Ch. 14 - The GDPR and International Privacy Flashcards

1
Q

GDPR Fines

A

1) based on an organization’s revenue
2) rendering a substantial impact
3) regardless of its size.

2
Q

Territorial scope of GDPR

A

Territorial scope relies on three criteria as set out in Article 3 of the GDPR. Only one of these criteria must be met for the GDPR to be applicable.

1) Processing of personal data when a controller or processor is established in the EU (regardless of whether or not the actual processing takes place in the EU)
2) Processing of personal data of data subjects in the EU relating to offering goods or services or monitoring behavior (regardless of whether or not the controller or processor is established in the EU)
3) Processing of personal data by a controller not established in the EU but in a place where member state law applies

3
Q

Material scope of GDPR

A

Activities must also fall within the material scope of the GDPR, as set out in Article 2.

Activities include:
1) Processing personal data wholly or partly by automated means. This is any processing operation performed without or partly without human intervention. It should not be confused with automated decision-making, which has rigid restrictions under the GDPR.
2) The material scope also covers personal data that forms part of a filing system. This applies even if the processing is not conducted by automated means.

4
Q

GDPR processing definition

A

“any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”

5
Q

Consumer rights under GDPR

A

1) Notice/be informed
2) Withdraw consent
3) erasure of personal data (right to be forgotten)
4) access and correction
5) restriction of processing
6) Request a copy of their personal data
7) right to object to processing
8) Right not to have decisions based solely on automated decision making
9) Data portability

6
Q

Rights/obligations of orgs under GDPR

A
  1. Provide notice to process personal data
  2. Provide notification of breaches (sometimes)
  3. Conduct DPIAs (sometimes)
  4. Consult regulators before processing (sometimes)
  5. Follow rules for processing children’s data
  6. Implement data protection by design and by default
  7. Ensure compliance of data transfers
  8. Take responsibility for vendor processing
  9. Maintain appropriate data security
  10. Keep records and demonstrate compliance
  11. Appoint a DPO (sometimes)
7
Q

Rights/obligations of regulators under GDPR

A

1) Enforce penalties up to 20 million pounds or 4% of total revenue
2) Impose temporary processing bans

8
Q

Mechanisms that allow orgs to transfer personal data across borders - out of EU

A
  • Adequacy decisions - of a legal regime, or an agreement companies can sign on to (Privacy Shield was an adequacy agreement)
  • Ad hoc contracts - must receive prior supervisory approval, so not as helpful
  • Standard Contractual Clauses (SCCs), aka model clauses
  • Binding Corporate Rules (BCRs) - legally binding internal corporate privacy rules for transferring personal information within a corporate group; requires approval from a supervisory authority
  • Codes of conduct or self-certification mechanisms - like self-regulatory programs

9
Q

Privacy Shield Process

A

• Commit to the U.S. Department of Commerce to adhere to the Privacy Shield Principles
• Publicize that commitment
• Publicly disclose the organization’s privacy policy
• Implement the Principles
• And annually renew the certification, including the verification of ongoing compliance with the Principles.

10
Q

Privacy Shield Principles

A

• Notice
• Choice
• Accountability for onward transfers (to countries outside the European Economic Area) and vendor agreements - ensure PS compliance
• Security
• Data integrity and purpose limitation
• Access
• And recourse, enforcement and liability

Note: PS reviewed annually by EU and Dept of Commerce

11
Q

Privacy Shield: Notice and Choice Principle

A
Mandated information to data subjects:
• controller identity
• details regarding recourse
• ability to complain
• notice of the location of the Privacy Shield list

12
Q

Privacy Shield: Recourse Mechanism

A
  1. Complaint follows the internal process.
  2. If not resolved, then go to an independent dispute resolution provider - either appoint one or default to the European supervisory authority (must be the latter for HR data)
  3. If still not resolved, go to binding arbitration.

13
Q

Privacy Shield: Limits on Surveillance

A

US committed to no more bulk surveillance of individuals, unless for international crime or terrorism.

14
Q

GDPR Accountability

A
Article 24(1) of the GDPR mandates that the controller have a data protection program. It states the program should be risk based, taking into account "the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons."

In practice, this means:

  • Implementing data protection by design and data protection by default
  • Conducting data protection impact assessments
  • Maintaining data processing records
  • And possibly needing to appoint a data protection officer
15
Q

DPO role

A
  • Must have one if core activities involve processing personal data on a large scale, or consistently processing highly sensitive data or data relating to criminal convictions and offenses.

Art29WP recommends erring on the side of appointing a DPO.

Must be filled with someone “designated on the basis of professional qualities” with “expert knowledge of data protection law and practices”.

Tasks:

  1. Work with regulators to ensure compliance.
  2. Train staff on proper data-handling practices.
  3. Keep informed of changes in law and technology.
  4. Build, implement and manage privacy programs.

16
Q

Data Breach Notification to Supervisory Authority under GDPR

A
  • Without undue delay, and within 72 hours of becoming aware of it, if likely to result in risk to the rights and freedoms of natural persons.
  • Notification should include:
    - categories of affected data subjects
    - approximate number of data subjects and records impacted
    - categories of affected records
    - name/contact info of the DPO or other contact
    - description of likely consequences
    - measures taken or to be taken in response

(The breach should also be documented.)

17
Q

Notification of Breach to Data Subject under GDPR

A
  • Without undue delay and in clear and plain language, if likely to result in high risk to the rights and freedoms of the individuals.
  • Notification may not be required if:
    - prior safeguards were taken to render the data unintelligible
    - post-breach actions greatly mitigated the risk
    - notice would require disproportionate effort

(The supervisory authority may notify even if the org declines to.)

18
Q

Processor obligations

A
  • Support the controller in their compliance
  • Record-keeping requirements
  • Inform the controller of a data breach
19
Q

The processing of personal data is considered lawful only to the extent that which legal grounds are met?

A

Consent, contract performance, legal obligation, vital interest of individuals, public interest, legitimate interests.

CCLVPL

Cats courting lovely Venetian penguins. love!

20
Q

When is legitimate interest permitted as a lawful ground for the processing of personal data?

A

Where processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

21
Q

The GDPR expressly grants to member states the right to determine more specific legal requirements to ensure lawful and fair processing of personal data in specific processing situations. What are these situations?

A

Employer – employee relationships; allowing member states to define the age of minors; to protect genetic or biometric data; or for statistical, historical or scientific purposes.

22
Q

Do data controllers have a duty to inform for processing where the data subject is already aware and data was obtained directly from the data subject?

A

No

23
Q

Do data controllers have the obligation to provide information when personal data is collected from other sou

A

No, where:
- providing the information would involve a disproportionate effort or can be considered impossible;
- to protect the data subject’s legitimate interest, in which case the disclosure is expressly governed by the applicable law; and
- to preserve the confidentiality of the information, also regulated by the laws to which the data controller is subject.

24
Q

What does the data minimisation principle require in terms of concepts?

A

Necessity and proportionality.

25
Q

When collecting data for statistical or historical purposes what level of accuracy must Controllers maintain?

A

The controller only needs to maintain the personal data as originally collected.

26
Q

What conditions must a data subject’s consent meet?

A

Free seals in Uruguay

  • Freely given
  • Specific
  • Informed
  • Unambiguous indication of wishes
27
Q

What is the minimum age under article 8 GDPR, where a controller relies on consent as the legitimate processing criterion for information society services to be offered directly to a child?

A
  1. But in some states it varies (eg. UK it is 13)
28
Q

Does a legal obligation imposed on the controller by a third party country meet the requirements of processing for compliance with a legal obligation?

A

Recital 45 of the GDPR makes it clear that obligations imposed on controllers by third party countries do not fall within this criterion. In all cases, this criterion is interpreted narrowly.

29
Q

Can a controller rely on the fact that processing is necessary where official authority is vested in a third party to whom the data is disclosed?

A

No. Removed in the GDPR. Only where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

30
Q

Can public authorities rely on the legitimate interests ground to justify processing?

A

No. Recital 47 explains that it is for the legislator to provide by law for the legal basis for public authorities to process personal data.

31
Q

For non-public authorities what are the examples where legitimate interests will be established?

A
  • Recital 47: to prevent fraud
  • Recital 48: The sharing of personal data within a group of undertakings or institutions affiliated to the central body for internal administrative purposes such as processing client or employer personal data
  • Direct marketing
  • Recital 49: to ensure network and information security
32
Q

In the UK, what two tests should a controller follow for the legitimate interests criterion?

A
  1. Establishing the legitimacy of the interest pursued
  2. Ensuring that the processing is not unwarranted in any particular case through prejudice to the individual concerned

33
Q

What is the shift in the treatment of legitimate processing criteria under the GDPR?

A

Under the Directive, the controller does not have to document which legitimate criterion it is relying on when processing personal data, nor is it required to communicate the criterion to the data subject.

Under the GDPR, A controller is required to specify in the privacy notice the legal basis for the processing and when relying on the legitimate interest ground must describe the legitimate interests pursued.

34
Q

Are photographs considered to be sensitive data?

A

Photographs should not systematically be considered to be processing sensitive data, since they are covered by the definition of biometric data only when processed through a specific technical means that allows the unique identification or authentication of an individual.

35
Q

Which are the categories of sensitive data?

A
  1. Racial or ethnic origin
  2. Political opinions
  3. Religious or philosophical beliefs
  4. Trade union membership
  5. Genetic and biometric data (added by GDPR)
  6. Health
  7. Sex life or sexual orientation

RPRTGHS

Real Philippines rabbits took Grace’s heavy spade

36
Q

For foundations, associations, or any other not-for-profit bodies, they must still process sensitive data in compliance with the requirements of the GDPR even if they make use of the criterion. What are these?

A

The bodies must process sensitive data
1) in the course of the legitimate activities
2) with appropriate safeguards and
3) in connection with their specific purposes.
In addition, they may only disclose sensitive data outside the organisation with the explicit consent of the relevant data subject.

37
Q

Previously under the Directive, member states had a greater degree of freedom to establish exemptions for whether the processing of sensitive data is in the substantial public interest, requiring only that these further exemptions are subject to suitable safeguards. The GDPR adds additional requirements to such laws. What are they?

A
  1. Proportionate to the aim pursued
  2. Show respect for the essence of the right to data protection

38
Q

In the UK, a statutory instrument has set out the criteria for processing sensitive personal data in the substantial public interest. What are these criteria?

A

Processing is permitted when it is necessary for the purposes of preventing or detecting any unlawful act or to discharge any function designed to protect the public against dishonesty, seriously improper conduct or mismanagement in the administration of any organisation or association.

39
Q

What is the difference between the GDPR from the directive with regard to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes?

A

The directive dispenses with the obligation to provide notice to data subjects where personal data was not collected directly from them, as well as provides an exemption from the data subject’s rights of access.

Article 9 of the GDPR now provides a specific criterion for controllers involved in archiving, historical or scientific research, or processing for statistical purposes.

In order to rely on this criterion, it is necessary that the processing must have appropriate safeguards in accordance with article 89(1) and must be necessary for one of those purposes based on EU member state law which must be proportionate, respect the essence of the right to data protection and provide for suitable safeguards.

40
Q

How is data on criminal convictions and offences or related security measures treated under the GDPR?

A

Article 10 of the GDPR requires that such data be processed only ‘ under the control of an official authority or when the processing is authorised by union or member state law providing for appropriate safeguards for the rights and freedoms of data subjects’.

41
Q

What are binding safe processor rules?

A

Self-regulatory principles similar to binding corporate rules for processors that are applicable to customer personal data. Once the supplier’s BSPR are approved, a supplier gains “safe processor” status and its customers would be able to meet the EU data protection directive’s requirements for international transfers in a similar manner as BCR are allowed. BSPR are currently being considered as a concept by the Article 29 Working Party and national authorities.

42
Q

What is the position for research under the GDPR?

A

Organisations that process personal data for research purposes may avoid restrictions on secondary processing and on processing sensitive categories of data (article 6(4); recital 50).

As long as they implement appropriate safeguards, these organisations also may override a data subject’s right to object to processing and to seek the erasure of personal data (article 89).

Additionally, the GDPR may permit organisations to process personal data for research purposes without the data subject’s consent. In isolated cases, these organisations may be able to transfer personal data to third countries for research purposes without any other transfer mechanism in place.

43
Q

How can research be a basis for processing?

A

Where a controller collects personal data under lawful basis, such as consent, article 6 (4) allows it to process the data for a secondary research purpose.

Research, however, is not explicitly designated as a lawful basis for processing, but, in some cases, it may qualify under article 6(1)(f) as a legitimate interest of the controller.

Thus, while the GDPR explicitly permits repurposing collected data for research, it may also permit the controller to collect personal data initially for research purposes without requiring the data subject’s consent.

44
Q

How can researchers make third party transfers on the basis of the legitimate interest ground?

A

The transfer may be based on this ground only if it is not repetitive, it concerns a limited number of data subjects, and “the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards”.

Moreover, the controller must inform the data subject as well as the data protection authority of the relevant member states of the international transfer.

45
Q

Can further processing of research be done if it impacts individuals?

A

Under the Directive, further processing for research was permissible only if member states furnished suitable safeguards that in particular rule out the use of the data in support of measures or decisions regarding any particular individual.

The GDPR eliminates this restriction, thereby allowing processing for research that impacts individuals. However, the GDPR also creates additional safeguards to protect individuals from this type of processing.

Article 35(2)(a) requires a DPIA where there is profiling.

46
Q

Under what condition is processing sensitive employee data acceptable?

A

The processing is necessary for the data controller to carry out their obligation in the field of employment law.

GDPR 9(2)(b) provides that processing of sensitive employee data is acceptable when the condition of processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller.

The GDPR allows the processing of sensitive employee data if the controller has explicit consent from the data subject and the business obligation of the controller are justifiable reasons to process this sensitive information.

It is also acceptable if the data subject has given explicit consent to the processing of those personal data for one or more specific purposes.

47
Q

Which processing principle requires the controller to explicitly describe the reason for which the data will be processed?

A. Purpose limitation
B. Integrity and confidentiality
C. Data minimisation
D. Storage limitation

A

B ?

48
Q

As Bicsma’s DPO, you realize that Bicsma’s Privacy Notice is very basic. It only describes what categories of personal data Bicsma collects from its customers, and how Bicsma uses that data to deliver orders, answer inquiries and send newsletters.
List 4 more content elements you would include in the Privacy Notice.

A

Correct answers may include:

  • A description of the data subject’s rights
  • An overview of how data subjects can submit requests and complaints
  • The contact details of Bicsma’s DPO
  • The (categories of) recipients of the personal data
  • Whether or not the personal data will be transferred to an entity outside the EU/EEA (if yes, reference to adequacy decision or safeguards)
  • A description of the technical and organizational security measures
  • The data retention periods per processing purpose/personal data category
49
Q

‘Informed consent’ is a lawful basis to process personal data under the General Data Protection Regulation (GDPR). The purpose of the processing for which consent is given should be documented. At what time in the process should the data subject’s consent be obtained?

A) After the purpose specification is presented and before personal data is collected.
B) Before the purpose specification is conceived and presented.
C) Before the personal data is processed.
D) Before the personal data is published or disseminated.

A

A) Correct. Consent can only be informed after the purpose specification is presented to the data subject. See: GDPR recitals (32), (42).
B) Incorrect. Consent can only be informed after the purpose specification is presented to the data subject.
C) Incorrect. Collection of personal data is ‘processing’ and as such needs informed consent of the data subject.
D) Incorrect. Publishing and dissemination of personal data are ‘processing’ and as such need informed consent of the data subject

50
Q

In order for personal data processing to be lawful, what is always a requirement?

A) A code of conduct must be in place, describing what the processing exactly entails.
B) The processing must be reported to and allowed by the supervisory authority.
C) There must be a legitimate ground for the processing of personal data.

A

A) Incorrect. Codes of conduct may be a means to harmonize controller-processor contracts.
B) Incorrect. Prior consultation is only obligatory when a DPIA indicates a high risk. (GDPR Article 36)
C) Correct. Processing is lawful only when a legitimate purpose exists. (Literature: A, Chapter 3; GDPR Article 6)

51
Q

When is the DPO a required role?

A

When the core activities of the controller or processor are:
• Processing activities that require “regular and systematic monitoring” of data subjects on a “large scale”
• Processing sensitive data (or personal data relating to criminal convictions/offences) on a “large scale”
• Processing by public bodies, other than courts acting in judicial capacity

A DPO appointed voluntarily is still subject to GDPR requirements

52
Q

How can security best be described in relation to privacy?

A

Privacy needs security, but security is not only about privacy?

53
Q

A merger between a US based company and affiliates in Asia and Canada is planned to take place. As a privacy officer, what considerations would you bring to the CEO’s attention?

A

Data flow mapping. It is a great way to see which data you have and where it is going and coming from, and so a great way to see which requirements you have to comply with for which data.

54
Q

What is one of the important considerations for companies selling to consumers internationally?

A

Whether they actively target customers in other countries. When targeting different countries, different legislation could apply, which needs to be checked

55
Q

What are the DPO’s responsibilities?

A
• Monitor compliance with the GDPR
• Advise controllers and processors
• Manage risk
• Cooperate with supervisory authorities
• Communicate with data subjects and supervisory authorities
• Exercise professional secrecy
56
Q

examples of business activities that would cause a U.S. organization to fall under the scope of the GDPR

A

  • U.S. company offers a consumer cloud service in the EU
  • U.S. company expresses its intention to deal with EU users (e.g., offering services via a European domain, local currency payment, shipment to the EU, local telephone hotline numbers)
  • “U.S. company (Company A, the processor) offers data hosting services to another U.S. company (Company B, the controller). At face value, this arrangement would not be caught by the GDPR. However, if Company B (the controller) also acts on behalf of other legal entities within a group, and if personal data is transferred from these group legal entities to Company A (the processor), the arrangement may be caught by the GDPR. If one such group legal entity has an establishment in the EU (see no. 2 above), the GDPR comes into play via Article 3, Section 1.”
  • The processor is a sub-processor of a principal processor based in the EU
57
Q

How do the CCPA and GDPR differ?

A

• Definitions of key terms and concepts (e.g., controller)
• No definition of sensitive data under the CCPA
• No private right of action, except for data breaches, under the CCPA

58
Q

What is a Data Protection Officer (DPO)?

A

A staff member or contractor tasked with ensuring and demonstrating compliance with EU data protection law; an expert in data protection law and practices.

60
Q

What are the organization’s responsibilities in relation to the DPO role?

A

• Communication with/involvement of the DPO in all issues related to personal data protection
• DPO access to personal data and processing operations
• Resources to help carry out tasks
• Safeguards to enable the DPO to perform tasks independently
• DPO reports to the highest levels of management