Privacy Operational Lifecycle - Section III.D. - Respond: Data Subject Request Flashcards
True or False: It is always best practice to provide consumers an electronic form in which to exercise opt-out consent.
False. Best practice is to permit consumer choice in the same form as you are communicating with a consumer.
True or False: The right to request information under Article 15 of the GDPR is limited to what information is processed and the reasons for processing.
False. There are at least eight required disclosures that must be made under Article 15, including the source of the information and the period of retention, among other disclosures.
What is the “No Option” form of consent?
Consent that is inferred based upon the context of a transaction or a company’s relationship with a consumer.
What two requirements are necessary for the right not to be subject to automated processing to apply under the GDPR?
(1) The decision-making is based solely on automated processing; and
(2) The processing “produces legal effects concerning him or her or similarly significantly affects him or her.”
As a general rule, should data be processed according to the privacy notice currently in effect or the privacy notice in effect at the time data was collected?
The privacy notice in effect at the time the data was collected.
What are some consequences that an organization may face if it fails to adequately respond to data subject requests?
Individual lawsuits,
regulatory scrutiny, and
adverse market consequences.
Other than the obligation to respond, what is another important component of most data protection laws related to data subject rights requests that organizations must address?
The timing in which organizations have to respond.
What are some best practices for responding to data subject requests?
Data subject requests should be fulfilled in their entirety in a timely manner, without charge to the individual, and in the same form as the request was made.
What does the GDPR require for consent to be considered valid before processing activities can begin?
It must be “freely given.”
What is the age of consent for data processing in the European Union under the GDPR?
16 years old, but member states can lower that age to as low as 13 years old.
What are privacy icons?
A symbol that indicates certain privacy practices of an organization.
Under the transparency-related requirements of the GDPR, when must data controllers make disclosures about their data practices to data subjects?
At the time when personal information is obtained.
What are the three main ways to present consumers a choice about whether they would like their data collected?
(1) Opt-in consent;
(2) Opt-out consent; and
(3) “No option” consent.
True or False: Data subject requests typically are made to organizations through one point of contact with the organization.
False. Data subject requests and complaints can take many forms and reach an organization through many different channels.
What three tasks are vital for any robust data subject request or complaint handling process?
(1) Differentiate between the types of requests received;
(2) Identify the proper recipient to handle the request;
(3) Implement a centralized process that can receive and track the handling of the request or complaint.
All things being equal, what is the form of consent preferred by regulatory authorities?
Opt-in consent.
What data subject right under the GDPR was not provided for under its precursor, the Data Protection Directive?
The right to data portability.
What right under the GDPR is often a prelude to further legal action by a data subject?
The right to access information under Article 15.
What two situations has the FTC stated always call for express, affirmative consumer consent?
(1) Before a company uses personal information in a manner materially different than the manner in which data was used when initially collected; and
(2) When particularly sensitive data is collected and processed.
Under the GDPR, consent is not considered to have been freely given in the following situations:
If the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
Other than applicable data protection laws and regulations, what is one other source of data subject rights?
Contractual agreements, such as those contained in an organization’s privacy notice.
What are some of the primary purposes for providing consumers notice about their privacy-related rights?
(1) Compliance with applicable law;
(2) Building trust with consumers;
(3) Meeting market or industry-wide expectations;
(4) Providing transparency; and
(5) Providing details about how personal information is processed in an accessible manner.
Who has the burden of establishing that a weighing of the legitimate interests of the data controller and the rights of a data subject comes out in their favor?
A data controller has the burden of demonstrating that its legitimate interests outweigh the rights of the data subject.
How does the implementation of a centralized data subject request and complaint handling process facilitate information security?
It facilitates training for those involved in the process, such as how to verify and authenticate data subjects.
What federal law in the United States provides data subject rights to individuals that may be enforced against federal government agencies?
The Privacy Act of 1974
True or False: Federal law in the United States requires that consent be provided by a user before a web cookie may be placed on their computer.
False. This is a requirement in the EU, but not in the United States.
True or False: The right to erasure is always available to data subjects under the GDPR.
False. The right to erasure applies only in limited situations.
What four requirements must be met in order for consent to be considered valid under the GDPR?
Consent must be (1) freely given; (2) specific to the processing at issue; (3) informed; and (4) unambiguous.
In designing and managing user preferences, organizations should be mindful of what three considerations?
(1) The scope of consent;
(2) The form of consent; and
(3) How consumer choice is implemented.
True or False: Companies may be required to provide a privacy notice to their customers under federal laws in the United States.
True. Though there is no overarching obligation to have a privacy notice under federal law, some federal laws (such as the GLBA and HIPAA) have privacy notice requirements.
What are the circumstances in which a member state of the European Union may restrict data subject rights under the GDPR by passing legislation?
Where doing so is necessary to safeguard the security of the nation or its public, to facilitate law enforcement, to facilitate public government functions, to protect judicial independence, to regulate certain professions, to protect the rights of other data subjects, or to permit the enforcement of civil claims.
What obligation does Article 12 of the GDPR impose on data controllers?
The obligation to facilitate the exercise of data subject rights.
Opt-out consent is also referred to as what other name?
Implied consent.
True or False: The FTC has stated that consumers should provide affirmative consent before their data is used in a manner materially different than how data was used when first obtained.
True.
What are some situations in which the FTC has said that a “no option” form a consent is permissible?
Product fulfillment,
Fraud prevention,
Internal operations,
Legal compliance, and
Most first-party marketing.
True or False: “Opt-in” consent refers to a passive form of consumer consent implied by a person’s conduct.
False. This is referred to as “Opt-out” or implied consent.
Who should always review a company’s privacy notice?
A lawyer and an employee/executive with the authority to make legal decisions on behalf of the company.
Express consent is also referred to as what other name?
Opt-in consent.
What must data controllers implement to verify the identity of data subjects making data subject rights requests under the GDPR?
Verification requirements that are reasonable and proportionate, while being limited to the minimum necessary to verify data subject identity.
What law in the United States contains specific requirements necessary to obtain consent from a child before his or her data can be processed?
The Children’s Online Privacy Protection Act (“COPPA”).
True or False: If a data subject requests that no further processing occur of his or her personal information, a data controller must erase the data because storing data is a form of data processing.
False. Although storing data is a form of data processing, a request made under Article 18 of the GDPR permits (and may require) a data controller to continue storing the relevant data.
True or False: The data subject rights provided under the GDPR are sacrosanct and may never be restricted.
Unantastbar
False. Under Article 23, member states are permitted under certain circumstances to restrict data subject rights through legislation.
True or False: An organization should never have more than one privacy notice active at any one time.
False. A company might consider having multiple privacy notices if different parts of a company or subsidiaries use data in fundamentally different ways.
The effectiveness of privacy icons depends on what factor?
Whether the symbols are universally adopted or standardized in use.
Does the requirement to provide a copy of any information requested by a data subject under the Right to Access materially expand upon this right?
No. The obligation to provide a copy does not widen the scope of the right to access; it is intended only as providing modality of a response.
What state law implemented in the United States provides broad consumer rights similar to those afforded by the GDPR?
The California Consumer Privacy Act.
True or False: The right to object to data processing is the same as the right to withdraw consent to processing.
False. The right to object to data processing is provided to data subjects when processing is based not on the consent of the individual.
How best does a company make consumer choice meaningful?
The option of consumer choice should be provided at a time and in a context in which the consumer is making a decision about his or her data.
