General Data Protection Regulation (GDPR) Flashcards

1
Q

Personal Data

A

Any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

2
Q

Processing

A

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

3
Q

Controller

A

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

4
Q

Processor

A

A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

5
Q

Principles of GDPR

A
  1. Lawfulness: Be able to rely on a legal justification for using the data.
  2. Fairness: Do not use the data in a manner that is unexpected, detrimental, or misleading.
  3. Transparency: Be clear about what you are doing with data.
  4. Purpose Limitation: Be clear why you are collecting/using data and only use it for a purpose compatible with what was originally specified.
  5. Data minimization: Only process data that is necessary for the purpose you have identified.
  6. Accuracy: Keep data accurate and/or give data subjects ability to correct.
  7. Storage Limitation: Do not store data for longer than you need it.
  8. Data integrity and Security: Implement appropriate measures to ensure data security and avoid breaches.
  9. Accountability: Burden is on the company to be able to demonstrate compliance.
6
Q

Legal Bases

A
  1. Consent
  2. Contractual necessity
  3. Legitimate interests

(Not important/rare)
  4. Compliance with a legal obligation
  5. To protect the vital interests of a person
  6. Performance of a task carried out in the public interest

7
Q

Consent

A
  1. Freely Given
  2. Specific
  3. Informed
  4. Unambiguous indication of data subject’s wishes
8
Q

Contractual Necessity

A

Lawful when “processing is necessary for the performance of a contract.”

You must be able to demonstrate that the specific processing is necessary for the service.
a. Necessity is to be assessed objectively, according to the perspective of a hypothetical reasonable data subject.
b. If there are realistic and less intrusive alternatives to the type of processing envisaged, it is not necessary.

9
Q

Legitimate Interest

A

Most appropriate when you can use people’s data:
- in ways they would reasonably expect,
- with minimal privacy impact,
- or where there is a compelling justification for the processing.

Elements:
1. Identify a legitimate interest,
2. Show that the processing is necessary to achieve it,
3. Balance it against the individual’s interests, rights, and freedoms.

10
Q

Rights of the Data Subject

A
  1. Right to be informed
  2. Right to access
  3. Right to rectification
  4. Right to erasure
  5. Right to restrict processing
  6. Right to data portability
  7. Right to object
  8. Rights in relation to automated decision making and profiling
11
Q

Exceptions to Access and Portability Rights

A
  1. Where access would adversely affect the rights and freedoms of other consumers
  2. Where data constitutes the controller’s trade secrets
  3. Where requests are manifestly unfounded or excessive
  4. Where the requestor’s identity cannot be verified
12
Q

Data Protection Impact Assessment (DPIA)

A

Process designed to help systematically analyze, identify and minimize the data protection risks of a project.

Initial fact gathering and documenting -> Seeking additional information -> Assessing the design -> Identifying risks -> Mitigating risks -> Documenting decisions

Consequence × Probability = Overall Risk

13
Q

Sensitive Personal Data

A

Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

14
Q

Data Protection Authorities (DPAs)

A

Independent public authorities that monitor and supervise, through investigative and corrective powers, the application of the data protection law. They provide expert advice on data protection issues and handle complaints that may have breached the law.

15
Q

Data Protection Officer (DPO)

A

Appointed by a controller, the DPO must be an expert in data protection who informs the controller of its responsibilities under GDPR and monitors its compliance. A DPO can be an employee but must not have a conflict of interest between business interests and GDPR compliance.
