Module 3: GDPR


What are binding corporate rules?

Legally binding rules that authorize the transferring of personal information within a corporate group and are typically used by corporations that operate in multiple jurisdictions.

Describe how ad hoc contracts allow organizations to transfer personal data across borders.

May be used for GDPR compliance, although they must receive prior supervisory authority approval and thus may be a less attractive option for controllers.

Describe how adequacy decisions allow organizations to transfer personal data across borders.

Means that the European Commission of the EU has deemed another country's data protection laws meet the standard to safeguard its own data.

Describe the requirements for binding corporate rules.

Approval from a supervisory authority and must include: 1) structure and contact details for the concerned group 2) information about the data and transfer processes 3) how the rules apply to general data protection principles 4) complaint procedures 5) compliance mechanisms.

What type of approach should a data controller take regarding the operation of their privacy program under the GDPR and why?

1) A risk-based approach to data protection, resulting in technical and nontechnical measures that can demonstrate compliance with the GDPR. 2) Must also continuously review and update their systems to ensure they remain robust.

If a U.S. organization collects personal data from individuals in the EU, what must they build into their internal policies and procedures to address GDPR specific data subject rights?

1) Access and rectification of personal data, 2) data portability, 3) erasure (or the "right to be forgotten"), restriction of processing, 4) the right to object to processing of one's personal data, and 5) the right "not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects."

What should the controller inform the supervisory authority in instances of a data breach?

1) Categories of affected data subjects, 2) the approximate number of affected data subjects and data records, 3) the categories of affected data records, 4) the name and contact details of the data protection officer or other point of contact, 5) a description of likely consequences of the breach, and 6) measures that have been taken or will be taken in response to the breach. The controller should also keep documentation of all the facts to be able to prove compliance to the supervisory authority.

What accountability obligations are required for controllers of personal information under the GDPR?

1) Data protection by design; 2) data protection by default; 3) data protection impact assessments; 4) data protection officer; 5) records keeping; 6) security; 7) data breach reporting

In practice what are the accountability requirements?

1) Implementing data protection by design and data protection by default; 2) Conducting data protection impact assessments; 3) Maintaining data processing records; and 4) possibly needing to appoint a data protection officer

What are the accountability requirements in the GDPR?

1) Must have a data protection program; 2) take into account the nature, scope, context and purposes of processing 3) Understand the risks of varying likelihood and severity for the rights and freedoms of natural persons 4) implement appropriate technical and organizational measures to ensure processing is performed in accordance with the GDPR. 5) Measures shall be reviewed and updated where necessary.

What are the Safe Harbor Privacy Principles?

1) Notice - Individuals must be informed that their data is being collected and how it will be used. The organization must provide information about how individuals can contact the organization with any inquiries or complaints. 2) Choice - Individuals must have the option to opt out of the collection and forward transfer of the data to third parties. 3) Onward Transfer - Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles. 4) Security - Reasonable efforts must be made to prevent loss of collected information. 5) Data Integrity - Data must be relevant and reliable for the purpose it was collected. 6) Access - Individuals must be able to access information held about them, and correct or delete it, if it is inaccurate. 7) Enforcement - There must be effective means of enforcing these rules.

What are the material scope criteria of the GDPR?

1) Processing personal data wholly or partly by automated means which include any processing operation performed without or partly without human intervention. 2) personal data that forms part of a filing system, which applies even if the processing is not conducted by automated means.

What accountability requirements do data processors have in the GDPR?

1) Record-keeping; 2) processors have a duty to support the controller in fulfilling the controller's obligations.

Why was the EU-U.S. Privacy Shield invalidated in Data Protection Commission v. Facebook Ireland, Schrems?

1) The U.S. surveillance programs process data beyond what is strictly necessary and proportional; 2) EU data subjects lack actionable judicial redress and don't have the right to an effective remedy in the U.S.

When can a controller choose not to notify data subjects in instances of a data breach?

1) There was prior implementation of appropriate technical and organizational measures that rendered the personal data unintelligible or encrypted; 2) if post-breach actions greatly reduced the risk to the rights and freedoms of the data subjects; or 3) if individual notice requires disproportionate effort (equally effective public notification is still required).

What are the tasks of a Director of Privacy Officer?

1) Work closely with regulators to help ensure compliance; 2) Train staff on proper data-handling practices; 3) Keep informed upon changes in law and technology; 4) Build, implement and manage privacy programs

What are the mechanisms that allow organizations to transfer personal data across borders?

1) adequacy decisions; 2) ad hoc contracts; 3) standard contractual clauses; 4) binding corporate rules; 5) codes of conduct or self-certification mechanisms

What accountability obligations are required for processors of personal information under the GDPR?

1) data protection officer; 2) records keeping; 3) security; 4) data breach reporting

According to the GDPR what may regulators do to personal information?

1) order erasure of personal data; 2) ask for records of compliance; 3) impose temporary processing bans; 4) suspend international data flows; 5) enforce penalties up to 20 million euros or 4% total annual revenue

According to the GDPR, what are organizations' obligations to personal information?

1) provide notice to process personal data; 2) provide notification of breaches; 3) implement data protection by design and default; 4) take responsibility for vendor processing; 5) consult regulators before processing; 6) follow rules for processing children's data; 7) keep records and demonstrate compliance; 8) maintain appropriate data security; 9) conduct Data Protection Impact Assessment; 10) appoint a director or privacy officer; 11) ensure compliance of data transfers

According to the GDPR, what are consumers' rights and obligations to personal information?

1) withdraw consent; 2) request a copy of their personal data; 3) freeze processing of their personal data; 4) object to automated decision-making

When were the Safe Harbor Privacy Principles implemented?

2000 by the European Commission

What is the U.S. Privacy Shield Agreement?

A framework for regulating transatlantic exchanges of personal data for commercial purposes between the EU and the US.

Describe how standard contractual clauses allow organizations to transfer personal data across borders.

Also known as a model clause and may be a way for organizations to facilitate international data transfers. Companies must verify, on a case-by-case basis, whether the law in the recipient country ensures adequate protection, under EU law, for personal data transferred and, where it doesn't, companies must provide additional safeguards or suspend transfers.

How does the GDPR define processing?

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

Why were the Safe Harbor Privacy Principles invalidated?

As a result of the Schrems v Data Protection Commissioner case. The CJEU finds that it lacks protection of fundamental rights "essentially equivalent" to that in the EU. In particular, it says that national security, public interest and law enforcement have been placed above the Privacy principles.

Describe how codes of conduct/self-certification mechanisms transfer personal data across borders.

Demonstrate to regulators and consumers that a company adheres to certain information privacy standards, provided they demonstrate, by contractual or other legally binding instruments, their willingness to adhere to the mandated data protection safeguards.

What were the goals of the Safe Harbor Privacy Principles?

Designed to prevent private organizations within the EU or US which store customer data from accidentally disclosing or losing personal information. US companies could opt into a program and be certified if they adhered to seven principles and 15 frequently asked questions and answers per the Directive.

What did the U.S. Privacy Shield Agreement replace?

International Safe Harbor Privacy Principles

When was the U.S. Privacy Shield Agreement invalidated?

July 16, 2020

What are the controller's notice obligations to the data subject in instances of a data breach?

Notification without undue delay and in clear and plain language if it is likely to result in a high risk to the rights and freedoms of those individuals.

What year was the International Safe Harbor Privacy Principles declared invalid by the European Court of Justice?

October 2015

Who must have a Director of Privacy Officer?

Organizations that fall under the scope of the GDPR, whose core activities involve processing personal data on a large scale, or who consistently process highly sensitive data or data relating to criminal convictions and offenses.

What are the territorial scope criteria of the GDPR?

Processing of personal data: 1) when a controller or processor is established in the EU; 2) of data subjects in the EU relating to offering goods or services or monitoring behavior; and 3) by a controller not established in the EU but in a place where member state law applies.

What happened in the case Data Protection Commission v. Facebook Ireland, Schrems?

The Court of Justice of the European Union invalidated the European Commission's adequacy determination for the EU-U.S. Privacy Shield. The CJEU decision also included findings regarding the need for case-by-case assessments of the sufficiency of foreign protections when using standard contractual clauses.

What was the purpose of the U.S. Privacy Shield Agreement?

To enable US companies to more easily receive personal data from EU entities under EU privacy laws meant to protect EU citizens.

How long does a controller have to notify a supervisory authority in instances of a data breach?

Within 72 hrs of becoming aware if it is likely to result in a risk for the rights and freedoms of natural persons.

What scope does the General Data Protection Regulation cover?

territorial and material

