International transfers Flashcards

1
Q

Which European body is responsible for making adequacy decisions?

A

The European Commission

2
Q

How often are adequacy decisions reviewed?

A

Every four years

3
Q

Which countries are adequacy decisions in place with?

A
Argentina
Uruguay
Faroe Islands
Isle of Man
Guernsey and Jersey
Andorra
Switzerland
Israel
Japan (only covers private sector organisations)
New Zealand
Also USA (under Privacy Shield)
Canada (data protected by PIPEDA only, which is applicable to commercial organisations. Adequacy doesn’t cover all forms of personal data)
4
Q

How often does Privacy Shield certification need to be renewed?

A

Annually

5
Q

If you load personal data onto a UK server which is then available through a website, and you plan or anticipate that the website may be accessed from outside the EEA, is this a restricted transfer?

A

You should treat this as a restricted transfer (ICO)

6
Q

If you want to transfer personal data to a US organisation under the Privacy Shield, what are the two things you need to check?

A
  • Check on the Privacy Shield list to see whether the organisation has a current certification
  • Make sure the certification covers the type of data you want to transfer.
7
Q

What options are available if you want to make a restricted transfer (in order of preference)?

A
  • Adequacy decisions
  • Appropriate safeguards (which are set out in the GDPR)
  • Derogations

If none of these apply, then the transfer would be in breach of GDPR

8
Q

What are the 3 things you’re obliged to tell the data subject about data transfers?

A
  • Intent to transfer data internationally
  • Existence (or lack) of an adequacy decision
  • Safeguards that are in place
9
Q

What are “appropriate safeguards”?

A

They are legal tools designed to ensure that recipients of data, who are outside the EEA, are bound to continue to protect personal data to a European-like standard
Mechanisms that can be used to get recipients to commit to protecting personal data and to facilitate ongoing, systematic cross-border transfers

10
Q

Give some examples of appropriate safeguards when it comes to international transfers of data outside the EU

A
  • Binding corporate rules
  • Standard contractual clauses
  • Approved codes of conduct and certification mechanisms
  • Ad hoc contractual clauses
  • Reliance on international agreements
11
Q

What are the three over-arching options for international transfers under the GDPR?

A
  1. Adequacy decisions
  2. International safeguards
  3. Derogations
12
Q

Before you even think about data transfers, what do you need to make sure you have?

A

A legal basis for processing the data

13
Q

If you’re transferring data internationally, what are you obliged to tell the data subject(s)?

A
  • Notify them of your intent to transfer personal data internationally
  • Existence of an adequacy decision
  • What safeguards are in place
14
Q

As well as territories, what else can adequacy decisions apply to?

A

Under GDPR, adequacy decisions can also apply to sectors (e.g. regulated financial or healthcare sectors)
And
International organisations

15
Q

Which European body is responsible for making adequacy decisions?

A

The European Commission

16
Q

How often are adequacy decisions made under the Data Protection Directive reviewed?

A

Decisions made under the Data Protection Directive will remain in force until amended, replaced or repealed

17
Q

What factors must the European Commission take into account when making adequacy decisions?

A

Respect of the rule of law
Access to justice
International human rights standards
Law (inc case law)
Effective and enforceable rights for individuals (inc judicial redress)
Data protection rules, professional rules and security measures (inc around onward transfers)
Other international commitments and obligations

18
Q

Is EU-US Privacy Shield self-certified?

A

Yes

19
Q

What recourse mechanisms does Privacy Shield offer?

A
  • Internal complaint process
  • Independent dispute resolution provider
  • Department of Commerce or Federal Trade Commission
  • Binding arbitration
20
Q

What are “appropriate safeguards”?

A

They’re legal tools designed to ensure that recipients of data, who are outside the EEA, are bound to continue to protect personal data to a European-like standard

21
Q

What are binding corporate rules?

A

BCRs are a form of appropriate safeguard
They’re designed to allow large, multinational companies to adopt a policy suite with rules for handling personal data that are binding on the company.
They have to be signed off by a competent supervisory authority and are legally binding
They confer enforceable rights on data subjects

22
Q

What are standard contractual clauses also known as?

A

Model clauses

They are a form of appropriate safeguard

They are a standard form which is non-negotiable

23
Q

What is the most commonly used tool for appropriate safeguards?

A

Standard contractual clauses (aka model clauses)

24
Q

What must ad hoc contractual clauses have if they are to be used as a tool for delivering Appropriate Safeguards?

A

They must have supervisory authority authorisation

25
Q

Appropriate Safeguards: reliance on international agreements

Give an example

A

Passenger name records when someone flies from EU to US

The US has an agreement with the EU to facilitate the transfer of this data

26
Q

What is a derogation and when should it be used?

A

A derogation is an exemption from the prohibition on transferring personal data outside of the EEA

Derogations are used as a last resort, when there isn’t an adequacy decision and appropriate safeguards are not in place

They allow organisations to transfer personal data across borders under very specific conditions

27
Q

What options exist for derogations?

A
  • Explicit consent from the data subject
  • Where it is necessary for performance of a contract with the data subject
  • Public interest (when recognised by EU/member state law only)
  • Establishment, exercise or defence of legal claims (to cover international litigation scenarios)
  • Protection of vital interests of the data subject (or other person) - emergency situations only (e.g. provision of medical care)
  • Transfer from a register of public information
  • Legitimate interests of the controller - BUT must be limited and concern a limited number of individuals. Provisions are very narrow
28
Q

Do we have an adequacy decision with Argentina?

A

Yes

29
Q

Are approved codes of conduct and certification mechanisms appropriate safeguards for international data transfers?

A

Yes

Along with standard contractual clauses and binding corporate rules

30
Q

What is a derogation?

A

An exemption from the prohibition on transferring personal data outside of the EEA.
Used when there isn’t an adequacy decision and appropriate safeguards aren’t in place
Derogations are for limited circumstances

31
Q

List out the circumstances in which derogations can apply

A
  • Consent (subjects must understand the possible risks of the transfer)
  • Performance of contract (there must be no way to fulfil the contract unless the data is transferred. A good example is a hotel booking in a third country)
  • Public Interest (must be recognised in EU or member state law)
  • Establishment, exercise or defence of legal claims (int’l litigation)
  • Protection of vital interests of data subject or other persons (e.g. emergency medical care)
  • Transfer from a register of public information (conditions apply)
  • Legitimate Interests (must be non-repetitive and concern a limited number of individuals). Also have to notify the data subject and supervisory authority of the transfer
32
Q

What do BCRs deal with (and what do they not cover)?

A

They (only) deal with intra-organisational transfers and not with transfers to 3rd parties

BCRs are specifically designed to provide adequate safeguards within multinational corporations that move data within their corporation

33
Q

Organisations that are not established in the EU, but that monitor behaviour are subject to the GDPR - when?

A

A) When offering goods and services to data subjects in the EU
B) When the behaviour being monitored occurs within the EU

EDPB: The behaviour monitored must first relate to a data subject in the Union and, as a cumulative criterion, the monitored behaviour must take place within the territory of the Union

Note - the monitoring bit covers a lot of advertising and marketing use cases including behavioural advertising, geo-localisation activities for marketing, fingerprinting etc