CIPP/E GDPR Terms
Right to data portability
Requires controllers to provide personal data to the data subject in a commonly used format and to transfer that data to another controller if the data subject so requests
Exceptions to transferring personal data outside the EU without adequate protections
- Explicit consent
- For the performance of a contract
- Important reasons of public interest
- Establishment, exercise or defense of legal claims
- To protect vital interests where the data subject is physically or legally incapable of giving consent
- Made from a register that is intended to provide information to the public
Data protection principles
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
Processors' records of processing to keep
- contain contact information for the processor(s) and controller(s)
- the categories of processing carried out for each controller
- information on cross-border transfers if applicable
- a general description of the implemented technical and organizational security measures
Processors' duties to controllers
- process data only as instructed by controllers
- use appropriate technical and organizational measures to comply with the GDPR
- delete or return data to the controller once processing is complete
- submit to specific conditions for engaging other processors
Information provided to data subjects when their information is collected
- that the controller intends to transfer personal data to a third country or international organization
- that such transfer is pursuant to an adequacy decision by the Commission
- reference to the appropriate or suitable safeguards and the means for the data subject to obtain them
Disclosures a controller must make before collecting personal data
- the identity of the controller
- the purposes for processing
- any recipients of personal data
- how long the data will be stored
- the right to withdraw consent at any time
- the right to request access, rectification or restriction of processing
- the right to lodge a complaint with a supervisory authority
Factors in determining data protection adequacy for cross-border transfer
- the specific processing activities
- access to justice
- international human rights norms
- the general and sectoral law of the country
- legislation concerning public security, defense and national security
- public order
- criminal law
Affirmative actions signaling consent
- ticking a box on a website
- choosing technical settings for information society services
- another statement or conduct that clearly indicates assent to the processing
Top 10 operational impacts of GDPR
1. Data Security and Breach Notification Standards
2. The Mandatory DPO
3. Data Subject Consent
4. Cross-border Data Transfers
5. Profiling and the Right To Object
6. The New Rights To Be Forgotten and to Data Portability
7. Clarifying Duties and Responsibilities of Controllers and Processors
8. 'Pseudonymization' of Personal Data
9. Codes of Conduct and Certifications
10. Complex Administrative Procedures and Hefty Fines
GDPR's new requirements for consent
1. the right to withdraw consent at any time, and it shall be as easy to withdraw consent as to give it
2. consent is not freely given if there is a clear imbalance of power
3. consent must be specific to each data processing operation
Explicit consent
All situations where individuals are presented with a proposal to agree or disagree to a particular use or disclosure of their personal information and they respond actively to the question, orally or in writing
Binding Corporate Rules
Allow companies to make intra-organizational transfers of personal data across borders in compliance with EU Data Protection Law
Right to be forgotten
Allows individuals to request the deletion of personal data, and, where the controller has publicized the data, to require other controllers to also comply with the request
Profiling examples
Analyzing or predicting aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements
Data protection by design and by default
Controllers should design products with privacy in mind rather than tacking it on as an afterthought, and privacy-protective settings should be the default in any product
Special categories of data
Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, and the like
Direct identifiers
Data that can be used to identify a person without additional information or with cross-linking through other information that is in the public domain
How consent must be given
Freely given, specific, informed and unambiguous by a statement or by a clear affirmative action.
Data Subject Consent
The GDPR requires the data subject to signal agreement by "a statement or a clear affirmative action."
How photographs qualify as biometric data
When they are processed through a specific technical means allowing the unique identification or authentication of a natural person
Personal data breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed
Personal data
Any information relating to an identified or identifiable natural person ('data subject')
Profiling
Involves (a) automated processing of personal data; and (b) using that personal data to evaluate certain personal aspects relating to a natural person
Pseudonymization
The separation of data from direct identifiers so that linkage to an identity is not possible without additional information that is held separately
Joint controllers
When two or more controllers jointly determine the purposes and means of processing