CIPP/E Part II: European Data Protection Law and Regulation

Pataasin ang iyong marka sa homework at exams ngayon gamit ang Quizwiz!

GDPR Article 5

Principles relating to the processing of personal data

GDPR Article 9

Processing of special categories of personal data is prohibited. However, there are a number of exceptions to the prohibition

Incident detection and response

Regular testing of technical and organisational measures assesses and evaluates their effectiveness. This also helps to ensure the ability to restore availability and access to personal data in a timely manner if it is lost

GDPR Article 15

Right of access by the data subject; provides data subjects with entitlements to certain information, obtainable from the controller upon request.

GDPR Article 17

Right to erasure; the right to be forgotten

GDPR Article 16

Right to rectification; Right to rectification without undue delay - generally within 1 month.

GDPR Article 10

States that processing of such personal data 'shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects'. In addition, 'Any comprehensive register of criminal convictions shall be kept only under the control of official authority'.

True (a processor must have consent from the controller to engage any sub-processors if allowed to same data protection obligations must be imposed on the sub)

T/F: A processor shall not engage a sub-processor without the prior written authorization of the controller

True (if controllers plan to transfer personal data internationally, they must tell data subjects of the existence or absence of an adequacy decision)

T/F: Controllers are obligated to inform data subjects about data transfers

True (once data is being used for a new purpose controllers must notify data subjects of this and provide all relevant information)

T/F: Even if a controller obtained data from an indirect source; if a controller later wants to process personal data for a different purpose, data subjects must be provided with all relevant information, including the new purpose, prior to processing.

True (It should be free of charge unless the request by the data subject is excessive)

T/F: Notice and access to personal data must be provided free of charge unless the data subject's request is unfounded or excessive?

True (The GDPR endorses the use of standardised icons within privacy notices to communicate required information)

T/F: Rectial 60 of the GDPR endorses the use of standardized icons to communicate required information?

True (information must be easily accessible, and in intelligible clear and plain language)

T/F: When communicating to individuals about what's going to happen to their information you must take context into account and your message should be understood by the audience you are actually collecting and using data from. (even if it is children)

GDPR Article 32

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk

Article 9 (1) of the GDPR

'Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited'

Article 4(8) of the GDPR

'processes personal data on behalf of the controller'. A processor's activities must be transparent to the controller, and any decisions that determine where personal data is processed or by whom must rely on approval from the controller.

Legitimate interests

(unless overridden by the interests, rights or freedoms of the data subject, in particular where the data subject is a child) This has often been used as a safety net in the absence of another lawful basis for processing personal data, and while it may still prove a more realistic option than consent, it should be used with caution.

Layered Privacy Notice

- Contains multiple layers of increasingly detailed notices - Top: short notice w/ key elements - Middle: Condensed notice - Bottom: Full notice

Options for derogations

- Explicit consent for the data subject - Necessary for the performance of a contract with the data subject - Public interest recognised by EU or member state law only - Establishment, exercise or defence of legal claims (covers international litigation scenarios) - Protection of vital interests (designed for emergency situations) - Transfer from a register of public information - Legitimate interests of the controller (transfer must be nonrepetitive and concern a limited number of individuals)

Direct Collection Requirements

- Identity and contact details of the controller and DPO - Purpose and legal basis of processing - Recipients - Intention to transfer data to a third country or international organization - Legal basis for intended international transfers - Legitimate interests of the controller (if used as legal basis for collection) - Storage period/criteria used to determine - Data Subject Rights - Whether the provision of personal data is a statutory or contractual requirement - Info about the use of automated decision-making

Reasons why information may not have to be provided to data subjects whose data was collected indirectly

- data subject already has the info - if information provision is impossible or requires disproportionate effort - National/EU laws require obtaining or disclosing data and provide appropriate measures to protect individuals' interest - If national or EU laws require that the personal data remain secret

The Three Criteria of Territorial Scope

1. processing of personal data when a controller or processor is established in the EU 2. processing the personal data of data subjects in the EU relating to offering goods or services or monitoring behavior in the EU 3. processing of personal data by a controller not established in the EU but in a place where member state law applies by virtue of public international law

direct marketing, public interest/legitimate interest, research/statistical purposes

3 Valid reasons for the right to object

Public Interest

A controller may be required to process personal data in the public interest, and member state legislation may determine what tasks fall within the public interest. Examples include the administration of justice, tax collection, and research and statistical purposes, such as census.

Privacy Notice

A statement made to a data subject that describes how the organisation collects, uses, retains and discloses personal data. (a.k.a privacy statement/fair processing statement/privacy policy)

Management and Worker Buy-in

An organisation should foster a culture of risk awareness and respect for personal data throughout the entire employment lifecycle (from hiring and on-boarding through termination).

data processing

Any operation or set of operations which is performed on personal data

Reliance on international agreements

Appropriate safeguard where two countries may enter into an agreement between themselves to provide for the protection of personal data

Standard Contractual Clauses (SCCs)

Approved codes of conduct and certification mechanisms: Provisions within the GDPR encourage industries to create their own codes of conduct and certification mechanisms that will be reviewed by the European Data Protection Board. If approved, companies may adhere to them and be considered safe to receive transfers of personal data from the EU.

Personal Data

Article 4(1) of the GDPR defines it as 'Any information relating to an identified or identifiable natural person'

freely given, specific, informed, unambiguous

Consent must be?

Physical Environment (security)

Considerations may include sophisticated entry control systems, video surveillance, and lock-and-key and clean-desk policies.

integrity

Controls are in place to ensure data is accurate and complete

Resilience

Data is able to withstand and recover from errors or threats

availability

Data is accessible when needed for a business activity

Just in Time Notice

Delivered at or right before a user accepts a service or product, helping to facilitate meaningful choice. May also be given when previously collected data is to be used for a new purpose

Adware, web cookie, web beacon, digital fingerprint

Examples of behavioral profiling

Activities outside the scope of EU law, Law enforcement and public security, purely personal or household activities

Exclusions to the material scope of the GDPR

Exceptions to the prohibition of the processing of special data

Explicit Consent, Context of Employment, Vital Interest of the Individual; Political, Philosophical and Religious Purposes; Made public by Data Subject, legal claims, Substantial Public Interests, Medicine and Social Healthcare, Public Health, Public archives or scientific or historical research or statistical purposes

Confidentiality, Integrity, Availability, Resilience

Four Main Attributes of Security Controls

Within one month (or upon first communication with the data subject when personal data is used to communicate)

How long is the information provision to data subjects whose data was collected indirectly?

Protection of vital interests

If personal data must be processed to ensure an individual's survival, a controller may rely on vital interests for lawful processing. This basis for processing should only be used in an emergency situation and if no other option is available.

Appropriate safeguards

In the absence of an adequacy decision, these may be used to legally transfer data internationally; legal tools designed to ensure recipients of personal data who are outside the EEA are bound to continue to protect personal data to a European-like standard

confidentiality

Individuals, entities, systems or applications access data on a need-to-know basis

GDPR Article 13

Information to be provided where personal data are collected from the data subject. Notice is not required if data subjects already have the information. (i.e If personal data is collected from an indirect source)

Ad hoc contractual clauses

Must have supervisory authority authorization. They allow for individual tailoring to a company's needs. Provisions for such clauses may differ at the member state level

Reasons for Data Subjects to request erasure

Personal data is no longer necessary for the purpose for which it was collected, If the processing is based on consent, and the data subject withdraws that consent, If the processing is based on the controller's legitimate interest, and the data subject objects to the processing, and the controller is unable to demonstrate that its legitimate interest overrides the interests or the fundamental rights and freedoms of the data subject, If the processing is unlawful, If the personal data must be erased for compliance with EU or member state law, if consent was given when the data subject was a child

GDPR Article 28

The controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject

Data Subject

The individual about whom information is being processed, such as the patient at a medical facility, the employee of a company or the customer of a retail store.

Adequacy decisions, appropriate safeguards, derogations

The landscape of international data transfers is comprised of?

Compliance with a legal obligation

This option is also meant to be interpreted narrowly. It applies to legal obligations required by EU and member state laws only. It does not include legal obligations of contracts or those of third countries (outside the EU)

GDPR Article 12

Transparent information, communication, and modalities for the exercise of the rights of the data subject. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally

lawfulness, fairness and transparency of processing, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, accountability

What are the GDPR processing principles?

consent, performance of a contract, compliance with a legal obligation, vital interests of the data subject, public interest/exercise of official authority of the controller, legitimate interest

What are the SIX lawful grounds for controllers to rely on to process personal data?

A country outside the EEA

What is a third-country?

When the data processing is based on the user's consent or on a contract and the data processing is carried out by automated means

When does the right to data portability apply?

Direct Collection

When the data collected comes from the data subject to whom the information relates

European Commission

Who determines adequacy?

supervisory authority and data subjects

Whom must a processor notify if a personal data breach occurs that is likely to result in a risk for the rights and freedoms of natural persons

Controller

Whom must a processor notify if a personal data breach occurs?

Reasons to request restriction of data

accuracy of data contested by data subject; processing is unlawful but data subject prefers restriction over erasure; controller no longer needs the personal data but data subject needs it saved; data subject objects processing, pending the controller's attempt to verify legitimate grounds

Right to data portability

allows data subjects to 'obtain and reuse "their" data for their own purposes and across different services'; allows the data subject to receive personal data concerning them that they provided to the controller. The data may be transferred directly to the data subject for storage on a private device, another controller or a trusted third party.

Supervisory Authority

an entity appointed to enforce privacy or data protection laws and regulations in a particular jurisdiction

Data Controller

an organization or individual that decides how and why personal data is processed

Data Processor

an organization or individual that processes information on behalf of the data controller

Profiling

automatic processing of personal data for the purpose of evaluating, analysing or predicting personal aspects of a natural person

Adequacy Decision

based on assessments of third-country laws; determinations that certain third countries adequately protect EU data because their laws have achieved a European level of protection; , transferring personal data to these countries does not require additional safeguards

consent

common basis used to lawfully process personal data; however, under the GDPR, additional conditions must be met to use this option.

Right to Erasure

data subjects may, in some circumstances, request that their personal data be erased and, therefore, no longer processed.

GDPR Article 4(12)

defines a 'personal data breach' as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

GDPR Article 4(2)

defines processing as any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

Binding Corporate Rules (BCRs)

designed to allow large multinational companies to adopt a policy suite with rules for handling personal data that are binding on the company; If competent supervisory authorities sign off on rules, a company is considered free to transfer personal data within their organisation around the world

Article 4(7) of the GDPR

distinguishes the controller as the individual or body who, 'alone or jointly with others, determines the purposes and means of the processing of personal data', and this distinction leads to greater legal obligations

Integrity and confidentiality

ensuring personal data is secure

Example of Personal Data Elements

gender, age and date of birth, marital status, citizenship, languages spoken and veteran status; may relate to an individual's employment or association with an organization, such as physical addresses, phone numbers, email addresses, internal identification numbers, government-issued identification numbers and identity verification information.

GDPR Article 2

material scope; activities must fall within processing personal data wholly or partly by automated means; or processing, other than by automated means of personal data, that forms part of a filing system

Pseudonymous data

not fully anonymous data; It has undergone a process that has detached the aspects of the data attributed to a specific individual, similar to creating an alias for a person's name, yet the personal data is still retrievable; typically a security measure that makes the use of the data less risky; still subject to EU data protection laws

anonymous data

not related to an identified or an identifiable natural person. It has been rendered unidentifiable and, as such, is not protected by the GDPR.

indirect collection

personal data is obtained from an indirect source, such as the news media or public records

Personal Data Elements

pieces of data that happen to be personal information

Accuracy

processing complete and up-to-date personal data

performance of a contract

processing is necessary to perform the contract (and the data subject is a party to the contract) or if the data subject requests the processing in order to enter into a contract

Data minimisation

processing only personal data that is relevant and necessary for the purpose.

Accountability

processing personal data responsibly and demonstrating compliance with EU and member state data protection laws; ability to demonstrate that a data protection programme has been implemented and is run in compliance with the law

Automated Processing

prohibition on automated processing that applies to decisions that are based solely on automated processing without human intervention in a way that produces legal or similarly significant effects

Policy Framework

repository of all the organisation's rules for confidentiality and security. It contains security objectives and scope; security principles, standards and compliance requirements; and roles and responsibilities. The policy should be approved by management, communicated to all employees and relevant external parties, and reviewed periodically

Purpose limitation

requires collecting and processing personal data for the specified purpose only. To determine if personal data may be processed further, use a compatibility test to look for links between purposes, nature of the data, method of collection, consequences of secondary uses and safeguards.

Transparency obligation

requires data controllers to communicate with data subjects using an intelligible and easily accessible form, clear and plain language, and concise communication

Lawfulness, fairness and transparency of processing

requires honest practices, such as communicating openly with data subjects about personal data processing activities.

Storage limitation

retaining only personal data that is relevant and necessary for the purpose

GDPR Article 21

right to object the processing of personal data; not absolute; only available if the grounds for data processing fall into one of three catergories

GDPR Article 18

right to restriction; allows for personal data to continue being stored without being further processed

Information Technology

robust IT security measures; include protection mechanisms, such encryption, antivirus and antispam technology, firewalls, identity and access management, incident detection, data loss prevention, two-factor authentication, IP log management, and regular security code peer review

Special Categories of Data

sensitive because its processing has a more profound impact on individuals' privacy rights; it has a higher standard of protection; personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership; genetic or biometric data for the purpose of uniquely identifying a natural person; and data concerning health, sex life or sexual orientation

Derogation

should be used as a last resort for international transfers of data; is an exemption from the prohibition on transferring personal data outside the EEA; for limited circumstances and allow organisations to transfer personal data across borders under very specific conditions

GDPR Article 3

territorial scope; relies on 3 criteria and just needs to be met for the GDPR to be applicable

Security Controls

the actual processes used to ensure the security of an information system, must function properly, and the system must provide prompt notification if a control fails

GDPR Article 22

the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects; strictest for decisions involving children

Restriction

the marking of stored personal data with the aim of limiting their processing in the future; provides an alternative to erasure in circumstances where storing personal data is legally required

GDPR Article 48

third-country court, tribunal or administrative authority orders for personal data may not be authorised, unless the request is made under the basis of EU or member state law, or through a mutual legal assistance treaty that is enforced in the EU


Kaugnay na mga set ng pag-aaral

Musculoskeletal & Superficial Structures

View Set

Real Estate Fundamental lessons 5-9

View Set

6.2 Explain cryptography algorithms and their basic characteristics

View Set

Management CLEP Practice Questions

View Set