Module 3 Flashcards

(21 cards)

1
Q

European Union’s General Data Protection Regulation (or GDPR)

A

is significant for U.S. companies, as many must comply with its privacy requirements. Fines for violating those requirements are scaled to an organization’s annual worldwide turnover (up to 4 percent of turnover or €20 million, whichever is higher), so a penalty has a substantial impact regardless of the organization’s size.

2
Q

GDPR Territorial scope

A

The GDPR applies to the processing of personal data:
1 by a controller or processor established in the EU, regardless of whether the processing itself takes place in the EU
2 of data subjects who are in the EU, where the processing relates to offering them goods or services or to monitoring their behaviour, regardless of whether the controller or processor is established in the EU
3 by a controller not established in the EU but in a place where EU member state law applies by virtue of public international law

3
Q

GDPR Material scope

A

The GDPR applies to the processing of personal data:
1 wholly or partly by automated means, i.e., any processing operation performed without or partly without human intervention
2 by non-automated means, where the data forms (or is intended to form) part of a filing system

4
Q

GDPR Cross-border data transfers

A

Adequacy decisions, Ad hoc contracts, Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), codes of conduct or self-certification mechanisms

5
Q

Adequacy decisions

A

A decision by the European Commission that another country’s data protection laws provide an “adequate” level of protection, so personal data may flow to that country without further safeguards. The EU-U.S. Privacy Shield was an example of an adequacy decision; the Court of Justice of the EU invalidated it in July 2020 (Schrems II), and it has since been replaced by the EU-U.S. Data Privacy Framework (adequacy decision adopted in July 2023).

6
Q

Ad hoc contracts

A

Contracts negotiated between the data exporter and importer may also be used as a transfer safeguard, but they must receive prior approval from the competent supervisory authority, which makes them a less attractive option for controllers than pre-approved mechanisms such as Standard Contractual Clauses.

7
Q

Standard Contractual Clauses

A

also known as model clauses: contract language pre-approved by the European Commission that organizations incorporate into their agreements with the data importer to facilitate cross-border transfers without separate supervisory authority approval.

8
Q

Binding Corporate Rules

A

are legally binding internal corporate privacy rules for transferring personal information within a corporate group. They are typically used by corporations that operate in multiple jurisdictions. Under the GDPR, BCRs require approval from the competent supervisory authority.

9
Q

Codes of conduct/self-certification mechanisms

A

Mechanisms that let a company demonstrate to regulators and consumers that it adheres to defined information privacy standards. Like codes of conduct, certification is available to controllers and processors outside the EU, provided they make binding and enforceable commitments, by contractual or other legally binding instruments, to apply the required data protection safeguards.

10
Q

EU-U.S. Privacy Shield

A

was a voluntary self-certification program intended to assure adequate protection for the personal data of data subjects in the EU when transferred to the U.S. To qualify, an organization had to fall under the enforcement authority of the U.S. Federal Trade Commission or another U.S. agency (in practice, the Department of Transportation). The framework was invalidated by the Court of Justice of the EU in July 2020 (Schrems II); its successor is the EU-U.S. Data Privacy Framework.

11
Q

The Privacy Shield requirements

A

• Commit to the U.S. Department of Commerce to adhere to the Privacy Shield Principles
• Publicize that commitment
• Publicly disclose the organization’s privacy policy
• Implement the Principles
• Annually renew the certification, including verification of ongoing compliance with the Principles

12
Q

The Privacy Shield Principles are

A

• Notice
• Choice
• Accountability for onward transfers (to countries outside the European Economic Area) and vendor agreements
• Security
• Data integrity and purpose limitation
• Access
• Recourse, enforcement and liability

13
Q

data protection officer (or DPO).

A

Must be designated by public authorities and by controllers or processors whose core activities involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data or of data relating to criminal convictions and offences. The DPO’s duties include:
• Working closely with regulators to help ensure compliance
• Training staff on proper data-handling practices
• Keeping informed of changes in law and technology
• Building, implementing and managing privacy programs

14
Q

Data breach notification obligations

A

The controller must notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where notification is not made within 72 hours, the reasons for the delay must accompany it. A processor must notify the controller without undue delay after becoming aware of a breach.

15
Q

Data subjects - Breach

A

must be notified of a personal data breach without undue delay, in clear and plain language, if the breach is likely to result in a high risk to their rights and freedoms.

16
Q

True or false? An organization that does not process personal data that forms part of a filing system, nor processes personal data by automated means, but does process personal data in a place where member state law applies is subject to the GDPR.

A

False. Territorial scope alone is not enough; the processing must also fall within the GDPR’s material scope, which covers processing wholly or partly by automated means or non-automated processing of data that forms (or is intended to form) part of a filing system.

17
Q

The EU-U.S. Privacy Shield is what type of cross-border data transfer mechanism?

A

Adequacy decision

18
Q

Name 3 Principles of the EU-U.S. Privacy Shield.

A

Notice
Accountability for onward transfers
Data integrity and purpose limitation

19
Q

True or false? Under the GDPR, both controllers and processors have record-keeping obligations.

A

True. Controllers must maintain records of their processing activities, and processors must maintain records of the categories of processing carried out on behalf of each controller; both must make the records available to the supervisory authority on request.

20
Q

Name 4 data subject rights under the GDPR.

A

Data portability
Rectification of inaccurate or incomplete personal data
Erasure
Restriction of processing

21
Q

True or false? Under the GDPR, the controller is obligated to notify the supervisory authority of a personal data breach without undue delay (and within 72 hours of becoming aware of it) if the breach is likely to result in a risk for the rights and freedoms of natural persons.

A

True. The 72-hour window runs from the moment the controller becomes aware of the breach; only breaches unlikely to result in a risk to individuals are exempt from notification.