Privacy Operational Lifecycle - Section III.D. - Respond: Data Subject Request Flashcards
True or False: It is always best practice to provide consumers an electronic form in which to exercise opt-out consent.
False. Best practice is to permit consumer choice in the same form in which you are communicating with the consumer.
True or False: The right to request information under Article 15 of the GDPR is limited to what information is processed and the reasons for processing.
False. There are at least eight required disclosures that must be made under Article 15, including the source of the information and the period of retention, among other disclosures.
What is the “No Option” form of consent?
Consent that is inferred based upon the context of a transaction or a company’s relationship with a consumer.
What two requirements are necessary for the right not to be subject to automated processing to apply under the GDPR?
(1) The decision-making is based solely on automated processing; and
(2) The processing “produces legal effects concerning him or her or similarly significantly affects him or her.”
As a general rule, should data be processed according to the privacy notice currently in effect or the privacy notice in effect at the time data was collected?
The privacy notice in effect at the time the data was collected.
What are some consequences that an organization may face if it fails to adequately respond to data subject requests?
(1) Individual lawsuits;
(2) regulatory scrutiny; and
(3) adverse market consequences.
Other than the obligation to respond, what is another important component of most data protection laws related to data subject rights requests that organizations must address?
The time frame within which organizations must respond.
What are some best practices for responding to data subject requests?
Data subject requests should be fulfilled in their entirety in a timely manner, without charge to the individual, and in the same form as the request was made.
What does the GDPR require for consent to be considered valid before processing activities can begin?
It must be “freely given.”
What is the age of consent for data processing in the European Union under the GDPR?
16 years old, but member states can lower that age to as low as 13 years old.
What are privacy icons?
Symbols that indicate certain privacy practices of an organization.
Under the transparency-related requirements of the GDPR, when must data controllers make disclosures about their data practices to data subjects?
At the time when personal information is obtained.
What are the three main ways to present consumers with a choice about whether they would like their data collected?
(1) Opt-in consent;
(2) Opt-out consent; and
(3) “No option” consent.
True or False: Data subject requests typically are made to organizations through one point of contact with the organization.
False. Data subject requests and complaints can take many forms and reach an organization through many different channels.
What three tasks are vital for any robust data subject request or complaint handling process?
(1) Differentiate between the types of requests received;
(2) Identify the proper recipient to handle the request; and
(3) Implement a centralized process that can receive and track the handling of the request or complaint.
All things being equal, what is the form of consent preferred by regulatory authorities?
Opt-in consent.
What data subject right under the GDPR was not provided for under its precursor, the Data Protection Directive?
The right to data portability.
What right under the GDPR is often a prelude to further legal action by a data subject?
The right to access information under Article 15.
What two situations has the FTC stated always call for express, affirmative consumer consent?
(1) Before a company uses personal information in a manner materially different from the manner in which the data was used when initially collected; and
(2) When particularly sensitive data is collected and processed.