Module 4

Question 1

Processing

Answer 1

Any operation performed upon personal data

Question 2

GDPR principles

Answer 2

• Lawfulness, fairness and transparency
• Purpose limitation
• Data minimalisation
• Accuracy
• Storage limitation
• Integrity and confidentiality
• Accountability

Question 3

Denmark DPA recommends GDPR fine for
taxi company (2019)

Answer 3

Danish DPA issues its first GDPR fine for late deletion of customer telephone numbers

Question 4

Dutch DPA hits tennis association with 525K
euro GDPR fine (2020)

Answer 4

The Dutch Data Protection Authority (Dutch DPA) recently imposed a fine of EUR 525,000 on the Royal Dutch Tennis Association (KNLTB) for sharing the personal data of its members with two of its sponsors in June 2018 on the basis of its own commercial interests.

Question 5

Territorial scope of the GDPR: Three criteria

Answer 5

1. Where the data is processed in the context of the activities of an
   establishment of a controller or processor in the EU
2. Intentional processing of personal data of data subjects in the
   EU relating to offering goods or services or intentional monitoring
   behaviour in the EU
3. Processing of personal data by a controller not established in
   the EU but in a place where member state law applies by virtue
   of public international law

Question 6

Material scope

Answer 6

Processing
of personal data wholly or
partly by automated means’

or

‘processing other than by
automated means of personal
data which form part of a
filing system’ (Article 2)

Question 7

Lawfull grounds for controllers

Answer 7

• Consent
• Contractual necessity
• Legal obligation
• Vital interests
• Public interest
• Legitimate interests

Question 8

Processing personal data - consent

Answer 8

• Clear affirmative act
• Freely given
• Specific and informed
• Unambiguous indication of wishes
• Written, electronic, oral or any other means
• Conditions

Question 9

Consent for children’s data

Answer 9

Article 8
- Information society services
- Authorisation of parent or guardian of children below 16 years old
- Reasonable efforts to verify

Question 10

Legitimate interests

Answer 10

• Processing is necessary
• Interests are balanced against
  the data subject’s
• Criteria is more restrictive

Question 11

Belangenafweging - driestappentoets

Answer 11

1. Heeft de organisatie een gerechtvaardigd belang?
2. Is het verwerken van persoonsgegevens noodzakelijk
   om het doel te bereiken?
   - Proportionaliteit
   - Subsidiariteit
3. Belang van de organisatie vs. het belang van de
   betrokkene

Question 12

Processing special categories of personal data

Prohibition to proces, except if:

Answer 12

• Explicit consent
• In the context of employment
• Vital interest of individual
• Political, philosophical and religious purposes
• Sensitive data manifestly made public
• Establishment, exercise or defence of legal claims
• Substantial public interest
• Medicine and social healthcare
• Public health
• Public archives, scientific or historical research or statistical

Question 13

What is data processing?

Answer 13

Any action performed upon data

Question 14

What are the criteria used to
determine the territorial scope
of the GDPR? Select all that
apply

Answer 14

A. Where the data is processed in the
context of the activities of an
establishment of a controller or
processor in the EU

B. Intentional processing of personal data
of data subjects in the EU relating to
offering goods or services or intentional
monitoring of their behaviour in the EU

C. Processing of personal data by a
controller not established in the EU but
in a place where member state law
applies

Question 15

Which exception to the
prohibition on processing
special categories of personal
data must be explicit?

Answer 15

Consent