CIPP/E Part II: European Data Protection Law and Regulation
GDPR Article 5
Principles relating to the processing of personal data
GDPR Article 9
Processing of special categories of personal data is prohibited. However, there are a number of exceptions to the prohibition.
Incident detection and response
Regular testing of technical and organisational measures assesses and evaluates their effectiveness. This also helps to ensure the ability to restore availability and access to personal data in a timely manner if it is lost
GDPR Article 15
Right of access by the data subject; provides data subjects with entitlements to certain information, obtainable from the controller upon request.
GDPR Article 17
Right to erasure; the right to be forgotten
GDPR Article 16
Right to rectification; the controller must rectify inaccurate personal data without undue delay - generally within 1 month.
GDPR Article 10
States that processing of such personal data 'shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects'. In addition, 'Any comprehensive register of criminal convictions shall be kept only under the control of official authority'.
True (a processor must have the controller's consent to engage any sub-processor; if allowed to, the same data protection obligations must be imposed on the sub-processor)
T/F: A processor shall not engage a sub-processor without the prior written authorization of the controller
True (if controllers plan to transfer personal data internationally, they must tell data subjects of the existence or absence of an adequacy decision)
T/F: Controllers are obligated to inform data subjects about data transfers
True (once data is being used for a new purpose controllers must notify data subjects of this and provide all relevant information)
T/F: Even if a controller obtained data from an indirect source, if the controller later wants to process the personal data for a different purpose, data subjects must be provided with all relevant information, including the new purpose, prior to processing.
True (It should be free of charge unless the request by the data subject is excessive)
T/F: Notice and access to personal data must be provided free of charge unless the data subject's request is unfounded or excessive?
True (The GDPR endorses the use of standardised icons within privacy notices to communicate required information)
T/F: Recital 60 of the GDPR endorses the use of standardised icons to communicate required information?
True (information must be easily accessible, and in intelligible clear and plain language)
T/F: When communicating to individuals about what is going to happen to their information, you must take context into account, and your message should be understood by the audience you are actually collecting and using data from (even if they are children).
GDPR Article 32
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk
Article 9 (1) of the GDPR
'Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited'
Article 4(8) of the GDPR
'processes personal data on behalf of the controller'. A processor's activities must be transparent to the controller, and any decisions that determine where personal data is processed or by whom must rely on approval from the controller.
Legitimate interests
(unless overridden by the interests, rights or freedoms of the data subject, in particular where the data subject is a child) This has often been used as a safety net in the absence of another lawful basis for processing personal data, and while it may still prove a more realistic option than consent, it should be used with caution.
Layered Privacy Notice
- Contains multiple layers of increasingly detailed notices
- Top: short notice with key elements
- Middle: condensed notice
- Bottom: full notice
Options for derogations
- Explicit consent of the data subject
- Necessary for the performance of a contract with the data subject
- Public interest recognised by EU or member state law only
- Establishment, exercise or defence of legal claims (covers international litigation scenarios)
- Protection of vital interests (designed for emergency situations)
- Transfer from a register of public information
- Legitimate interests of the controller (transfer must be non-repetitive and concern a limited number of individuals)
Direct Collection Requirements
- Identity and contact details of the controller and DPO
- Purpose and legal basis of processing
- Recipients
- Intention to transfer data to a third country or international organisation
- Legal basis for intended international transfers
- Legitimate interests of the controller (if used as the legal basis for collection)
- Storage period, or the criteria used to determine it
- Data subject rights
- Whether the provision of personal data is a statutory or contractual requirement
- Information about the use of automated decision-making
Reasons why information may not have to be provided to data subjects whose data was collected indirectly
- The data subject already has the information
- Providing the information is impossible or requires disproportionate effort
- National or EU laws require obtaining or disclosing the data and provide appropriate measures to protect individuals' interests
- National or EU laws require that the personal data remain secret
The Three Criteria of Territorial Scope
1. Processing of personal data when a controller or processor is established in the EU
2. Processing the personal data of data subjects in the EU relating to offering goods or services or monitoring behaviour in the EU
3. Processing of personal data by a controller not established in the EU but in a place where member state law applies by virtue of public international law
direct marketing, public interest/legitimate interest, research/statistical purposes
3 Valid reasons for the right to object
Public Interest
A controller may be required to process personal data in the public interest, and member state legislation may determine what tasks fall within the public interest. Examples include the administration of justice, tax collection, and research and statistical purposes, such as census.
Privacy Notice
A statement made to a data subject that describes how the organisation collects, uses, retains and discloses personal data (a.k.a. privacy statement, fair processing statement or privacy policy).
Management and Worker Buy-in
An organisation should foster a culture of risk awareness and respect for personal data throughout the entire employment lifecycle (from hiring and on-boarding through termination).
data processing
Any operation or set of operations which is performed on personal data
Reliance on international agreements
Appropriate safeguard where two countries may enter into an agreement between themselves to provide for the protection of personal data
Standard Contractual Clauses (SCCs)
Approved codes of conduct and certification mechanisms: Provisions within the GDPR encourage industries to create their own codes of conduct and certification mechanisms that will be reviewed by the European Data Protection Board. If approved, companies may adhere to them and be considered safe to receive transfers of personal data from the EU.
Personal Data
Article 4(1) of the GDPR defines it as 'Any information relating to an identified or identifiable natural person'
freely given, specific, informed, unambiguous
Consent must be?
Physical Environment (security)
Considerations may include sophisticated entry control systems, video surveillance, and lock-and-key and clean-desk policies.
integrity
Controls are in place to ensure data is accurate and complete
Resilience
Data is able to withstand and recover from errors or threats
availability
Data is accessible when needed for a business activity
Just in Time Notice
Delivered at or right before a user accepts a service or product, helping to facilitate meaningful choice. May also be given when previously collected data is to be used for a new purpose
Adware, web cookie, web beacon, digital fingerprint
Examples of behavioral profiling
Activities outside the scope of EU law, Law enforcement and public security, purely personal or household activities
Exclusions to the material scope of the GDPR
Exceptions to the prohibition of the processing of special data
Explicit consent; context of employment; vital interests of the individual; political, philosophical and religious purposes; made public by the data subject; legal claims; substantial public interest; medicine and social healthcare; public health; public archives, scientific or historical research, or statistical purposes
Confidentiality, Integrity, Availability, Resilience
Four Main Attributes of Security Controls
Within one month (or upon first communication with the data subject when personal data is used to communicate)
Within what period must information be provided to data subjects whose data was collected indirectly?
Protection of vital interests
If personal data must be processed to ensure an individual's survival, a controller may rely on vital interests for lawful processing. This basis for processing should only be used in an emergency situation and if no other option is available.
Appropriate safeguards
In the absence of an adequacy decision, these may be used to legally transfer data internationally; legal tools designed to ensure recipients of personal data who are outside the EEA are bound to continue to protect personal data to a European-like standard
confidentiality
Individuals, entities, systems or applications access data on a need-to-know basis
GDPR Article 13
Information to be provided where personal data are collected from the data subject. Notice is not required if data subjects already have the information (i.e. if personal data is collected from an indirect source).
Ad hoc contractual clauses
Must have supervisory authority authorization. They allow for individual tailoring to a company's needs. Provisions for such clauses may differ at the member state level
Reasons for Data Subjects to request erasure
- The personal data is no longer necessary for the purpose for which it was collected
- The processing is based on consent, and the data subject withdraws that consent
- The processing is based on the controller's legitimate interest, the data subject objects to the processing, and the controller is unable to demonstrate that its legitimate interest overrides the interests or the fundamental rights and freedoms of the data subject
- The processing is unlawful
- The personal data must be erased for compliance with EU or member state law
- Consent was given when the data subject was a child
GDPR Article 28
The controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject
Data Subject
The individual about whom information is being processed, such as the patient at a medical facility, the employee of a company or the customer of a retail store.
Adequacy decisions, appropriate safeguards, derogations
The landscape of international data transfers consists of?
Compliance with a legal obligation
This option is also meant to be interpreted narrowly. It applies to legal obligations required by EU and member state laws only. It does not include legal obligations of contracts or those of third countries (outside the EU)
GDPR Article 12
Transparent information, communication, and modalities for the exercise of the rights of the data subject. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally
lawfulness, fairness and transparency of processing, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, accountability
What are the GDPR processing principles?
consent, performance of a contract, compliance with a legal obligation, vital interests of the data subject, public interest/exercise of official authority of the controller, legitimate interest
What are the SIX lawful grounds for controllers to rely on to process personal data?
A country outside the EEA
What is a third-country?
When the data processing is based on the user's consent or on a contract and the data processing is carried out by automated means
When does the right to data portability apply?
Direct Collection
When the data collected comes from the data subject to whom the information relates
European Commission
Who determines adequacy?
supervisory authority and data subjects
Whom must a controller notify if a personal data breach occurs that is likely to result in a risk to the rights and freedoms of natural persons?
Controller
Whom must a processor notify if a personal data breach occurs?
Reasons to request restriction of data
accuracy of the data is contested by the data subject; processing is unlawful but the data subject prefers restriction over erasure; the controller no longer needs the personal data but the data subject needs it retained; the data subject objects to processing, pending the controller's verification of legitimate grounds
Right to data portability
allows data subjects to 'obtain and reuse "their" data for their own purposes and across different services'; allows the data subject to receive personal data concerning them that they provided to the controller. The data may be transferred directly to the data subject for storage on a private device, another controller or a trusted third party.
Supervisory Authority
an entity appointed to enforce privacy or data protection laws and regulations in a particular jurisdiction
Data Controller
an organization or individual that decides how and why personal data is processed
Data Processor
an organization or individual that processes information on behalf of the data controller
Profiling
automatic processing of personal data for the purpose of evaluating, analysing or predicting personal aspects of a natural person
Adequacy Decision
based on assessments of third-country laws; determinations that certain third countries adequately protect EU data because their laws have achieved a European level of protection; transferring personal data to these countries does not require additional safeguards
consent
common basis used to lawfully process personal data; however, under the GDPR, additional conditions must be met to use this option.
Right to Erasure
data subjects may, in some circumstances, request that their personal data be erased and, therefore, no longer processed.
GDPR Article 4(12)
defines a 'personal data breach' as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
GDPR Article 4(2)
defines processing as any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
Binding Corporate Rules (BCRs)
designed to allow large multinational companies to adopt a policy suite with rules for handling personal data that are binding on the company; If competent supervisory authorities sign off on rules, a company is considered free to transfer personal data within their organisation around the world
Article 4(7) of the GDPR
distinguishes the controller as the individual or body who, 'alone or jointly with others, determines the purposes and means of the processing of personal data', and this distinction leads to greater legal obligations
Integrity and confidentiality
ensuring personal data is secure
Example of Personal Data Elements
gender, age and date of birth, marital status, citizenship, languages spoken and veteran status; may relate to an individual's employment or association with an organization, such as physical addresses, phone numbers, email addresses, internal identification numbers, government-issued identification numbers and identity verification information.
GDPR Article 2
material scope; activities must fall within processing personal data wholly or partly by automated means; or processing, other than by automated means of personal data, that forms part of a filing system
Pseudonymous data
not fully anonymous data; It has undergone a process that has detached the aspects of the data attributed to a specific individual, similar to creating an alias for a person's name, yet the personal data is still retrievable; typically a security measure that makes the use of the data less risky; still subject to EU data protection laws
anonymous data
not related to an identified or an identifiable natural person. It has been rendered unidentifiable and, as such, is not protected by the GDPR.
indirect collection
personal data is obtained from an indirect source, such as the news media or public records
Personal Data Elements
pieces of data that happen to be personal information
Accuracy
processing complete and up-to-date personal data
performance of a contract
processing is necessary to perform the contract (and the data subject is a party to the contract) or if the data subject requests the processing in order to enter into a contract
Data minimisation
processing only personal data that is relevant and necessary for the purpose.
Accountability
processing personal data responsibly and demonstrating compliance with EU and member state data protection laws; ability to demonstrate that a data protection programme has been implemented and is run in compliance with the law
Automated Processing
prohibition on automated processing that applies to decisions that are based solely on automated processing without human intervention in a way that produces legal or similarly significant effects
Policy Framework
repository of all the organisation's rules for confidentiality and security. It contains security objectives and scope; security principles, standards and compliance requirements; and roles and responsibilities. The policy should be approved by management, communicated to all employees and relevant external parties, and reviewed periodically
Purpose limitation
requires collecting and processing personal data for the specified purpose only. To determine if personal data may be processed further, use a compatibility test to look for links between purposes, nature of the data, method of collection, consequences of secondary uses and safeguards.
Transparency obligation
requires data controllers to communicate with data subjects using an intelligible and easily accessible form, clear and plain language, and concise communication
Lawfulness, fairness and transparency of processing
requires honest practices, such as communicating openly with data subjects about personal data processing activities.
Storage limitation
retaining only personal data that is relevant and necessary for the purpose
GDPR Article 21
right to object to the processing of personal data; not absolute; only available if the grounds for data processing fall into one of three categories
GDPR Article 18
right to restriction; allows for personal data to continue being stored without being further processed
Information Technology
robust IT security measures; include protection mechanisms such as encryption, antivirus and antispam technology, firewalls, identity and access management, incident detection, data loss prevention, two-factor authentication, IP log management, and regular security code peer review
Special Categories of Data
sensitive because its processing has a more profound impact on individuals' privacy rights; it has a higher standard of protection; personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership; genetic or biometric data for the purpose of uniquely identifying a natural person; and data concerning health, sex life or sexual orientation
Derogation
should be used as a last resort for international transfers of data; is an exemption from the prohibition on transferring personal data outside the EEA; for limited circumstances and allow organisations to transfer personal data across borders under very specific conditions
GDPR Article 3
territorial scope; relies on 3 criteria, and meeting any one of them is enough for the GDPR to apply
Security Controls
the actual processes used to ensure the security of an information system, must function properly, and the system must provide prompt notification if a control fails
GDPR Article 22
the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects; strictest for decisions involving children
Restriction
the marking of stored personal data with the aim of limiting their processing in the future; provides an alternative to erasure in circumstances where storing personal data is legally required
GDPR Article 48
third-country court, tribunal or administrative authority orders for personal data may not be authorised, unless the request is made under the basis of EU or member state law, or through a mutual legal assistance treaty that is enforced in the EU