CIPP/E
DSAR: Restriction and Objection
a. Restriction
   i. Right to restrict the processing of personal data where
      a) Accuracy of the personal data is contested by the data subject (may restrict for a time to allow the controller to verify the accuracy of the data)
      b) Processing is unlawful and the data subject opposes the erasure of the personal data
      c) Controller no longer needs the personal data for the purposes of the processing, but the data are required by the data subject for the establishment, exercise or defense of legal claims
      d) Data subject has objected to processing, pending verification whether the legitimate grounds of the controller override those of the data subject
   ii. If the data subject "restricts" the processing of their personal data, then the controller may only store the data.
      a) The controller may not further process the data unless:
         1) The data subject consents; or
         2) The processing is necessary for
            a) the establishment, exercise or defense of legal claims
            b) Protection of the rights of another person
            c) Reasons of important public interest
b. Objection
   i. Right to object to processing of personal data on grounds relating to the data subject's particular situation
      a) Controller may no longer process the personal data, unless:
         1) the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or
         2) the processing is for the establishment, exercise or defense of legal claims
   ii. Right to object to processing for direct marketing purposes (including profiling)
      a) This is an absolute right; processing must cease immediately
   iii. Right to object to processing for scientific/historical research/statistical purposes, on grounds relating to the data subject's particular situation, unless
      a) Processing is necessary for the performance of a task carried out for reasons of public interest.
Legitimate Processing Criteria
1. Consent
2. Contractual necessity
3. Legal obligation, vital interests, and public interest
4. Legitimate interests
5. Special categories of processing
6. Processing of personal data relating to criminal convictions and offences
When are data protection officers mandatory?
1. Controllers and processors must appoint a DPO if:
   a. They are a public authority; or
   b. Their core activities include:
      i. "regular and systematic monitoring" of data subjects "on a large scale"; or
      ii. "large scale" processing of Sensitive Data or criminal records; or
   c. They are required to do so by local law
2. DPOs must be selected by reference to their professional qualities and expert knowledge
3. Groups of companies can appoint a single DPO
4. DPO can be a staff member or a hired contractor.
5. Must ensure that the DPO can operate independently and is not dismissed or penalized for doing their job.
Data Protection Principles
1. Fairness, lawfulness and transparency
2. Purpose limitation
3. Proportionality
4. Data quality
5. Accuracy
6. Storage limitation
7. Integrity and confidentiality
8. Accountability
Examples of technical and organizational security measures?
a) Pseudonymisation of personal data
b) Encryption of personal data
c) Ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services
d) Ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
e) A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing
What must be taken into account for appropriate technical and organization security measures?
a) State of the art
b) Costs of implementation
c) Nature, scope, context and purposes of processing
d) Risk of varying likelihood and severity for the rights and freedoms of natural persons
e) Risks presented by processing,
   1) in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.
iii. Adherence to an approved code of conduct or certification mechanism may be used to demonstrate compliance with the above requirements
iv. Controller and processor must take steps to ensure that any natural person acting under the authority of the controller/processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by EU or Member State law.
What must controllers do in the event of a data breach?
a) Notify the supervisory authority
   1) w/o undue delay; and
   2) Where feasible, not later than 72 hours after becoming aware
   3) *Exemption: if the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
b) Notify data subjects
   1) w/o undue delay
   2) *Exemptions:
      a) Breach is unlikely to result in a high risk to the rights and freedoms of data subjects;
      b) Appropriate technical and organizational protections were in place at the time of the incident (e.g. encryption); or
      c) Notification would involve disproportionate effort (instead, a public information campaign or similar measures should be used to inform individuals)
Breach Notification
a. "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed"
Consent
a. 'Consent' = freely given, specific, informed and unambiguous indication of the data subject's wishes, by a statement or clear affirmative action, signifying agreement to the processing of personal data relating to him/her. (Art. 4(11))
b. Controller must be able to demonstrate that the data subject has consented.
c. The request for consent must be clearly distinguishable from other matters (i.e., must be explicit), intelligible, easily accessible, and in clear and plain language.
d. Data subject has the right to withdraw consent at any time, and must be informed of this right prior to giving consent.
   i. Withdrawal will not affect the lawfulness of any processing that was based on the consent before it was withdrawn.
   ii. It must be as easy to withdraw consent as it was to give it.
e. Consent is less likely to be considered freely given if performance of a contract, including provision of a service, is made conditional on consent to processing that is not necessary for performance of the contract.
European Court of Human Rights (ECHR)
a. A body of the Council of Europe.
b. Enforces the European Convention on Human Rights (ECHR).
DPO Tasks
a. Advising colleagues
b. Monitoring their organization's compliance w/ GDPR and other privacy laws.
c. Training
d. Raising awareness
e. Running audits
f. Advising on DPIAs/PIAs
g. Co-operating w/ supervisory authorities
Privacy Notices
a. All of the information you're providing to people about how you are processing their data
b. May be oral, in writing, through signage, or electronic
Countries outside of EU with adequate protection
a. Andorra
b. Argentina
c. Canada
d. Faeroe Islands
e. Guernsey
f. Israel
g. Isle of Man
h. Jersey
i. New Zealand
Binding corporate rules
a. Another method of proof of adequate data protection for transfers of EU personal data from the EU to a non-adequate jurisdiction.
b. Used by multinational corporations, international organizations and groups of companies to make intra-organizational transfers of personal data across borders in compliance w/ EU data protection law.
c. Favored by the GDPR b/c of their flexibility and lower administrative burden once implemented.
Personal Data
a. Any information relating to an identified or identifiable natural person ('data subject')
   i. "identifiable natural person" is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an ID number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Whistleblowing systems
a. Basically, for whistleblowing to work properly, data subject rights have to be adjusted slightly (e.g., the accused does not have a right to access information on the whistleblower)
b. WP29 Opinion 117
   i. There must be a legal basis for whistleblowing schemes
   ii. Principles of data quality and proportionality
      a. Limiting the number of persons entitled to report
      b. Limiting the number of persons who may be incriminated
      c. Problems of anonymous reporting
      d. Clearly defining the type of information to be disclosed through the system
      e. Whistleblowing data should be promptly deleted after completion of the investigation
   iii. Require clear and complete information
   iv. Rights of the incriminated person
      a. The reported employee has the right to be informed
      b. Rights of access, rectification and erasure: the person accused shall not be allowed to obtain information on the whistleblower
Council of the European Union ("the Council")
a. Can adopt EU laws together w/ Parliament upon proposal of the Commission
b. Made up of government ministers from each EU member state
CoE Convention 108 (1981)
a. CoE Convention 108
   i. The 1st (and only) international legally binding instrument to specifically address data protection.
   ii. Protects individuals from abuse
   iii. Regulates trans-border flow of personal data
When are controller and processor liable for penalties
a. Controller is liable for damage caused by processing "which infringes" the GDPR
b. Processor is liable
   i. "only where it has not complied with the obligations of the GDPR specifically directed to processors or
   ii. where it has acted outside or contrary to lawful instructions of the controller."
      a. i.e., must show that the processor violated one of their specific legal duties or contractual obligations.
c. When non-compliance is established, the burden shifts to the controller/processor to prove it is not responsible for the damage in any way.
Codes of conduct and certifications
a. Controllers may demonstrate GDPR compliance by adhering to codes of conduct and/or certifications that were approved by DPAs in the relevant member states.
b. May also be used as a mechanism for transferring personal data to third countries.
c. GDPR encourages controllers to adopt codes of conduct approved by member states, supervisory authorities, the EDPB, or the Commission.
Data subject rights for GDPR violation
a. Data subject has the right to lodge a complaint w/ a supervisory authority
b. Data subject has the right to an effective judicial remedy against a supervisory authority
c. Data subject has the right to an effective judicial remedy against a controller/processor
d. Public interest bodies will be set up for representing data subjects and lodging complaints on their behalf.
Data subject compensation for GDPR infringement
a. Data subjects can seek monetary damages in court from
   i. Controllers who violate their rights; and
   ii. Processors if they:
      a. Are liable for a data breach,
      b. Violate the processor-specific provisions of the GDPR, or
      c. Act outside a controller's lawful instructions.
European Parliament
a. Directly elected parliament of the EU.
b. Together w/ the Council of the European Union and the European Commission, makes up the legislative branch of the EU.
c. 751 members
Employer storage of personnel records
a. Employer must implement appropriate technical and organizational measures to guarantee the security of employees' personal data.
b. If a data processor is used, there must be a contract between the employer and the third party providing for security guarantees and ensuring the processor acts only on the employer's instructions.
Article 29 Working Party (WP29)
a. Evolving into the EDPB under GDPR
b. Originally established by the Directive.
   i. Currently consists of representatives from EU Member State supervisory authorities (DPAs), the Commission and the EDPS.
   ii. Will become part of the EDPB, which will take over WP29 duties in an expanded role.
Workplace monitoring and data loss prevention
a. GDPR applies broadly to processing of all "personal data," which is defined to mean "any information related to an identified or identifiable natural person."
   i. Employers can lawfully "process" employee data ONLY IF the GDPR specifically permits the processing.
      a. The GDPR defines processing to cover any operation during the course of the information life cycle, from initial collection to final destruction, and includes cross-border data transfers. [see Art 4(2)]
      b. THEREFORE, it is CRITICAL to identify the permissible purpose for processing each category of employee data.
b. Member States MAY establish (either by law or collective agreement) more specific rules w/ respect to processing employee personal data (from recruitment to termination).
   i. Includes the ability to implement rules setting out when consent may be deemed valid in an employment relationship
      a. Such rules MUST include specific measures to safeguard the data subject's "dignity, legitimate interests and fundamental rights"
         i. Transparency of processing, intragroup transfers and monitoring systems are all areas where specific regard for these issues is required.
   ii. Member States MUST notify the Commission of any laws introduced under Art 88 by the time the GDPR enters into force, and MUST also notify it of any amendments.
Where does GDPR processing of personal data apply if establishment is outside of EU/EEA?
a. GDPR applies to processing of personal data of data subjects who are in the EU/EEA by a controller or processor not established in the EU/EEA, where the processing activities are related to:
   i. The offering of goods or services, irrespective of whether a payment by the data subject is required, to such data subjects in the EU/EEA; or
   ii. The monitoring of their behavior as far as their behavior takes place within the EU/EEA.
b. GDPR applies to the processing of personal data by a controller not established in the EU/EEA, but in a place where Member State law applies by virtue of public international law.
Controller best practices when engaging a processor
a. High duty of care on controllers when selecting processors (and when processors select sub-processors)
b. Must use only processors that provide sufficient guarantees of their ability to implement the technical and organizational measures necessary to meet the GDPR's requirements.
c. Controllers should consider carrying out a DPIA prior to selecting a processor, particularly when the parties are handling sensitive personal data.
d. If using a particular processor may involve high risk to personal data, the controller should consult with the relevant DPA first before engaging the processor.
Council of Europe (1949)
a. International organization (distinct from the EU) focused on protecting human rights, democracy and the rule of law in Europe and promoting European culture.
b. 47 member states
c. No country has ever joined the EU w/o first belonging to the Council of Europe.
Derogations
a. Member States may introduce derogations to data protection law in certain situations.
   i. For example, derogations from transparency obligations and data subject rights, but only where the measure respects the essence of fundamental rights and freedoms and is necessary and proportionate in a democratic society.
Vendor management best practices
a. Once a processor is selected, the relationship should be governed by contract.
   i. Contract should describe the tasks/responsibilities of the processor
      a) How and when data will be returned/deleted after processing
      b) Details of the processing (e.g., subject matter, duration, nature, purpose, type of data, categories of data subjects)
   ii. May choose to use standard contractual clauses adopted by the Commission.
b. Vendor agreements will need to be reassessed to ensure compliance w/ GDPR.
c. Processors have additional duties under GDPR and have enhanced liability for non-compliance or for acting outside the authority granted by the controller.
d. Controller is liable for the actions of processors and responsible for compliance w/ GDPR personal data processing principles.
   i. If a processor acts as a controller or outside the scope of authority granted by the controller, the GDPR treats the processor as a controller for the relevant processing and the processor becomes subject to the provisions regarding controllers.
Sensitive Personal Data
a. Personal data revealing:
   i. racial or ethnic origin,
   ii. political opinions,
   iii. religious or philosophical beliefs, or
   iv. trade union membership, and
b. the processing of:
   i. genetic data,
   ii. biometric data,
   iii. health data
   iv. data concerning a natural person's sex life or sexual orientation
c. shall be prohibited, except in certain cases [see Art 9(2)]
The EU Data Protection Directive (95/46/EC)
a. Principal EU legal instrument on data protection (for now, until GDPR)
b. Adopted 1995
c. Aimed to harmonize data protection law at national level
d. Sets a floor for data protection law
e. Seeks to give substance to and expand the principles in Convention 108
f. Extends beyond the EU, including non-member states that are part of the EEA
g. CJEU has jurisdiction to determine whether a Member State has fulfilled its obligations under the Directive
Legal obligation, vital interests and public interest
a. Processing is necessary for compliance with a legal obligation to which the controller is subject
b. Processing is necessary to protect the vital interests of the data subject or of another natural person
   i. Vital interest = concerning a person's health/safety
c. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
   i. Public interest = not limited to official government authorities
Legal basis for processing of employee data
a. Processing is necessary for the performance of a contract to which the data subject is a party
   i. e.g., employer paying its employees
b. Processing is necessary for compliance with a legal obligation
   i. e.g., employer under a legal obligation to disclose personal data of its employees to tax authorities
c. Processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject
   i. i.e., a balancing of the interests of employer and employee
d. Processing is necessary in order to protect the vital interests of the data subject
   i. e.g., in the context of ensuring employee safety
e. Processing is necessary for the performance of a task carried out in the public interest
   i. e.g., unlikely in the employment context
f. Consent. If none of the above are applicable, the employer can obtain the employee's unambiguous consent to the processing.
   i. However, consent in the employment context should be limited to situations where the employee has a GENUINE FREE CHOICE and is subsequently able to withdraw the consent without detriment. I.e., the employment relationship is unbalanced; the employee will feel pressure to consent.
Legitimate interests
a. Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject
   i. Does not apply to processing carried out by public authorities in the performance of their tasks.
Special categories of processing
a. Processing of personal data revealing
   i. Racial or ethnic origin,
   ii. Political opinions,
   iii. Religious or philosophical beliefs, or
   iv. Trade union membership; and
b. Processing of:
   i. Genetic data,
   ii. Biometric data for the purpose of uniquely identifying a person,
   iii. Data concerning health, or
   iv. Data concerning a natural person's sex life or sexual orientation
c. Member States may maintain or introduce further conditions/limitations w/ regard to processing of genetic data, biometric data or data concerning health
DSAR: Erasure and the right to be forgotten
a. Right to have personal data erased w/o undue delay where:
   i. Personal data is no longer necessary in relation to the purposes for which they were collected/processed
   ii. Data subject withdraws consent and there is no other legal ground for processing
   iii. Data subject objects to processing and there are no overriding legitimate grounds for processing
   iv. Personal data have been unlawfully processed
   v. Personal data must be erased to comply w/ a legal obligation in EU or Member State law
   vi. Personal data have been collected in relation to the offer of information society services
b. If the Controller has already made the personal data public and is obligated to erase the personal data, it must take reasonable steps, including technical measures, to inform other entities processing the data that the data subject has requested erasure, taking into account available technology and costs of implementation.
c. Exceptions where processing is necessary for
   i. Exercising the right of freedom of expression and information
   ii. Compliance w/ a legal obligation
   iii. Performance of a task carried out in the public interest
   iv. Exercise of official authority vested in the controller
   v. Reasons of public interest in the area of public health
   vi. Archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes
   vii. Establishment, exercise or defense of legal claims.
DSAR: Access
a. Right to obtain confirmation as to whether or not their personal data is being processed
b. Right to the following information:
   i. Purposes of the processing
   ii. Categories of personal data concerned
   iii. Recipients or categories of recipients to whom data has been/will be disclosed
   iv. Retention periods
   v. Right of rectification
   vi. Right of erasure
   vii. Right to restrict processing
   viii. Right to lodge a complaint w/ a supervisory authority
   ix. Source of data (if not the data subject)
   x. Existence of automated decision-making (e.g. profiling) and the logic involved, significance and potential consequences
c. Right to be informed of appropriate safeguards relating to transfer of data to a 3rd country or international org
d. Right to a copy of the personal data undergoing processing in a commonly used electronic form
e. Right to obtain a copy shall not adversely affect the rights and freedoms of others
Cookies under GDPR
a. Small text files sent automatically by many websites to the terminal equipment of the users of those websites.
   i. Enables organizations to personalize websites based on users' browsing habits and deliver online advertising to individuals based on their preferences
b. ePrivacy Directive requires that the user provide consent before storing information in the terminal equipment of a user, unless:
   i. The technical storage or access is
      a. For the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
      b. Strictly necessary for provision of an information society service explicitly requested by the user
   ii. What constitutes valid consent under the Directive is/was not clearly defined; each EU Member State interpreted it differently.
      a. Many countries allowed implied (i.e. opt-out) consent
GDPR Violations and Fines
a. Supervisory authorities have discretion to assess fines that are "effective, proportionate and dissuasive."
   i. Can also issue reprimands in place of fines in cases of minor infringements where the fine would be disproportionate.
   ii. Fines are not compounded for multiple violations arising from the same incident; the total fine cannot exceed the fine for the gravest violation.
   iii. When fines are imposed on a natural person, as opposed to a corporation, their general income level and personal economic situation will inform the appropriate amount of the fine.
   iv. GDPR sets forth mitigating and aggravating factors
b. Two tiers of maximum fines, depending on whether the controller/processor committed any previous violations and the nature of the violation
   i. High: 4% of worldwide annual turnover or 20 million Euros, whichever is higher
   ii. Low: 2% of worldwide annual turnover or 10 million Euros, whichever is higher.
Role of the European Data Protection Supervisor (EDPS)
a. The EU's independent DPA (the head DPA)
b. Supervises personal data processing by European institutions and bodies.
c. Advises the Commission, Parliament and the Council on proposals for new legislation and other issues impacting data protection.
d. Will take part in the new EDPB
Online behavioral advertising under GDPR
a. The GDPR considers online identifiers used for behavioral advertising to be personal data.
b. This is called out as an example of "regular and systematic monitoring" and "profiling" by the WP29, thus triggering the requirement for a DPIA under the GDPR.
c. Many organizations that were outside the reach of EU data protection law will now be subject to the GDPR if they monitor the behavior of EU residents for advertising purposes.
What can have an effect on the fine amount by a SA?
a. The level of cooperation with regulators in reporting and responding to a violation can be a mitigating (or aggravating) factor when DPAs assess the amount of a fine. (Controllers should ensure that documentation is kept demonstrating their compliance with the GDPR's various requirements.)
Transparency principle (Art 12)
a. Transparent information, communication and modalities for the exercise of the rights of the data subject
b. Must provide notice to the data subject
   i. Concise, transparent, intelligible, easily accessible form, clear and plain language
   ii. In writing
c. Must facilitate the exercise of data subject rights
d. Must respond to data subject requests for information without undue delay, no later than one month.
   i. May be extended by two further months where necessary, taking into account the complexity and number of requests
e. Free of charge, unless the request is manifestly unfounded or excessive (e.g. b/c it's repetitive)
Interception of communications
a. Under the ePrivacy Directive, Member States are required to pass national legislation that ensures confidentiality of communications and related traffic data in public communications networks and publicly available eCommunications services.
   i. Supposed to prohibit listening, tapping, storage and other interception or surveillance of communications and related traffic data w/o consent, except when legally authorized.
Layered Notice
a. Usually starts with a short notice containing key information (e.g., identity of the organization, the way the personal information will be used, etc.)
b. May contain links that expand each section to its full version, or a single link to a second, longer notice with more detailed information
   i. This, in turn, may contain links to further information explaining specific issues (e.g., when information may be disclosed to law enforcement)
Risks of cloud computing
a. WP29: two major risks identified
   i. Lack of control over the data
   ii. Lack of transparency (insufficient information regarding the processing operation itself)
b. Cloud providers = processors
   i. Therefore, cloud providers will now be required to keep records of processing under Art. 30 of the GDPR.
Surveillance by public authorities
a. WP29 Opinion "The European Essential Guarantees"
   i. Processing should be based on clear, precise and accessible rules
   ii. Necessity and proportionality w/ regard to legitimate purposes need to be demonstrated.
   iii. An independent oversight mechanism should exist.
   iv. Effective remedies need to be available to the individual.
b. There's a national security exemption written into the European treaties that makes EU Member State surveillance programs not subject to EU law.
   i. However, European data protection principles found in the European Convention on Human Rights and Council of Europe Convention 108 still need to be respected and taken into account.
   ii. Many conventions still restrict how and what a government may do in terms of surveillance for national security reasons. Surveillance should be necessary and proportional and should respect the freedoms and rights of individuals.
Lisbon Treaty (2009)
i. Aimed to strengthen and improve the core structures of the EU to enable it to function more efficiently.
ii. Amended the two core EU treaties:
   a) Treaty on European Union (TEU)
   b) Treaty Establishing the European Community (renamed Treaty on the Functioning of the European Union, or TFEU)
iii. Promoted the Charter of Fundamental Rights and requires countries wishing to join the EU to respect its core values; this was not previously required.
Data protection impact assessment triggers
i. Automated processing for purposes of profiling
   a. Using data to analyze or predict a person's work performance, economic situation, health status, personal preferences, interests, reliability, behavior, location, movements.
   b. Automated loan approvals
   c. Behavioral advertising
ii. Processing on a large scale of special categories of data
   a. Special categories: data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning a person's sex life or sexual orientation.
   b. There's no precise number for "large scale"
iii. Data relating to criminal convictions and offences;
iv. Systematic monitoring of a publicly accessible area on a large scale.
   a. seems to focus around big data, new
The EU Directive on Privacy and Electronic Communications (2002/58/EC) (e-Privacy Directive)
i. Complements the Data Protection Directive
ii. Addresses requirements of new digital technologies and eases the advance of electronic communications services
iii. Security obligations
iv. Duty to inform subscribers of risk (virus, malware, etc.)
v. Confidentiality
vi. Member States should prohibit wire-tapping, interception, surveillance, etc. of communications
b. Unsolicited e-mail and other messages
   i. Use of email addresses for marketing purposes is prohibited
   ii. Opt-in only for unsolicited emails
c. Cookies
   i. Exempts cookies that are "strictly necessary for the delivery of a service requested by the user" (e.g., shopping cart cookies)
   ii. Cookies allowed only if the user:
      a) is provided notice about the purpose, storage and access to the cookie information; and
      b) Gives consent (opt-in only).
What are the contents of a breach notification to a supervisory authority?
i. Controller to supervisory authority:
   a) Describe the nature of the breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of data records concerned, etc.
EU Data Retention Directive (2006/24/EC)
i. Declared invalid in April 2014.
   a) In its absence, Member States may still provide their own data retention scheme, but they must still comply with the ePrivacy Directive, the EU Charter of Fundamental Rights and the CJEU ruling.
ii. Member States must store citizens' telecommunications data for a minimum of 6 months and a maximum of 24 months.
iii. Service providers are obligated to erase/anonymize traffic data processed when no longer needed, unless an exception applies
Cross border data transfers jurisdictional differences between EU and US
i. EU
   a. Privacy is a fundamental human right
   b. Processing must meet strict guidelines
   c. Broad omnibus comprehensive privacy laws
   d. Default rule is no processing of personal info unless the law says you can
ii. US
   a. People have some constitutional rights to privacy
   b. Privacy is largely a consumer protection issue
   c. Commercial use of personal information is generally acceptable
   d. Processing is limited by sectoral laws
   e. Default rule is you can process personal info unless the law says you can't
Controller accountability requirements
i. Ensure that processing activities are GDPR compliant.
ii. Implement appropriate technical and organizational measures to ensure and demonstrate compliance.
iii. Carry out DPIAs when processing is likely to result in a high risk to the rights and freedoms of natural persons
iv. Assure protection of data subject rights
v. Duties to the supervisory authority (e.g., breach notification, consultation prior to processing)
vi. Maintain detailed records of processing.
Universal Declaration of Human Rights (UDHR) 1948, Art. 12
i. First international legal instrument announcing a right to privacy ii. Catalyst for other human rights instruments in Europe. iii. Recognized universal values and traditions of "the inherent dignity and the equal and inalienable rights of all members of the human race in the foundation of freedom, justice, and peace in the world."
Council of Europe (CoE)
i. Formed after WWII to unite Europe and promote rule of law, democracy, human rights and social development.
Treaty No. 181
i. Improves upon Convention 108 a) Provides for setting up of national supervisory authorities responsible for ensuring compliance w/ data protection/trans-border data flow laws adopted in pursuance of the convention b) Data may only be transferred to third-countries if recipient State or international organization is able to afford adequate level of protection
Charter of Fundamental Rights of the European Union (2000)
i. Incorporated human rights protections (the original treaties of the European Communities did not contain any reference to human rights or their protection) ii. Became legally binding as EU primary law (Art 6(1) of TEU) when the Lisbon Treaty came into force in 2009. iii. Respect for private and family life (Art. 7) iv. Right to data protection (Art. 8)
Concerns on CCTV
i. Information on identified/identifiable persons being collected as they move through public places. ii. Individuals may expect a lesser degree of privacy while in public, but do not expect to lose their privacy rights and freedoms. iii. Rights of free movement of individuals who are lawfully within a State's territory. (ECHR) a. Freedom of movement is subject to restrictions where necessary and proportionate to the achievement of specific purposes. I.e., it's a balance.
European Convention on Human Rights (ECHR) 1950, Art. 8
i. International treaty to protect human rights and fundamental freedoms. ii. Protects wide scope of fundamental rights and freedoms
How are cookies affected when ePrivacy Regulation replaces ePrivacy Directive?
i. Makes it clear that consent must be opt-in before setting a cookie, unless it is strictly necessary to deliver the service requested by the user. ii. Users must be provided with cookie consent choices.
Employee monitoring under The Directive
i. Necessity -- the monitoring must be absolutely necessary for a specified purpose ii. Finality -- the data must be collected for a specified, explicit and legitimate purpose and not further processed in a way incompatible with those purposes iii. Transparency -- employer must be clear and open about monitoring activities a. Must provide notice to the employee b. Must notify supervisory authorities before processing c. Right of access iv. Legitimacy -- there must be a legitimate purpose as provided in the Directive v. Proportionality -- the personal data involved must be adequate, relevant and not excessive w/ regard to achieving the specified purpose. vi. Accuracy and Retention -- accurate data and appropriate retention periods vii. Security -- right of employer to protect its system against malware; may involve automated scanning of emails and network traffic.
Processor accountability requirements
i. Process data only as instructed by controllers; ii. Use appropriate technical and organizational measures to comply with the GDPR; iii. Delete or return data to the controller once processing is complete; and iv. Submit to specific conditions for engaging other processors. v. Maintain records of all categories of processing carried out on behalf of the controller. The records should contain: a. Contact info for processor(s) and controller(s); b. Categories of processing carried out for each controller; c. Information on cross-border transfers if applicable; and d. A general description of the implemented technical and organizational security measures.
When must a processor notify a controller of a data breach?
i. Processors must notify controller w/o undue delay after becoming aware
EU-U.S. Privacy Shield
i. Replaces Safe Harbor as adequacy framework for EU-US data transfer. ii. Allows for EU personal data to be transferred from EU to a company in the US, provided that the company self-certifies against the Privacy Shield's standards. iii. Adopted in July 2016
What should records of all categories of processing by processor contain?
i. The records should contain: a. Contact info for processor(s) and controller(s); b. Categories of processing carried out for each controller; c. Information on cross-border transfers if applicable; and d. A general description of the implemented technical and organizational security measures.
Safe Harbor
i. US companies could opt in and be certified if they adhered to seven principles and 15 FAQs per the Directive. ii. Allowed certified companies to transfer EU personal data from the EU to the U.S. iii. Snowden NSA leaks and Max Schrems litigation led to the invalidation of Safe Harbor--the CJEU found that Safe Harbor did not guarantee adequate protections for EU residents. iv. Developed between 1998-2000
Joint Controller accountability requirements
i. When "two or more controllers jointly determine the processing and means of processing." ii. Required to create an agreement outlining respective duties to comply w/ GDPR. a. Agreement must be available to data subjects b. May designate one point of contact for data subjects iii. Data subjects are entitled to enforce their rights against either controller. iv. Each joint controller is individually liable for compliance w/ GDPR.
Treaty of Rome (1957)
i. Established European Economic Area (EEA) ii. Adopted ECHR in 1950 a) International obligations b) All CoE member states have now incorporated or given effect to ECHR in their national law iii. EEA is all EU member states plus Iceland, Liechtenstein and Norway
What are the contents of a breach notification to data subjects?
ii. Describe in clear and plain language the nature of the breach and provide at least the following: b) Name and contact details of DPO or other contact point; c) The likely consequences of the breach; d) The measures taken or proposed to be taken by the controller to address the breach, including, where appropriate, to mitigate its possible adverse effects.
Which of the following are categories under which a data subject may object to processing his or her personal data?
- Direct marketing - Public interest or legitimate interest - Research or statistical purposes
Select all that are potential solutions to lengthy privacy notices
- Standardized icons - Layered privacy notices - Just in time notices
Which of the following are circumstances that require an organization to appoint a DPO. Select all that apply
- The core activities of the controller or processor consist of large scale processing of special categories of data - The controller is a public authority - The core activities of the controller or processor include regular systematic monitoring of data subjects on a large scale
The right of access grants DS access to which of the following types of information?
- The purpose of the processing - Retention periods - Locations where data is being processed
Which of the following statements are true of private sector entities that conduct surveillance?
- The surveillance they conduct must be based on legitimate purposes - The surveillance they conduct must comply with national laws
The e-Privacy Directive governs the processing of which types of data?
- Traffic - Location - Content
How many legitimate processing criteria should be met within GDPR for personal data to be processed legally?
1 of 6 conditions must be met in order to be considered lawful.
How many active participants will the European Data Protection Board have?
28 (one representative from each EU member state)
True or false: A processor is responsible for implementing appropriate technical and organizational measures to keep personal data secure
A: True
• Prior opt-in Consent or previous customer purchase
Age of child consent
Anonymous Data
'Anonymous data' means information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
What is data processing?
Any action performed on data (not just collection)
Right to privacy must...
Be balanced with other rights and freedoms
Safeguard under 'Article 42'? - keyword is "NEW" to GDPR
Certifications
Which of the following mechanisms facilitates a specific collaborative process between supervisory authorities, the Commission and the European Data Protection Board for adopting certain measures and ensuring consistent GDPR Application
Consistency Mechanism
Which legitimate processing criteria is commonly used when a customer purchases a good or service?
Contract
What information must be provided to data subjects when the controller's necessity is being used as legal basis for processing:
Controller's legitimate interest
Which of the following data protection milestones is a treaty among member states of Council of Europe
Convention 108
What did ePrivacy make happen in 2009? - not sure on this, verify.
Cookies opt-in
Which European institution is composed of 47 member states?
Council of Europe
What is the function of the four-step test?
Determine if it qualifies as personal data
Which of the following is not a data protection consideration associated with collecting personal data via CCTV
Duration of the video
Who can propose new laws in EU?
EU Commission
Who can approve adequate countries?
EU Commission - has the ability to update, grant, and remove adequacy status of a country
What is the main purpose of the DPO
Ensure compliance with local and EU Data Protection Law
Which of the following statements is true regarding direct marketing channels?
For email and text, opt-in is required (not required for postal marketing or telemarketing)
Where does GDPR processing of personal data apply if establishment is in EU/EEA?
GDPR applies to processing of personal data in the context of controller or processor activities in the EU/EEA, regardless of whether the processing takes place in the EU/EEA or not
What is true about Pseudonymisation?
Gives controllers a bit more leeway on if/how they can process data besides purpose of initial collection and processing.
Why was the data retention directive invalidated in 2014
It impacts everyone without exception (their privacy rights)
What characteristic describes the Court of Justice of the EU?
Makes decisions on issue of EU law
Which of the following mechanisms facilitates between supervisory authorities?
Mutual Assistance
What is REQUIRED for a company to market to EU consumer via email?
Prior opt-in Consent or previous customer purchase
Which of the following must be included in controllers' personal data processing records but not in processors' records
Purpose of processing
Which of the following data subject rights provides data subjects with entitlements to certain information, obtainable from the controller upon request?
Right of access
Right to be forgotten is part of what data subject right?
Right to erasure
Employee requesting information from employer?
They have to comply unless there's an exemption (option 4)
True or false: Alternatives to employee monitoring should always be considered first
True
True or false: Both controllers and processors have accountability obligations under the GDPR
True
True or false: Criteria for derogations are strict and should be interpreted narrowly
True
True or false: Data protection by design begins prior to processing and incorporates data protection considerations into the planning phase
True
True or false: Pseudonymous data is protected by the GDPR
True
True or false: The GDPR requires a data protection policy to be used where proportionate in relation to processing activities
True
Timeline for data subject notice of breach?
Without undue delay (only if it results in a HIGH risk to the rights and freedoms of natural persons)
Timeline for a Processor to notify controller of a breach?
Without undue delay after becoming aware of it (*the 72 hour timeline only refers to Controllers to Supervisory Authority*)
Are IP addresses considered personal data under the GDPR?
Yes
Contractual Necessity
a. Processing is necessary for the performance of a contract to which the data subject is party; or b. In order to take steps at the request of the data subject prior to entering into a contract.
DSAR: Rectification
a. Right to have inaccurate personal data corrected. b. Right to have incomplete personal data completed
Direct marketing under GDPR
a. Under GDPR, data subjects may object to processing for direct marketing, as well as to "profiling to the extent that it is related to . . . direct marketing"
The European Data Protection Board
a. Will consist of heads of national supervisory authorities (or their representatives), the EDPS, and the WP29. b. An evolution of the WP29 i. Not merely an advisory committee ii. Will be an independent body of the EU iii. Primary role: contribute to the consistent application of the GDPR throughout the EU. It will: a. Advise the Commission on the level of protection offered by third countries or international organizations b. Promote cooperation between national supervisory authorities c. Issue guidelines, recommendations and statements of best practice (e.g., when a data breach is "likely to result in a high risk to the rights and freedoms of individuals") d. Encourage Codes of Conduct and Certification e. Conciliate and determine disputes between national supervisory authorities. iv. EDPB's views will have greater force and effect than WP29's did.
What 7 EU institutions were established by the Lisbon Treaty?
d. Establishes 7 EU institutions i. European Parliament (> 700 members) - Legislative ii. European Council (28 heads of member states) iii. Council of the EU (groups of 28 ministers by theme) = Legislative iv. European Commission (28 commissioners and 23,000 civil servants) v. The Court of Justice of the EU (CJEU) vi. European Central Bank vii. Court of Auditors
Which of the following data protection milestones applies to public electronic communications services and networks
e-Privacy Directive
Concerns with Search Engine Marketing under GDPR
i. Ads containing external applications can often affect users' browser settings, or show pop-ups; spyware concerns. ii. Third-party cookies may compromise user's privacy/anonymity; can enable advertisers to trace browser address.
Breach Notification: Internal Register contents
i. Controller must document each incident "comprising the facts relating to the personal data breach, its effects and the remedial action taken."
Which of the following are appropriate safeguards for cross-border data transfers?
- Binding Corporate Rules - Standard Contractual Clauses - Approved codes of conduct or certification mechanisms
What information must be provided to data subjects in all circumstances?
- Data subject's right - Purpose of processing - Identity of controller
Which types of laws should be considered when processing employees' personal data?
- EU data protection law - Member state data protection laws - Local employment law
What are the main values of a data protection impact assessment (DPIA)
- Incorporating data protection considerations into organizational planning - Demonstrating compliance to supervisory authority
Which of the following are methods listed by the GDPR for restricting processing of personal data?
- Moving the data to separate system - Temporarily blocking a website - Noting the restriction in the system
What is included in processor contract?
- Nature and purpose of processing - Types of personal data - Categories of data subjects - Subject matter and duration of processing
___ must be included in a processor contract
- Nature and purpose of the processing - Type of personal data - Categories of data subjects - Subject matter and duration of the processing
Which of the following should be considered for a holistic approach to data security?
- Policy framework - Information technology - Incident detection and response - Management/worker buy-in - Physical environment
Controller must notify DS of a personal data breach if the breach is likely to result in a high risk to right and freedoms of those individuals unless:
- Prior implementation of appropriate technical and organizational measures - Post-breach actions greatly reduce the risk - Individual notice requires disproportionate effort
What are the criteria used to determine the territorial scope of the GDPR?
- Processing of personal data when a controller or processor is established in EU - Processing of personal data of EU subjects relating to offering goods or services or monitoring behavior - Processing of personal data by a controller not established in the EU but in a place where member state law applies
Which of the following are EU-US Privacy Shield requirements?
- Publicize the commitment to the US Department of Commerce to adhere to the Privacy Shield Principles - Publicly disclose the organization's privacy policy - Implement the Privacy Shield Principles
Which appropriate safeguards allow large multinational companies to adopt a policy suite with rules for handling personal data?
- Binding Corporate Rules
Cross Border Data Transfer Adequate Guidelines
1. Safe jurisdictions 2. EU-US Privacy Shield 3. Model contracts 4. Binding Corporate Rules 5. Codes of conduct and certifications 6. Derogations
True or false: Processor may process personal data only on documented instructions from the controller
A: True
What best defines GDPR?
Comprehensive
What information DOES NOT need to be provided (gives you a list)? Processor has a breach - what don't they need to include in their breach report?
Link to DPIA
What US act requires companies to have a system in place to receive anonymous complaints about potential wrongdoings?
Sarbanes-Oxley Act (SOX)
True or false: Some employers may be required to consult with works councils and/or trade unions to process employee personal data
True
European Court of Justice (ECJ)
a. Part of CJEU b. Highest court in EU c. 1 judge per member state (28) i. Normally hears cases in panels of 3, 5 or 15 judges d. Interprets EU law and ensures equal application across all EU member states
European Commission
a. Proposes legislation b. Implements decisions c. Upholds EU treaties d. Enforces EU law w/CJEU e. Represents EU internationally f. Manages day-to-day EU business g. 28 members (commissioners)
DSAR: Automated decision-making, including profiling
a. Right not to be subject to decisions based solely on automated processing (including profiling), unless the decision: i. is necessary for entering into/performance of a contract between data subject and controller; or ii. Is authorized by EU or Member State law and lays down suitable measures to safeguard the data subject's rights, freedoms and legitimate interests; or iii. Is based on the data subject's explicit consent b. Decisions may not be based on special categories of personal data c. 'Profiling' = automated processing to evaluate/analyze/predict certain aspects concerning data subject's work performance, economic situation, health, personal preferences, interest, reliability, behavior, location or movement. (e.g. online credit decisions, e-recruiting, etc.)
DSAR: Data Portability
a. Right to receive a copy of their personal data in a structured, commonly used and machine-readable format and to transmit it to another controller, where technically feasible, where i. Processing is based on consent or contract; and ii. Processing is carried out by automated means
Treaty of Maastricht (1992)
i. Established the EU
Treaty on European Union (TEU) (2007)
i. Forms the basis of EU law
Data Subject Access Rights
1. Access 2. Rectification 3. Erasure and the right to be forgotten 4. Restriction and Objection 5. Automated decision making (including profiling) 6. Data portability
Which of the following fall under the material scope of the GDPR?
1. Processing personal data wholly or partly by automated means. 2. Personal data that forms part of a filing system.
What is profiling?
A form of automated decision making
What order should cross border data transfers be decided?
Adequacy Decisions --> Appropriate Safeguards --> Derogations
Which of the following options for cross border data transfers is a determination by the European Commission that a third country has achieved an EU-level of personal data protection
Adequacy decisions
What is Forum Shopping?
Choosing to place your Headquarters or Main Establishment in a State with more relaxed Privacy laws
_____ is/are a key part of the equation when assessing risk
Expected loss
True or False: The most cutting edge technology always is the best choice for security?
False
True or false: A contract protects a processor from being held to same legal obligations as controller
False
True or false: A controller may charge an admin fee to data subject if they request that the information provision be in oral format
False
True or false: Anonymizing personal data is always possible
False
True or false: Exclusions to material scope of GDPR should be interpreted broadly
False
True or false: Personal data either belongs to special categories or does not. There is no grey area
False
True or false: The GDPR requires controllers to always consult the supervisory authority following a DPIA and before processing of personal data
False
True or false: Under the GDPR, web cookies qualify as personal data but IP addresses do not.
False
True or false: The e-Privacy Directive governs the processing of data through both private and public carriers and communication networks
False - The e-Privacy Directive concerns only public carriers and communications networks
True or false: The transparency principle states that detail is more important than conciseness in a privacy notice
False - conciseness is more important
What characteristic describes the European Commission?
Has the power to propose legislation
Company X contracts company Y to process. Company Y has a breach, what is its first priority?
Inform company X immediately
If the data for DS is collected via indirect means what is the controller's primary obligation?
Inform the Data Subject about it.
What do GDPR and Convention 108 have in common?
International Data Transfers
What is NOT needed in the records of processing activities?
Links to DPIA not needed
What characteristic describes the Council of EU?
Main decision-making body of the EU
What infraction can lead to the 2 tier fine of 2% or 10M?
Not implementing the technical organizational measures
What must be provided to employees when processing their personal data
Notice that their personal data will be processed
When would consent NOT be needed from a child?
Providing counselling services
What characteristic describes the European Parliament?
Responsible for legislative development, supervisory oversight of other institutions, and development of budget
What characteristic describes the European Council?
Sets overall political agenda of EU
What information must be provided to data subjects when the personal data that will be processed was collected indirectly?
Source of data
What info needs to be provided to a data subject if their data is collected indirectly?
Source of the data
Who does the GDPR task with promoting, monitoring, and enforcing the GDPR?
Supervisory Authorities
The Universal Declaration of Human Rights is a product of which institution
The United Nations
A controller must notify the SA of a personal data breach if _____
The breach is likely to result in a risk to the rights and freedoms of natural persons (not just high risk for SA)
Pseudonymous Data
The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
What will an employer do with employee data once they are terminated?
They will keep data legally required to keep
Where would full version of the privacy notice be located in a layered notice?
Third layer
What was the goal of the original EU DP Directive 95/46?
To further reconcile the protection of fundamental rights with the free flow of data from one member state to another
Privacy notices should use visualization where appropriate
True
True or false: The data protection officer must be an expert in data protection law practices
True
True or false: Under the GDPR, individuals have the absolute right to object to any form of direct marketing at any time
True
True or false: When personal data is processed, there is always a controller
True
When is DPIA needed?
Type of processing is "likely to result in a high risk to the rights and freedoms of natural persons"
What are exemptions for controllers not being required to notify a Supervisory Authority of a data breach?
a) Breach is unlikely to result in a high risk for the rights and freedoms of data subjects; b) Appropriate technical and organizational protections were in place at the time of the incident (e.g. encryption); or c) Notification would involve disproportionate efforts (instead, a public information campaign or similar measures should be used to inform individuals)
Processing of special categories exceptions
a) Explicit consent of data subject b) Processing is necessary for purposes of carrying out obligations and exercising specific rights c) Processing is necessary to protect vital interest of data subject or another person d) Processing is carried out in course of legitimate activities with appropriate safeguards e) Processing relates to personal data that was already made public by data subject f) Processing is necessary for establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity g) Processing is necessary for reasons of substantial public interest h) Processing is necessary for purposes of preventive or occupational medicine i) Processing is necessary for reasons of public interest in the area of public health j) Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
The EU Directive on Electronic Commerce (2000/31/EC) (e-Commerce Directive)
a. Addresses legal aspects of e-commerce.
Data protection by design and by default
a. Controllers are encouraged to implement these principles, where feasible. i. I.e., should design products w/ privacy in mind, rather than as an afterthought a. Privacy-protective settings should be the default in any product
European Council
a. Defines EU's overall political direction and priorities b. Comprises the heads of state/government of member states c. Includes President of European Council d. Includes President of European Commission
EU Works councils
a. Organized per country; each country has specific laws on works councils. b. A body of people representing a company's employees. c. Represents the employees when decisions are made concerning the employees. d. Before engaging in processing of employee data, employer should consult with works council.
Social networks under GDPR
a. Processing of personal data by a natural person as part of a "purely personal or household activity" falls outside the GDPR's scope -- this includes social networking and online activities undertaken for social and domestic purposes.
Model contracts
a. Standard contractual clauses that can be used as proof of adequate data protection for transfers of EU personal data from the EU to a non-adequate jurisdiction. Developed by the Commission and the Article 29 Working Party. b. Controller-to-controller transfers (2 sets of clauses to choose from) c. Controller-to-processor transfers (1 set to choose from)
Supervisory authorities and their powers
a. Supervisory authority = DPA b. Each Member State must have its own supervisory authority. c. Each controller/processor will be subject to the authority of a single "lead supervisory authority" in the Member State where it has its "main establishment." d. Hears complaints from data subjects. e. Pursues data protection law violations/infringements
EU Data Protection Directive (95/46/EC) (1995)
i. Aimed to further reconcile the individual data protection rights with free flow of data between member states. ii. Will be replaced by GDPR, May 28, 2018
Convention 108 (1981)
i. Convention for the protection of individuals w/ regard to automatic processing of personal data a) Applies to all data processing carried out by both private/public sector b) Protects individual from abuse c) Regulates trans-border data flow d) Includes FIPPs e) Outlaws processing of sensitive data without proper legal safeguards f) Data subject rights ii. The only legally binding international instrument in the data protection field. iii. Ratified by ALL EU Member States
Subcontractor accountability requirements
i. Processors are prohibited from enlisting another processor (sub-processor) w/o controller's written permission. ii. Controllers retain the right to object to the addition/replacement of processors iii. Sub-processors are subject to the same requirements under GDPR and are bound by any contracts w/ the controller.
When is a DPO required?
• The core activities include regular and systematic monitoring on a large scale • NOTE: Remember the 3 criteria: o Public Authority o Regular and Systematic Monitoring on Large Scale o Large Scale processing of special categories of data
What's needed for a processor to engage a sub-processor?
• Written confirmation from controller and assurance that processor is up to technical and organizational measures
Which criteria are used to identify personal data?
○ any information ○ relating to ○ an identified or identifiable ○ natural person