Module 5: Privacy & Data protection

Question 1

What is the right to privacy?

Answer 1

The right to be let alone; Freedom from any unauthorized intrusion or interference by public and private bodies into private life.

Question 2

What is the right to data protection?

Answer 2

Based on the concept of personal data; ensures that individuals have control over their personal data and how it is collected, used, and shared.

Question 3

What is the GDPR?

Answer 3

The General Data Procection Regulation. Applies to the processing of personal data wholly or partly by automated means.

Question 4

What is processing of personal data?

Answer 4

Any operation (or set of operations) which is performed on personal data (or on sets of personal data).

Question 5

What is personal data?

Answer 5

Any information relating to an identified or identifiable natural person (‘data subject’).

(no deceased person)

Question 6

What is pseudonomynous data?

Answer 6

The processing of personal data in such a way that this data can no longer be attributed to a specific individual, without the use of additional information.

Question 7

How does pseudonymisation differ from anonymisation?

Answer 7

Anonymisation processes the data so that it irreversibly can’t be related to an identifiable individual in any way.
Anonymous data isn’t personal, but pseudonomynous data is!

Question 8

What are exceptions to the GDPR?

Answer 8

1. With an activity which falls outside the scope of EU law.
2. By the Member States when performing Common Foreign and Security Policy activities.
   3. By a natural person in the course of a purely personal or household activity.
3. By competent authorities for the purposes of the prevention, investigation, detection
   or prosecution of criminal offences or the execution of criminal penalties, including
   the safeguarding against and the prevention of threats to public security

Question 9

What is the territorial scope of the GDPR?

Answer 9

The GDPR still applies if:
1. It is linked to an EU establishment, even if processing happens outside the EU.
2. Non-EU established organizations are subject to the GDPR where they process
personal data concerning EU data subjects in connection with the offering of
goods or services or monitoring their behavior within the EU.

Question 10

What counts as an EU establishment?

Answer 10

When it exercises a real and effective activity through stable arrangements in the EU.

Question 11

What is a controller?

Answer 11

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Question 12

What is a processor?

Answer 12

A natural or legalperson, public authority, agency or other body which processes personal data on behalf of the controller.

Question 13

What is a Data Protection Officer?

Answer 13

Impartial figure that advices that processing is done safely and complies to the GDPR.

Question 14

What are Data Protection Authorities?

Answer 14

Enforce compliance to GDPR.

Question 15

What are the 7 Data protection principles?

Answer 15

1. Lawfulness, fairness and transparency
2. Purpose limitation
3. Data minimisation
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality
7. Accountability

Question 16

What does Lawfulness, transparency and fairness entail?

Answer 16

1. Lawfulness: a legal ground is required to justify the processing of personal data.
2. Transparency: data subjects need to be informed about how their personal data are processed in clear and simple language.
3. Fairness: personal data must be processed in a transparent and even ethical manner.

Question 17

What does Purpose limitation entail?

Answer 17

Data controllers must determine, in advance of any processing, why they want to process certain personal data.

Question 18

What does Data minimisation entail?

Answer 18

Data controllers should use as few personal data as possible for a specific purpose.
Irrelevant data should be deleted ASAP!

Question 19

What does Accuracy entail?

Answer 19

Data controllers must make sure that the personal data they process are accurate and up to date.

Question 20

What does Storage limitation entail?

Answer 20

Data controllers need to establish time limits for keeping the data and erasing them permanently when they are no longer necessary (data retention).

Question 21

What does Integrity and confidentiality entail?

Answer 21

Data controllers need to make sure that the processing of personal data ensures adequate security, by putting in place technical and organizational measures.
Data breach must be notified to Authority and sometimes subjects!

Question 22

What does Accountability entail?

Answer 22

Data controllers are responsible for compliance with data protection law rules and must be able to demonstrate compliance (for example by keeping a record of all processing activities).
Risk assessment is needed!

Question 23

What are 6 legitimate grounds for processing personal data?

Answer 23

1. Consent
2. Contract (processing must be necessary for fulfilling the contract!)
3. Legal obligation
4. Vital interests (to save the life of a data subject, like needing blood type)
5. Public interest
6. Legitimate interest (eg preventing fraud, security)

Question 24

What are the 5 requirements for valid consent?

Answer 24

1. Freely given
2. Specific (granular consent is also possible)
3. Informed
4. Unambiguous (no reasonable doubt)
5. Provable

Question 25

What is special personal data? | And how does it differ from 'normal' personal data?

Answer 25

Sensitive data that *reveal* religious beliefs, political beliefs, trade union membership, race/ethnic origin, sex life or sexual orientation, health data, biometric data, genetic data. **Processing this data is prohibited unless there is explicit consent!**

Question 26

What are 3 important questions when determining **legitimate interest**?

Answer 26

1. Is it **actually** legitimate? (eg. security, fraud prevention, research) 2. Is processing **necessary** to achieve this interest? (or can it be done without personal data) 3. Does the interest **override** the interest of the data subject (eg. positive / negative, high risk)

Question 27

What is the most important job of a Data controller?

Answer 27

**Assessing the risk** of processing and making sure all appropriate measures are in place. Basically upholding the **7 data protection principles**

Question 28

What are the 8 **data subject rights**?

Answer 28

1. Right to be informed 2. Right of access (confirmation if data is processed and how) 3. Right to rectification (of inaccurate data) 4. Right to be forgotten 5. Right to restrict processing (temporarily) 6. Right to data portability (transferring to different controller, eg. Apple Music to Spotify) 7. Right to object to processing 8. Rights in relation to **automated decision making** and **profiling**

Question 29

What are exceptions for the **right to be forgotten**?

Answer 29

Legal obligation/ reasons, **public interest**, archiving/ scientific purposes.

Question 30

What are the 2 conditions for **right to data portability**?

Answer 30

1. Processing has to be based on **consent** or **contract** 2. Processing has to be **automated**

Question 31

What are requirements to allow **International data transfers**?

Answer 31

**Adequacy decision** OR **appropriate safeguards** (in absence of the first)

Question 32

What are **adequacy decisions**?

Answer 32

Countries need to have **essentially equivalent** data protection laws as the EU. Companies based in those countries have free flow of personal data. **Needs to be issued by the EU!**

Question 33

Name Appropriate safeguards

Answer 33

1. Binding corporate rules (approved by Data Protection Authority) 2. Standard data protection clauses (needs to be approved) 3. Approved code of conducts 4. Approved certification mechanism