GDPR and International Privacy Issues Flashcards

1
Q

List one reason that GDPR may garner the attention of management

A

Fines for violations of GDPR are based on a company’s worldwide revenues, and fines can be as much as 4% of worldwide revenues

2
Q

Define “personal data” under GDPR

A

“Personal data” is broadly defined in the GDPR as any data that relates to “an identified or identifiable natural person”

3
Q

Distinguish between “personal data” and “sensitive personal data”

A

“Sensitive Personal Data” is a special category of “Personal Data” that receives additional protections under GDPR

Examples include:

  • Race or ethnic origin
  • Political opinions
  • Religious/philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data
  • Health data
  • Sex life or sexual orientation
4
Q

Explain the term “data subject”

A

A data subject is defined as any natural person whose data is being collected, stored, or processed

5
Q

Distinguish “controller” from “processor”

A

The term “controller” is defined as an individual or entity that “determines the purposes and the means of the processing of personal data” while the term “processor” means an individual or entity that “processes personal data on behalf of the controller”

6
Q

Describe the requirements of consent

A

“Consent” must be freely given, specific, informed AND an unambiguous indication of the data subject’s wishes

7
Q

Contrast the term DPA with the term DPO

A

The term DPA refers to an independent public authority that investigates and enforces data protection laws

  • DPAs are responsible for enforcing data protection laws at a national level, and providing guidance on the interpretation of those laws

The term DPO refers to the primary point of contact on data protection issues within a business that is based in the EU

  • The DPO facilitates and reviews the company’s GDPR compliance
8
Q

List the seven key principles in the GDPR

A
  1. Lawfulness, fairness, and transparency
  2. Purpose Limitation
  3. Data Minimization
  4. Accuracy
  5. Storage Limitation
  6. Integrity and Confidentiality
  7. Accountability
9
Q

Describe how the principle of transparency impacts communications with data subjects

A

The principle of transparency requires that any communication (such as privacy notices) be easily accessible and that clear and plain language be used so that it is easy to understand

10
Q

Discuss the restrictions that the purpose limitation principle places on further processing of data

A

The purpose limitation principle requires that personal data not be further processed in a manner that is incompatible with the original purpose for which it was collected

Further processing for archiving purposes in the public interest, scientific, or historical research purposes or statistical purposes is not considered to be incompatible with the original purposes

11
Q

Define the principle of data minimization

A

The principle of data minimization requires that the processing of personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed

12
Q

Explain the steps that must be taken to comply with the accuracy principle

A

The accuracy principle requires that every reasonable step is taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay

13
Q

Discuss the main step that should be taken to ensure compliance with the principle of storage limitation

A

To ensure compliance with the principle of storage limitation, the controller should establish time limits for erasure or for a periodic review

14
Q

Explain numerous concerns that should be addressed regarding the principle of integrity and confidentiality

A

To comply with the principle of integrity and confidentiality, personal data must be processed in a manner that ensures appropriate security and confidentiality of the personal data, including:

  • Protection against unauthorized or unlawful processing and against accidental loss, destruction or damage
  • Using appropriate technical or organizational measures
15
Q

Name the entity responsible for compliance with accountability

A

The controller is accountable for compliance with the principles of processing

16
Q

List the eight rights that individuals have regarding the processing of their personal data

A
  1. Right to be informed
  2. Right of access
  3. Right to rectify
  4. Right to erase
  5. Right to restrict processing
  6. Right to data portability
  7. Right to object
  8. Right not to be subject to automated decision making
17
Q

Discuss the types of information that the controller must provide to the data subject

A

The controller must provide:

  1. the purposes of processing
  2. the lawful basis of processing
  3. the recipients or the categories of recipients
  4. the details of transfers
18
Q

Define the right of access

A

The right of access provides individuals with the right to obtain a copy of their personal data and more detailed information about the processing activities

19
Q

Explain the right to rectify

A

According to the right to rectify, individuals have the right to have inaccurate personal data corrected

20
Q

Provide an alternative name for the right to erase

A

The right to be forgotten

21
Q

Explain the interaction between the right to restrict processing and the right to erase

A

The right to restrict processing allows an individual to limit the way their personal data is processed. This right is an alternative to the right to erase

22
Q

Discuss the details of the right to data portability

A

Individuals have the right to port data to themselves or to another controller

The individuals may request data provided in a structured, commonly used and machine-readable format

23
Q

Describe the similarity between the right to object and the right to restrict processing

A

Both the right to object and the right to restrict processing allow individuals to limit how their personal data is processed

24
Q

Name the right that restricts profiling under the GDPR

A

The right not to be subject to automated decision-making

25
Q

Define data breach in the GDPR

A

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed

26
Q

Explain the notice requirements concerning the DPA in a data breach

A

The GDPR requires controllers to report data breaches to the relevant DPA within 72 hours of detection

27
Q

Describe the notice requirements for a processor in a data breach

A

Processors are required to notify controllers “without undue delay” after discovering a breach

28
Q

Discuss the notice requirements regarding data subjects in a data breach

A

If a data breach occurs, the controller must notify affected data subjects without undue delay

At a minimum, the notification must include:

  • The name and contact of the DPO (or appropriate person)
  • The likely consequences of the data breach
  • Any measures taken by the controller to mitigate the breach
29
Q

Explain who can initiate an administrative complaint for violation of the GDPR

A

An administrative complaint can be initiated by a data subject or by a DPA

30
Q

Discuss when a data subject can seek a judicial remedy for violation of the GDPR

A
  1. The data subject is not satisfied with the decision of the DPA
  2. The DPA does not inform the data subject, within 3 months, of the outcome of the complaint or of the progress on the complaint
31
Q

Describe who can be liable for harm caused by unlawful processing of personal data

A

Both the controller and the processor can be liable to data subjects for harm caused by unlawful processing of personal data

32
Q

Talk about the highest fines that can be given out under the GDPR

A

The highest fines that can be assessed under the GDPR are 4% of global annual revenues

33
Q

Detail the legal basis for data flows between the EU and the US that existed until 2015

A

Until 2015, many U.S. companies that did business in the EU participated in the U.S.–EU Safe Harbor program to provide a lawful basis for EU data to be transferred to the United States

34
Q

Describe the term SCCs

A

Standard Contractual Clauses (SCCs) are a legal basis for transferring data between the EU and the U.S.

35
Q

Explain the term BCRs

A

Binding Corporate Rules (BCRs) are a legal basis for transferring data between the EU and the U.S.

36
Q

Discuss the case dubbed Schrems II and its impact on the EU/US Privacy Shield

A

In July 2020, the European Court of Justice (in the Schrems II decision) struck down the EU Commission’s finding that the EU/US Privacy Shield offered adequate protection

The Schrems II decision also cast significant doubt on the feasibility of transferring personal data based on Standard Contractual Clauses (SCCs), unless “supplemental measures” were in place to protect the data

37
Q

Analyze why the legal basis for data flows between the EU and US, and perhaps the rest of the world, is in flux

A

The implications of the decision could be staggering if the ultimate outcome of Schrems II is to limit flows of personal data based on the existence of U.S. surveillance practices

If this approach is applied to other countries outside the EU (without adequacy decisions), the impacts of the Schrems II decision in the EU could be hard data localization