Accountability Requirements Flashcards
Who published the standard setting out a number of specific requirements for ‘Privacy Governance Procedures’?
The French data protection authority, CNIL
What does article 5(2), a new addition in the GDPR, provide?
It specifies that the data controller is responsible for complying with the six principles outlined in article 5(1) but also, crucially, that the data controller must be able to demonstrate its compliance with those six principles.
What are the technical and organisational measures that a data controller is required to implement as part of its overall approach to protect the rights and freedoms of individuals with respect to the processing of their personal data?
Data protection by design and by default
Who developed the privacy by design concept, and how many foundational principles of privacy by design are there?
The former Information and Privacy Commissioner of Ontario, who established seven principles.
What is the privacy by default obligation introduced by the GDPR?
This requires companies to implement appropriate technical and organisational measures to ensure that, by default, only personal data necessary for each specific purpose of the processing are processed.
It is possible that in future a data controller will be able to demonstrate compliance with the privacy by design and privacy by default obligations by becoming certified under a certification mechanism approved by an authority. What is this authority?
The European Data Protection Board
Article 25 provides that an approved certification mechanism – created pursuant to article 42 of the regulation – may be used as an element to demonstrate compliance. However, these certification mechanisms have remained only theoretical.
There is an exemption to the record keeping requirements for companies that employ fewer than 250 people. However, this exemption does not apply if the processing:
(1) is likely to result in a risk to the rights and freedoms of data subjects;
(2) is frequent and not occasional;
(3) involves special categories of data; or
(4) applies to data relating to criminal convictions and offences.
Under article 35(7) of the regulation, the DPIA must contain and document at least the following:
(1) a systematic description of the envisaged processing operations and the purposes of the processing, including any legitimate interest pursued by the controller;
(2) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
(3) an assessment of the risk to the rights and freedoms of individuals; and
(4) the measures adopted to address the risk, including safeguards, security measures and mechanisms to ensure the protection of personal data.
How long can a DPA consider a referral by a data controller?
Up to 8 weeks. There is an option to extend this period by an additional six weeks, and an inherent power to suspend the timetable if the DPA is waiting to receive information from the data controller.
When must data controllers and processors designate a DPO?
- where processing is carried out by a public authority;
- if the core activities of the controller or processor consist of regular and systematic monitoring of individuals on a large scale; or
- if the core activities consist of processing special categories of personal data on a large scale.
What does ‘core activities’ mean?
According to WP29 guidance, core activities are the key operations necessary to achieve the controller’s or processor’s goals.
What article sets out the tasks of the data protection officer?
Article 39