 4

Anonymous Data

Answer 4

Not related to an identified or an identifiable natural person aka unidentifiable

Not protected by the GDPR

Question 5

Data Processing

Answer 5

Any operation performed on data

Question 6

Controller

Answer 6

An organization or individual that decides how and why personal data is processed

Question 7

Data Processor

Answer 7

An organization or individual that processes information on behalf of the data controller

Question 8

Data Subject

Answer 8

An individual about whom the data is processed

Question 9

Territorial Scope

Answer 9

1. Processing of personal data when a controller or processor established in the EU (regardless of whether or not the actual processing takes place in the EU).
2. Processing the personal data of data subjects in the EU relating to offering goods or services or monitoring behaviour in the EU (where the controller or processor is not established in the EU).
3. Processing of personal data by a controller not established in the EU but in a place where member state law applies by virtue of public international law.

Question 10

Material Scope

Answer 10

Activities covered by the GDPR

Processing of personal data wholly or partly by automated means

And to the processing of personal data other than by automated means which form part of a filing system

Question 11

Exclusions to Material Scope

Answer 11

(Processing not regulated by the GDPR)

1. Activities outside of the scope of EU law: for example national security activities.
2. Law Enforcement and Public Security
3. Purely personal or household activities.

Question 12

Organizations that are not established in the EU that monitor behavior will be subject to the GDPR when:

Answer 12

The behavior being monitored occurs within the EU

Question 13

GDPR Processing Principles

Article 5

Answer 13

Lawfulness, Fairness and Transparency of Processing
Purpose Limitation
Data Minimization
Accuracy
Storage Limitation
Integrity and Confidentiality
Accountability

Question 14

Lawfulness, fairness, and transparency

Answer 14

GDPR processing principle:

Data subjects must be aware of the fact that their personal data will be processed, including how the data will be collected, kept and used, so they can make informed decisions

Question 15

Purpose Limitation

Answer 15

Principle that requires collecting and processing personal data for the specified purpose only

Question 16

Proportionality

Answer 16

considers the amount of data to be collected and whether it is adequate and relevant in relation to the purposes for which it is being processed

Question 17

Accuracy

Answer 17

GDPR Principle that states organizations ensure personal data is accurate, complete, and up-to-date

Question 18

Storage limitation (retention)

Answer 18

retaining only personal data that is relevant and necessary for the purpose

organizations should retain personal information only as long as necessary to fulfill the stated purpose

Question 19

Integrity and Confidentiality

Answer 19

GDPR requires that controllers and processors implement measures to ensure the ongoing confidentiality, integrity, availability and resilience (CIAR) of processing systems and services.

Integrity refers to the consistency, accuracy and trustworthiness of the data

aka security safeguards (OECD)

Question 20

Data Minimization Principle (EU specific)

Answer 20

Data controllers must only collect and process personal data that is relevant, necessary and adequate to accomplish the purposes for which it is processed.

Controllers should consider Necessity and Proportionality when applying Data Minimization principle

Question 21

Lawful Processing Criteria

Answer 21

1. Consent
2. Contract
3. Legal obligations
4. Vital interests
5. Public Interest or official authority
6. Legitimate interests

Question 22

Consent

Answer 22

clearly distinguishable 
intelligible
in clear and plain language
freely given
as easy to withdraw as it was to provide
specific 
informed 
unambiguous

Question 23

Explicit consent

Answer 23

Article 9 - special categories

unambiguous, freely given, specific, informed

+ a clear affirmative act by the data subject
(checking opt-in or choosing technical settings for web apps)

Question 24

Contractual necessity

Answer 24

Lawful basis for processing

Performance of a contract if the processing is necessary to perform the contract (and data subject is party)
or if the data subject requests the processing to enter into a contract

Ex: Customer purchases book from company, they need process in order to send book