Privacy Operational Lifecycle - Section III.D. - Respond: Data Subject Request Flashcards

1
Q

True or False: It is always best practice to provide consumers an electronic form in which to exercise opt-out consent.

A

False. Best practice is to permit consumer choice in the same form as you are communicating with a consumer.

2
Q

True or False: The right to request information under Article 15 of the GDPR is limited to what information is processed and the reasons for processing.

A

False. There are at least eight required disclosures that must be made under Article 15, including the source of the information and the period of retention, among other disclosures.

3
Q

What is the “No Option” form of consent?

A

Consent that is inferred based upon the context of a transaction or a company’s relationship with a consumer.

4
Q

What two requirements are necessary for the right not to be subject to automated processing to apply under the GDPR?

A

(1) The decision-making is based solely on automated processing; and
(2) The processing “produces legal effects concerning him or her or similarly significantly affects him or her.”

5
Q

As a general rule, should data be processed according to the privacy notice currently in effect or the privacy notice in effect at the time data was collected?

A

The privacy notice in effect at the time the data was collected.

6
Q

What are some consequences that an organization may face if it fails to adequately respond to data subject requests?

A

Individual lawsuits,
regulatory scrutiny, and
adverse market consequences.

7
Q

Other than the obligation to respond, what is another important component of most data protection laws related to data subject rights requests that organizations must address?

A

The time within which organizations must respond.

8
Q

What are some best practices for responding to data subject requests?

A

Data subject requests should be fulfilled in their entirety in a timely manner, without charge to the individual, and in the same form as the request was made.

9
Q

What does the GDPR require for consent to be considered valid before processing activities can begin?

A

It must be “freely given.”

10
Q

What is the age of consent for data processing in the European Union under the GDPR?

A

16 years old, but member states can lower that age to as low as 13 years old.

11
Q

What are privacy icons?

A

Symbols that indicate certain privacy practices of an organization.

12
Q

Under the transparency-related requirements of the GDPR, when must data controllers make disclosures about their data practices to data subjects?

A

At the time when personal information is obtained.

13
Q

What are the three main ways to present consumers a choice about whether they would like their data collected?

A

(1) Opt-in consent;
(2) Opt-out consent; and
(3) “No option” consent.

14
Q

True or False: Data subject requests typically are made to organizations through one point of contact with the organization.

A

False. Data subject requests and complaints can take many forms and reach an organization through many different channels.

15
Q

What three tasks are vital for any robust data subject request or complaint handling process?

A

(1) Differentiate between the types of requests received;
(2) Identify the proper recipient to handle the request;
(3) Implement a centralized process that can receive and track the handling of the request or complaint.

16
Q

All things being equal, what is the form of consent preferred by regulatory authorities?

A

Opt-in consent.

17
Q

What data subject right under the GDPR was not provided for under its precursor, the Data Protection Directive?

A

The right to data portability.

18
Q

What right under the GDPR is often a prelude to further legal action by a data subject?

A

The right to access information under Article 15.

19
Q

What two situations has the FTC stated always call for express, affirmative consumer consent?

A

(1) Before a company uses personal information in a manner materially different than the manner in which data was used when initially collected; and
(2) When particularly sensitive data is collected and processed.

20
Q

Under the GDPR, consent is not considered to have been freely given in the following situations:

A

If the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

21
Q

Other than applicable data protection laws and regulations, what is one other source of data subject rights?

A

Contractual agreements, such as those contained in an organization’s privacy notice.

22
Q

What are some of the primary purposes for providing consumers notice about their privacy-related rights?

A

(1) Compliance with applicable law;
(2) Building trust with consumers;
(3) Meeting market or industry-wide expectations;
(4) Providing transparency; and
(5) Providing details about how personal information is processed in an accessible manner.

23
Q

Who has the burden of establishing that a weighing of the legitimate interests of the data controller and the rights of a data subject comes out in their favor?

A

A data controller has the burden of demonstrating that its legitimate interests outweigh the rights of the data subject.

24
Q

How does the implementation of a centralized data subject request and complaint handling process facilitate information security?

A

It facilitates training for those involved in the process, such as how to verify and authenticate data subjects.

25
Q

What federal law in the United States provides data subject rights to individuals that may be enforced against federal government agencies?

A

The Privacy Act of 1974.

26
Q

True or False: Federal law in the United States requires that consent be provided by a user before a web cookie may be placed on their computer.

A

False. This is a requirement in the EU, but not in the United States.

27
Q

True or False: The right to erasure is always available to data subjects under the GDPR.

A

False. The right to erasure applies only in limited situations.

28
Q

What four requirements must be met in order for consent to be considered valid under the GDPR?

A

Consent must be (1) freely given; (2) specific to the processing at issue; (3) informed; and (4) unambiguous.

29
Q

In designing and managing user preferences, organizations should be mindful of what three considerations?

A

(1) The scope of consent;
(2) The form of consent; and
(3) How consumer choice is implemented.

30
Q

True or False: Companies may be required to provide a privacy notice to their customers under federal laws in the United States.

A

True. Though there is no overarching obligation to have a privacy notice under federal law, some federal laws (such as the GLBA and HIPAA) have privacy notice requirements.

31
Q

What are the circumstances in which a member state of the European Union may restrict data subject rights under the GDPR by passing legislation?

A

Where doing so is necessary to safeguard the security of the nation or its public, to facilitate law enforcement, to facilitate public government functions, to protect judicial independence, to regulate certain professions, to protect the rights of other data subjects, or to permit the enforcement of civil claims.

32
Q

What obligation does Article 12 of the GDPR impose on data controllers?

A

The obligation to facilitate the exercise of data subject rights.

33
Q

Opt-out consent is also referred to as what other name?

A

Implied consent.

34
Q

True or False: The FTC has stated that consumers should provide affirmative consent before their data is used in a manner materially different than how data was used when first obtained.

A

True.

35
Q

What are some situations in which the FTC has said that a “no option” form of consent is permissible?

A

Product fulfillment,
Fraud prevention,
Internal operations,
Legal compliance, and
Most first-party marketing.

36
Q

True or False: “Opt-in” consent refers to a passive form of consumer consent implied by a person’s conduct.

A

False. This is referred to as “Opt-out” or implied consent.

37
Q

Who should always review a company’s privacy notice?

A

A lawyer and an employee/executive with the authority to make legal decisions on behalf of the company.

38
Q

Express consent is also referred to as what other name?

A

Opt-in consent.

39
Q

What must data controllers implement to verify the identity of data subjects making data subject rights requests under the GDPR?

A

Verification requirements that are reasonable and proportionate, while being limited to the minimum necessary to verify data subject identity.

40
Q

What law in the United States contains specific requirements necessary to obtain consent from a child before his or her data can be processed?

A

The Children’s Online Privacy Protection Act (“COPPA”).

41
Q

True or False: If a data subject requests that no further processing occur of his or her personal information, a data controller must erase the data because storing data is a form of data processing.

A

False. Although storing data is a form of data processing, a request made under Article 18 of the GDPR permits (and may require) a data controller to continue storing the relevant data.

42
Q

True or False: The data subject rights provided under the GDPR are sacrosanct and may never be restricted.

Inviolable

A

False. Under Article 23, member states are permitted under certain circumstances to restrict data subject rights through legislation.

43
Q

True or False: An organization should never have more than one privacy notice active at any one time.

A

False. A company might consider having multiple privacy notices if different parts of a company or subsidiaries use data in fundamentally different ways.

44
Q

The effectiveness of privacy icons depends on what factor?

A

Whether the symbols are universally adopted or standardized in use.

45
Q

Does the requirement to provide a copy of any information requested by a data subject under the Right to Access materially expand upon this right?

A

No. The obligation to provide a copy does not widen the scope of the right to access; it is intended only to provide a modality of response.

46
Q

What state law implemented in the United States provides broad consumer rights similar to those afforded by the GDPR?

A

The California Consumer Privacy Act.

47
Q

True or False: The right to object to data processing is the same as the right to withdraw consent to processing.

A

False. The right to object to data processing is provided to data subjects when processing is not based on the consent of the individual.

48
Q

How can a company best make consumer choice meaningful?

A

The option of consumer choice should be provided at a time and in a context in which the consumer is making a decision about his or her data.