GDPR and International Privacy Issues Flashcards
List one reason that GDPR may garner the attention of management
Fines for violations of GDPR are based on a company’s worldwide revenues, and fines can be as much as 4% of worldwide revenues
Define “personal data” under GDPR
“Personal data” is broadly defined in the GDPR as any data that relates to “an identified or identifiable natural person”
Distinguish between “personal data” and “sensitive personal data”
“Sensitive Personal Data” is a special category of “Personal Data” that receives additional protections under GDPR
Examples include:
- Race or ethnic origin
- Political opinions
- Religious/philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data
- Health data
- Sex life or sexual orientation
Explain the term “data subject”
A data subject is defined as any natural person whose data is being collected, stored, or processed
Distinguish “controller” from “processor”
The term “controller” is defined as an individual or entity that “determines the purposes and the means of the processing of personal data” while the term “processor” means an individual or entity that “processes personal data on behalf of the controller”
Describe the requirements of consent
“Consent” must be freely given, specific, informed AND an unambiguous indication of the data subject’s wishes
Contrast the term DPA with the term DPO
The term DPA refers to an independent public authority that investigates and enforces data protection laws
- DPAs are responsible for enforcing data protection laws at a national level, and providing guidance on the interpretation of those laws
The term DPO refers to the primary point of contact on data protection issues within a business that is based in the EU
- The DPO facilitates and reviews the company’s GDPR compliance
List the seven key principles in the GDPR
- Lawfulness, fairness, and transparency
- Purpose Limitation
- Data Minimization
- Accuracy
- Storage Limitation
- Integrity and Confidentiality
- Accountability
Describe how the principle of transparency impacts communications with data subjects
The principle of transparency requires that any communication (such as privacy notices) be easily accessible and that clear and plain language be used so that it is easy to understand
Discuss the restrictions that the purpose limitation principle places on further processing of data
The purpose limitation principle requires that personal data not be further processed in a manner that is incompatible with the original purpose for which it was collected
Further processing for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes is not considered to be incompatible with the original purposes
Define the principle of data minimization
The principle of data minimization requires that the processing of personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed
Explain the steps that must be taken to comply with the accuracy principle
The accuracy principle requires that every reasonable step is taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
Discuss the main step that should be taken to ensure compliance with the principle of storage limitation
To ensure compliance with the principle of storage limitation, the controller should establish time limits for erasure or for a periodic review
Explain numerous concerns that should be addressed regarding the principle of integrity and confidentiality
To comply with the principle of integrity and confidentiality, personal data must be processed in a manner that ensures appropriate security and confidentiality of the personal data, including:
- Protection against unauthorized or unlawful processing
- Protection against accidental loss, destruction or damage
- Use of appropriate technical or organizational measures
Name the entity responsible for compliance with accountability
The controller is accountable for compliance with the principles of processing
List the eight rights that individuals have regarding the processing of their personal data
- Right to be informed
- Right of access
- Right to rectify
- Right to erase
- Right to restrict processing
- Right to data portability
- Right to object
- Right not to be subject to automated decision making
Discuss the types of information that the controller must provide to the data subject
The controller must provide:
- the purposes of processing
- the lawful basis of processing
- the recipients or the categories of recipients
- the details of transfers
Define the right of access
The right of access provides individuals with the right to obtain a copy of their personal data and more detailed information about the processing activities
Explain the right to rectify
According to the right to rectify, individuals have the right to have inaccurate personal data corrected
Provide an alternative name for the right to erase
The right to be forgotten
Explain the interaction between the right to restrict processing and the right to erase
The right to restrict processing allows an individual to limit the way their personal data is processed. This right is an alternative to the right to erase
Discuss the details of the right to data portability
Individuals have the right to port data to themselves or to another controller
The individuals may request data provided in a structured, commonly used and machine-readable format
Describe the similarity between the right to object and the right to restrict processing
Both the right to object and the right to restrict processing allow individuals to limit how their personal data is processed
Name the right that restricts profiling under the GDPR
The right not to be subject to automated decision-making
Define data breach in the GDPR
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed
Explain the notice requirements concerning the DPA in a data breach
The GDPR requires controllers to report data breaches to the relevant DPA within 72 hours of detection
Describe the notice requirements for a processor in a data breach
Processors are required to notify controllers “without undue delay” after discovering a breach
Discuss the notice requirements regarding data subjects in a data breach
If a data breach occurs, the controller must notify affected data subjects without undue delay
At a minimum, the notification must include:
- The name and contact of the DPO (or appropriate person)
- The likely consequences of the data breach
- Any measures taken by the controller to mitigate the breach
Explain who can initiate an administrative complaint for violation of the GDPR
An administrative complaint can be initiated by a data subject or by a DPA
Discuss when a data subject can seek a judicial remedy for violation of the GDPR
- The data subject is not satisfied with the decision of the DPA
- The DPA does not inform the data subject, within 3 months, of the outcome of the complaint or of the progress on the complaint
Describe who can be liable for harm caused by unlawful processing of personal data
Both the controller and the processor can be liable to data subjects for harm caused by unlawful processing of personal data
Talk about the highest fines that can be given out under the GDPR
The highest fines that can be assessed under the GDPR are 4% of global annual revenues
Detail the legal basis for data flows between the EU and the US that existed until 2015
Until 2015, many U.S. companies that did business in the EU participated in the U.S.–EU Safe Harbor program to provide a lawful basis for EU data to be transferred to the United States
Describe the term SCCs
Standard Contractual Clauses (SCCs) are a legal basis for transferring data between the EU and the U.S.
Explain the term BCRs
Binding Corporate Rules (BCRs) are a legal basis for transferring data between the EU and the U.S.
Discuss the case dubbed Schrems II and its impact on the EU/US Privacy Shield
In July 2020, the European Court of Justice, in the Schrems II decision, struck down the EU Commission’s finding that the EU/US Privacy Shield offered adequate protection
The Schrems II decision also cast significant doubt on the feasibility of transferring personal data based on Standard Contractual Clauses (SCCs), unless “supplemental measures” were in place to protect the data
Analyze why the legal basis for data flows between the EU and US, and perhaps the rest of the world, is in flux
The implications of the decision could be staggering if the ultimate outcome of Schrems II is to limit flows of personal data based on the existence of U.S. surveillance practices
If this approach is applied to other countries outside the EU (without adequacy decisions), the impacts of the Schrems II decision in the EU could be hard data localization