Module #3: GDPR Flashcards
5 GDPR Provisions
1) International Data Transfers
2) Accountability
3) Individual Rights
4) Data Breach Notifications
5) Controller and Processor Obligations
Article 3 Section 1
1) Processing of personal data when a controller or processor is established in the EU (regardless of whether or not the actual processing takes place in the EU)
GDPR Fines
Up to 20,000,000 EUR or 4% of total annual revenue, whichever is higher.
GDPR Territorial Scope (Article 3)
1) When a controller or processor is established in the EU
2) Of data subjects relating to offering goods or services or monitoring behavior
3) By a controller in a place where member state law applies
(1 of the following criteria must be met)
Material Scope of GDPR (article 2)
1) Processing personal data wholly by automated means: any processing performed with or without human intervention (doesn't include automated decision making)
2) Personal data that forms part of a filing system: processing is not conducted by automated means
GDPR’s definition of processing (article 4 section 2)
- collection
- recording
- organization
- structuring
- storage
- adaptation or alteration
- retrieval
- consultation
- use
- disclosure by transmission
- dissemination or otherwise making available
- alignment or combination
- restriction, erasure, or destruction
What category is covered by
withdraw consent
What consumers can do
What category is covered by
consult regulators before processing (sometimes)
What organizations must do
What category is covered by
Implement data protection by design and by default
What organizations must do
What category is covered by
take responsibility for vendor processing
What organizations must do
What category is covered by
request a copy of their personal data
What consumers can do
What category is covered by
follow rules for processing children’s data
What organizations must do
What category is covered by
enforce penalties up to 20 million euros or 4% total annual revenue
What regulators may do
What category is covered by
order erasure of personal data
What regulators may do
What category is covered by
ask for records of compliance
What regulators may do
What category is covered by
ensure compliance of data transfers
What organizations must do
What category is covered by
maintain appropriate data security
What organizations must do
What category is covered by
object to automated decision-making
What consumers can do
What category is covered by
provide notification of breaches (sometimes)
What organizations must do
What category is covered by
suspend international data flows
What regulators may do
What category is covered by
“freeze” processing of their personal data
What consumers can do
What category is covered by
impose temporary processing ban
What regulators may do
What category is covered by
Conduct DPIAs (sometimes)
What organizations must do
What category is covered by
keep records and demonstrate compliance
What organizations must do
What category is covered by
Appoint a DPO (sometimes)
What organizations must do
International data transfers
What mechanisms must an organization have in place before it can transfer data across borders?
1) Adequacy decisions
2) Ad hoc contracts
3) standard contractual clauses (SCCs)
4) binding corporate rules (BCRs)
5) codes of conduct / self-certification mechanisms
International data transfers
Adequacy decisions definition
The European Commission has deemed another country's data protection laws "adequate" to safeguard personal data transferred from the EU (Article 45 of GDPR).
International data transfers
Ad hoc contracts
Ad hoc contractual clauses may also be used for GDPR compliance, although they must receive prior supervisory authority approval and thus may be a less attractive option for controllers.
International data transfers
Standard Contractual Clauses
A standard contractual clause, also known as a model clause (language written into a contract) may be a way for organizations to facilitate international data transfers.
Schrems II
Companies must verify, on a case-by-case basis, whether the law in the recipient country ensures adequate protection, under EU law, for data transferred under SCCs; where it doesn't, companies must provide additional safeguards or suspend transfers.
Binding Corporate Rules
BCRs are legally binding internal corporate privacy rules for transferring personal information within a corporate group.
- typically used by corporations that operate in multiple jurisdictions
What must Binding Corporate Rules (BCRs) include?
BCRs must include
- structure and contact details for the concerned group
- information about the data and transfer
- how the rules apply to GDPR principles
- complaint procedures and compliance mechanisms
Codes of Conduct / Self certification mechanisms
Under GDPR, codes of conduct resemble the self-regulatory programs used elsewhere to demonstrate to regulators and consumers that a company adheres to certain info privacy standards.
Who is self-certification available to?
Controllers and processors outside the EU, provided they demonstrate, by contractual or other legally binding instruments, their willingness to adhere to the mandated data protection safeguards.
General basis for international data transfer is?
You must first have a legal basis for processing personal data
US GDPR Adequacy history
July 2000
Safe Harbor is found adequate by the European Commission
US GDPR Adequacy history
Oct 2015
Safe Harbor is invalidated by the Court of Justice of the EU as a result of the Schrems v Data Protection Commissioner case.
The CJEU finds Safe Harbor to lack protection of fundamental rights "essentially equivalent" to that in the EU. In particular, it says that national security, public interests and law enforcement have been placed above the Safe Harbor principles.
US GDPR Adequacy history
Feb 2016
Negotiations with the European Commission result in the EU-US Privacy Shield agreement
US GDPR Adequacy history
July 2016
The Commission formally approves the EU-US Privacy Shield after review by the Article 29 Working Party, the European Parliament, the European Data Protection Supervisor and the Article 31 Committee, resulting in a revised text.
US Adequacy history
Aug 2016
Companies can self-certify to the EU-US Privacy Shield
US Adequacy history
July 2020
Schrems II invalidated the European Commission's adequacy determination for the EU-US Privacy Shield, citing that:
- the US surveillance programs are not limited to what is strictly necessary and proportional, as required by Article 52 of the EU Charter of Fundamental Rights
- EU data subjects lack actionable judicial redress and don't have the right to an effective remedy in the US
The CJEU decision also included findings regarding the need for case-by-case assessment of the sufficiency of foreign protections when using standard contractual clauses.
GDPR Accountability Article 24 (1)
Controller must have a data protection program
- risk-based approach resulting in technical and organizational measures that demonstrate processing is performed within regulation
- those measures shall be reviewed and updated where necessary
Who does Article 24 mention?
Controllers only, yet processors also have accountability obligations such as record keeping
4 Accountability requirements
- implement data protection by design and data protection by default
- conducting data protection impact assessments
- maintaining data processing records
- possibly needing to appoint a data protection officer
Privacy by design
When developing systems that will process personally identifiable information, the privacy requirements should be developed and examined alongside the business and technical requirements, starting in the conceptual phase.
Privacy by default
- privacy throughout the entire process
- mechanisms in place so that processing is transparent to the customer or the individual
- controls embedded into your systems and technology
Who must appoint a DPO?
Article 29 Working Party:
- GDPR requires all public authorities in the EU, and many private organizations within and outside the EU, to appoint a DPO
- Orgs with core activities that include processing personal data on a large scale
- orgs that process highly sensitive data or data relating to criminal convictions and offenses
What does Article 37 (5) lay out for a DPO?
Article 37(5): the DPO must be designated on the basis of professional qualities, in particular expert knowledge of data protection laws and practices.
DPO tasks
- train staff on proper data-handling practices
- keep informed of changes in law and technology
- build, implement, and manage privacy programs
DPO skills
- Risk/IT: experience assessing risk and best-practice mitigation
- Legal expertise/independence: knowledge of EU and relevant jurisdictional laws (including outsourcing activities)
- Cultural/global: interpersonal flexibility and ability to effectively communicate with business functions (legal, IT, etc.)
- Leadership/broad exposure: project management and ability to manage own professional development
- Self-starter/board level: able to fulfill the role autonomously
- Common touch/teaching: able to speak to citizens, handle requests/complaints and train others to assist data subjects
- No conflicts of interest
EU Specific Rights
Data Portability: a data software company in the US must comply with GDPR by building data portability into its product development
Build data subject rights into policies and procedures, including:
- access and rectification of personal data
- data portability
- erasure (or the “right to be forgotten”)
- restriction of processing
- the right to object
- right to “not be subject to a decision solely on automated processing”
GDPR Provisions for individuals
1) right to be informed
2) right of access
3) right to rectification
4) right to erasure
5) right to restrict processing
6) right to data portability
7) right to object
8) rights in relation to automated decision making
Data breach notification obligations
Processor
- Processor must inform the controller without delay after becoming aware of a data breach
Data Breach notification obligations:
Controller
- Controller may be required to inform the supervisory authority, within 72 hours. The notification should include:
  - Who?
  - How many?
  - What types?
  - Contact info of the DPO
  - Consequences
  - Follow-up measures
- Controller may be required to inform the data subject
Data breach notification exceptions
- prior implementation of appropriate technical and organizational measures
- post-breach actions greatly reduce the risk
- individual notice requires disproportionate effort
Controllers
determine the purposes and means of processing (organization)
Processors
process personal data on behalf of the controller
Accountability obligation
Data protection by design
controller
Accountability obligation
Data protection by default
controller
Accountability obligation
Data protection impact assessments
controller
Accountability obligation
Data Protection Officer
processor and controller
Accountability obligation
Record keeping
processor and controller
Accountability obligation
Security
processor and controller
Accountability obligation
Data Breach reporting
processor and controller
True or False?
An organization that does not process personal data that forms part of a filing system, nor processes personal data by automated means, but does process personal data in a place where member state law applies, is subject to the GDPR.
False
What type of international data transfer mechanism was invalidated for EU-US data transfers?
A) code of Conduct
B) binding corporate rule
C) Adequacy decision
D) Standard contractual clause
C) Adequacy decision
From the list below, select the obligations that are directly applicable to both the controller and the processor.
A) Data breach reporting
B) Record keeping
C) Data protection impact assessments
D) Data Protection Officer
E) Security
All but data protection impact assessments:
A) Data breach reporting
B) Record keeping
D) Data Protection Officer
E) Security
True or false?
Under the GDPR, both controllers and processors have record-keeping obligations.
True
Which of the following are data subject rights under the GDPR? Select all that apply.
A) Data portability
B) Rectification of inaccurate or incomplete personal data
C) Erasure
D) Restriction of processing
All of the above
True or False?
Under the GDPR, the controller is obligated to notify the supervisory authority of a personal data breach without undue delay (and within 72 hours of becoming aware of it) if the breach is likely to result in a risk for the rights and freedoms of natural persons.
True