GDPR Flashcards

1
Q

What are examples of instances where member states may make further legislative provisions in addition to the GDPR?

A

1) Where there are already sector-specific laws in place, for example, in relation to the processing of employee data
2) Archiving purposes in the public interest, scientific or historical research purposes, statistical purposes
3) Processing of “special categories of personal data”
4) Processing in compliance with a legal obligation

2
Q

When did the GDPR come into force?

A

24 May 2016, will apply from 25 May 2018

3
Q

How does the GDPR vary from the directive in terms of processing?

A

The references found in the directive to EU-based processing equipment no longer apply in the GDPR.

Instead, the applicability of the GDPR to organisations not established in the EU will be determined by the location of the data subject.

The regulation will apply where the use of personal data by a business relates to the offering of goods or services to individuals in the EU, irrespective of whether payment is required, or the monitoring of those individuals' behaviour in the EU.

Significantly, recital 24 of the GDPR clarifies that tracking data subjects on the Internet to analyse or predict their personal preferences will trigger the application of the GDPR.

This measure represents a massive widening of the application of the rules, as it makes almost every website that drops tracking cookies or app that retrieves usage information subject to the GDPR.

4
Q

What is the right to portability?

A

The right to portability introduces the right for people to receive information they have provided to businesses in a structured, commonly used and machine-readable format when the information was originally obtained from an individual based on their consent or as part of a contract.

There will also be a general right to have that data transmitted from one business to another where technically feasible in certain circumstances.

5
Q

What is the range of measures that may be used to legitimise transfers under the GDPR?

A

(1) Binding corporate rules
(2) Standard contractual clauses adopted by the commission
(3) Standard contractual clauses adopted by a DPA and approved by the commission
(4) An approved code of conduct
(5) An approved certification mechanism
(6) Other contractual clauses authorised by a DPA in accordance with the so-called consistency mechanism

6
Q

What is the reporting requirement under the GDPR?

A

Within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk for the rights and freedoms of natural persons. If the risk of harm to individuals is high, then individuals must be notified as well.

7
Q

What rights do individuals have under the GDPR?

A

Individuals have the right to compensation for breaches for material or immaterial damage.

They are also afforded judicial remedies against decisions of a DPA which concern them, to compel a DPA to act on the complaint, and against data controllers and processors that breach their rights by failing to comply with the GDPR.

These rights can be exercised by consumer bodies on behalf of individuals.
