Full CIPP/E exam study guide questions and answers

Accountability The implementation of appropriate technical and organisational measures to ensure and be able to demonstrate that the handling of personal data is performed in accordance with relevant law, an idea codified in the EU General Data Protection Regulation and other frameworks, including APEC's Cross Border Privacy Rules. Traditionally has been a fair information practices principle, that due diligence and reasonable steps will be undertaken to ensure that personal information will be protected and handled consistently with relevant law and other fair use principles. Accuracy Organizations must take every reasonable step to ensure the data processed is this and, where necessary, kept up to date. Reasonable measures should be understood as implementing processes to prevent inaccuracies during the data collection process as well as during the ongoing data processing in relation to the specific use for which the data is processed. The organization must consider the type of data and the specific purposes to maintain the accuracy of personal data in relation to the purpose. Also embodies the responsibility to respond to data subject requests to correct records that contain incomplete information or misinformation. Adequate Level of Protection A transfer of personal data from the European Union to a third country or an international organisation may take place where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question, ensures this by taking into account the following elements: (a) the rule of law, respect for human rights and fundamental freedoms, both general and sectoral legislation, data protection rules, professional rules and security measures, effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data is being transferred; (b) the existence and effective functioning of independent supervisory authorities with responsibility for ensuring and enforcing compliance with the data protection rules; (c) the international commitments the third country or international organisation concerned has entered into in relation to the protection of personal data. Annual Reports The requirement under the GDPR that the European Data Protection Board and each supervisory authority periodically report on their activities. The supervisory authority report should include infringements and the activities that the authority conducted under their Article 58(2) powers. The EDPB report should include guidelines, recommendations, best practices and binding decisions. Additionally, the report should include the protection of natural persons with regard to processing in the EU and, where relevant, in third countries and international organisations. Shall be made public and be transmitted to the European Parliament, to the Council and to the Commission. Anonymous Information In contrast to personal data, this is not related to an identified or an identifiable natural person and cannot be combined with other information to re-identify individuals. It has been rendered unidentifiable and, as such, is not protected by the GDPR. Anti-discrimination Laws indications of special classes of personal data. If there exists law protecting against discrimination based on a class or status, it is likely personal information relating to that class or status is subject to more stringent data protection regulation, under the GDPR or otherwise. Appropriate Safeguards The GDPR refers to these in a number of contexts, including the transfer of personal data to third countries outside the European Union, the processing of special categories of data, and the processing of personal data in a law enforcement context. This generally refers to the application of the general data protection principles, in particular purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, legal basis for processing, processing of special categories of personal data, measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the binding corporate rules. This may also refer to the use of encryption or pseudonymization, standard data protection clauses adopted by the Commission, contractual clauses authorized by a supervisory authority, or certification schemes or codes of conduct authorized by the Commission or a supervisory authority. Should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the European Union. Appropriate Technical and Organizational Measures The GDPR requires a risk-based approach to data protection, whereby organizations take into account the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons, and institute policies, controls and certain technologies to mitigate those risks. These might help meet the obligation to keep personal data secure, including technical safeguards against accidents and negligence or deliberate and malevolent actions, or involve the implementation of data protection policies. These measures should be demonstrable on demand to data protection authorities and reviewed regularly. Article 29 Working Party Was a European Union organization that functioned as an independent advisory body on data protection and privacy and consisted of the collected data protection authorities of the member states. It was replaced by the similarly constituted European Data Protection Board (EDPB) on May 25, 2018, when the GDPR went into effect. Authentication The process by which an entity (such as a person or computer system) determines whether another entity is who it claims to be. is required by the GDPR when the data subject is exercising certain rights, such as the rights to deletion or rectification, and might include supplying log-in details or biometric information. However, the data controller should not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of the Regulation. Automated Processing A processing operation that is performed without any human intervention. "Profiling" is defined in the GDPR, for example, as the automated processing of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Data subjects, under the GDPR, have a right to object to such processing. Availability Data is this if it is accessible when needed by the organization or data subject. The GDPR requires that a business be able to ensure this of personal data and have the ability to restore it and access to personal data in a timely manner in the event of a physical or technical incident. Background Screening/Checks Organizations may want to verify an applicant's ability to function in the working environment as well as assuring the safety and security of existing workers. Range from checking a person's educational background to checking on past criminal activity. Employee consent requirements for such checks vary by member state and may be negotiated with local works councils. Behavioral Advertising Most often done via automated processing of personal data, or profiling, the GDPR requires that data subjects be able to opt-out of any automated processing, to be informed of the logic involved in any automatic personal data processing and, at least when based on profiling, be informed of the consequences of such processing. If cookies are used to store or access information for the purposes of behavioral advertising, the ePrivacy Directive requires that data subjects provide consent for the placement of such cookies, after having been provided with clear and comprehensive information. Binding Corporate Rules An appropriate safeguard allowed by the GDPR to facilitate cross-border transfers of personal data between the various entities of a corporate group worldwide. They do so by ensuring that the same high level of protection of personal data is complied with by all members of the organizational group by means of a single set of binding and enforceable rules. Compel organizations to be able to demonstrate their compliance with all aspects of applicable data protection legislation and a