Summary Flashcards

1
Q

Art. 5 GDPR Data Processing Principles

Base for FIPs

A
  • Lawfulness, Fairness, Transparency
  • Accountability
  • Data Minimization
  • Storage Limitation
  • Purpose Limitation
  • Accuracy Principle
  • Integrity & Confidentiality
2
Q

OECD Fair Information Processing Principles FIP

Govern the use of personal data.

Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

A
  • Use limitation Principle
  • Data Quality Principle
  • Openness Principle
  • Purpose Specification Principle
  • Individual Participation Principle
  • Accountability Principle
  • Security Safeguard Principle
  • Collection Limitation Principle
3
Q

Art. 33 & 34 GDPR

A

Art. 33 - Notification of a breach to SA

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the SA competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

  • Nature of breach
  • Categories
  • Number of DS and records
  • DPO
  • Consequences
  • Mitigation measures

Information may be provided in phases.
The C must document any breach and its details internally for compliance purposes.

The processor shall notify the controller without undue delay after becoming aware of a personal data breach.

Art. 34 - Notification of a breach to DS

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

Same requirements as in Art. 33 for reporting content.

Not required if:
* No risk due to measures (e.g. encryption)
* Risk no longer materializes
* Disproportionate effort - Public communication instead.

SA can require notification to DS

4
Q

Art. 47 GDPR

A

Binding Corporate Rules

  • Specific Categories
  • Method of communication to DS
  • Tasks of any person in charge of monitoring
  • Details of the transfer
  • Legally binding nature
  • Acceptance for liability
  • DPO
  • How BCR is communicated
5
Q

Art. 83 GDPR

A

Administrative Fines

They must be:
Dissuasive
Effective
Proportionate

6
Q

Recital 4
Data Protection in Balance with other Fundamental Rights

A

The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular:
* the respect for private and family life,
* home and communications,
* the protection of personal data,
* freedom of thought, conscience and religion,
* freedom of expression and information,
* freedom to conduct a business,
* the right to an effective remedy and to a fair trial,
* and cultural, religious and linguistic diversity.

7
Q

Beginning of the EU

A

1958 Treaty of Rome - Treaty Establishing the European Economic Community (EEC)

* evolved into the Treaty Establishing the European Community (EC)

1992 Maastricht Treaty - Treaty on European Union (TEU)
- Created the EU and EU citizenship

2009 Treaty of Lisbon
- Changed the name of the Treaty of Rome (EEC Treaty) to the Treaty on the Functioning of the European Union (TFEU)

The Treaty of Lisbon amended the two foundational documents establishing the European Union:

(1) the Treaty Establishing the EEC now “TFEU”; and

(2) the Treaty on European Union

The right to protection of personal data is directly incorporated into the TFEU, but this only applies when implementing Union law.

Article 16 of the TFEU, as amended, gives binding legal effect to Article 8 of the Charter on Fundamental Rights. In other words, because of the Lisbon Treaty, the Charter on Fundamental Rights now has the same legal efficacy as the two enabling treaties themselves.

At a more technical level, however, the Charter of Fundamental Rights applies to member states “only when they are implementing Union law.”

8
Q

How should fair processing information be communicated

A
  • Concise
  • Transparent
  • Easily accessible
  • Intelligible and in clear and plain language
  • Accurate and up to date
9
Q

7 EU - US Privacy Shield Principles

A

The seven Privacy Shield Principles are
(1) notice;
(2) choice;
(3) security;
(4) access;
(5) accountability for onward transfer;
(6) data integrity and purpose limitation; and
(7) recourse, enforcement and liability.

Once an organisation publicly commits to comply with the Privacy Shield Principles, that commitment is enforceable by the U.S. Federal Trade Commission under the authority of Section 5 of the FTC Act (prohibition on deceptive acts).

10
Q

The dispute resolution procedure is when:

A
  • A DPA does not accept an objection raised by another DPA (under Art. 60)
  • SAs disagree on the application of the GDPR
  • When the SA fails to request the opinion of the EDPB or follow the opinion of the EDPB (Art. 64)
11
Q

Fair Processing Information should be:

A

Concise
Transparent
Easily accessible

Intelligible and clear language
Accurate and up to date

12
Q

What is a data transfer

A

In November 2021, the EDPB issued draft guidelines on what constitutes an international “transfer” under the GDPR. There, the EDPB suggests that a three-part test is needed to determine whether a transfer to a third country has occurred, such that the transfer is subject to the data transfer rules of Chapter V of the GDPR:

(1) A controller or a processor is subject to the GDPR for the given processing;

(2) This controller or processor (“exporter”) discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“importer”); and

(3) The importer is in a third country or is an international organisation, irrespective of whether or not this importer is subject to the GDPR in respect of the given processing in accordance with Article 3.

13
Q

A Privacy Impact Assessment is

A

“[a]n analysis of how information is handled:

(i) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy;

(ii) to determine the risks and effects of collecting, maintaining, and disseminating information in identifiable form in an electronic information system; and

(iii) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks.”

14
Q

What is Inferred, Observed and Provided data

A

The EDPB identified three types of data that social media companies utilize to target individuals: provided data, observed data, and inferred data.

Provided: Information actively provided, e.g. email address, age

Observed: Provided, but more passively. IP address, pixels or plug-ins, activity of the user (website clicks)

Inferred: Created by the data controller on the basis of the data provided by the DS or observed by the C
