Privacy Operational Lifecycle - Section III.D. - Respond: Data Subject Request Flashcards
True or False: It is always best practice to provide consumers an electronic form in which to exercise opt-out consent.
False. Best practice is to permit consumer choice in the same form as you are communicating with a consumer.
True or False: The right to request information under Article 15 of the GDPR is limited to what information is processed and the reasons for processing.
False. There are at least eight required disclosures that must be made under Article 15, including the source of the information and the period of retention, among other disclosures.
What is the “No Option” form of consent?
Consent that is inferred based upon the context of a transaction or a company’s relationship with a consumer.
What two requirements are necessary for the right not to be subject to automated processing to apply under the GDPR?
(1) The decision-making is based solely on automated processing; and
(2) The processing “produces legal effects concerning him or her or similarly significantly affects him or her.”
As a general rule, should data be processed according to the privacy notice currently in effect or the privacy notice in effect at the time data was collected?
The privacy notice in effect at the time the data was collected.
What are some consequences that an organization may face if it fails to adequately respond to data subject requests?
Individual lawsuits, regulatory scrutiny, and adverse market consequences.
Other than the obligation to respond, what is another important component of most data protection laws related to data subject rights requests that organizations must address?
The time limit within which organizations must respond.
What are some best practices for responding to data subject requests?
Data subject requests should be fulfilled in their entirety in a timely manner, without charge to the individual, and in the same form as the request was made.
What does the GDPR require for consent to be considered valid before processing activities can begin?
It must be “freely given.”
What is the age of consent for data processing in the European Union under the GDPR?
16 years old, but member states can lower that age to as low as 13 years old.
What are privacy icons?
Symbols that indicate certain privacy practices of an organization.
Under the transparency-related requirements of the GDPR, when must data controllers make disclosures about their data practices to data subjects?
At the time when personal information is obtained.
What are the three main ways to present consumers with a choice about whether they would like their data collected?
(1) Opt-in consent;
(2) Opt-out consent; and
(3) “No option” consent.
True or False: Data subject requests typically are made to organizations through one point of contact with the organization.
False. Data subject requests and complaints can take many forms and reach an organization through many different channels.
What three tasks are vital for any robust data subject request or complaint handling process?
(1) Differentiate between the types of requests received;
(2) Identify the proper recipient to handle the request; and
(3) Implement a centralized process that can receive and track the handling of the request or complaint.
All things being equal, what is the form of consent preferred by regulatory authorities?
Opt-in consent.
What data subject right under the GDPR was not provided for under its precursor, the Data Protection Directive?
The right to data portability.
What right under the GDPR is often a prelude to further legal action by a data subject?
The right to access information under Article 15.
What two situations has the FTC stated always call for express, affirmative consumer consent?
(1) Before a company uses personal information in a manner materially different from the manner in which the data was used when initially collected; and
(2) When particularly sensitive data is collected and processed.
Under the GDPR, consent is not considered to have been freely given in the following situations:
If the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
Other than applicable data protection laws and regulations, what is one other source of data subject rights?
Contractual agreements, such as those contained in an organization’s privacy notice.
What are some of the primary purposes for providing consumers notice about their privacy-related rights?
(1) Compliance with applicable law;
(2) Building trust with consumers;
(3) Meeting market or industry-wide expectations;
(4) Providing transparency; and
(5) Providing details about how personal information is processed in an accessible manner.
Who has the burden of establishing that a weighing of the legitimate interests of the data controller and the rights of a data subject comes out in their favor?
A data controller has the burden of demonstrating that its legitimate interests outweigh the rights of the data subject.
How does the implementation of a centralized data subject request and complaint handling process facilitate information security?
It facilitates training for those involved in the process, such as how to verify and authenticate data subjects.