Incorrect Answers Practice Exam Flashcards
How does the GDPR define ‘processing’?
Art. 4(2) Any operation or set of operations performed by automated means on personal data or on sets of personal data.
Processing is defined by the Regulation as ‘any operation or set of operations which is performed on personal data or on sets of personal data whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction’. See Article 4(2) of the GDPR.
A breach of security leading to the accidental destruction or loss of personal data triggers notification obligations. According to Article 33(2) of the GDPR, how soon must the data processor notify the data controller about such a breach of security?
Without undue delay after becoming aware of the personal data breach.
A data breach occurs when the data for which an organisation is responsible suffers a security incident resulting in a breach of confidentiality, availability or integrity. If that occurs, and it is likely that the breach poses a risk to an individual’s rights and freedoms, the organisation must notify the supervisory authority without undue delay and at the latest within 72 hours after becoming aware of the breach. If the organisation is a data processor, it must notify the data controller of any data breach without undue delay after becoming aware of it. If the data breach poses a high risk to those affected, then the controller should inform the data subjects unless there are effective technical and organisational protection measures that have been put in place or other measures that ensure the risk is no longer likely to materialise. As an organisation, it is vital to implement appropriate technical and organisational measures to avoid possible data breaches. See Article 33(2) of the GDPR.
Under the GDPR, when processing an individual’s personal data in the context of direct marketing activities, data controllers must do which of the following?
Provide individuals with information explaining that their personal data will be used for marketing purposes.
Under the GDPR, an organisation must disclose to data subjects how their personal data will be used and must obtain unambiguous consent for direct marketing unless the direct marketing can be justified under the basis of legitimate interest. However, the organisation is not required to make specific direct disclosures about the lawful basis for processing to data subjects. The organisation would generally need to include information about its lawful basis (or bases, if more than one applies) in its privacy notice. In addition, organisations must disclose to consumers the actual names of any third parties with whom the data will be shared; providing the categories under which those third parties are classified is not sufficient. Encryption must be considered but is not required under the GDPR, although it is a best practice for cybersecurity.
Binding Corporate Rules (BCR) must include what specific elements?
Art. 47 GDPR
Article 47 of the GDPR specifically references BCRs as legally binding data transfer mechanisms. It sets forth data subjects’ enforceable rights as well as the elements that must be included:
- List of specific categories of personal data to be processed under the BCR
- List of methods through which the BCRs are communicated to data subjects
- List of tasks of any person in charge of monitoring compliance with the BCR
- The details of the data transfers
- The legally binding nature, both internally and externally, of the BCR
- The acceptance of liability for any breaches of the BCR
- The tasks of the data protection officer (DPO), if any
- How the BCR is communicated to the data subject
What is an important difference between the European Court of Human Rights (ECHR) and the Court of Justice of the European Union (CJEU) in relation to their roles and functions?
CJEU can force national governments to implement and honour EU law, while the ECHR cannot.
The ECHR is not an institution of the EU; instead, it is part of the apparatus of the Council of Europe, a broader group of member states than the EU. The ECHR was founded in 1959 to oversee the European Convention on Human Rights. Thus, it enforces the European Convention on Human Rights rather than EU law.
While the ECHR’s powers don’t encompass the implementation of EU law, the CJEU can force national governments to administer and honour EU law. The CJEU interprets EU law to make sure it is applied in the same way in all EU countries and settles legal disputes between national governments and EU institutions. It can also, in certain circumstances, be used by individuals, companies or organisations to take action against an EU institution if they feel it has somehow infringed their rights.
According to GDPR Article 56, what is a lead supervisory authority’s (LSA) main concern?
Cross-border processing
A lead supervisory authority (LSA) is assigned when a company operates in multiple EU jurisdictions. Article 56 requires, without prejudice to Article 55, that the supervisory authority of the main establishment or of the single establishment of the controller or processor be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor in accordance with the procedure provided in Article 60. Additionally, Article 60(1) creates duties of cooperation for cross-border processing. While the LSA is concerned with data subject rights, data access disputes and special categories of data, the lead role was established specifically for dealing with cross-border issues.
What are amongst the rights and freedoms that must be considered when balancing privacy rights under the GDPR?
The right to a fair trial, freedom of expression and freedom to conduct a lawful business are rights mentioned in Recital 4 of the GDPR.
Administrative fines imposed under GDPR Art. 83 must be what?
Effective
Proportionate
Dissuasive
According to the GDPR, Art. 83, ‘Each supervisory authority (SA) shall ensure that the imposition of administrative fines pursuant to this Article due to infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate, and dissuasive’.
Supervisory authorities can levy significant fines against entities for GDPR violations, which vary depending on the nature of the violation. However, before imposing a fine, the SA must consider a variety of factors (Article 83(2)). A proposed fine can be challenged in court, and attempts to impose exorbitant fines have been rejected by the courts.
An organisation wants to use a digital identity verification app to authenticate the identities of new customers. Customers will be asked to upload a photo ID document such as a passport, driving licence or national ID and then asked to upload a picture of their face in the app. The ID document’s authenticity is checked, and biometrics are used to ensure the ID document belongs to the customer.
What step should the organisation take to ensure the data minimisation principle is implemented when collecting the personal data?
Undertake a data protection impact assessment to identify and assess the risk to individuals for this activity.
Processing biometric data for the purpose of identification is high-risk processing under the GDPR, so a data protection impact assessment is likely to be required for this activity. The assessment should consider whether this processing activity is necessary and whether the information collected is necessary to meet the purpose of identity verification and consider the minimum amount of information required to fulfil the purpose identified. The data minimisation principle states that personal data shall be ‘adequate, relevant
What are the seven EU-US Privacy Shield Principles?
The seven Privacy Shield Principles are
(1) notice;
(2) choice;
(3) security;
(4) access;
(5) accountability for onward transfer;
(6) data integrity and purpose limitation; and
(7) recourse, enforcement and liability.
Once an organisation publicly commits to comply with the Privacy Shield Principles, that commitment is enforceable by the U.S. Federal Trade Commission under the authority of Section 5 of the FTC Act (prohibition on deceptive acts).
What are the guidelines for controllers on providing fair processing information?
When providing information to data subjects with respect to the processing of the data subject’s personal data, controllers should ensure that such information is:
- Concise: Although there is a clear conflict between this requirement and the volume of fair processing information the Regulation mandates, controllers can assist data subjects by separating content into headed sections, using short sentences and paragraphs, and adopting a layered approach to information provision.
- Transparent: Controllers should be genuine, open and honest with data subjects, and not misleading. Data subjects should not be surprised by processing and, where there are risks or important consequences associated with it, these should be spelled out.
- Easily accessible: It should be clear where fair processing information is and how it can be accessed. Data subjects should not be required to search for it, including amongst other content, and the provision of information should be appropriate for the context in which personal data is obtained.
Two additional requirements are that the information be:
- Intelligible and in clear and plain language: The language used should be easy for the target audience to understand, and controllers should avoid overly legal language, jargon and terminology.
- Accurate and up to date: Fair processing information should therefore be regularly reviewed.
Which EU entity has the authority to invalidate adequacy determinations made by the European Commission?
Court of Justice of the EU
The Court of Justice of the European Union (CJEU) interprets EU law to make certain it is applied in the same way across all member states and settles legal disputes between national governments and EU institutions. It can also, in certain circumstances, be used by individuals,
What is the main reason GDPR Article 4(22) establishes the concept of the supervisory authority concerned?
To ensure that the interests of data subjects residing outside the lead authority’s jurisdiction are represented
For companies that process data outside of their lead supervisory authority’s location, the concept of ‘supervisory authority concerned’ gives the DPA the ability to also represent the interests of individuals residing outside of the lead authority’s jurisdiction. For example, where there is a regulatory problem that concerns a controller in one jurisdiction and a processor in another jurisdiction, the lead authority will be the controller’s, while the processor’s authority will be a ‘supervisory authority concerned’. As noted in Article 56(2), ‘By derogation from paragraph 1, each supervisory authority shall be competent to handle a complaint lodged with it or a possible infringement of this Regulation, if the subject matter relates only to an establishment in its Member State or substantially affects data subjects only in its Member State’.
What are BCRs?
BCRs are legally binding rules and policies that allow a company established in the EU to transfer personal data outside the EU within a multinational company group (such as from a parent company to a subsidiary). Details about BCRs can be found in Article 47 of the GDPR.
An unforeseen power outage results in Company Z’s lack of access to customer data for six hours, which is considered a breach under Article 32 of the GDPR. Based on the WP29’s February 2018 Guidelines on Personal data breach notification (later adopted by the EDPB), Company Z should do which of the following?
Document the loss of availability to demonstrate accountability.
While Article 32 of the GDPR sets forth the circumstances that constitute a breach, Article 33 includes the notification requirements for when a breach occurs. According to the WP29 guidance, ‘As with a permanent loss or destruction of personal data (or indeed any other type of breach), a breach involving the temporary loss of availability should be documented in accordance with Article 33(5). This assists the controller in demonstrating accountability to the supervisory authority, which may ask to see those records’. Since the loss of accessibility to customer data was limited to a few hours, and did not result in harm to data subjects, it is sufficient for Company Z to document the specifics of the situation.