CIPP/E Privacy book chapters 9+10+11 (notes on Directive 95/46/EC, Articles 12-17), 2023/2024

The right of access (Article 12) - correct answers Member states shall guarantee that every data subject has the right to obtain from the controller, without constraint, at reasonable intervals (typically once a year) and without excessive delay or expense: (1) a description of the processing (the purposes, the categories of data, the recipients or categories of recipients, and the logic involved in any automated decisions) and (2) communication, in an intelligible form, of the data undergoing processing and of any available information as to its source.

Information about the processing - correct answers Data subjects must be provided with accurate and full information, bearing in mind the circumstances of the collection. Where the processing is unusual or not obvious, a more detailed description may be required. Controllers may provide a general description of the system rather than specific information.

Communication of the data and of its source - correct answers Mostly interpreted as a right to obtain a copy of the data. The controller may instead allow access to the data on the controller's premises or online. An exemption applies where providing a copy is not possible or would involve disproportionate effort (the cost, the length of time, the difficulty, the size of the organization and the effect on the individual are all relevant). The data must be given in an intelligible form: any codes or abbreviations must be explained, and the information should be capable of being understood by the average person. A strict reading of the article would permit a controller to produce a summary of the information being processed rather than disclose the actual documents.

The right of access (Article 12) - exemptions - correct answers Article 13: where a restriction constitutes a necessary measure to safeguard national security, defence, public security, etc.

The general right to object (Article 14) - correct answers The data subject must be justified in making the objection on compelling and legitimate grounds, taking into account all of the circumstances of his particular situation.

The right to object to direct marketing - correct answers Member states must grant individuals the right, at no cost and without having to state reasons, either (1) to object to the processing of their data for the purposes of direct marketing, or (2) to be informed before their data are disclosed to third parties for the first time or used on their behalf for direct marketing, and to be expressly offered the right to object to such disclosure or use.

The right to object to e-marketing - correct answers The e-Privacy Directive establishes a separate regime for marketing by telephone, e-mail, etc. Its requirements are generally much more stringent, for example by requiring opt-in consent.

The right not to be subject to fully automated decisions (Article 15) - correct answers Decisions made without human intervention that have legal effects on or otherwise significantly affect the individual. The exemptions are decisions (1) taken in the course of entering into or performing a contract and (2) authorized by law.

Article 17 - Security - correct answers The obligation to keep personal data secure and to implement appropriate technical and organizational controls. The law does not require absolute security; it requires a risk-based approach.

State-of-the-art test - correct answers If a body of reasonably informed security professionals considers that a particular control is appropriate in particular circumstances, the controller should take that consensus into account when deciding whether to apply it.

Threat vectors, causes of failure and risk assessments - correct answers Data controllers should concentrate on the following factors when designing their controls: the management of confidentiality and security; the policy framework for confidentiality and security; human factors; the physical environment; IT and electronic communications; business processes and the supply chain; incident detection and response. The controller should identify and understand the full information life cycle.

What is appropriate? - correct answers (1) the consensus of professional opinion, (2) the threat landscape for the controller's data and systems, and (3) the information life cycle within the organization.

Getting management buy-in - correct answers The organization needs an appropriate management structure. The management team needs to be engaged and to display the key attributes. Security should be treated as a board-level issue; the board fosters a culture of risk awareness and respect for personal data.

Getting organization/worker buy-in - correct answers The organization needs to be shaped toward a culture of risk awareness and respect for personal data. A program should embed and enforce the right cultural profile and behaviours in the workforce, starting with a written policy framework.
Document information: CIPP/E exam elaborations (questions and answers), 3 pages, written in 2023/2024, uploaded on December 20, 2023.