Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

CISSP Certification > Module #3: GDPR > Flashcards

Module #3: GDPR Flashcards

1
Q

5 GDPR Provisions

A

1) International Data Transfers
2) Accountability
3) Individual Rights
4) Data Breach Notifications
5) Controller and Processor Obligations

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Article 3 Section 1

A

1) Processing of personal data when a controller or processor is established in the EU (regardless of whether or not the actual processing takes place in the EU)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

GDPR Fines

A

Up to 20,00,000 EUR or 4% of total annual revenue, whichever is higher.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

GDPR Scope of Territorial (article 3)

A

1) When a controller or Processer is established in the EU
2) Of data subjects relating to offering goods or services or monitoring behavior
3) By a controller in a place where member state law applies

(1 of the following criteria must be met)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Material Scope of GDPR (article 2)

A

1) processing personal data wholly by automated means. any processing performed with or without human intervention. (doesn’t include automated decision making)
2) personal data that forms part of a filing system. processing is not conducted by automated means.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

GDPR’s definition of processing (article 4 section 2)

A
  • collection
  • recording
  • organization
  • structuring
  • storage
  • adaptation or alteration
  • retrieval
  • consultation
  • use
  • disclosure by transmission
  • dissemination or otherwise making available
  • alignment or combination
  • restriction, erasure, or destruction
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What category is covered by

-withdraw consent

A

What consumers can do

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What category is covered by

-Consult regulators before processing (sometimes)

A

What organizations must do

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

What category is covered by

Implement data protection by design and by default

A

What organizations must do

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

What category is covered by

take responsibility for vendor processing

A

What organizations must do

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

What category is covered by

request a copy of their personal data

A

What consumers can do

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

What category is covered by

follow rules for processing children’s data

A

What organizations must do

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

What category is covered by

request a copy of their personal data

A

What consumers can do

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

What category is covered by

enforce penalties up to 20 million euros or 4% total annual revenue

A

What regulators may do

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

What category is covered by

request a copy of their personal data

A

What consumers can do

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

What category is covered by

order erasure of personal data

A

What regulators may do

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

What category is covered by

ask for records of compliance

A

What regulators may do

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

What category is covered by

erasure compliance of data transfers

A

What organizations must do

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

What category is covered by

maintain appropriate data security

A

What organizations must do

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

What category is covered by

object to automated decision-making

A

What consumers can do

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

What category is covered by

provide notification of breaches (sometimes)

A

what organizations must do

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

What category is covered by

suspend international data flows

A

What regulators may do

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

What category is covered by

“freeze” processing of their personal data

A

What consumers can do

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

What category is covered by

impose temporary processing ban

A

What regulators may do

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Q

What category is covered by

Conduct DPIAs (sometimes)

A

what organizations must do

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
26
Q

What category is covered by

keep records and demonstrate compliance

A

what organizations must do

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
27
Q

What category is covered by

Appoint a DPO (sometimes)

A

what organizations must do

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
28
Q

International data transfers

  • What mechanisms before it can transfer data across borders
A

1) Adequacy decisions
2) Ad hoc contracts
3) standard contractual clauses (SCCs)
4) binding corporate rules (BCRs)
5) codes of contacts / self-certification mechanisms

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
29
Q

International data transfers

adequacy decisions definition

A

the European commission of the EU has deemed another country’s data protection laws “adequate” to safeguard its own data. article 45 of GDPR

30
Q

International data transfers

ad hoc contracts

A

Ad hoc contractual clauses may also be used for GDPR compliance, although they must receive prior supervisory authority approval and thus may be a less attractive option for controllers.

31
Q

International data transfers

Standard Contractual Clauses

A

A standard contractual clause, also known as a model clause (language written into a contract) may be a way for organizations to facilitate international data transfers.

32
Q

Schrems II

A

companies must verify, on a case-by-case basis, whether the law in the recipient country ensures adequate protection, under EU law, for data transferred under SCCs and where it doesn’t, companies must provide additional safegaurds or suspend transfers

33
Q

Binding Corporate Rules

A

BCRs are legally binding internal corporate privacy rules for transferring personal information within a corporate group.

-typically used by corporations that operate in multiple jurisdictions

34
Q

What must Binding Corporate Rules (BCRs) include?

A

BCRs must include

  • structure and contact details for the concerned group
  • information about the data and transfer
  • how the rules apply to GDPR principles,
  • complaint procedures and compliance mechanisms
35
Q

Codes of Conduct / Self certification mechanisms

A

Under GDPR, codes of conduct resemble the self-regulatory programs used elsewhere to demonstrate to regulators and consumers that a company adheres to certain info privacy standards.

36
Q

Who are self-certification available to?

A

controllers and processors outside the EU, provided they demonstrate, by contractual or other legally binding instruments, their willingness to adhere to the mandated data protection safeguards

37
Q

General basic for international data transfer is?

A

You must first have a legal basis for processing personal data

38
Q

US GDPR Adequacy history

July 2000

A

Safe Harbor is found adequate by the European commission

39
Q

US GDPR Adequacy history

Oct 2015

A

Safe Harbor is invalidated by Court of Justice of the EU as a result of the Schrems vs Data Protection commissioner case.

The CJEU finds Safe Harbor to lack protection of fundamental rights “essentially equivalent” to that in the EU. In particular, it says that national security, public interests and law enforcement have been placed above the Safe Haven principles

40
Q

US GDPR Adequacy history

Feb 2016

A

Negotiations with the European Commission result in the EU-US Privacy Shield agreement

41
Q

US GDPR Adequacy history

July 2016

A

The commission formally approves the EU-US Privacy Shield after review by the Article 29 Working Party, the European Parliament, the European Data Protection Supervisor and the Article 31 Committee, resulting in a revised text.

42
Q

US Adequacy history

Aug 2016

A

Companies can self-certify to the EU-US Privacy Shield

43
Q

US Adequacy history

July 2020

A

Schrems invalidated the European commission’s adequacy determination for the EU-US Privacy Shield citing that:

  • the US surveillance programs are not limited to what is strictly necessary and proportional as required by Article 52 of the EU Charter on Fundamental rights
  • EU data subjects lack actionable judicial redress and dont have the right to an effective remedy in the US

The CJEU decision also included findings regarding the need for case-by-case assessment of the sufficiency of foreign protections when using standard contractual clauses

44
Q

GDPR Accountability Article 24 (1)

A

controller must have a data protection program

  • risk based approach resulting in technical and organizational measures that demonstrate processing is performed within regulation.
  • those measures shall be reviewed and updated where necessary
45
Q

Who does Article 24 mention

A

Controllers only, yet processors also have accountability obligations such as record keeping

46
Q

4 Accountability requirements

A
  • implement data protection by design and data protection by default
  • conducting data protection impact assessments
  • maintaining data processing records
  • possibly needing to appoint a data protection officer
47
Q

Privacy by design

A

you are going to be developing systems themselves that are going to be processing personally identifiable info

you should have when you’re developing those business and technical requirements, you should be also developing and looking at the privacy requirements in the conceptual phase.

48
Q

Privacy by default

A
  • privacy thru out the entire process.
  • mechanisms in place so that it’s transparent to the customer or the individual.
  • controls embedded into your systems and technology
49
Q

Who must appoint a DPO?

A

Article 29 Working Party:
-GDPR requires all public authorities in the EU, and many private organizations within and outside the EU, to appoint a DPO

  • Orgs with core activities that include processing personal data on a large scale
  • orgs that process highly sensitive data or data relating to criminal convictions and offenses
50
Q

What does Article 37 (5) lay out for a DPO?

A

Article 37(5) DPO must be designated on the basis of professional qualities

expert knowledge of data protection laws and practices

51
Q

DPO tasks

A
  • train staff on proper data-handling practices
  • Keep informed upon changes in law and technology
  • build, implement, and manage privacy programs
52
Q

DPO skills

A

–Risk/IT: experience assessing risk and best practice mitigation

–Legal expertise/independence: knowledge of EI/relevant jurisdictional laws (including outsourcing activities)

–cultural/global: interpersonal flexibility and ability to effectively communicate with business functions (legal, IT, etc)

–leadership/broad exposure: Project management and ability to manage own professional development

–self-starter/board level: able to fulfill the role autonomously

–common touch/teaching: able to speak to citizens, handle requests/complaints and train others to assist data subjects

–no conflicts of interest

53
Q

EU Specific Rights

A

Data Portability: a data software company in the US must comply with GDPR building data portability into its product development

build data subject rights into policies and procedures including:

  • access and rectification of personal data
  • data portability
  • erasure (or the “right to be forgotten”)
  • restriction of processing
  • the right to object
  • right to “not be subject to a decision solely on automated processing”
54
Q

GDPR Provisions for individuals

A

1) right to be informed
2) right of access
3) right to rectification
4) right to erasure
5) right to restrict processing
6) right to data portability
7) right to object
8) rights in relation to automated decision making

55
Q

Data breach notification obligations

Processor

A

-Processor must inform controller without delay after becoming aware of a data breach

56
Q

Data Breach notification obligations:

Controller

A

Controller may be required to inform the supervisory authority and within 72 hrs. should include:

Who?
How many?
What types?
Contact info of DPO
Consequences
Follow up measures

-Controller may be required to inform the data subject

57
Q

Data breach notification exceptions

A
  • prior implementation of appropriate technical and organizational measures
  • post-breach actions greatly reduce the risk
  • individual notice requires disproportionate effort
58
Q

controllers

A

determine the purposes and means of processing (organization)

59
Q

processors

A

process personal data on behalf of the controller

60
Q

Accountability obligation

Data protection by design

A

controller

61
Q

Accountability obligation

Data protection by default

A

controller

62
Q

Accountability obligation

Data protection impact assessments

A

controller

63
Q

Accountability obligation

Data Protection Officer

A

processor and controller

64
Q

Accountability obligation

Records keeping

A

processor and controller

65
Q

Accountability obligation

Security

A

processor and controller

66
Q

Accountability obligation

Data Breach reporting

A

processor and controller

67
Q

True or False?

An Org that does not process personal data that forms part of a filing system, nor processes personal data by automated means, but does process personal data in a place where member state law applies is subject to the GDPR

A

False

68
Q

What type of international data transfer mechanism was invalidated for EU-US data transfers

A) code of Conduct
B) binding corporate rule
C) Adequacy decision
D) Standard contractual clause

A

C) Adequacy decision

69
Q

From the list below, select the obligations that are directly applicable to both the controller and processor?

A) Data breach reporting
B) Records keeping
C) Data protection impact assessments
D) Data Protection Officer
E) Security
A

All but Data Protection impact assessment

A) Data breach reporting
B) Records keeping
D) Data Protection Officer
E) Security

70
Q

True or false?

Under the GDPR, both controllers and processors have record-keeping obligations.

A

True

71
Q

Which of the following are data subject rights under the GDPR? Select all that apply.

A) Data portability
B) Rectification of inaccurate or incomplete personal data C) Erasure
D) Restriction of processing

A

All of the above

72
Q

True or False?

Under the GDPR, the controller is obligated to notify the supervisory authority of a personal data breach without undue delay (and within 72 hours of becoming aware of it) if the breach is likely to result in a risk for the rights and freedoms of natural persons.

A

True

CISSP Certification (14 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions