Unit 4 / Section 6 - The EU GDPR Flashcards

1
Q

What is the territorial jurisdiction of the GDPR, as approved by EU Parliament in Apr-16?

A

The EU GDPR applies to all firms which process the personal data of data subjects residing in the EU, regardless of the firm’s location.

2
Q

What is the maximum fine under GDPR?

A

4% of annual global turnover, or €20 million (whichever is greater)

3
Q

What are 3 examples of breaches which may give rise to a 2% annual global turnover fine under GDPR?

A

1) Firms not having their records in order (article 28)
2) Firms not notifying the supervising authority and data subject about a breach
3) Firms not conducting impact assessments

4
Q

In what form must the request for consent be made?

A

In an intelligible and easily accessible form, with the purpose for data processing attached to that consent.

Consent must be clear and distinguishable and provided in an intelligible and easily accessible form, using clear and plain language.

It must be as easy to withdraw consent as it is to give it.

5
Q

What circumstances give rise to the need to issue a breach notification?

A

  • Where a data breach is likely to ‘result in a risk for the rights and freedoms of individuals’.
  • Within 72 hours of first having become aware of the breach.
  • Data processors must also notify their customers, the controllers, ‘without undue delay’.

6
Q

What do the expanded rights of data subjects outlined by the GDPR include?

A

  • Right for data subjects to obtain from the data controller confirmation of whether or not personal data concerning them is being processed, where and for what purpose.
  • The controller must provide a free copy of the personal data in an electronic format.

7
Q

What is the “Right to be Forgotten”, otherwise known as Data Erasure?

A

The data subject is entitled to:

  • Have the data controller erase their personal data;
  • Cease further dissemination of the data; and
  • Potentially have third parties halt processing of the data

8
Q

What are the conditions for Data Erasure, as outlined in article 17 of the GDPR?

A
  • The data no longer being relevant to original purposes for processing; OR
  • Data subject withdrawing consent.

N.B. This right requires controllers to compare the subjects’ rights to ‘the public interest in the availability of the data’ when considering such requests.

9
Q

What is “Data Portability”?

A

The right for a data subject to receive the personal data concerning them, which they have previously provided, in a ‘commonly used and machine readable format’ and exercise their rights to transmit that data to another controller.

10
Q

What does GDPR Article 23 call for controllers to do in respect to “Privacy by Design”?

A

  • To hold and process only the data which is absolutely necessary for the completion of its duties (data minimisation)
  • To limit the access to personal data to those needing it to complete its processing

11
Q

According to the GDPR, when is a Data Protection Officer a mandatory requirement for firms?

A

DPO appointment is mandatory only for those controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or of special categories of data, or data relating to criminal convictions and offences.

12
Q

What are 6 key criteria relating to a DPO?

A

1) must be appointed based on professional qualities and, in particular, expert knowledge on data protection law and practices
2) may be a staff member or an external service provider
3) contact details must be provided to the relevant DPA
4) must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge
5) must report directly to the highest level of management
6) must not carry out any other tasks that could result in a conflict of interest
