Datafication 5 Flashcards

1
Q

Responsibility of dc Art. 24 & 5

A
  • dc must ensure & demonstrate processing in accordance with GDPR
  • by implementing technical & organizational measures appropriate to risk
2
Q

List of Technical & Organizational Measures

A

1) Privacy by design & default
2) DPO
3) records & documentation related to processing
4) privacy / risk impact assessment
5) performing audits
6) code of conduct

3
Q

Data Protection by Design

A
  • dc & dp must implement appropriate technical & organizational measures that
  • are designed to implement data-protection principles of processing, such as data minimization (during planning & performance)
  • taking into consideration a) state of the art & cost, b) nature, scope, context & purpose of processing, c) risk to np rights & freedoms
4
Q

Data Protection by Design - example measures

A
  • pseudonymization
  • transparency of functions & processing to enable ds to monitor processing
5
Q

Data Protection by default

A
  • dc & dp must implement appropriate technical & organizational measures that
  • ensure that by default only pd necessary for each specific purpose is processed
6
Q

Data Protection by default - applies to

A
  • Amounts & types of data
  • Extent of processing
  • Period of storage
  • Accessibility
7
Q

Data Protection by default - example measures

A

Website: data collection “set to off” by default

8
Q

Role of Data processor Art. 28

A
  • Requires written contract (to understand responsibilities & liabilities) incl.
    a) information on processing (e.g. duration, purpose)
    b) procedures to comply with obligations &
    c) level of guarantees & security (dc needs to assess expert knowledge, reliability & resources)
  • dc is liable for GDPR compliance
  • Requires risk assessment prior to implementation
9
Q

Role of Joint Controllers Art. 26

A
  • Requires written agreement on responsibility (“who does what” = mapping of processing activities & of responsibilities for compliance)
  • Essence made available to ds
  • ds can exercise rights against each dc
  • Requires risk assessment prior to implementation
10
Q

Role of Data controller to data controller

A
  • 2 dc transfer pd without jointly determining purposes & means
  • Need for a legal basis for transferring pd
11
Q

Transparency Art. 30 - registry

A
  • dc & dp must document processing in detail in a written & electronic register (basis for measures) including:
  • Information on dc
  • Purpose(s) of processing
  • Categories of registered persons (e.g. consumers, representatives, employees, customers)
  • Categories of personal information
  • Categories of recipients of personal information
  • recipients when transferring outside EU/EEA
  • Deletion (retention deadline)
  • description of technical & organizational measures
12
Q

Transparency Art. 30 - exception

A

employer < 250 employees & processing is a) not a risk to rights & freedoms of ds, b) occasional or c) does not include sensitive or criminal data (a & b almost never)

13
Q

Codes of Conduct

A
  • voluntary sets of rules that assist members
  • in ensuring compliance with the rules
  • must first be approved by competent SA
14
Q

Data Protection Officer (DPO) Art. 37 - When?

A

DPO required where processing
- by public authority / body
- regular & systematic monitoring of ds on a large scale
- sensitive data or criminal pd on a large scale

15
Q

Data Protection Officer (DPO) Art. 37 - role, how chosen?

A
  • chosen based on professional qualities (knowledge of data protection law & practices)
  • employee of dc or dp or service contract (e.g. consultant)
  • no one who determines means & purposes
  • not senior management position
16
Q

Data Protection Officer (DPO) Art. 37 - Tasks general

A
  • contact details published & communicated to SA
  • Reports directly to highest management level
  • cover all data processing activities
17
Q

Data Protection Officer (DPO) Art. 37 - Not Tasks

A

Not tasks of the DPO: informing & advising on solutions; designing & operating solutions; performing processes & controls. Reason: the DPO cannot control what they did themselves.

18
Q

Data Protection Officer (DPO) Art. 37 - Role, responsibility

A
  • DPO not personally responsible for GDPR non-compliance (responsibility = dc or processor)
19
Q

Data Protection Officer (DPO) Art. 37 - Role, requirements

A
  • Independence: no instructions from dc or processor
  • not dismissed or penalized for tasks
  • no conflict of interests with other duties
20
Q

Data Protection Officer (DPO) Art. 37 - Tasks detail

A
  • Inform & advise on GDPR obligations (dc & employees) (e.g. by training)
  • Monitor compliance (e.g. by audits)
    if ds complain -> need to investigate further (e.g. complaints from ds that they never signed up to receive the newsletter)
  • Raising awareness of data protection (to management, employees, dc)
  • Advise on DPIAs (e.g. whether to carry out, what methodology, whether in-house, what safeguards)
  • Collaborate with authorities (point of contact for supervisory authorities)
  • Contact point for ds