GDPR Flashcards

1
Q

Sector

A

All

2
Q

Year Passed/Amended

A

Adopted in 2016 as Regulation (EU) 2016/679; applicable since 25 May 2018, when it replaced the 1995 Data Protection Directive (95/46/EC)

3
Q

Key principles

A
Lawfulness, Fairness and Transparency
Purpose limitation
Data minimization
Accuracy
Storage limitation
Integrity and confidentiality
Accountability
4
Q

Data subject rights

A
Right to be informed (transparent communication and information about the processing)
Right of access
Right to rectification
Right to erasure
Right to restriction of processing
Right to data portability
Right to object (to processing)
Right not to be subject to automated decision-making
5
Q

Primary requirements

A

On data controllers:
Implement data protection by design and by default
Give documented instructions to data processors (a written contract under Article 28)
Ensure the security of processing
Report data breaches
Cooperate with DPAs
Appoint a DPO and/or an EU representative where required
Identify and document the legal basis for each processing activity
Maintain records of processing activities
Conduct data protection impact assessments for high-risk processing

On data processors:
Process only on the documented instructions of the controller
Confidentiality of staff with access to the data
Keep a record of processing activities
Security of processing
Report data breaches to the controller
Cooperate with DPAs

Both must also facilitate the exercise of all of the data subject rights.

Consent is only one of six lawful bases for processing (Article 6: consent, contract, legal obligation, vital interests, public task, legitimate interests). Where consent is relied on, it must be freely given, specific, informed, and an unambiguous indication of the data subject's wishes.

6
Q

Entities subject to the law

A

Controllers and processors established in the EU, regardless of where the processing itself takes place

Controllers and processors outside the EU that offer goods or services to data subjects in the EU or monitor their behaviour there (Article 3)

Data controller: an entity that “determines the purposes and the means of the processing of personal data”

Data processor: an entity that “processes personal data on behalf of the controller”

7
Q

Term for relevant PII or regulated data

A

Two classes: personal data and special categories of personal data (commonly called sensitive personal data)

8
Q

Definition of relevant PII or regulated data

A

Personal data: any information relating to an identified or identifiable natural person, including separate pieces of data that can be combined to identify a person.

De-identified, encrypted or pseudonymized data is still personal data as long as someone (for example the holder of the key or of the lookup table) can use it to identify a person; data counts as anonymized only when re-identification is irreversible by any means reasonably likely to be used.

Examples:
First and last name
Home address
Email address including first and last name
ID card number
Location data
IP address
Cookie ID
Advertising ID on a phone
Data held by a doctor or hospital, even if separated from a patient's name

Examples that are not personal data:
Registration number for a company
Email addresses such as support@company.com
Anonymized data

Sensitive personal data (special categories of personal data, Article 9): defined by an exhaustive list rather than a general definition. Processing is prohibited unless one of the Article 9(2) exceptions applies; the most common one is the data subject's "explicit consent".
Examples:
Race or ethnic origin
Political opinions
Religious or philosophical beliefs
Trade union membership
Genetic data
Biometric data
Health data
Sex life or sexual orientation
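The difference between pseudonymized and anonymized data above is easiest to see in code. The following is an added example, not part of the flashcards: it pseudonymizes a constructed set of customer e-mail addresses two ways, with a plain SHA-256 hash and with an HMAC under a secret key, and then runs the dictionary attack an attacker would run against a leaked table. The addresses, the key handling and the function names are assumptions made for the illustration.

```python
"""Why a hashed identifier is usually still personal data.

Added example (not from the flashcards). Assumes a constructed customer
table and an attacker who can guess candidate e-mail addresses.
"""
import hashlib
import hmac
import secrets

# Constructed sample records (not real people).
RECORDS = {
    "alice@example.com": {"plan": "pro"},
    "bob@example.org": {"plan": "free"},
    "carol@example.net": {"plan": "pro"},
}

# Attacker's constructed guess list: harvested addresses, one of them wrong.
CANDIDATES = [
    "alice@example.com",
    "bob@example.org",
    "mallory@example.com",
    "Carol@Example.net",
]


def unkeyed_pseudonymise(email: str) -> str:
    """Naive 'anonymisation': a plain SHA-256 of the normalised identifier."""
    return hashlib.sha256(email.lower().encode()).hexdigest()


def keyed_pseudonymise(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key held by the controller."""
    return hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()


def build_table(records: dict, pseudonymise) -> dict:
    """The table as it would be stored or leaked: pseudonym -> record."""
    return {pseudonymise(e): r for e, r in records.items()}


def reidentify(table: dict, candidates, pseudonymise) -> dict:
    """Dictionary attack: compute the pseudonym of every guessed identifier and
    look it up in the table. Returns {email: record} for every hit."""
    recovered = {}
    for cand in candidates:
        p = pseudonymise(cand)
        if p in table:
            recovered[cand.lower()] = table[p]
    return recovered


def demo() -> tuple:
    """Returns (hits on unkeyed table, attacker hits on keyed table,
    controller hits on keyed table)."""
    unkeyed_table = build_table(RECORDS, unkeyed_pseudonymise)
    # Without a secret, anyone can recompute the hashes: all three come back.
    hits_unkeyed = reidentify(unkeyed_table, CANDIDATES, unkeyed_pseudonymise)

    key = secrets.token_bytes(32)  # controller's key (assumed kept separately)
    keyed_table = build_table(RECORDS, lambda e: keyed_pseudonymise(e, key))

    # An attacker who has the leaked table but not the key gets nothing.
    attacker_key = secrets.token_bytes(32)
    hits_attacker = reidentify(
        keyed_table, CANDIDATES, lambda e: keyed_pseudonymise(e, attacker_key))

    # The controller, who holds the key, can still re-identify every row, so the
    # keyed table is pseudonymised rather than anonymised and remains personal
    # data in the controller's hands.
    hits_controller = reidentify(
        keyed_table, CANDIDATES, lambda e: keyed_pseudonymise(e, key))

    return len(hits_unkeyed), len(hits_attacker), len(hits_controller)


if __name__ == "__main__":
    print(demo())
```

The unkeyed variant is what many "anonymised analytics" exports actually do; because the identifier space (e-mail addresses, phone numbers, IP addresses) is small enough to enumerate, it is personal data for anyone who obtains the table. The keyed variant limits re-identification to whoever holds the key, which is exactly the GDPR notion of pseudonymisation: a useful security measure and a factor in the breach-notification exceptions below, but not a way out of the Regulation.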
9
Q

Civil or criminal?

A

Both. The Regulation itself provides for administrative fines imposed by DPAs; criminal penalties are left to each member state's national law (Article 84).

10
Q

Enforcing authority - civil

A

Data Protection Authorities (DPAs), one per member state. Germany is the exception: a federal authority for federal public bodies, plus one authority per Land for that Land's public bodies and for businesses established there. For cross-border processing the DPA of the controller's main EU establishment acts as lead supervisory authority (the "one-stop shop", Article 56).

11
Q

Penalties - civil

A

Higher tier: up to the greater of EUR 20 million or 4% of total worldwide annual turnover of the preceding financial year.
Imposed for infringements of the basic principles of processing (including the conditions for consent, lawfulness of processing and the special categories of data), of data subject rights, and of the rules on transfers to recipients outside the EU.

Lower tier: up to the greater of EUR 10 million or 2% of total worldwide annual turnover of the preceding financial year.
Imposed for infringements of controller and processor obligations such as data protection by design and by default, records of processing, cooperation with DPAs, security of processing, breach notification, and designation of a DPO.

12
Q

Enforcing authority - criminal

A

Not the DPAs. DPAs impose administrative fines; where a member state has made a GDPR violation a criminal offence under Article 84, prosecution is handled by that state's prosecutors and criminal courts.

13
Q

Penalties - criminal

A

Set by each member state's national law. The Regulation itself contains no criminal penalties; Article 84 only requires that any national penalties be effective, proportionate and dissuasive.

14
Q

Private right of action?

A

Yes. Data subjects may sue the controller or processor directly (Article 79) and claim compensation for material or non-material damage (Article 82). They can also lodge a complaint with a DPA (Article 77) and, if unsatisfied with how it is handled, bring a judicial remedy against the DPA in national court (Article 78).

15
Q

FIP individual rights implicated

A

Notice, choice and consent, and access (i.e. all of them)

16
Q

Notice provisions - non-breach

A

At the time of collection the controller must provide a privacy notice (Articles 13 and 14) covering at least:
Controller's identity and contact details
Purpose of the processing and its legal basis
Types of data to be collected
Information about the right to withdraw consent (where consent is the legal basis)
Information about any automated decision-making
Any transfers outside the EU/EEA and the safeguards relied on (for consent-based transfers, the possible risks)

17
Q

Notice provisions - breach

A

Data controllers: must notify the DPA without undue delay and, where feasible, within 72 hours of becoming aware of the breach. A notification made later than 72 hours must include the reasons for the delay.

If the breach is likely to result in a "high" risk to individuals' rights and freedoms, the controller must also notify the affected data subjects without undue delay. At minimum, the communication must:
Be in clear and plain language
Give the name and contact details of the DPO or another contact point
Describe the likely consequences of the breach
Describe the measures the controller has taken or proposes to take to address the breach and mitigate its effects

Data processors: must notify the controller "without undue delay" after becoming aware of a breach

18
Q

Exceptions for notice - non-breach

A

Information need not be provided where the data subject already has it. Where the data were not obtained from the data subject (Article 14), there are further exceptions: providing the information would be impossible or involve disproportionate effort, the collection or disclosure is expressly required by law, or the data are covered by professional secrecy.

19
Q

Exceptions for notice - breach

A

Notification to the DPA is not required if the breach is unlikely to result in a risk to individuals' rights and freedoms (e.g. the data were strongly encrypted and the key was not compromised), but every breach must still be documented internally (Article 33(5)).

Notification to data subjects is not required if ANY of the following applies (Article 34(3)):

(a) the controller had applied appropriate protection measures to the affected data, in particular encryption that renders them unintelligible to anyone without the key;
(b) the controller has since taken measures that make the high risk unlikely to materialise (e.g. by suspending compromised accounts or revoking credentials); or
(c) individual notice would involve disproportionate effort, in which case the controller must instead make a public communication or take an equivalent measure that informs the data subjects equally effectively

20
Q

Consent provisions

A

Consent can be given by a statement or by a clear affirmative action; silence, pre-ticked boxes or inactivity do not count, and the controller bears the burden of proving that consent was obtained (Article 7). Withdrawing consent must be as easy as giving it.

In order to obtain informed consent, the controller must provide the data subject with at least the following:
Controller's identity
Purpose of the processing
Types of data to be collected
Information about the right to withdraw consent
Information about any automated decision-making
Risks of transfers outside the EU/EEA (where the transfer itself relies on consent)

21
Q

Exceptions for consent

A

Consent is not needed where another Article 6 lawful basis applies: performance of a contract, compliance with a legal obligation, protection of vital interests, a task carried out in the public interest, or the controller's legitimate interests (unless overridden by the data subject's interests or rights).

22
Q

Access provisions

A

Data subjects have the right of access, defined as:

(a) confirmation of whether a data controller is processing their data;
(b) a copy of their personal data (the first copy free of charge);
(c) the supplementary information a privacy notice would contain (purposes, categories of data, recipients, retention period, source of the data, and any automated decision-making).

The controller must respond without undue delay and within one month, extendable by two further months for complex or numerous requests (Article 12).

Data subjects also have the right to rectification and the right to erasure or, alternatively, the right to restriction of processing

23
Q

Requirements for right to erasure

A

(a) The personal data is no longer necessary…for the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws consent, and there is no other legal basis for processing;
(c) the data subject objects to the processing based on legitimate interests, and there is no overriding legitimate interest in processing;
(d) the personal data have been unlawfully processed;
(e) the personal data must be erased to comply with a legal obligation;
(f) the personal data were collected in relation to the offer of information society services directly to a child

24
Q

Requirements for right to restriction of processing

A

(a) the accuracy of the data is contested by the data subject, for the period the controller needs to verify it;
(b) the processing is unlawful, and the data subject prefers restriction instead of erasure;
(c) the controller no longer needs the data, but the data subject needs them for the establishment, exercise or defense of legal claims;
(d) the data subject has objected to processing, pending verification of whether the controller's legitimate grounds override those of the data subject