UNIT 2 DATA PROTECTION REQUIREMENTS ACCORDING TO GDPR Flashcards

1
Q

Lawfulness, Fairness, and Transparency

A

Under GDPR, data processing must have a lawful basis such as the data subject’s clear and informed consent. It must also be transparent, providing individuals with clear information on how their data is used, and fair, ensuring data use aligns with the individual’s expectations and benefits, such as enhancing online shopping experiences.

2
Q

The term “Consent”

A

Although consent is the most prevalent (and visible) legal basis on which personal data are processed, it is not the only one. It is permitted to process personal data without consent if one of the other five legal bases applies.

3
Q

Purpose Limitation

A

The principle of purpose limitation requires that data be collected for specific, legitimate reasons which are clearly communicated to data subjects. If the purpose changes, data subjects must be informed, as any use of data beyond the originally stated purpose requires a new legal basis and explicit communication. For example, if an e-commerce site initially collects data for processing purchases but later wants to use that data for marketing new products, it must obtain new consent or establish a new legitimate reason, and inform the customers accordingly.

4
Q

Data Minimization

A

Personal data should be adequate, relevant, and limited to what is needed for the intended processing purposes. This principle dictates that an organization should identify and collect only the minimum amount of personal data necessary to achieve the specific purposes communicated to the data subject. As part of the data minimization principle, it is important to consider whether the objectives could still be accomplished if some of the data were anonymized. For instance, a ride-sharing app in Italy might reasonably ask for payment card details on registration, but probably does not need to know the user’s fiscal or tax code, and it would contravene the principle of data minimization to request it.

5
Q

The term “Anonymization”

A

The process of transforming personal data in such a way that they can no longer be attributed to a specific individual. True anonymization is irreversible and makes it nearly impossible to identify a natural person.

6
Q

Accuracy

A

Reasonable measures need to be taken to ensure that the personal data collected are accurate and kept up to date throughout their processing. This is difficult to achieve in practice, but at a minimum an organization should put in place processes to ensure the data’s accuracy, not only during the collection process but throughout all stages of processing. For example, an online healthcare provider might regularly verify a patient’s allergies by implementing an app dialogue that presents a list of known allergies on login, and obliges the user to confirm that the list is accurate before proceeding to use the app.

7
Q

Storage Limitation

A

Personal data should only be kept if they are required to achieve the goals for which they were collected, and the information should be securely erased or anonymized once the intended use has been achieved. The GDPR further clarifies that data that have been anonymized can be retained indefinitely, as anonymous data are no longer considered personal data and are not subject to this principle. Once a student completes a language course, their performance records become irrelevant and should be securely erased or anonymized for research purposes.

8
Q

What does the security principle in data protection entail?

A

The security principle requires that personal data be treated securely, with safeguards against unauthorized processing and protections against loss, destruction, or damage.

9
Q

How might a financial institution implement the security principle for international payments?

A

A bank might use two-factor authentication (2FA) and encryption for payment messages, and partner with an IT provider like IBM for a secondary backup system behind a separate firewall.

10
Q

What is the GDPR’s accountability requirement as stated in Article 5(2)?

A

Article 5(2) mandates that data controllers demonstrate compliance with the core data protection principles, possibly through comprehensive contracts or clear procedures on data handling.

11
Q

What does GDPR Article 25 specify about data protection?

A

Article 25 requires data protection “by design and by default,” ensuring data protection principles are embedded throughout the data processing life cycle.

12
Q

How might a university ensure data protection by design when creating a student feedback survey?

A

The university might minimize personal data collection (e.g., asking for age range instead of birthdate), ensure anonymity by default with an opt-in for providing names, and require secure login protocols.

13
Q

What are examples of data protection by default in the design of a survey?

A

Designers might include technical settings such as disabling location services by default on mobile platforms, ensuring responses are anonymous unless explicitly opted otherwise.

14
Q

What is the purpose of data protection principles according to the text?

A

Data protection principles aim to establish a solid foundation for data protection practices, ensuring the privacy, security, and rights of individuals are respected throughout the data processing lifecycle.

15
Q

Layered privacy notice

A

This is a privacy policy format that presents essential information in a concise initial notice, while offering more comprehensive details through expandable sections or by way of new tabs or hyperlinks.

16
Q

What inspired the foundation of the GDPR?

A

The GDPR is rooted in the European Convention on Human Rights (ECHR), which underlined the right to privacy as a fundamental right for all European citizens, especially in the context of rising digital interactions.

17
Q

What significant regulation did the EU introduce in 1995 to address online privacy?

A

In 1995, the EU introduced the Data Protection Directive to set minimum standards and rules for safeguarding privacy online, though its implementation varied across member states.

18
Q

What prompted the replacement of the Data Protection Directive with the GDPR?

A

The rapid growth of industries based on the collection and sharing of personal data highlighted the need for a harmonized regulation across all member states, leading to the enactment of the GDPR.

19
Q

What are some major impacts of the GDPR since its implementation?

A

Since its implementation, the GDPR has led to over 1,700 enforcement actions, more than four billion euros in fines, and influenced 32 rulings by the Court of Justice of the EU, significantly shaping global privacy practices and data protection measures.

20
Q

Describe the scope of the GDPR.

A

The GDPR applies broadly to any processing of personal data, affecting entities outside the EU if they handle the personal data of EU citizens, as seen in its application to an American SaaS provider processing data from EU citizens.

21
Q

“Invisible processing”

A

Transparency is equally important when an organization collects personal data from another source and there is no direct relationship with the data subject. In such cases, often referred to as “invisible processing,” individuals may be unaware that their data are being collected and used, hindering their ability to assert their data protection rights. To be compliant with the transparency principle, organizations must ensure that they provide accessible and comprehensible information using plain language to inform individuals about their data processing activities.

22
Q

Just-in-time notices

A

Just-in-time notices are alerts that provide privacy information when a user is about to provide personal data. Icons can be used in combination with standardized privacy information to give an easily visible and intelligible overview of the intended processing. These techniques ensure transparency and help users better understand how their data are processed.

23
Q

What does GDPR Article 12 require of controllers in terms of communicating with data subjects?

A

GDPR Article 12 requires controllers to develop clear, straightforward, and understandable communication that is easily accessible, using simple language. Controllers can employ layered privacy notices to effectively customize and clarify their information strategies.

24
Q

What is the concept of layered privacy design and how does it relate to Creative Commons (CC) license layers?

A

Layered privacy design involves structuring privacy notices in multiple layers to enhance understanding and accessibility, similar to Creative Commons license layers. The first layer is a legal version for court validity, the second is a human-readable version using plain language, and the third is a machine-readable version that facilitates digital interpretation by search engines and software. This approach ensures that the license or privacy terms are implemented accurately and comprehensively understood by users.

25
Q

What is the purpose of Article 15 of the GDPR?

A

Article 15 of the GDPR grants individuals the right of access to their personal data held by an organization, allowing them to submit a Data Subject Access Request (DSAR) to confirm how their data is being processed, its accuracy, and whether it is shared with other parties.

26
Q

What are the requirements for responding to a Data Subject Access Request (DSAR) according to GDPR?

A

A data controller must respond to a DSAR without undue delay and within one month from the date of receiving the request. The response should be provided free of charge and include detailed information about the purposes of processing, categories of personal data, recipients of the data, retention period, rights to rectification and erasure, and the existence of automated decision-making.

27
Q

What is the procedure when an individual wishes to submit a Data Subject Access Request (DSAR) under GDPR Article 15?

A

An individual can submit a DSAR through simple communication, such as an email, explicitly requesting all personal data held by the organization. The organization is obliged to provide all requested information, including purposes of processing, storage duration, and parties involved in data exchanges, unless specific derogations apply.

28
Q

What types of information must be included by an organization in response to a DSAR under GDPR?

A

The organization must include comprehensive records such as financial records of payments and medical records with diagnoses, examination results, assessments by healthcare professionals, and details of treatments or interventions. The response should also articulate the purposes of processing, data retention period, and details of third parties receiving the data.

29
Q

How does the right of access to personal data benefit individuals according to GDPR?

A

The right of access allows individuals to verify the lawfulness of data processing, ensure the accuracy of data held about them, and request rectification of incorrect data. This promotes transparency and accountability, enabling individuals to exercise control over their data and protect their rights.

30
Q

Right to Rectification

A

Right to Rectification

31
Q

Right to Erasure

A

The right to erasure, often referred to as the “right to be forgotten,” allows data subjects to request the deletion of their data under specific conditions, though it’s not absolute. Controllers must comply with such requests within a month, with some exceptions. This right only applies to data held at the time of the request, and under circumstances such as no longer having a lawful basis for processing or withdrawal of consent. Additionally, it requires controllers to inform other controllers processing the same data about the erasure request. However, restrictions exist, like when data processing is essential for public interest, freedom of expression, research purposes, or legal claims.

32
Q

Right to Restriction of Processing

A

Data subjects are granted the right to request the restriction or suppression of their personal data, which empowers them with increased control over the processing of their data. This allows for temporary storage without processing and can involve making the data unavailable or removing published data from a website. The right to restrict processing applies in cases where the data might be inaccurate, when it has been unlawfully processed, when retention is necessary for legal claims, or when the data subject has exercised the right to object pending a legitimate interest assessment.

33
Q

Right to Data Portability

A

The concept behind the right to data portability is to provide greater consumer choice to users by allowing them to change online providers easily, for example, by choosing to move from one social media provider to another. By providing a right that allows users to migrate their personal data across different services, GDPR prevents “lock-in” to a single provider and helps users leverage applications without compromising usability or integrity.

34
Q

Right to Object

A

Data subjects have the right to object to the processing of their personal data based on their specific circumstances. Unless controllers can show compelling legitimate grounds for processing that outweigh the interests, rights, and freedoms of the data subject, they are required to respect these objections. Data subjects have an absolute right to object to the processing of their personal data for direct marketing purposes, including any profiling associated with such marketing.

36
Q

Rights in Relation to Automated Decision-Making and Profiling

A

Automated decision-making is the process of making decisions without human involvement, for example, when an organization uses an algorithm to exclude CVs in a recruitment exercise. Profiling entails the assessment of specific aspects of an individual based on their personal data, such as when a bank relies on an algorithm to assess the eligibility of an applicant for a loan.

Although data subject rights conferred by the GDPR place an additional burden on businesses, they help establish trust and transparency between data subjects and data controllers. Importantly, they address the imbalance between these parties by empowering individuals and promoting a more privacy-centric approach to data processing.