IAPP Glossary for CIPP/E

Question 1

Accountability

Answer 1

Afair information practicesprinciple, it is the idea that whenpersonal informationis to be transferred to another person or organization, the personal information controller should obtain the consent of the individual or exercise due diligence and take reasonable steps to ensure that the recipient person or organization will protect the information consistently with other fair use principles.

Question 2

Adequate Level of Protection

Answer 2

A label that the EU may apply to third-party countries who have committed to protect data through domestic law making or international commitments. Conferring of the label requires a proposal by theEuropean Commission, anArticle 29 Working GroupOpinion, an opinion of the article 31 Management Committee, a right of scrutiny by theEuropean Parliamentand adoption by the European Commission.

Question 3

Adverse Action

Answer 3

Under theFair Credit Reporting Act, the term “adverse action” is defined very broadly to include all business, credit and employment actions affecting consumers that can be considered to have a negative impact, such as denying or canceling credit or insurance, or denying employment or promotion. No adverse action occurs in a credit transaction where the creditor makes a counteroffer that is accepted by the consumer. Such an action requires that the decision maker furnish the recipient of the adverse action with a copy of the credit report leading to the adverse action.

Question 4

Annual Reports

Answer 4

The requirement under theEuropean Data Protection Directivethat member state data protection authorities report on their activities at regular intervals.

Question 5

Antidiscrimination Laws

Answer 5

Refers to the right of people to be treated equally.

Question 6

Article 29 Working Party

Answer 6

AEuropean Unionorganization that functions as an independent advisory body on data protection and privacy. While EU data protection laws are actually enforced by the nationalData Protection Authoritiesof EU member states.

Question 7

Authentication

Answer 7

The process by which an entity (such as a person or computer system) determines whether another entity is who it claims to be. Authentication identified as an individual based on some credential; i.e. a password,biometrics, etc. Authentication is different fromauthorization. Proper authentication ensures that a person is who he or she claims to be, but it says nothing about theaccess rightsof the individual.

Question 8

Background Screening/Checks

Answer 8

Verifying an applicant’s ability to function in the working environment as well as assuring the safety and security of existing workers. Background checks range from checking a person’s educational background to checking on past criminal activity.

Question 9

Behavioral Advertising

Answer 9

The act of tracking users’ online activities and then delivering ads or recommendations based upon the tracked activities. The most comprehensive form of targeted advertising. By building a profile on a user through their browsing habits such as sites they visit, articles read, searches made, ads previously clicked on, etc., advertising companies place ads pertaining to the known information about the user across all websites visited. Behavioral Advertising also usesdata aggregationto place ads on websites that a user may not have shown interest in, but similar individuals had shown interest in.

Question 10

Binding Corporate Rules

Answer 10

Legally binding internal corporate privacy rules for transferring personal information within a corporate group. BCRs are typically used by corporations that operate in multiple jurisdictions, and they are alternatives to theU.S.-EU Safe Harborand Model Contract Clauses. BCRs must be approved by the EUdata protection authoritiesof the member states in which the corporation operates.

Question 11

Binding Safe Processor Rules

Answer 11

Self-regulatory principles (similar toBinding Corporate Rules) for processors that are applicable to customer personal data. Once a supplier’s BSPR are approved, a supplier gains ”safe processor” status and its customers would be able to meet theEU Data Protection Directive’srequirements for international transfers in a similar manner as BCR allow. BSPR are currently being considered as a concept by theArticle 29 Working Partyand national authorities.

Question 12

Biometrics

Answer 12

Data concerning the intrinsic physical or behavioral characteristics of an individual. Examples include DNA, fingerprints, retina and iris patterns, voice, face, handwriting, keystroke technique and gait.

Question 13

Bodily Privacy

Answer 13

One of the four classes of privacy, along withinformation privacy,territorial privacyandcommunications privacy. It focuses on a person’s physical being and any invasion thereof. Such an invasion can take the form of genetic testing, drug testing or body cavity searches.

Question 14

Breach Disclosure

Answer 14

The requirement that adata controllernotify regulators and victims of incidents affecting theconfidentialityand security ofpersonal data. It is a transparency mechanism highlights operational failures, this helps mitigate damage and aids in the understanding of causes of failure.

Question 15

Bundesdatenschutzgesetz

Answer 15

A German national data protection law that including specific requirements for data services outsourcing agreements. The legislation contains ten specific requirements for outsourcing agreements: (1) Subject and duration of work; (2) the extent, type and purpose of data processing; (3) technical and organizational measures to be taken under section 9; (4) the rectification, erasure and blocking of data; (5) the processor’s section 4 obligations, particularly with regard to monitoring; (6) rights regarding subcontracting; (7) the controller’s monitoring rights; (8) the subcontractor’s notification obligations; (9) the extent of the controller’s authority to issue instructions to the processor; (10) the return and/or erasure of data by the processor at the conclusion of the work.

Question 16

Charter of Fundamental Rights

Answer 16

A treaty that consolidates human rights within theEU. The treaty states that everyone has a right to protect theirpersonal data, that data must be processed for legitimate and specified purposes and that compliance is subject to control by an authority.

Question 17

Children’s Online Privacy Protection Act (COPPA) of 1998

Answer 17

A U.S. federal law that applies to the operators of commercial websites and online services that are directed to children under the age of 13. It also applies to general audience websites and online services that have actual knowledge that they are collecting personal information from children under the age of 13. COPPA requires these website operators: to post aprivacy policyon the homepage of the website; provide notice about collection practices to parents; obtain verifiable parentalconsentbefore collecting personal information from children; give parents a choice as to whether their child’spersonal informationwill be disclosed to third parties; provide parents access and the opportunity to delete the child’s personal information andopt outof future collection or use of the information, and maintain theconfidentiality, security and integrity of personal information collected from children.

Question 18

Choice

Answer 18

An individual’s ability to determine whether or how theirpersonal informationmay be used or disclosed by the entity that collected the information. Also, the ability of an individual tolimitcertain uses of their personal information. For example; an individual may have choice about whether to permit a company to contact them or share their data with third parties. Can be express or implied.

Question 19

Closed Circuit Television

Answer 19

Systems of cameras, monitors and recording equipment that are not used for broadcasting but are connected to a closed network by cables. CCTV is used primarily forvideo surveillanceof premises.

Question 20

Cloud Computing

Answer 20

The storage of information on the Internet. Although it is an evolving concept, definitions typically include on-demand accessibility, scalability, and secure access from almost any location. Cloud storage presents unique security risks.

Question 21

Collection Limitation

Answer 21

Afair information practicesprinciple, it is the principle stating there should be limits to the collection ofpersonal data, that any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge orconsentof the data subject.

Question 22

Commercial Activity

Answer 22

UnderPIPEDA, “commercial activity” means any particular transaction, act or conduct, or any regular course of conduct, that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists. Non-profit associations, unions and private schools are likely to be found to exist outside of this definition.

Question 23

Communications Privacy

Answer 23

One of the four classes of privacy, along withinformation privacy,bodily privacyandterritorial privacy. It encompasses protection of the means of correspondence, including postal mail, telephone conversations, electronic e-mail and other forms of communicative behavior and apparatus.

Question 24

Comprehensive Laws

Answer 24

Laws that govern the collection, use and dissemination ofpersonal informationin the public and private sectors.

Question 25

Computer Forensics

Answer 25

The discipline of assessing and examining an information system for relevant clues even after it has been compromised by an exploit.

Question 26

Confidentiality

Answer 26

The obligation of an individual, organization or business to protect personal information and not misuse or wrongfully disclose that information.

Question 27

Consent

Answer 27

This privacy requirement is one of the fair information practices. Individuals must be able to prevent the collection of their personal data, unless the disclosure is required by law. If an individual has choice (see Choice) about the use or disclosure of his or her information, consent is the individuals’ way of giving permission for the use or disclosure. Consent may be affirmative; i.e., opt-in; or implied; i.e., the individual didn’t opt out. (1) Explicit Consent: A requirement that an individual "signifies" his or her agreement with a data controller by some active communication between the parties. According to the EU Data Protection Directive, explicit consent is required for processing of sensitive information. Further, data controllers cannot infer consent from non-response to a communication. (2) Implicit Consent: Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual.

Question 28

Convention 108

Answer 28

The first legally binding international instrument in the area of data protection. It requires signatories to take steps to ensure fundamental human rights with regard to the processing of personal information.

Question 29

Cookie

Answer 29

A small text file stored on a client machine that may later be retrieved by a web server from the machine. Cookies allow web servers to keep track of the end user’s browser activities, and connect individual web requests into a session. Cookies can also be used to prevent users from having to be authorized for every password protected page they access during a session by recording that they have successfully supplied their user name and password already. Cookies may be referred to as "first-party" (if they are placed by the website that is visited) or "third-party" (if they are placed by a party other than the visited website). Additionally, they may be referred to as "session cookies" if they are deleted when a session ends, or "persistent cookies" if they remain longer.

Question 30

Cookie Directive

Answer 30

Additions to the e-Privacy Directive where websites could allow users to opt out of cookies, such as by selecting a setting on their web browsers. Under the revision, member states are required to pass legislation that gives users the ability to opt in before cookies are placed on their computers.

Question 31

Copland v. United Kingdom

Answer 31

A case in which the European Court of Human Rights held that monitoring an applicant's e-mail at work was contrary to Article 8 of the Convention on Human Rights.

Question 32

Council of the European Union

Answer 32

The main decision-making body of the EU, it has a central role in both political and legislative decisions. The council was established by the treaties of the 1950s, which laid the foundations for the EU.

Question 33

Court of Justice of the European Union

Answer 33

The Court of Justice is the judicial body of the EU that makes decisions on issues of EU law and enforces European decisions either in respect to actions taken by the European Commission against a member state or actions taken by individuals to enforce their rights under EU law. The court is the judicial body of the EU that makes decisions on issues of EU law and enforces European decisions. Based in Luxembourg, the Court was set up in 1951, and was originally named the Court of Justice of the European Communities. The court is frequently confused with the ECHR, which oversees human rights laws across Europe, including in many non-EU countries, and is not linked to the EU institutions.

Question 34

Customer Access

Answer 34

A customer’s ability to access the personal information collected on them as well as review, correct or delete any incorrect information.

Question 35

Customer Information

Answer 35

In contrast to employee information, customer information includes data relating to the clients of private-sector organizations, patients within the healthcare sector and the general public within the context of public-sector agencies that provide services.

Question 36

Data Breach

Answer 36

The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a data collector. Breaches do not include good faith acquisitions of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector—provided the personal information is not used for a purpose unrelated to the data collector's business or subject to further unauthorized disclosure.

Question 37

Data Controller

Answer 37

An entity that has the authority over the processing of personal information. This entity is the focus of most obligations under privacy and data protection laws. It controls the use of personal data by determining the purposes for its use and the manner in which the data will be processed. The data controller may be an individual or an organization that is legally treated as an individual, such as a corporation or partnership.

Question 38

Data Elements

Answer 38

The different types of personal information processed by data processors. Typical data elements include name, date of birth and numerical identifiers. Organizational data elements tied to both individuals as well as organizations include business addresses, business phone numbers, business e-mail addresses and related information.

Question 39

Data Processing

Answer 39

Any operation or set of operations which is performed on personal data, such as collecting; recording; organizing; storing; adapting or altering; retrieving; consulting; using; disclosing by transmission, dissemination or otherwise making the data available; aligning or combining data, or blocking, erasing or destroying data. Not limited to automatic means.

Question 40

Data Processor

Answer 40

An individual or organization that processes data on behalf of the data controller. Although they are often third-party providers, a data controller can also be a data processor.

Question 41

Data Protection Authority

Answer 41

An official or body that ensures compliance with data protection laws and investigates alleged breaches of the laws’ provisions.

Question 42

Data Protection Commissioner

Answer 42

The person responsible for the enforcement and monitoring of compliance with data protection legislation, including Data Protection Acts. Commissioners are also responsible for investigating breaches of the legislation and prosecuting the senders of spam e-mails and text messages pursuant to SI 535/2003. Only one such prosecution has occurred to date. In the UK, this function is carried out by the Information Commissioner.

Question 43

Data Protection Directive

Answer 43

See EU Data Protection Directive

Question 44

Data Quality

Answer 44

A fair information practices principle, it is the principle that personal data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date. The quality of data is judged by four criteria: Does it meet the business needs?; Is it accurate?; Is it complete?, and is it recent? Data is of an appropriate quality if these criteria are satisfied for a particular application.

Question 45

Data Recipient

Answer 45

A natural or legal person, public authority, agency or any other body which processes personal data on behalf of the data controller.

Question 46

Data Retention Directive

Answer 46

This directive is designed to align the rules on data retention across the EU member states. It applies to traffic and location data but not to the actual content of communications of both individuals and organizations.

Question 47

Data Subject

Answer 47

The individual about whom information is being processed, such as the patient at a medical facility, the employee of a company or the customer of a retail store.

Question 48

De-identification

Answer 48

An action that one takes to remove identifying characteristics from data. De-identified data is information that does not actually identify an individual. Some laws require specific identifiers to be removed (See HIPAA 165.514(b)(2)). Hashing is not enough to de-identify data

Question 49

Derogation

Answer 49

The action by which an EU member state may deviate from certain directives, instead relying upon the domestic laws of member states.

Question 50

Direct Marketing

Answer 50

When the seller directly contacts an individual, in contrast to marketing through mass media such as television or radio.

Question 51

Do Not Track

Answer 51

A proposed regulatory policy, similar to the existing Do Not Call Registry in the United States, which would allow consumers to opt out of web-usage tracking.

Question 52

Durant v. Financial Services Authority

Answer 52

A court case in which the Court of Appeal of the United Kingdom narrowed the definition of personal data. It established a two-stage test; the information must be biographical in a significant sense and the individual must be the focus of the information.

Question 53

Electronic Communications Data

Answer 53

Consists of three main categories of personal data: the content of a communication, traffic data, and location data.

Question 54

Electronic Communications Network

Answer 54

Transmission systems, and, where applicable, switching or routing equipment and other resources that permit the conveyance of signals by wire, radio, optical or other electromagnetic means, including satellite networks; fixed and mobile terrestrial networks; electricity cable systems, to the extent that they are used for the purpose of transmitting signals; networks used for radio and television broadcasting, and cable television networks, irrespective of the type of information conveyed.

Question 55

Electronic Communications Service

Answer 55

Any service which provides to users thereof the ability to send or receive wire or electronic communications.

Question 56

Employee Personal Data

Answer 56

A high level of protection is required for employee personal data in the EU. The notice and choice principles of the EU Directive should be honored for all employee data, meaning that an employee should be given notice of the company’s intent to share the information and give the employee the choice not to share this information.

Question 57

Encryption

Answer 57

The process of obscuring information, often through the use of a cryptographic scheme in order to make the information unreadable without special knowledge; i.e., the use of code keys.

Question 58

Established Service Provider

Answer 58

Under the E-Commerce Directive, an established service provider is a service provider who effectively pursues an economic activity using a fixed establishment for an indefinite period. The presence and use of the technical means and technologies required to provide the service do not, in themselves, constitute an establishment of the provider.

Question 59

EU Data Protection Directive

Answer 59

Several directives deal with personal data usage in the EU, but the most overarching is the general policy approved by the European Commission in 1995 (95/46EC) which protects individuals’ privacy and personal data use. The Directive was adopted in 1995, became effective in 1998 and protects individuals’ privacy and personal data use. The Directive recognizes the European view that privacy is a fundamental human right and establishes a general comprehensive legal framework that is aimed at protecting individuals and promoting individual choice regarding the processing of personal data. The Directive imposes an onerous set of requirements on any person that collects or processes data pertaining to individuals in their personal or professional capacity. It is based on a set of data protection principles, which include the legitimate basis, purpose limitation, data quality, proportionality and transparency principles, data security and confidentiality, data subjects’ rights of access, rectification, deletion and objection, restrictions on onwards transfers, additional protection where special categories of data and direct marketing are involved and a prohibition on automated individual decisions. The Directive applies to all sectors of industry, from financial institutions to consumer goods companies, and from list brokers to any employer. The Directive’s key provisions impose severe restrictions on personal data processing, grant individual rights to “data subjects” and set forth specific procedural obligations including notification to national authorities. This was followed in 1997 by a more specific directive for the telecom sector (97/66/EC), which was replaced in mid-2002 by the European institutions to adapt it to new technologies and business practices (2002/58/EC). The Directive has been supplemented by additional directives including a specific provision for e-commerce. This directive will be replaced by the General Data Protection Regulation.

Question 60

EU Data Retention Directive

Answer 60

See Data Retention Directive

Question 61

European Commission

Answer 61

The executive body of the European Union. Its main function is to implement the EU’s decisions and policies, along with other functions. It is also responsible for making adequacy determinations with regard to data transfers to third-party countries.

Question 62

European Convention for the Protection of Human Rights and Fundamental Freedoms

Answer 62

A European convention that sought to secure the recognition and observance of the rights enunciated by the United Nations. The Convention provides that “(e)veryone has the right to respect for his private and family life, his home and his correspondence.” Article 8 of the Convention limits a public authority’s interference with an individual’s right to privacy, but acknowledges an exception for actions in accordance with the law and necessary to preserve a democratic society.

Question 63

European Convention on Human Rights

Answer 63

An international treaty among European states to protect human rights and fundamental freedoms. It applies only to member states.

Question 64

European Council

Answer 64

A forum where heads of state meet four times a year to define priorities and set political direction for the EU.

Question 65

European Court of Human Rights

Answer 65

An international court that oversees the European Convention on Human Rights and Fundamental Freedoms of 1950. The court is based in Strasbourg, France, and was set up in 1959.

Question 66

European Data Protection Supervisor

Answer 66

The EDPS is the data protection regulator for the EU as an entity. Established by EU regulation, the EDPS ensures that the institutions of the EU; i.e., the commission, council, Parliament, etc., respect the fundamental rights and freedoms of individuals, particularly their rights to privacy. Specifically, the job of the EDPS is to ”monitor the application of the provisions of this Regulation to all processing operations carried out by a Community institution or body.”

Question 67

European Economic Area

Answer 67

An economic region that includes the European Union (EU) and Iceland, Norway and Liechtenstein—which are not official members of the EU but are closely linked by economic relationship. Non-EU countries in the EEA are required to adopt EU legislation regarding the single market.

Question 68

European Economic Community

Answer 68

Created by the Treaty of Rome, the EEC was a predecessor to the European Union that promoted a single economic market across Europe.

Question 69

European Parliament

Answer 69

The only EU institution whose members are directly elected by member states, Parliament has four responsibilities—legislative development, supervisory oversight of other institutions, democratic representation and budget development.

Question 70

European Union

Answer 70

The European Union replaced the EEC, created by the Treaty of Rome, the EEC promoted a single economic market across Europe. The EU is comprised of 28 member states including Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the United Kingdom. Candidates include the Former Yugoslav Republic of Macedonia, Iceland, Montenegro, Serbia and Turkey.

Question 71

EU-U.S. Safe Harbor Agreement

Answer 71

An agreement between the EU and U.S. under which data may be exported to the U.S. in compliance with the EU Directive on Data Protection. Within a safe harbor agreement a data processor must abide by seven principles that and self-certify the compliance with to the Department of Commerce. These principles are notice, choice, consent to onward transfer, security, integrity, access, and enforcement. Certifying oneself as abiding by the Safe Harbor Framework without full compliance may be considered a deceptive trade practice under section 5 of the FTC Act. In 2015, the European Court of Justice invalidated Safe Harbor. The EU and the U.S. have a new agreement called the EU-U.S. Privacy Shield. Reference(s) in IAPP Certification Textbooks: F39-41; US19; C114; E295

Question 72

Factortame

Answer 72

A 1989 case brought before the European Court of Justice which established the precedence of EU law over national laws of member states in areas where the EU has competence.

Question 73

Fair Credit Reporting Act, The

Answer 73

One of the oldest U.S. federal privacy laws still in force today. It was enacted in 1970 to mandate accurate and relevant data collection, give consumers the ability access and correct their information, and limit the use of consumer reports to permissible purposes, such as employment and extension of credit or insurance.

Question 74

Fairness

Answer 74

One of two requirements established by the EU Data Protection Directive for the processing of personal data. In order to be considered fair, the data controller must provide specific information to the data subject prior to processing.

Question 75

Federal Trade Commission

Answer 75

The United States' primary consumer protection agency, the FTC collects complaints about companies, business practices and identity theft under the FTC Act and other laws that they enforce or administer. Importantly, the FTC brings actions under Section 5 of the FTC Act, which prohibits unfair and deceptive trade practices.

Question 76

Four Classes of Privacy

Answer 76

Four main areas of privacy are of particular interest with regard to data protection and privacy laws and practices: information privacy, bodily privacy, territorial privacy, and communications privacy.

Question 77

Freely-Given Consent

Answer 77

Consent that is given when the data subject has a genuine choice and there is no risk of coercion, deception, or intimidation if the data subject does not consent.

Question 78

Gaskin v. United Kingdom

Answer 78

A court case in which it was decided the restriction of an applicant’s access to their file was contrary to article 8 of the European Convention on Human Rights.

Question 79

GET Method

Answer 79

The GET and POST HTML method attributes specify how form data is sent to a web page. The GET method appends the form data to the URL in name/value pairs allowing passwords and other sensitive information collected in a form to be visible in the browser’s address bar, and is thus less secure than the POST method.

Question 80

Global Privacy Enforcement Network

Answer 80

GPEN aims to promote cross-border information sharing as well as investigation and enforcement cooperation among privacy authorities around the world. Another cross-border enforcement cooperation effort is the Asia-Pacific Economic Cooperation

Question 81

Haralambie v. Romania

Answer 81

A court case claiming that the Romanian government violated Article 8 of the European Convention on Human Rights by placing of obstacles in the way of an applicant when he sought access to the file on him drawn up by the Communist government's secret service.

Question 82

Individual Participation

Answer 82

A fair information practices principle, it is the principle that an individual should have the right: a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; b) to have data relating to him communicated to him within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner, and in a form that is readily intelligible to him; c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.

Question 83

Information Life Cycle

Answer 83

Collection, processing, use, disclosure, retention, and destruction.

Question 84

Information Privacy

Answer 84

One of the four classes of privacy, along with territorial privacy, bodily privacy, and communications privacy. The claim of individuals, groups or institutions to determine for themselves when, how and to what extent information about them is communicated to others.

Question 85

Information Security

Answer 85

The protection of information for the purposes of preventing loss, unauthorized access and/or misuse. It is also the process of assessing threats and risks to information and the procedures and controls to preserve confidentiality, integrity and availability of information.

Question 86

International Data Transfers

Answer 86

The transmission of personal information from one jurisdiction to another. Many jurisdictions, most notably the European Union, place significant restrictions on such transfers. The EU requires that the receiving jurisdiction be judged to have “adequate” data protection practices.

Question 87

Internet Service Provider

Answer 87

A company that provides Internet access to homes and businesses through modem dial-up, DSL, cable modem broadband, dedicated T1/T3 lines or wireless connections.

Question 88

ISO 27002

Answer 88

The ISO (International Organization for Standardization) 27002 standard is a code of practice for information security with hundreds of potential controls and control mechanisms. The standard is intended to provide a guide for the development of "organizational security standards and effective security management practices and to help build confidence in inter-organizational activities".

Question 89

Law Enforcement Authority

Answer 89

A body sanctioned by local, regional or national governments to enforce laws and apprehend those who break them. In Europe, public law enforcement authorities are governed by strict rules of criminal procedure designed to protect the fundamental human right to privacy enshrined in Article 8 of the European Convention on Human Rights (ECHR).

Question 90

Lawfulness

Answer 90

According to the EU Data Protection Directive, processing of personal data must meet two specific requirements; fairness and lawfulness. Lawfulness suggests a community-wide set of norms enforceable by the intervention of the state. In order to be lawful, processing must meet all legal requirements.

Question 91

Layered Notice

Answer 91

A privacy notice designed to respond to problems with a excessively long notices. A short notice—the top layer—provides a user with the key elements of the privacy notice. The full notice—the bottom layer—covers all the intricacies in full. In Europe, the Article 29 Working Party recommends three layers: a short notice, a condensed notice and a full notice.

Question 92

Layered Security Policy

Answer 92

A layered approach defines three levels of security policies. The top layer is a high-level document containing the controller’s policy statement. The next layer is a more detailed document that sets out the controls that will be implemented to achieve the policy statements. The third layer is the most detailed and contains the operating procedures, which explain how the policy statements will be achieved in practice.

Question 93

Legitimate Interests of Controller

Answer 93

One of several legitimate processing criteria required by the EU Data Protection Directive. This rather broad criteria states “Processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data is disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject, which require protection under Article 1(1).”

Question 94

Legitimate Processing Criteria

Answer 94

To process data in compliance with EU data protection law, a controller must be able to base the processing activity on at least one legitimate criteria derived from the Data Protection Directive. These criteria are consent, necessity, contract requirement, legal obligation, protection of data subject, public interest and legitimate interests of the controller.

Question 95

Lindqvist Judgement

Answer 95

A case in which the European Court of Justice ruled that a woman who identified and included information about fellow church volunteers on her website was in breach of the Data Protection Directive 95/46/EC. The ECJ held that the creation of a personal website was not a personal activity allowing the woman to be exempted from the data protection rules.

Question 96

Location-Based Service

Answer 96

Services that utilize information about location to deliver, in various contexts, a wide array of applications and services, including social networking, gaming and entertainment. Such services typically rely upon GPS, RFID or similar technologies in which geolocation is used to identify the real-world geographic location of an object, such as a cell phone or an Internet-connected computer terminal.

Question 97

Madrid Resolution

Answer 97

A resolution that was adopted by the International Conference of Data Protection and Privacy Commissioners, consisting of 80 data protection authorities from 42 countries around the world, including members of the Article 29 Working Party. Principles include: lawfulness and fairness; purpose specification; proportionality; data quality; openness; accountability.

Question 98

Members of the European Parliament

Answer 98

MEPs have the right to propose written and oral questions to the European Council and the European Commission providing another layer of oversight in the legislative process.

Question 99

Multi-Factor Authentication

Answer 99

The authentication of a user by multiple means. This is typically accomplished by a requirement for both a password and at least one other form of authentication such as a pass card, biometric scan or an "out of band" means such as a phone call.

Question 100

Notification (EU)

Answer 100

(Three-fold purpose) The process by which information about data controllers and their personal dataprocessing operations comes to be included in a publicly-accessible register maintained by the relevant national DPA.

Question 101

OECD Guidelines

Answer 101

(1)The Collection Limitation Principle. There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject. (2)The Data Quality Principle. Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date. (3)The Purpose Specification Principle. The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose. (4)The Use LimitationPrinciple. Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with Paragraph 8 (below) except a) with the consent of the data subject; or b) by the authority of law. (5)The Security Safeguards Principle. Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data. (6)The Openness Principle. There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller. (7)The Individual Participation Principle. An individual should have the right: a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; b) to have data relating to him communicated to him, within a reasonable time, at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him; c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial, and d) to challenge data relating to him and, if the challenge is successful to have the data erased, rectified, completed or amended.(8) The Accountability Principle. A data controller should be accountable for complying with measures which give effect to the principles stated above.

Question 102

Omnibus Laws

Answer 102

Laws in which the government has defined requirements throughout the economy including public-sector, private-sector and health-sector.

Question 103

Online Behavioral Advertising

Answer 103

Websites or online advertising services that engage in the tracking or analysis of search terms, browser or user profiles, preferences, demographics, online activity, offline activity, location data, etc., and offer advertising based on that tracking.

Question 104

Openness

Answer 104

A fair information practices principle, it is the principle that there should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available to establish the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.

Question 105

Opinion 1/2003

Answer 105

An Article 29 Working Party opinion on the storage of traffic data for billing purposes that recommends that telecommunications service providers ordinarily store personal traffic data for a maximum period of three to six months, except for disputed cases, where data may be processed for longer. Link to text of: Opinion 1/2003

Question 106

Opinion 1/2008

Answer 106

Reference(s) in I | APP Certification Textbooks: E91

Question 107

Opinion 1/2010

Answer 107

Link to text of: Opinion 1/2003

Question 108

Opinion 2/2010

Answer 108

Return to top

Question 109

Opinion 4/2007

Answer 109

add

Question 110

Opt-Out

Answer 110

Opinion 1/2008

Question 111

Outsourcing

Answer 111

An Article 29 Working Party opinion that advises search engine providers to keep data for a maximum period of six months and to provide justifications for such retention periods. Therefore, when search engine providers intend to keep data for longer than six months, the Article 29 Working Party recommends they demonstrate comprehensively that it is strictly necessary for the service.

Question 112

Perimeter Controls

Answer 112

Reference(s) in IAPP Certification Textbooks: E91

Question 113

Personal Data

Answer 113

Link to text of: Opinion 1/2008

Question 114

Personal Information

Answer 114

Return to top

Question 115

Policy Framework

Answer 115

add

Question 116

Postal Marketing

Answer 116

Opinion 1/2010

Question 117

Privacy by Design

Answer 117

A 2010 Article 29 Working Party opinion on the concepts of "controller" and "processor" that provides assistance to organisations operating in the European Union when engaging service providers and when acting as a service provider. The distinction between controller and processor is crucial as it determines who is responsible for compliance with data protection law and dealing with data subjects’ rights, the applicable law and the enforcement actions of data protection authorities.

Question 118

Privacy Notice

Answer 118

Link to text of: Opinion 1/2010

Question 119

Privacy Officer

Answer 119

Return to top

Question 120

Privacy Policy

Answer 120

add

Question 121

Public Law Enforcement Authorities

Answer 121

Opinion 2/2010

Question 122

Purpose Limitation

Answer 122

An Article 29 Working Party on online behavioural advertising adopted on 22 June 2010, the Article 29 Working Party states that Article 6(1)(e) requires data to be deleted when it is no longer necessary for the purpose for which the data was collected. Compliance with this principle requires limiting the storage of information. Accordingly, it states that companies must specify and respect express timeframes under which data will be retained. Pursuant to this, information about users’ behaviour has to be eliminated if it is no longer needed for the development of a profile.

Question 123

Purpose Specification

Answer 123

Reference(s) in IAPP Certification Textbooks: E91

Question 124

Radio-Frequency Identification

Answer 124

Link to text of: Opinion 2/2010

Question 125

Rectification

Answer 125

Return to top

Question 126

Re-identification

Answer 126

add

Question 127

Right Not To Be Subject to Fully Automated Decisions

Answer 127

Opinion 4/2007

Question 128

Right To Be Forgotten

Answer 128

An Article 29 Working Group opinion the concept of personal data, the European Union aimed for a ‘wide notion’ of the concept of personal data so as to include all information concerning an identifiable individual. On that basis, the concept embraces considerable amounts of information, even where the link between such information and an identifiable individual is tenuous.

Question 129

Right to Object

Answer 129

Link to text of: Opinion 4/2007

Question 130

Right to Rectification, Erasure or Blocking

Answer 130

Return to top

Question 131

Safe Harbor

Answer 131

add

Question 132

Security Safeguards

Answer 132

Opt-In

Question 133

Six Major European Union Institutions, The

Answer 133

One of two central concepts of choice. It means an individual makes an active affirmative indication of choice; i.e., checking a box signaling a desire to share his or her information with third parties.

Question 134

SPAM

Answer 134

Reference(s) in IAPP Certification Textbooks: F16; US38-40; C116-117; E136; G171

Question 135

Special Categories of Data

Answer 135

Associated term(s): Choice; Consent; Opt-Out

Question 136

Standard Model Clauses

Answer 136

Return to top

Question 137

Traffic Data

Answer 137

add

Question 138

Transit

Answer 138

Opt-Out

Question 139

Treaty of Lisbon

Answer 139

One of two central concepts of choice. It means that an individual’s lack of action implies that a choice has been made; i.e., unless an individual checks or unchecks a box, his or her information will be shared with third parties.

Question 140

Unambiguous Consent

Answer 140

Reference(s) in IAPP Certification Textbooks: F16; US38-40; C116-117; E136

Question 141

Universal Declaration of Human Rights

Answer 141

Associated term(s): Choice; Consent; Opt-In

Question 142

Use Limitation

Answer 142

Return to top

Question 143

WebTrust

Answer 143

add

Question 144

Works Councils

Answer 144

Organization for Economic Cooperation and Development