Fair Processing Information & Third Country Data Transfers

Question 1

What is fair processing information?

Answer 1

Information controllers provide to data subjects about how their personal data is processed.

Question 2

What legal effects can result from ADM?

Answer 2

Outcomes impacting rights or obligations.

Examples: credit scoring or benefits eligibility

Question 3

When must notice be provided for secondary processing?

Answer 3

• Before the new processing begins, and
• With enough time for data subjects to object

Question 4

What are the controller’s obligations regarding notice?

Answer 4

• To provide information
• Explicitly bring processing activities to the data subject’s attention

Question 5

What are the qualities of fair processing information?

Answer 5

• Concise
• Transparent
• Intelligible
• Easily accessible
• Plain language
• Accurate
• Up to date

Question 6

What are acceptable mediums for providing notice?

Answer 6

• Written
• Electronic means (e.g., website)
• Orally (e.g., phone at request)

Question 7

What are examples of excessive requests?

Answer 7

• Repetitive
• Abusive
• Intended to disrupt the organization

Question 8

What visual formats can be used in notices?

Answer 8

• Diagrams
• Cartoons
• Graphics
• Video
• Audio

Question 9

What are the requirements for visual notices?

Answer 9

They must simplify communication and be machine readable.

Question 10

What must a user do before an organization stores or accesses data on their terminal equipment?

Answer 10

Provide consent

Question 11

What does ‘similar technology’ include under the ePrivacy Directive?

Answer 11

• Tracking pixels
• Web beacons
• Tracking links
• Device fingerprinting
• IP tracking

Question 12

What is a layered notice?

Answer 12

• Top layer presents a summary of key info like controller, purpose, rights
• Bottom layer provides legal details

Question 13

What is a just-in-time notice?

Answer 13

Provided at the point of collection.

Question 14

What is a dashboard notice?

Answer 14

Web-based interface allowing users to toggle privacy options, e.g., social media settings.

Question 15

What are key requirements for the Data Protection Officer (DPO)?

Answer 15

• Involvement in privacy and related efforts
• Independence
• Direct access to top management
• Access to processing operations
• Technical expertise

Question 16

Who must the DPO report to?

Answer 16

The highest management level

Question 17

What is the role of the DPO in relation to supervisory authorities?

Answer 17

• Cooperate
• Serve as their point of contact

Question 18

What is considered a ‘third country’ under the GDPR?

Answer 18

Any country outside the EU/EEA

Question 19

What is considered a ‘transfer’ under GDPR?

Answer 19

When personal data is intentionally sent or made accessible by a GDPR-subject organization to a third country or international organization.

Examples: using US-based cloud storage, outsourcing IT to Ukraine, using US email service for newsletters

Question 20

What is considered ‘transit’ under GDPR?

Answer 20

Passage of personal data through an intermediary without access or processing ability.

Example: email routed through US infrastructure with no access by intermediary

Question 21

What are the 3 factors to consider for adequacy?

Answer 21

1. Rule of law and human rights
2. Independent supervisory authorities
3. International commitments

Question 22

What framework guides the Commission’s adequacy decision?

Answer 22

The WP29’s Adequacy Referential

Question 23

What is the designation procedure for adequacy?

Answer 23

• Commission drafts proposal
• EDPB issues opinion
• Member states approve
• Commission adopts act

Question 24

How often are adequacy decisions reviewed?

Answer 24

At least every 4 years.

Question 25

What prompted **scrutiny** of **Safe Harbor**?

Answer 25

Edward **Snowden’s 2013 leaks** revealing NSA surveillance programs.

Question 26

Who is **Max Schrems**?

Answer 26

An Austrian **privacy advocate** who filed a complaint that led to the **Schrems I** decision.

Question 27

What **year** did the EU-US Privacy Shield go into effect?

Answer 27

2016

Question 28

What was the **Privacy Shield** intended to ensure?

Answer 28

That EU individuals could **exercise privacy rights** when their data was processed in the US.

Question 29

Which **agencies regulated businesses** under the Privacy Shield?

Answer 29

* FTC * Department of Transportation

Question 30

What is **Executive Order 14086**?

Answer 30

Addressed Schrems II concerns and reformed US surveillance practices. ## Footnote Issued in October 2022

Question 31

What **features** does the **EU-US Data Privacy Framework** introduce?

Answer 31

* Surveillance limited to necessity and proportionality * New data protection review court

Question 32

What are **Standard Contractual Clauses** (SCCs)?

Answer 32

Standardized, pre-approved contractual terms **permitting lawful transfer** of personal data from EU/EEA to third countries

Question 33

Who can **approve** a set of Standard Contractual Clauses?

Answer 33

* European Commission * A supervisory authority (subject to Commission approval)

Question 34

What is the **purpose** of **modular SCCs**?

Answer 34

To allow organizations to choose modules based on their **specific transfer roles** and responsibilities.

Question 35

What are the **4 SCC modules**?

Answer 35

1. Controller-to-controller 2. Controller-to-processor 3. Processor-to-processor 4. Processor-to-controller

Question 36

What **assessment** must accompany SCC use?

Answer 36

Transfer Impact Assessment | (TIA)

Question 37

What are the **steps** of a Transfer Impact Assessment? | (TIA)

Answer 37

* Know your transfer * Identify transfer tools * Assess tool’s efficacy * Adopt and implement supplementary measures * Re-evaluate periodically

Question 38

What is a **code of conduct** under GDPR?

Answer 38

A **voluntary** set of **sector-specific rules** developed by associations to aid compliance and d**emonstrate accountability**.

Question 39

Who must approve a GDPR **code of conduct**?

Answer 39

A competent **supervisory authority**

Question 40

What is the **process** for developing **a code of conduct**?

Answer 40

* Drafted by associations * Submitted to supervisory authority * Recognized by the European Commission for EU-wide validity

Question 41

What is the role of a **monitoring body** in a code of conduct?

Answer 41

**Ensure compliance oversight** and be accredited by the supervisory authority.

Question 42

What is a **certification mechanism** under GDPR?

Answer 42

A **voluntary**, formal process for **demonstrating compliance** with GDPR criteria.

Question 43

Who **assesses compliance** in a certification mechanism?

Answer 43

Accredited, **independent certification bodies**.

Question 44

What are the **steps** in the **certification process**?

Answer 44

* Preparation and gap analysis * Select scheme * Apply * Audit * Certification decision * Monitoring and renewal

Question 45

What are **examples** of well-known **certification schemes**?

Answer 45

* EuroPriSe * Europrivacy * EU GDPR Institute Certification

Question 46

What are **Binding Corporate Rules** (BCRs)?

Answer 46

Legally binding data protection policies for **multinational organizations** allowing lawful **intra-organizational** data transfers. ## Footnote Key: intra-organizational

Question 47

What is the '**consistency mechanism**' in BCRs?

Answer 47

A formal process where **DPAs cooperate** to ensure **GDPR is consistently applied** across the EU.

Question 48

**Who** must approve BCRs before use?

Answer 48

Data Protection Authorities | (DPAs)

Question 49

What is a **derogation** under GDPR?

Answer 49

An **exception** allowing personal data transfer to a third country **without adequacy decision or safeguards**.

Question 50

What are the **permissible conditions** for using derogations?

Answer 50

* Consent * Contract performance * Substantial public interest * Legal claims * Vital interests * Public registers * Non-repetitive transfer

Question 51

What qualifies as a **public register**?

Answer 51

Official record under EU/member state law accessible by the public. ## Footnote E.g., land titles, criminal records

Question 52

What is a **non-repetitive transfer**? | (NRT)

Answer 52

A limited, **one-off transfer** supported by compelling legitimate interests not overridden by data subject rights.

Question 53

What is the **objective** of **EDPB Guidelines 1/2024**?

Answer 53

To clarify **appropriate uses of legitimate interest** under Article 6(1)(f) GDPR and guide balancing assessments.