Data protection law Flashcards

1
Q

Explain the term Manual data

A

Physical data recorded as part of a filing system. e.g. CV on file, interviewer notes

2
Q

Explain the term Automated data

A

Data held electronically
The Data Protection Acts 1988-2003 regulate the processing of personal data of a living person which is in the possession of a Data Controller

3
Q

Explain Sensitive personal data

A

Data in relation to:
1. Racial or ethnic origin, political opinions, religious or philosophical beliefs
2. Trade union membership
3. Physical/mental health or condition, or sexual life
4. Information in relation to the commission or alleged commission of any offence, related proceedings/disposal of proceedings or sentences.
In general the express permission of the data subject must be obtained before sensitive personal data can be gathered or processed (some exceptions).

4
Q

Give a definition for data controller

A

Controls the content and use of personal data. Must be a person recognised in law, i.e. a natural person, organisation or body corporate.

5
Q

Explain the term Data Processor

A

Any person other than the Data Controller who processes the data on behalf of the DC.
Registration with the Office of the Data Protection Commissioner:
Financial institutions, government/public bodies, telecoms and internet providers, businesses mainly involved in direct marketing, data processing, debt collection, credit references

6
Q

Give a definition for a data subject

A

A living person who is the subject of personal data.
e.g. Workers (past/present/future), customers, employees, students.

7
Q

Explain the six lawful bases

A

A business will need to look at the data it holds on a Data Subject and then refer to the six lawful bases to decide which one it can rely on for processing of the Data Subject’s personal data.

8
Q

List the six Lawful bases

A

* Consent
* Legal Obligation
* Vital Interest
* Legitimate Interest
* Performance of a Contract
* Public Interest

9
Q

Explain the term consent

A

For example a customer must be given the option to opt in to receiving marketing emails

10
Q

Explain the term Legal Obligation

A

For example the Safety, Health and Welfare at Work Act 2005: you must retain all accident reports and incident report forms for 10 years.
Other examples: Revenue Commissioners, Working Time Act.

11
Q

Explain the term Vital interest

A

For example it is permissible to hand over someone’s information in a medical emergency

12
Q

Explain the term Legitimate interest

A

For example sending appointment reminders to customers, although there can be no marketing material included

13
Q

Explain the term Performance of a contract

A

For example an employer requiring specific information from an employee so that they can enter into a contract of employment

14
Q

Explain the term Public interest

A

For example the Central Statistics Office carrying out a census.

15
Q

Explain the six principles of GDPR

A

* Lawfulness, fairness and transparency: Tell the Data Subject why you are collecting their data and what you will be doing with it, and explain the lawful basis/bases that it is relying upon
* Purpose Limitations: Data can only be used for a specific processing purpose that the subject has been made aware of and no other additional purpose, without further consent
* Data Minimisation: Only ask the Data Subject for the least amount of information that you need to satisfy one of the 6 lawful bases
* Accuracy: Data held must be up to date and accurate
* Storage Limitations: Cannot keep Data Subject’s information indefinitely without grounds to do so. The business must have a Data Retention Policy in place
* Integrity and Confidentiality: Protect against unlawful processing or accidental loss, destruction or damage.

16
Q

Describe consent to processing

A

Data Controller must be able to demonstrate that the Data Subject consented to processing
Must be genuine consent, given freely (Data Subject informed of their right not to consent without detriment). Consent must be active not passive.
Data Subject must be clear as to what they are consenting to. Any request for consent must be clear
Where consent is sought in conjunction with other matters it must be distinguishable from the other matters
The consent must be in an intelligible and easily accessible format, using clear and plain language
Data Subject has the right to withdraw consent at any time (should be highlighted once every 12 months). It is not legal to make consent necessary to the completion of a contract where such consent is not necessary for the performance of that contract
Consent for processing of child’s data must be given by the parents of that child or persons acting in ‘loco parentis’ where the child is under the age of 16
Data Controllers are required to have adequate systems in place to verify individual ages and gather relevant consents
Where a service is provided directly to a child a privacy notice must be drafted in a clear and plain way, so that the child can understand it.

17
Q

Describe the 8 principles of the GDPR and Data Protection Act

A

* To obtain and process information fairly
* To keep information only for one or more specified, explicit and lawful purposes
* To use and disclose it only in ways compatible with these purposes
* To keep it safe and secure
* To keep it accurate, complete, and up-to-date
* To ensure that it is adequate, relevant and not excessive
* To retain for no longer than is necessary for the purpose
* To give a copy to an individual on request

18
Q

List the rights of a data subject

A

* To establish the existence of personal data
* To access their personal data
* To have personal data corrected or erased where appropriate
* Articles 16 and 17 of GDPR give individuals a right to rectification or erasure (right to be forgotten)
* To object to disclosure of the data to 3rd parties.

19
Q

Describe the right to erasure

A

Applies anywhere in the EU where:
* Information has been retained for an excessive period of time
* Consent to process has been withdrawn
* Data has been unlawfully processed
* No compelling reason to justify continued processing by the data controller, or erasure is required to comply with a legal obligation
The right of erasure includes the right to have information removed from appearing in internet search results (carried out against the data subject’s name).
Data controller must comply as soon as practicable or in any event not less than 1 month.

20
Q

What are the roles and powers of the Data Protection Commissioner?

A

* Conduct investigations to ensure compliance
* Issue enforcement notices to Data Controllers and Data Processors
* Authorise persons to enter premises to inspect personal data

21
Q

Explain the correction powers of the Data Protection Commissioner

A

These include the right to:
* Issue a warning to the data controller/processor that intended data is likely to infringe a relevant provision
* Issue a reprimand to the data controller/processor where they have infringed a relevant provision
* Order the data controller/processor to comply with a data subject’s request to exercise their rights under a relevant provision
* Order a data controller/processor to bring processing into compliance in a specified manner and within a specified time period
* Impose temporary or definite limitations including a ban on processing
* Impose a restriction on processing by the data controller/processor
* Serve an enforcement notice on the controller/processor to take such steps as the DPC considers necessary for those purposes.

22
Q

Explain administrative fines

A

Breach of an Order of the DPC can result in administrative fines of up to €20m or, in the case of an undertaking, up to 4% of total worldwide annual turnover of the preceding financial year, whichever is the greater.

23
Q

List the sanctions for the Data Commissioner

A

Criminal Sanctions
* Brought by the Office of the Data Protection Commissioner
* Punishable by fines of up to €3,000 per offence on summary conviction, up to €100,000 on indictment
* Offences by electronic communications companies relating to security obligations: €5,000 on summary conviction; €50,000 (natural person, on indictment); €100,000 (body corporate, on indictment)

24
Q

Explain the term forfeiture

A

Court can order that the data material or data equipment connected with the offence be forfeited or destroyed. Must give the owner of the data or other interested parties a chance to show just cause for avoiding forfeiture.

25
Q

When is a Data Protection Officer appointed?

A

(1) where the entity is a public body, or
(2) where the entity is a private body whose core business activity involves the:
(a) regular and systematic monitoring of data subjects on a large scale, or
(b) handling of a large scale of special categories of data (sensitive personal data)

25
Q

Explain the term Civil Sanctions

A

Civil action based on negligence (proximity between the parties, and damage/loss is foreseeable).

Example: Collin v Insurance

26
Q

What are the functions of the Data Protection Officer?

A

* Informing and advising Data Controllers and processors of their obligations under the Regulation
* Monitoring compliance with GDPR in the context of policies, assignment of responsibilities, raising awareness and training of staff
* Providing advice regarding Data Protection Impact Assessments
* Co-operating with the Data Protection Commission, and
* Acting as a contact point with the Commission on issues relating to processing

27
Q

When is a company obligated to conduct a data protection impact assessment?

A

(1) where the data will undergo a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, decisions will be based that produce legal
(2) where there is processing on a large scale of special categories of sensitive data, or of personal data relating to criminal convictions and offences, and
(3) where there is a systematic monitoring of a publicly accessible area on a large scale

28
Q

What information is included in a data protection impact assessment?

A

* A description of the envisaged processing operations and the purposes of the processing
* An assessment of the necessity and proportionality of the processing operations
* An assessment of the risks to the rights and freedoms of data subjects, and
* Details of the measures envisaged to address the risks, including safeguards and security measures
