GDPR Flashcards

1
Q

GDPR application for establishment in EU

A

The GDPR will apply directly in all Member States of the European Union and in Iceland, Liechtenstein and Norway, which are part of the European Economic Area (EEA)

2
Q

GDPR application for non-establishment in EU

A

Applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

3
Q

Scope of GDPR

A

GDPR Art 3 covers scope. It applies to the processing of personal data by any controller or processor established in the Union, regardless of whether the processing takes place in the Union or not.

  1. You are established in the EU as a processor or a controller
    Should be interpreted with a wide scope. If HQ is in one country but the team making decisions is in the EU, you are in scope.
  2. You offer goods or services to data subjects in the Union
    A website simply accessible to a global audience is not enough.
  3. You monitor (or profile) behavior of EU citizens such as location, wellness monitoring, CCTV, OBA, home automation…
4
Q

Name the 8 Data Subject Rights

A
  • Right of transparent communication and information
  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restriction of processing
  • Right to data portability
  • Right to object
  • Right not to be subject to automated decision making or profiling
5
Q

Right of Access

A

Individuals have right to obtain copy of their personal data and supplementary information.

If a request is made, there is a one month window to respond. The company can ask for a 2 month extension if needed. Under GDPR, you generally cannot charge, but you can charge a reasonable fee if the request is unfounded or excessive.

Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.

The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

6
Q

Right of Rectification

A

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

7
Q

Right of Erasure

A

Also known as the Right to be Forgotten. Not absolute; only applies if:

  • Personal data is no longer necessary for the original purpose it was collected for
  • The individual the info is about withdraws consent
  • There is no legitimate interest any more
  • Processing is for direct marketing purposes and the individual objects to it
  • The data was unlawfully processed
  • The information involves children

Does not apply to processing done for following reasons:

  • Data collected in public interest or due to legal obligation
  • To exercise or protect legal claims
  • If it is necessary for public health purposes/preventative or occupational medicine
8
Q

Right to Restriction of Processing

A

Individuals have the right to restrict processing of their personal data in limited circumstances. This is an alternative to erasure.

In most cases you only need to have the restriction in place for a certain period of time.

They can request restriction if:

  • They contest the accuracy of the data and the entity is verifying it
  • The data was unlawfully processed
  • The individual needs you to keep the data
  • The individual has objected to your processing and you are evaluating the claim.
9
Q

Right to Data Portability

A

Right to receive the personal data they have provided to controllers in a structured, commonly used, machine-readable format.

10
Q

Right to Object

A

Individuals can ask that their data stop being processed.

Absolute right: Direct marketing and profiling

Right to be evaluated: tasks carried out in the public interest, in the exercise of official authority, or for legitimate interest. Processing must be stopped until the dispute is resolved.

11
Q

Right to not be subject to automated decision making or profiling

A

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

Examples: Online decision for loan, recruitment tests…

12
Q

Restrictions on Privacy Rights

A

Member states can restrict obligations under GDPR when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:

  • national security/defense
  • public security
  • prevention of crime
  • other important interests of the member state
  • protection of judicial independence
13
Q

GDPR Security Obligations

A

Mirror the requirements from the Data Protection Directive.

14
Q

Data Breach Notifications

A

The controller needs to notify the DPA and data subjects.
Processors only need to notify controllers.
The controller needs to notify the DPA without undue delay, which is subject to a 72 hour limit.

The notification must:

  • Provide contact details of the DPA contact person
  • Give information regarding the categories and approximate number of data subjects concerned
  • Describe the nature of the breach
  • Describe the likely consequences of the breach
  • Describe the measures the organization has taken or proposes to take to address the breach.

Controllers must notify data subjects if the breach is high risk to their rights and freedoms.

15
Q

Exceptions to Controller Requirement to Notify Data Subjects of Breach

A
  • The data is unintelligible to unauthorized parties, e.g. because it was encrypted
  • The controller took steps to prevent the high risk from materializing
  • Notification would involve disproportionate effort: in such cases some effort must still be made, such as a public announcement.
16
Q

Signs of Proper Accountability

A

Regulators want to see data protection embedded within corporate DNA

  • Appropriate technical and organizational measures in place
  • Data protection policies
  • Data protection by design and default
  • Documentation of processing activities
  • Appropriate security measures
  • Data protection officers and impact assessments.
17
Q

Data Protection by Design/Default

A

1) Proactive not reactive
2) Privacy as the default setting
3) Privacy embedded into design
4) Full functionality
5) End to end security
6) Visibility and transparency
7) Respect for user privacy

By default:

  • The most protective option is the default option. Taking no action as a data subject results in the most privacy.
  • Keeping the data retention period to the minimum is a similar default.
18
Q

Vendor Contracts

A

When a controller uses a processor they must have a contract in place with certain requirements specified by GDPR.
Controllers are liable for their compliance with GDPR and should only appoint processors that adhere to GDPR standards.
Processors have direct responsibilities.
Contracts must set out the subject matter and duration of the processing along with the nature and purpose of the processing, the type of data and categories of data subject, and the obligations and rights of the controller.

19
Q

Processor Responsibilities Under GDPR

A
  • Obtain controller authorization to use a sub-processor
  • Co-operate with supervisory authorities
  • Ensure security
  • Keep records of processing
  • Notify data breaches to the controller
  • Employ a data protection officer
  • Appoint a representative within the EU if established outside of EU.
20
Q

Data Protection Impact Assessment (DPIA)

A

Required under GDPR. GDPR requires a DPIA before carrying out processing likely to result in high risk.
Consult the DPA if the risk is high.

DPIAs are mandatory in some situations.
Must do a DPIA if:
- Systematic and extensive profiling with significant effects
- Special category or criminal offence data processed on a large scale
- Systematic monitoring of publicly accessible places on a large scale.

DPIA must contain at least:

  • Processing operation, purposes and legal basis
  • Necessity and proportionality of processing
  • Assessment of risks
  • The measures, safeguards, security.
21
Q

Data Protection Officer (DPO)

A

Recognized by GDPR but not required for every company.
Mandatory if:
- The controller is a public authority
- Core activities involve systematic monitoring on a large scale
- Large scale = number of subjects, range of data, duration or permanence of processing, geographic coverage.

Code of Conduct must be submitted to the DPA for authorization.

22
Q

Cross Border Transfers

A

Personal data may only be transferred beyond the EEA if done so in compliance with GDPR under these conditions:

1) Adequacy decisions: the European Commission can issue a decision that the country or territory in question has an
2) Appropriate Safeguards
3) Derogation

23
Q

Exceptions for Cross Border Transfers

A

Also known as Derogations:

  • Informed consent
  • Performance of contract
  • Public interest
  • Exercise or defence of legal claims
  • Vital interest of the data subject

Certification is not a valid derogation. If you wish to use a derogation, you must notify the DPA.

The transfer must be non-repetitive, for a limited number of data subjects, and for a "compelling" legitimate interest. The controller must inform the DPA of the derogation-based transfer and the compelling legitimate interest.

24
Q

6 Bases for Legal Processing

A
  1. Consent - Most unreliable because data subject can withdraw at any time.
  2. Contract
  3. Legal Obligation
  4. Vital Interest
  5. Public Interest
  6. Legitimate Interest
25
Q

Requirements for Consent

A

Consent must be clearly distinguishable. It does not exist when there is a clear imbalance between data subject and controller (an employer must treat employees that refuse consent as favorably as those that do).

If the person finds the consent form confusing, valid consent is lacking.

26
Q

eCookie Directive

A

Does not apply to cloud computing

27
Q

Which body votes on directives

A

Council of Europe

28
Q

Name things processors are not responsible to do

A

Perform data protection assessments.

29
Q

When data subject takes back consent

A

The data subject can do this at any time. Once it is done, future processing is not allowed. The processor does not need to destroy the results of prior processing unless the data subject invokes the right of erasure.

30
Q

Processing pursuant to contract

A

Data subject cannot just revoke consent and ask for something to be taken down if it is in violation of the terms of the contract.

31
Q

Legal obligation processing

A

Example: An employer must report employee wages to the IRS. The legal basis must be grounded in Union or member state law.

32
Q

Vital interest processing

A

Such as saving someone's life. Think about a hospital having to access information to save your life when neither you nor a family member is available to consent.

33
Q

Public Interest Processing

A

Processing in the exercise of an official authority vested in the controller.

34
Q

Legitimate Interest Processing

A

Any interest of the controller or processor in processing data that does not violate the rights of the subject. Examples: processing data to prevent fraud, processing employee data for administrative purposes, providing network security for your organization.

35
Q

What types of data are generally prohibited from processing?

A

Race, ethnicity, politics, religion, philosophy, trade union membership, genetic data, biometric data, health, sex life, and sexual orientation.

36
Q

When may typically prohibited data be processed?

A
  1. When data subject gives explicit consent (like a yes or no option).
  2. To comply with state employment laws.
  3. Vital interest.
  4. Legitimate activity of a political, philosophical, religious, or trade organization but info cannot be disclosed outside organization without explicit consent.
  5. Data subject makes the sensitive data public
  6. Establishment, exercise, or defense of legal claims
  7. Preventative or occupational medicine (worker’s compensation and treatment).
  8. Public health
  9. Archiving in the public interest.
37
Q

Transparency Principle

A

Anything presented to a data subject should:

  • State what data is collected and how it is used
  • Be easily accessible
  • Be easy to understand.

A data subject's requests to exercise their rights shall be free of charge. If the requests are unfounded, repetitive or excessive, the controller may charge a reasonable fee or refuse the request.

38
Q

What data subject rights apply to all types of processing?

A

Rights of access, rectification, and restriction.

39
Q

Things Controller should do when hiring a Processor…

A

1) Implement technical and organizational measures
2) Written contract stating the duration and purpose of processing, the type of personal data, and the categories of data subjects.
3) The processor can only process per your instructions
4) They will keep the data confidential
5) They will assist the controller with data subject requests
6) They will delete or return the data to the controller at the conclusion of the contract.

*A processor hiring a sub-processor should do the same, because a processor is fully liable to the controller for a sub-processor's work.

40
Q

Three elements of territorial scope of GDPR

A

1) Establishment in the EU, or
2) Offering goods or services to people in the EU, or
3) Monitoring people's behavior in the EU

41
Q

Documentation and Cooperation with Regulators

A

You do not need to document if your organization is under 250 people. Since most companies will be larger than this, they need to document by keeping records of processing activity and having data protection policies.

42
Q

Adequacy Decision

A

The Commission deems that the recipient country has adequate safeguards. The adequacy decision that pertains to the US is the Privacy Shield.

43
Q

US Safe Harbor

A

2000 to 2015; ruled illegal by the CJEU because it violated rights to privacy.

44
Q

Privacy Shield

A

US-EU privacy framework adopted in 2016. This is a self-certification program. A company fills out a form with the US Department of Commerce.

45
Q

Name which authorities have authority to approve certain types of data transfer frameworks

A

Commission: Adequacy decisions and Standard Contractual Clauses.
DPA: Ad Hoc Clauses, Derogations, and Binding Corporate Rules
Code of Conduct: European Data Protection Board then the Commission.

46
Q

Binding Corporate Rules

A

1) Multinational company drafts them
2) Sends to DPA for approval
3) Gets put on approved list.

The disadvantage is that they don't bind any person or entity outside your company.

47
Q

Codes of Conduct

A

These are used by smaller businesses and allow them to engage in international data transfers.

48
Q

DPA

A

Data Protection Authority or Supervisory Authority. They monitor, enforce, promote, and advise on data protection issues. They have investigative, corrective, authorization and advisory powers.

They can issue warnings but not a notice of alleged infringement. They can issue reprimands, order compliance with a data subject's request, ban processing, and impose fines. They also issue opinions and approve BCRs, clauses, codes of conduct, and certifications.

49
Q

Who is the lead DPA?

A

The place with the greatest "substantial effect" on data subjects. If the events took place in multiple jurisdictions, then the lead DPA is where the data processing decisions were made.

50
Q

European Data Protection Board

A

Made up of the head of each DPA. They monitor the DPAs, advise the Commission, and oversee consistency. They issue guidelines for interpreting the GDPR.

51
Q

What can data subject do if GDPR is violated?

A

They have three options:

1) Lodge a complaint with an SA. Can be based on where their residence is, where they work, or where the infringement took place.
2) Sue any DPA where it is located.
3) Sue any controller or processor where they are established, or where the data subject lives or works, or where the infringement took place.

52
Q

Infringements and Fines under GDPR

A

10m or 2% of revenue: infringements involving parental consent for children; poor data protection design; failure to appoint a DPO or causing dysfunction for the DPO; issues with certification such as a false claim of certification.

20m or 4% of revenue: all other infringements.