Module 4


What are the 8 data processing principles of the Organisation for Economic Co-operation and Development's Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (OECD Guidelines)?

Collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, and accountability.

Which exception to the prohibition on processing special categories of data must be explicit?

Consent

What is the security safeguards principle according to OECD Guidelines?

Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.

What is the accountability principle according to OECD Guidelines?

A data controller should be accountable for complying with measures which give effect to the OECD Guideline principles.

Hard copies of the surveys are digitized, and the data is aggregated. What type of data processing is this?

Adaptation or alteration. The hard copies are being turned into digital copies.

The combination of the employee's quarterly performance reviews is used to inform their annual review. What type of data processing is this?

Alignment or combination.

What is the individual participation principle according to OECD Guidelines?

An individual should have the right: a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; b) to have communicated to him, data relating to him within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him; c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and d) to challenge data relating to him and, if the challenge is successful to have the data erased, rectified, completed or amended.

How does Article 4(2) of the GDPR define 'processing'?

Article 4(2) of the GDPR defines processing as 'any operation' performed upon data, and it comprises the many possible actions in the data lifecycle.

A product development team collects results from customer satisfaction surveys at a trade show. What type of data processing is this?

Collection. The product development team is collecting the data.

A representative asks the caller for their location in order to recommend a service provider in their area. What type of data processing is this?

Consultation. The representative recommends a service provider in the caller's area.

Which lawful processing criterion is commonly used when a customer purchases a good or service?

Contract.

An HR director shares a list of candidates for an open job position with their team. What type of data processing is this?

Disclosure. The HR director is disclosing a list of candidates.

Applications for employment and other related documents are destroyed when they are no longer needed. What type of data processing is this?

Erasure or destruction.

True or false: Compliance with a legal obligation to which the controller is subject also applies to legal obligations required by third countries.

False. It applies to legal obligations required by EU and member state laws only. It does not include legal obligations of contracts or those of third countries (outside the EU).

True or false: All three criteria set out in Article 3 of the GDPR for Territorial Scope must be met for the GDPR to be applicable.

False. Just one of the three criteria set out in Article 3 of the GDPR for Territorial Scope must be met for the GDPR to be applicable.

True or false: Purpose limitation does not require collecting and processing personal data for the specified purpose only.

False. Purpose limitation requires collecting and processing personal data for the specified purpose only.

True or false: Silence, pre-ticked boxes and inactivity do qualify as unambiguous indications of a data subject's wishes.

False. Silence, pre-ticked boxes and inactivity do not qualify as unambiguous indications of a data subject's wishes.

For consent to be legitimate, what must data subjects be informed of?

For consent to be legitimate, data subjects must be informed, at least, of the controller's identity, the purpose for processing, and information about how processing may affect data subjects.

The survey results are split into categories based on demographic information. What type of data processing is this?

Organization. The survey results are being categorized.

What is the data quality principle according to OECD Guidelines?

Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete, and kept up-to-date.

What is the use limitation principle according to OECD Guidelines?

Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with [the purpose specification principle] except a) with the consent of the data subject; or b) by the authority of law.

What are the three criteria as set out in Article 3 of the GDPR for Territorial Scope?

Processing of personal data: 1. when a controller or processor is established in the EU; 2. of data subjects in the EU relating to offering goods or services or monitoring behavior in the EU; 3. by a controller not established in the EU but in a place where member state law applies by virtue of public international law.

A customer services representative records a phone call with a client to demonstrate accountability for following company procedures. What type of data processing is this?

Recording. The customer services representative is recording the data.

The representative asks the caller for their full name and birthdate in order to access the account information, but the information cannot be accessed because the name they provided is incorrect. What type of data processing is this?

Restricting. The representative is restricting the access to the data.

The representative discovers a typo in the full name and birthdate provided over the phone, corrects the mistake, and accesses the account information. What type of data processing is this?

Retrieval. The representative gets the data for the caller once their identity is confirmed.

The HR department stores the newly hired employee's file containing their employment application, performance reviews, and benefits information. What type of data processing is this?

Storage.

The aggregated data is shown on a graph that compares it with results from previous surveys. What type of data processing is this?

Structuring.

What are the GDPR's data processing principles?

The GDPR's processing principles are: lawfulness, fairness and transparency of processing; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability.

What is the purpose specification principle according to OECD Guidelines?

The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

What is the openness principle according to OECD Guidelines?

There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.

What is the collection limitation principle according to OECD Guidelines?

There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

True or false: Accountability means processing personal data responsibly and demonstrating compliance with EU and member state data protection laws.

True. Accountability means processing personal data responsibly and demonstrating compliance with EU and member state data protection laws.

True or false: Accuracy includes processing complete and up-to-date personal data.

True. Accuracy includes processing complete and up-to-date personal data.

True or false: Controllers should keep records of consent.

True. Controllers should keep records of consent, as they may be obligated to demonstrate that it was obtained.

True or false: Integrity and confidentiality require ensuring personal data is secure.

True. Integrity and confidentiality require ensuring personal data is secure.

True or false: communicating openly with data subjects about personal data processing activities is considered lawful, fair, and transparent.

True. Lawfulness, fairness and transparency of processing requires honest practices, such as communicating openly with data subjects about personal data processing activities.

True or false: Storage limitation means retaining only personal data that is relevant and necessary for the purpose.

True. Storage limitation means retaining only personal data that is relevant and necessary for the purpose.

True or false: the GDPR's processing principles, as set out in Article 5, have been carried over from earlier laws and regulations, including the OECD Guidelines.

True. The GDPR's processing principles, as set out in Article 5, have been carried over from earlier laws and regulations, including the OECD Guidelines.

True or false: Data minimization means processing only personal data that is relevant and necessary for the purpose.

True. Data minimization means processing only personal data that is relevant and necessary for the purpose.

The team uses the survey results to create a marketing plan for a new product. What type of data processing is this?

Use. The team is using the survey results.

