Certification Exam Flashcards

Question

Special categories of personal data

Answer 1

Article 9(1): racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union memberships; genetic data; biometric data; health data; sex life or orientation

Answer 2

Article 10: processing of such personal data "shall be carried out only under the control of official authority or when the processing is authorized by Union or Member State law providing for appropriate safeguards for the rights and freedom of data subjects

Answer 3

Data subject: individual about whom personal data is processed Data controller: organization or individual that decides how and why personal data is processed Data processor: organization or individual that processes information on behalf of data controller Supervisory Authority (SA): data protection authority, entity appointed to enforce privacy or data protection laws and regulations in a particular jurisdiction

Answer 4

Controller or processor: may be a natural personal, legal entity, public authority, agency or other body Controllers and processors: have accountability obligations under GDPR, including keep records that can be provided to SAs; share responsibilities for personal data security and must ensure compliance with int'l data transfer rules; subject to large administrative fines if their obligations are not met and can be subject to compensation claims from individuals. Distinction: Article 4(7) - controller is the individual or body who "alone or jointly with others determines the purposes and means of the processing of personal data." Article 4(8): a processor processes personal data on behalf of the controller; activities must be transparent to the controller, and any decisions that determine where personal data is processed or by whom must relay on approval from controller.

Answer 5

Article 4(2) of GDPR: any operation performed upon data, and it comprises the many possible actions in the data lifecycle.

Answer 6

OECD - most widely recognized framework for fair info practices Collection limitation: limits to collection of personal data, and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject. Data quality: personal data should be relevant to the purposes for which they are to be used and should be accurate, complete and up to date. Purpose specification: purpose should be specified no later than at the time of data collection and subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose. Use limitation: personal data should not be disclosed, made available or otherwise used for purposes other than those specified in according with the purpose specification principle except with consent or authority of law. Security safeguards: protected by reasonable security safeguards against loss, unauthorized access, destruction, use, modification, disclosure of data Openness: general policy of openness about developments, practice and policies with respect to personal data. Individual participation: individual has rights Accountability: data controller shall be accountable for complying with measures which give effect to the principles stated above

Answer 7

Article 5 Lawfulness, fairness and transparency of processing - honest practices relating to processing activities Purpose limitation - requires collecting and processing for the specified purpose only. Data minimization - processing only personal data that is relevant and necessary for purpose Accuracy - processing complete and up to date personal data Storage limitation - retaining on personal data that is relevant and necessary for purpose Integrity and confidentiality - ensuring personal data is secure Accountability - processing personal data responsibly and demonstrating compliance with EU and MS DP laws

Answer 8

Territorial and material scope Territorial scope (Article 3) - one of these criteria must be met for the GDPR to be applicable: (1) when a controller or processor is established in the EU (regardless of whether the processing takes place in the EU) (2) processing personal data of data subjects in the EU relating to offering goods or services or monitoring behavior in the EU (where the controller or processor is NOT established in the EU) (3) processing by a controller not established in the EU but in a place where MS law applies by virtue of public international law. Material scope (Article 2): data wholly or partly processed by automated means; any processing operation performed with or without or partly without human intervention; not to be confused with automated decision making; also covers processing, other than by automated means, of personal data that forms part of a filing system EXCLUSIONS to material scope: activities outside the scope of EU law (national security activities); law enforcement and public security; purely personal or household activities.

Answer 9

Six lawful grounds for controllers to rely on to process personal data (Article 6): (1) consent from data subject (2) performance of a contract (necessary to perform the contract and data subject is party to the contract, or if data subject requests the processing to enter into a contract (3) compliance with a legal obligation to which the controller is subject (4) protection of vital interests of the data subject or another natural person (emergency - no other options) (5) necessity for public interest or in the exercise of official authority of controller (administration of justice, tax collection, census) (6) as necessary of legitimate interests of the controller or a third party *unless overridden by interests, rights or freedoms of the data subject (child)

Answer 10

Provides the controller with permission to process the personal data for a specific purpose; must be clearly distinguishable from other matters, intelligible, clear and plain language; must keep records of consent. FREELY GIVEN; data subjects must be able to choose to have their personal data processed and must be able to withdraw consent at any time (as easily as giving consent) SPECIFIC: informed of all intended purposes for processing; if another arises, may be required to obtain additional consent INFORMED: to be legitimate, data subjects must be informed, at least, of the controller's identity, purpose for processing, and information about how processing may affect data subjects; communicated in understandable language and form UNAMBIGUOUS: unambiguous indication of wishes (wishes must be absolutely clear); positive, affirmative action (checking opt-in or choosing technical settings); no silence or pre-ticked boxes or inactivity. CHILDREN: more rigorous; must be given by a parent or guardian when child is under 16 (or under 13 in some MS)

Answer 11

CONTROLLERS: burden is on the controller to show that data subjects' fundamental rights and freedoms have not been compromised (legitimate interest exists, processing is necessary for legitimate interest, inform data subjects, balance legitimate interest with rights of data subjects, uphold fundamental rights and freedoms of data subjects CONTROLLER DATA SUBJECT RELATIONSHIP: fraud prevention, direct marketing, sharing personal data within group for internal administrative purposes, information security Public authorities may NOT rely on legitimate interest as a grounds for processing personal data

Answer 12

General starting point - processing of personal data is prohibited; number of exceptions to the prohibition; controller must ensure it meets one of the six bases for lawfully processing personal data Explicit consent: required under Article 9 (differs from Article 6), must be explicit. must still be unambiguous, freely given, specific and informed, but it must be a clear affirmative act by the data subject In the context of employment: applies when processing of special categories is necessary for controller to comply with legal obligation under employment, SS and social protection laws; relevant when data subjects are candidates, employees and contractors Vital interests of the individual: similar to Article 6, except controller must be able to demonstrate that it is not possible to obtain consent; controller is expected to attempt to seek consent. Political, philosophical and religious purposes: covers particular foundations, associations, not for profit bodies and any foundation, association or not for profit body with trade union aim; processing of special categories of data about members of the org, former members or those with regular contact with org; appropriate safeguards Sensitive data manifestly made public by data subject: interviews, social networking sites Establishment, exercise or defense of legal claims Substantial public interest: reason for processing special categories of data in the public interest be balanced with the data subject's rights to data protection; safeguard data Medicine and social healthcare Public health: required for public health reasons Public archives or scientific historical research or statistical purposes: requires further interpretation from MS law; proportionate to the purpose and respect data subject rights; safeguards

Answer 13

confirmation of processing (is or was processed); purpose of processing (why); categories of data processed (what); recipients or categories of recipients of data (who); retention period/criteria to determine period (when); information about data subject rights to: rectification, erasure, restriction, object to processing, and lodge complaints; source of personal data (when not collected from data subject); existence of automated decision making (logic, signification and envisaged consequences); appropriate safeguards for data transferred to third country or int'l org

Answer 14

Right to obtain and reuse data for own purposes; allow data subjects to receive personal data concerning them that they provided to the controller; structured, commonly used, machine readable format; applies when processing is based on prior consent or performance of the contract to which data subject is a party AND data provided by data subject, not data derived from data provided by him AND transferring data does not adversely affect the rights and freedom of others

Answer 15

Right to be forgotten (Article 17) Data subjects may, in some circumstances, request that personal data be erased and, therefore, no longer processed. May be requested under these circumstances: no longer necessary for the purpose for which it was collected; data subject has withdrawn consent (when processing was based on consent); if based on controller's legitimate interests, data subject objects, and controller is unable to demonstrate that its legitimate interest overrides the interests or fundamental rights and freedoms of data subject; if processing is unlawful; if personal data must be erased for compliance with EU or MS law; if consent was given when data subject was a child, consent may be withdrawn even if the individual is no longer a child Right to be forgotten also applies when data has been made public by the controller; original controller must take reasonable steps to inform other controllers processing personal data to erase any links to or copies or replications of the personal data. May prove difficult - determine all of the data's recipients (when posted on internet, for instance); informing all other controllers; objections from controllers based on fundamental right to freedom of expression and information.

Answer 16

Compliance with EU or MS law for a task public interest or official authority; public health purposes; archiving in public interest, scientific or historical research, or statistical purposes; establishment, exercise or defense of legal claims.

Answer 17

Defined in Article 4(3): Marking of stored personal data with the aim of limiting their processing in the future Set out in Article 18 (new) - differs from erasure because it allows for personal data to continue being stored without being further processed Provides an alternative to erasure in circumstances where storing the personal data is legally required, ensures the protection of another person's right, or is in the public interest Possible methods: making personal data temporarily unavailable; noting restriction; moving data to separate system; temporarily blocking website; using data under narrow conditions Data subjects may request restriction for: accuracy of data is contested and controller needs time to verify accuracy; processing is unlawful, but data subject prefers restriction to erasure; controller no longer needs personal data but data subject needs it to be saved for the establishment, exercise or defense of legal claims; data subject objects to processing, pending the controller's attempt to verify legitimate grounds.

Answer 18

Article 21 - right is not absolute; only available if the grounds for data processing falls into one of three categories: (1) direct marketing - absolute and should cause the controller to cease processing, including profiling (2) public interest or legitimate interests: based on grounds related ton the individual's particular situation; controller then has burden to demonstrate that it has compelling legitimate interests for processing that override the subject's individual interests rights and freedom (3) research or statistical purposes: on grounds relating to their particular situation; overridden if processing is necessary for the performance of a task carried out in the public interest.

Answer 19

Article 22: data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects (without human intervention in a way that produces legal or similarly significant effects (strictest for decisions involving children) Profiling is the automated processing of personal data for the purpose of evaluating, analyzing or predicting personal aspects of a natural person. Exceptions: authorized by MS or EU law; necessary to enter into or perform a contract between processor and data subject; based on data subject's explicit consent; certain decisions based on special categories of data.

Answer 20

Requires data controllers to communicate with data subjects using an intelligible and easily accessible form (Article 12(1)); clear and plain language; concise communication. Notice and access to personal data must be free of charge, unless the data subject's request is unfounded or excessive

Answer 21

Also called privacy statement, fair processing statement or privacy policy Statement made to a data subject that describes how the organization collects, uses, retains and discloses personal data; must contain certain information. Creative solutions for making privacy notices more concise and easier to navigate: layered privacy notices, just in time notices, standardized icons.

Answer 22

Contains multiple layers of increasingly detailed notices (up to 3 layers), so long as the sum total meets the legal requirements. Top layer contains the short notice (key elements); second and third layer may contain a condensed notice followed by a full notice, or a full notice followed by FAQs and additional links.

Answer 23

Delivered at or right before a user accepts a service or product, helping to facilitate meaningful choice; or given when previously collected data is to be used for a new purpose.

Answer 24

Recital 60 endorses the use of standardized icons with privacy notices to communicate required information; challenge - design icons readable by humans and computers that accurate reflect the meaning of abstract, complex messages. Recital 166 delegates decisions about development of standardized icons to the European Commission.

Answer 25

If data is obtained from indirect source (news media or public records), provisions of info (data privacy statement) may happen after collection but prior to processing. If a controller later wants to process the data for a different purpose, subjects must be provided with all relevant information, including the new purpose, prior to processing

Answer 26

DS must be provided with the identity and contact details of collection and DPO; purpose and legal basis of processing; recipients of personal data; intention to transfer data to third country or int'l org; legal basis for intended int'l transfer; legitimate interests of controller (if used for legal basis); storage period or criteria used to determine length of storage; subjects' right to withdraw consent, to request access, to rectification or restriction of processing, and to lodge a complaint; statutory or contractual requirement, as well as obligations to provide the data and consequences of failing to do so; info about use of automated decision making.

Answer 27

Source of data and categories of personal data must be provided to the DS, in addition to all info required for direct collection; should happen within a reasonable period after obtaining data (no more than 1 month) or upon first communication with the data subject when used to communicate. Info may not have to be provided to the DS whose data was collected indirectly: (1) if DS already has the info; (2) if info provision is impossible or requires disproportionate effort or would render impossible or seriously impair the purpose of the processing; (3) if national or EU laws require obtaining or disclosing data and provide appropriate measures to protect individuals' interests; or (4) if national or EU laws require that the personal data remain secret.

Answer 28

GDPR - ensure the free flow of personal data between MS; also recognizes that transfers from a member state to a third country (outside the EEA) or an int'l org require special considerations. provisions for int'l data transfers also apply to onward transfers from one third country or int'l organization to another outside the EEA. In other words, if personal data is to be transferred outside the EEA, it still must be protected to an adequate standard.

Answer 29

(1) Adequacy decisions (2) Appropriate safeguards (3) Derogations

Answer 30

Based on assessments of third country law; determinations that certain third countries adequately protect EU data; laws have achieved a European level of protection, transferring personal data to these countries does not require additional safeguards. European Commission makes adequacy decisions; reviewed every four years and may be overturned, repealed, suspended or amended. Criteria: respect o the rule of law; access to justice; international human rights standards; general and sectoral laws; case law; effective and enforceable rights for individuals, including effective administrative and judicial redress; data protection rules, professional rules and security measures, including specific rules for onward transfers; and other int'l commitments and obligations.

Answer 31

Enacted 23 May 2018

Answer 32

In the absence of adequacy decisions, may be used to legally transfer personal data internationally. Legal tools designed to ensure recipients of personal data who are outside EEA are bound to continue to protect personal data to a European like standard; mechanisms that can be used by recipients to commit to protecting personal data and facilitate ongoing, systematic int'l data transfers. Intended to provide enforcement and effective rights to individuals; require pre-approval from a SA: Binding Corporate Rules (BCRs): designed to allow large multinational companies to adopt a policy suite with rules for handling personal data that are binding on the company; if competent SA signs off, company is considered free to transfer personal data with their organization; min reqs: application of GDPR principles; different versions for controllers and processors. Standard Contractual Clauses: model clauses, adopted by the Commission or adopted by a national supervisory authority and then approved by the Commission; standard form that is non-negotiable; once signed, company outside the EEA is considered safe to receive personal data from the EU; most commonly used tool for appropriate safeguards. Approved codes of conduct and certification mechanisms: provisions with GDPR encourage industries to create their own codes of conduct and certification mechanisms that will be reviewed by the EDPB, and if approved, companies may adhere to them and be considered safe to receive data transfers from the EU. Ad Hoc contractual clauses: must have SA authorization; allow for individual tailoring to a company's needs; provisions may differ at MS level. Reliance on int'l agreements: two countries may enter into an agreement between themselves to provide for the protection of personal data; eg, passenger name records (airlines) to transfer passenger data between EU and US, for example.

Answer 33

No adequacy decision and no appropriate safeguards, derogation is last option Basically an exemption from the prohibition on transferring personal data outside the EEA; for limited circumstances and under very specific conditions

Answer 34

Article 88 allows for MS to have more specific rules around processing employees' personal data. Rules must include suitable and specific measures to safeguard the data subject's: human dignity, legitimate interests, and fundamental rights, with particular regard for: transparency of processing, transfer of personal data within a group of undertakings or group of enterprises engaged in joint economic activity; and monitoring systems. Mix of EU data protection law with local law can make compliance relating to employment complicated; local employment law varies considerably across the EU.

Answer 35

Fulfillment of employment contract (bank account info to process salaries) Legal obligation (sharing salary info with tax authorities) Legitimate interests of the employer (migrating EE info from one system to another; cannot be adverse to EE rights and freedoms, cannot be used as grounds for processing special catagories of data) Consent (freely given consent is difficult to prove due to unequal distribution of power between EE and employer; processing may be unlawful or unfair under local law, even if the EE has consented

Answer 36

Employers must comply with one of the exceptions specified in Article 9 of the GDPR. First, explicit consent, which should be used as a last resort (freely given) May be necessary for employer to establish, exercise or defend legal claims May be necessary for controller to carry out obligations and exercise specific rights under employment, SS or social protection laws where authorized by EU or MS

Answer 37

Records that contain personal data should not be kept longer than necessary

Answer 38

Employers may also be obligated to communicate with a trade union or works councils; in certain jurisdictions, works councils may have considerable power over processing of EE personal data, requiring notification, consultation, and approval from works councils; trade unions and works councils may need to ensure they comply with GDPR, too.

Answer 39

MS data protection law may have specific requirements restricting use of employee monitoring systems EE rights and freedoms must be balanced against the rights of the employer, and alternatives to monitoring should always be considered; prevention may be a better option (block websites) Includes background checks, which are increasingly used for screening candidates Another form is data loss prevention (DLP) technology; used to protect IT infrastructure and confidential business information from external and internal threats, but involve processing EE and other third party personal data since they operate on networks and systems used by EE; overriding intention is preventing loss of an org's data. Personal data collected through monitoring must be: (1) held securely; (2) accessed only by those within the org with legitimate reason; and (3) deleted when no longer needed (may be business need to retain it). To monitor EE lawfully, an employer must ensure the monitoring is necessary (may require DPIA, any less intrusive options), proportional (data minimization), transparent (EE clearly informed)and legitimate (lawful grounds, fair processing)

Answer 40

Sarbanes Oxley 2002 - companies must have a system in place to receive anonymous complaints about potential wrongdoing, incl fraud, misappropriation of assets and material misstatements in financial reporting. Under EU law, strongly discourage anonymous reporting; some local DPAs will consider a whistleblower scheme illegal if it mentions the ability to make anonymous reports Under EU law, once a report is investigated and if it's unsubstantiated, should be deleted after fairly short period of time (3-6 mos) Diversion between MS about what can be reported through whistleblowing system - need to understand what may be reported legally in different countries. If an individual has been the subject of a WB report, you have to tell them they'v been the subject of a report, but you don't have to tell them immediately. if it's substantiated, you have to communicate that to them, and they have the ability to have access to the report and to seek any corrections to it that they think are inaccurate (still have to protect reporter's freedoms and private information Reports made in EU, transferred to non-EU country, that's an int'l transfer; may need model clauses or BCRs. if it's a third party service provider who's int'l, be sure they have model clauses.

Answer 41

Involves the observation of an individual or group of individuals, may be carried out openly or covertly, conducted in realtime or by access to stored material Include: social networks analysis and mapping, data mining and profiling, aerial surveillance, satellite imaging, telecommunications surveillance, CCTV cameras, biometric surveillance and geolocation technologies May need to be conducted in manner that overrides data subject rights, as recognized by Article 23 of GDPR, which permits MS or E law to restrict the rights granted in Chapter 3 (rights of data subject). Such a restriction must respect the essence of the fundamental rights and freedoms and be a necessary and proportionate measure in a democratic society May be conducted by public and state agencies for national security or law enforcement purposes (respect individual rights enshrined in Charter of Fundamental Rights, right to private and family life and protection of personal data) or private entities for their purposes (based on legitimate purposes, must comply with GDPR and national laws on confidentiality, privacy, data protection and other civil rights)

Answer 42

Communication surveillance traditionally - interception of postal services and human spies; however, surveillance of electronic communications is more prevalent today Personal data generated from e-comms is categorized as either the content of a communication or the metadata Metadata - data about data, information generated or processed as a consequence of a communication's transmission, also falls within the definition of personal data because it provides context to content and can be used to identify an individual

Answer 43

convo between parties in a call, words in an SMS message, email subject line, words in body of an email, attachments to an email

Answer 44

Traffic data - calling and called numbers in relation to a telephone call Location data - latitude, longitude and altitude of a user's equipment; direction of travel; level of accuracy of location info; identification of network cell (Cell ID) in which a user device is located at a certain time; time and location info was recorded Subscriber data - name, contact details and payment info of a subscriber

Answer 45

Also called Cookie Directive and Privacy & Electronic Communications Directive. Governs processing of location, content and traffic data over public communications network or publicly available communications system - data passing over public telephone or internet carries, or services that use a public communications network Collection of precise location-based data - requires opt-in consent (with the exception of carriers, who need data to provide service) Article 5(1) - confidentiality of the comms must be ensured and cannot be intercepted or disclosed to third parties unless there is consent from all users Article 15(1) - MS can introduce some exemptions if necessary for very limited purposes such as national security and law enforcement Access to traffic data is limited; however, telecom carriers can process traffic data for the purpose of conveying comms and possibly for some limited marketing activities with user's consent If data is passing over a private network (corp intranet) - ePrivacy rules do not apply; however, monitoring considerations are relevant One provision allows for interception of a comm when an org has a lawful business purpose for accessing data going through their public networks. MS may define lawful business purpose

Answer 46

Video surveillance of individuals, including CCTV, contains personal data (images) which are considered biometric data under GDPR; when collection such personal data, compliance considerations should include lawfulness (e.g., legitimate interest, defense of legal claims, public interest, public authority; consent likely not possible) biometric data is considered a special category of data, so processing can only be carried out if one of the permitted conditions specified in Article 9 applies data protection impact assessment - required if video surveillance is considered to be high risk or if it involves systematic monitoring of publicly accessible area or if it's included by the SA on a list of data processing ops that require DPIA prior checking - notify and in some circumstances seek authorization from local regulator proportionality - proportional to the purpose information provision - for overt video surveillance, comply with transparency requirement (sign posted) individual rights - individual may request copy of CCTV recording, may pose a challenge of protecting others' privacy measures to protect personal data and rights of individuals - staff training, CCTV policy, regular reviews to ensure compliance

Answer 47

Location based services (LBS) utilize information about location to delivery a wide array of applications and services; may be derived from satellite network generated data, cell based mobile network generated data, and chip card generated data Referred to as an identifier in definition of personal data (GDPR); if it can be used alone or in combination with other info to identify someone, it's personal data

Answer 48

Biometrics - personal data resulting from specific technical processing relating to the physiological, physical or behavioral characteristics of a natural person which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data (DNA, fingerprints, retina and eye patters, voice, gait) Main uses: Identification (who are you) and authentication (are you who you claim to be)

Answer 49

A communication, by whatever means of advertising or marketing material, directed toward specific individuals; messages that do not process personal data to communicate the marketing message or those that are purely service related in nature are not considered direct marketing Most complex area - consent requirements are difficult, but crucial Not only triggers data protection requirements but also other consumer protection regulatory requirements that vary from country to country; controllers must meet ALL national rules applicable to the direct marketing communications they send Often involves using data collected from devices (location data and cookies) No longer limited to postal mail and email, but can now be sent via third party platform messages, push messages and in-app messaging

Answer 50

Governed by GDPR and ePrivacy Directive GDPR - applies to all direct marketing comms, regardless of channel, incl online advertising targeted at individuals based on browsing history; gives individuals absolute right to object to any form of direct marketing at any time (already there under consent, but also allowed under legitimate interest) Direct marketers must meet these requirements: (1) lawful basis; (2) provide individuals with fair processing information; (3) appropriate technical and organizational measures to protect personal data; and (4) not exporting personal data outside EEA without adequate protection Some MS require controllers to amend their contact lists against national opt out registers before sending direct marketing ePrivacy Directive - applies to digital marketing comms - direct marketing communicated over electronic comm networks (phone, fax, email and message); also specifies rules that impact the use of online behavioral advertising Different rules for different channels under ePrivacy Directive; most forms of digital marketing require opt-in consent (other than face to face); limited exemption from opt-in - market own similar products and services, ability to opt out at time contact details are collected, and reminded of ability to opt out in each subsequent marketing comm

Answer 51

website advertising targeted at individuals based on the observation of their behavior over time; is increasingly occurring through third party advertising networks with relationships with partnering website publishers that enable them to place cookies on individuals' computers with unique identifiers; clearly defined in GDPR as personal data ePrivacy Directive will generally apply to OBA regardless of whether or not OBA info collected constitutes personal data; use of cookies to store or access information in an individual's computer is allowed only on the condition that the individual concerned has given their consent, having been provided with clear and comprehensive information

Answer 52

Provision of IT services over the internet; may provide infrastructure, platform, or application services, or a combination thereof Commonalities: (1) infrastructure shared among customers and accessible in numerous countries; (2) customer data transferred around the infrastructure, according to capacity; and (3) supplier determines location, security measures and service standards applicable to processing Challenging for cloud providers to determine whether GDPR applies; EU has no specific legislation regarding cloud computing, but the technology neutral GDPR set out controller and processor obligation May be considered a controller when: it determines substantial and essential elements of the means of processing (data retention periods); it processes data for its own purposes; determines aspects of processing outside the controller's instructions

Answer 53

Text file stored on a individual's computer by a website for later use; enables authentication of web visitors, personalization of web content and delivery of targeted advertising.

Answer 54

Services that find info on the internet; process large volumes of data, including IP addresses, cookies, user log file and third party web pages Determine the purpose and means of processing data about users - they are controllers, and are controllers of personal data contained in third party web pages. Search engines outside the EU are also likely subject to the GDPR in respect of their processing of personal data contained in third party web pages if they have an EU establishment whose activities are economically linked to the search engine's core activities

Answer 55

SNS - create opportunities for various parties and individuals to collect and use personal data; multiple controllers possible. SNS are controllers because they provide platforms for publishing and exchanging personal data as well as determining the use of personal information for advertising services Authors of apps designed for SNS platforms that provide services in addition to the SNS may also be controllers as well Users who act on behalf of an organization or knowingly extend access to personal data beyond selected contacts may also be controllers SNS providers should be open and transparent about processing of personal data by providing: (1) notice if the personal data will be used for marketing purposes; (2) notice if personal data will be shared with specific third parties; (3) explanation of any profiling conducted; (4) info about processing of sensitive personal data; (5) warnings about risks to privacy; and (6) warning that if an individual uploads a third party's personal data, such as photos, the consent of the third party should be obtained Special considerations for sensitive personal data, third party personal data and children's personal data: Sensitive personal data - explicit consent is required Third party personal data - if third party individuals' personal data is published, SNS must have a legal basis for processing that personal data Children's data - requires parental consent; processing on the grounds of legitimate interest may not be possible

Answer 56

The simulation of human intelligence created by machines and computers; AI can replace humans and act on its own to make automated decisions Provisions within GDPR affect the AI functions of automated decision making (Article 22 highlights subject rights in conjunction with profiling and automated decision making) Organizations implementing AI tech will want to ensure privacy regulations are being met in conjunction with the technology.

Answer 57

Security is very important to EU data protection law; often a prerequisite for achieving compliance with data protection principles Security in practice should take a holistic approach; considerations may include mgmt and worker buy-in, policy framework, physical environment, information technology, and incident detection and response.

Answer 58

Article 32: State of the art - most cutting edge technology is not necessarily the best choice for security; reflect upon consensus of security professionals/experts Cost of implementation - not required to choose the most expensive security controls, but should choose controls that reflect demonstrably good management decisions Appropriate technical and organizational measures - results that those measures should bring about might include pseudonymisation, encryption, confidentiality, integrity and resilience Level of security appropriate to risk - risk based approach based on risk assessment to determine controls for entire information lifecycle; controls are tighter and more sophisticated relating to vulnerable and special categories of data being processed

Answer 59

Confidentiality: individuals, entities, systems or applications access data on a need-to-know basis (access controls) Integrity: controls in place to ensure data is accurate and complete Availability: data is accessible when needed for a business activity Resilience: data is able to withstand and recover from errors or threats

Answer 60

A data processor is a third party that processes data on behalf of a controller; controller shall only use processors providing sufficient guarantees to implement appropriate technical and organization measures in such a manner that processing will meet the requirements of this Regulation and ensure protection of the rights of the data subject sufficient guarantees - covers assurance mechanisms such as appropriate checking and vetting of processor by supplier through a third party assessment of certification validations Processor contract due diligence: data protection knowledge; recent high profile breaches; recent and current investigations; accreditations; policy framework; sub-processors; governed by a contract or other legal ct under EU or MS law that is binding on the processor Contract may be based on SCCs identified by the EC or SA; must set out: subject matter and duration of processing, nature and purpose of processing, type of personal data, categories of data subjects, and obligations and rights of the controller

Answer 61

Personal data breach (Article 4(12)) - breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed

Answer 62

Processor must inform controller without undue delay after becoming aware Depending on circumstances, controller must inform the SA and may be required to inform affected data subjects

Answer 63

Obligated to report to SA without undue delay (within 72 hours of becoming aware) if breach is likely to result in a risk for the rights and freedoms of natural persons. Notification should include: categories of affected data subjects, approximate number of data subjects and data records, name and contact details of the DPO or other POC, description of likely consequences of the breach, measures taken or to be taken in response to the breach

Answer 64

Should be notified without undue delay and in clear and plain language IF the breach is likely to result in a high risk to the rights and freedoms of those individuals. Notification may not be necessary if: (1) there was prior implementation of appropriate technical and organizational measures that rendered the personal data unintelligible or encrypted; (2) post breach actions greatly reduce the risk to the rights and freedoms of data subjects; or (3) individual notice requires disproportionate effort (in such case, equally effective public notification is still required). SA may still decide the controller needs to notify the data subjects

Answer 65

May 2018 first EU wide cybersecurity law not specifically concerned with personal data, it aligns with GDP/R and indirectly bolsters the security of personal data within orgs that are regulated by the Directive. Focuses: national capabilities, cross border collaboration and national supervision of critical sectors

Answer 66

Article 24(1) mandates that the controller have a data protection program in place based on the nature, scope, context and purpose of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons; implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation; measures shall be reviewed and updated where necessary. Risk based approach resulting in technical and nontechnical measures that can demonstrate compliance with the GDPR; continuously review and update. Processors also have obligations (though not named specifically), record keeping and duty to support controller in fulfilling obligations

Answer 67

Implementing data protection by design and data protection by default Conducting a DPIA Maintaining data processing records Possibly appointing a DPO

Answer 68

DPAs have the following audit rights: audit or inspect premises and processing equipment, data protection written systems, and data protection business operations DPAs can issue warnings or put a stop to business activity Regulators have the right to conduct audits

Answer 69

More familiar with "by default Begins prior to processing and incorporates data protection considerations into the planning phase. Sustains those considerations into the processing phase by limiting the collection, processing, storage and accessibility of personal data Orgs should build data protection into their products throughout their life cycle (at time of planning); necessary safeguards should be integrated into org's systems; GDPR highlights data minimization and pseudonymisation; program assesses the risks of a product and takes stems to mitigate those risks to meet the data protection by design requirements

Answer 70

Where a product or service provides users with multiple setting options, the most data protective settings should be the default. Users should have to opt into any setting that presents greater risks. By default, a product or service processes only the necessary personal data Considerations: purpose of processing, amount of personal data collected, extent of processing, storage period and accessibility

Answer 71

Main values: (1) help with incorporating data protection considerations into org planning and with demonstrating compliance to SAs When is a DPIA required? if processing is likely to entail a high risk to the rights and freedoms of natural persons Risks should be considered from the POV of the data subject and the SA Considerations: nature, scope, context, purpose, type of processing, and use of new technologies Use of new technologies whose consequences and risks are less understood may increase the need for DPIA Ex of processing that would require a DPIA: (1) systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing; (2) processing on a large scale of special categories of data or of personal data relating to criminal convictions or offenses; (3) systematic monitoring of a publicly accessible area on a large scale Should include: (1) description of processing, incl purpose and legitimate interest; (2) necessity of processing, its proportionality and the risks that it poses to data subjects; and (3) measures to address those risks (by design and by default controls) When must a SA be contacted? high risk to data subjects that is not mitigated. SA will provide advice and can block processing activities within 8 weeks (or add'l 6 weeks for complex situations)

Answer 72

Useful tool to ensure that their EE are properly trained and follow GDPR reqs Purpose: explain to EE what can and cannot be done with data they are handling and to outline consequences of a policy breach Falls within the appropriate technical and org measures category and may be included as part of a larger data protection program Not required for all situations but should be used where proportionate in relation to processing activities GDPR does not specify contents, best practices - considerations: concise and understandable language; consider how metrics may be used to demonstrate results; ensure tasks are achievable, realistic, relevant and timely

Answer 73

Important aspect of accountability is being able to demonstrate compliance with the regulation - applies to both controllers and processors What triggers recording obligation: processing personal data for orgs of 250+ EEs; or regardless of size, if processing is likely to result in a high risk to the rights and freedoms of data subjects, is not occasional, or incl special categories of data or data relating to criminal convictions or offenses

Answer 74

Name/contact info of controller and DPO Purposes of Processing (not req'd by processor) Categories of data subjects, personal data and recipients of data (processor - cats of data) Int'l data transfers and measures put in place to ensure lawfulness How long the data is retained and timeline for deleting (not req'd by processor) General description of technical and org security measures

Answer 75

Staff member of contractor appointed by the controller or processor to ensure and demonstrate compliance with data protection law; must be an expert in data protection law and practices Required in certain circumstances (Article 37): (1) controller is public authority; (2) core activities of controller or processor include regular and systematic monitoring of data subjects on a large scale; (3) if core activities of controller or processor consist of large scale processing of special categories of personal data

Answer 76

Large scale - determined based on number of data subjects concerned, the volume or range of data items, the duration of processing and/or the geographical extent of processing Regular and systematic monitoring - all forms of tracking and profiling on the internet, including for purposes of behavioral advertising; not restricted to the online environment Tasks and responsibilities: (1) ensure compliance with regulation; (2) advise controller, processors and EEs who carry out processing of their data protection obligations; (3) manage risk; (4) be a point of contact with SA; (5) communicate with data subjects and the SA; provide advice on and monitor DPIA; exercise professional secrecy Should report to the highest level of management Controller or processor may not instruct the DPO with regard to their tasks or curtail their action

Answer 77

Process personal data within the territorial scope of the GDPR Article 3(2) - must designate a rep within the MS of the data subjects to whom that processing applies. Article 3(2) - processing of data subjects in the EU by controllers or processors not established in the EU where the processing activities are related to offering them goods or services or monitoring their behavior that takes place within the EU

Answer 78

Also known as data protection authorities, promote, monitor and enforce GDPR (1) promote awareness by helping orgs understand their obligations in an advisory capacity; (2) conduct investigations; (3) protection fundamental human rights by providing info to individuals; (4) draw up annual reports that explain data protection in their country; facilitate the free flow of personal data within the EU Three categories of power: (1) Investigate powers; (2) corrective powers; and (3) authorization and advisory

Answer 79

Primary regulator responsible for dealing with the cross-border processing activities of controller or processor, including coordination of operations of all supervisory authorities concerned.

Answer 80

Processing of personal data which takes place in the context of the activities of the establishments in more than one MS of a controller or processor in the Union where the controller or processor is established in more than one MS OR processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to affect data subjects in more than one MS Identifying LSA - place of central administration, unless decisions about purpose, means and implementation of processing occur at a different location; then that one will be the lead.

Answer 81

Mechanisms to support cooperation and consistency between SAs: Cooperation; mutual assistance (relevant info passed between SAs); joint operations (joint investigation and enforcement); consistency mechanism (collaborative process for adopting certain measures and ensuring consistent GDPR application); dispute resolution; urgency procedure (immediate adoption of provisional measures within a MS

Answer 82

Replaced Article 29 Working Party Rep of every MS's SA (31 member states of EEA); only reps from 27 EU MS may actively participate. Presided over by a Chair who is elected by the EDPB reps European Data Protection Supervisor (EDPS) and the Commission participate on the board, but EDPS has limited voting rights and the Commission has none EDPB must act independently; roles are to monitor for correct application of GDPR and oversee consistency mechanism; issue guidance and advice to Commission; an preside over dispute resolution process

Answer 83

20,000,000 Euros or 4% of total turnover (denying fundamental right to privacy) or 10,000,000 Euros or 2% of total turnover (data breaches)