Full CIPP/E exam
Study online at https://quizlet.com/_6e47p8
1. Accountability The implementation of appropriate *technical and organisational measures* to
ensure and be able to *demonstrate* that the handling of personal data is
performed in accordance with relevant law, an idea codified in the EU General
Data Protection Regulation and other frameworks, including APEC's Cross Border
Privacy Rules. Traditionally has been a *fair information practices principle*, that
due diligence and reasonable steps will be undertaken to ensure that personal
information will be protected and handled consistently with relevant law and other
fair use principles.
2. Accuracy Organizations must take every *reasonable* step to ensure the data processed is
this and, where *necessary*, kept up to date. Reasonable measures should be
understood as implementing processes to prevent inaccuracies during the data
collection process as well as during the ongoing data processing in relation to
the specific use for which the data is processed. The organization must consider
the type of data and the specific purposes to maintain the accuracy of personal
data in relation to the purpose. Also embodies the responsibility to respond to
data subject requests to correct records that contain incomplete information or
misinformation.
3. Adequate Level A transfer of personal data from the European Union to a third country or an
of Protection international organisation may take place where the European Commission has
decided that the third country, a territory or one or more specified sectors within
that third country, or the international organisation in question, ensures this by
taking into account the *following elements*: *(a)* the rule of law, respect for
*human rights* and fundamental freedoms, both *general and sectoral legisla-
tion*, data protection rules, professional rules and security measures, effective
and *enforceable data subject rights* and *effective administrative and judicial
redress* for the data subjects whose personal data is being transferred; *(b)* the
existence and *effective* functioning of independent *supervisory authorities*
with responsibility for ensuring and enforcing compliance with the data protection
rules; (c) the *international commitments* the third country or international
, Full CIPP/E exam
Study online at https://quizlet.com/_6e47p8
organisation concerned has entered into in relation *to the protection of personal
data*.
4. Annual Reports The requirement under the GDPR that the European Data Protection Board and
each supervisory authority *periodically report on their activities*. The supervisory
authority report should include infringements and the activities that the authority
conducted under their Article 58(2) powers. The EDPB report should include
*guidelines, recommendations, best practices and binding decisions*. Addition-
ally, the report should include the protection of natural persons with regard to
processing in the EU and, where relevant, in third countries and international
organisations. Shall be *made public and be transmitted to the European Par-
liament, to the Council and to the Commission*.
5. Anonymous In- In contrast to personal data, this is not related to an identified or an identifiable
formation natural person and *cannot be combined with other information to re-identify
individuals*. It has been rendered unidentifiable and, as such, is not protected
by the GDPR.
6. Anti-discrimina- *indications of special classes* of personal *data*. If there exists law protecting
tion Laws against discrimination based on a class or status, it is likely personal information
relating to that class or status is *subject to more stringent* data protection
regulation, under the GDPR or otherwise.
7. Appropriate The GDPR refers to these in a number of contexts, *including* the *transfer* of
Safeguards personal data *to third countries* outside the European Union, the processing
of *special categories* of data, *and* the processing of personal data in a *law
enforcement* context. This generally refers to the application of the general data
protection principles, in particular purpose limitation, data minimisation, limited
storage periods, data quality, data protection by design and by default, legal
basis for processing, processing of special categories of personal data, measures
to ensure data security, and the requirements in respect of onward transfers to
bodies not bound by the binding corporate rules. This *may* also *refer to* the
use of *encryption or pseudonymization*, *standard* data protection *clause*s
, Full CIPP/E exam
Study online at https://quizlet.com/_6e47p8
adopted by the Commission, contractual clauses authorized by a supervisory
authority, or *certification schemes* or *codes of conduct* authorized by the
Commission or a supervisory authority. Should ensure compliance with data pro-
tection requirements and the rights of the data subjects appropriate to processing
within the European Union.
8. Appropriate The GDPR requires a *risk-based approach* to data protection, whereby orga-
Technical and nizations *take into account* the *nature*, *scope*, *context and purposes* of
Organizational processing, as well as the risks of varying *likelihood* and *severity to* the *rights
Measures and freedoms* of natural persons, and institute policies, controls and certain
technologies to mitigate those risks. These might help meet the obligation to
keep personal data secure, including technical safeguards against accidents and
negligence or deliberate and malevolent actions, or involve the implementation
of data protection policies. These measures should be demonstrable on demand
to data protection authorities and reviewed regularly.
9. Article 29 Work- Was a European Union organization that functioned as an *independent advi-
ing Party sory body* on data protection and privacy and consisted of the collected data
protection authorities of the member states. It was *replaced by* the similarly
constituted European Data Protection Board (*EDPB*) on May 25, 2018, *when*
the *GDPR went into effect*.
10. Authentication The process by which an entity (such as a person or computer system) determines
whether another entity is who it claims to be. *is required* by the GDPR *when*
the data subject is *exercising certain rights*, such as the rights to *deletion or
rectification*, and might include supplying log-in details or biometric information.
However, the data controller should not be obliged to acquire additional informa-
tion in order to identify the data subject for the sole purpose of complying with
any provision of the Regulation.
11. Automated Pro- A processing operation that is performed without any human intervention. "Profil-
cessing ing" is defined in the GDPR, for example, as the automated processing of personal
data to evaluate certain personal aspects relating to a natural person, in particular
, Full CIPP/E exam
Study online at https://quizlet.com/_6e47p8
to *analyse or predict aspects concerning that natural person's performance
at work, economic situation, health, personal preferences, interests, reliability,
behaviour, location or movements*. Data subjects, under the GDPR, have a *right
to object* to such processing.
12. Availability Data is this if it is *accessible when needed* by the organization or data subject.
The GDPR requires that *a business* be able to ensure this of personal data and
have the ability to *restore it and access* to personal data in a *timely manner*
in the event of a physical or technical incident.
13. Background Organizations may want to verify an applicant's ability to function in the working
Screen- environment as well as assuring the safety and security of existing workers. Range
ing/Checks from checking a person's educational background to checking on past criminal
activity. *Employee consent requirements* for such checks *vary by member state
and may be negotiated with local works councils*.
14. Behavioral Ad- Most often done via automated processing of personal data, or profiling, the
vertising GDPR requires that *data subjects* be able to *opt-out of any automated pro-
cessing, to be informed of the logic involved in any automatic personal data
processing and, at least when based on profiling, be informed of the conse-
quences of such processing*. If cookies are used to store or access information for
the purposes of behavioral advertising, the ePrivacy Directive requires that data
subjects provide consent for the placement of such cookies, after having been
provided with clear and comprehensive information.
15. Binding Corpo- An appropriate safeguard allowed by the GDPR to facilitate *cross-border trans-
rate Rules fers* of personal data *between* the various *entities of a corporate group
worldwide*. They do so by ensuring that the same high level of protection of
personal data is complied with by all members of the organizational group by
means of a single set of binding and enforceable rules. Compel organizations
to be able to demonstrate their compliance with all aspects of applicable data
protection legislation and *are approved by a member state data protection
authority*. To date, relatively few organizations have had these approved.
Study online at https://quizlet.com/_6e47p8
1. Accountability The implementation of appropriate *technical and organisational measures* to
ensure and be able to *demonstrate* that the handling of personal data is
performed in accordance with relevant law, an idea codified in the EU General
Data Protection Regulation and other frameworks, including APEC's Cross Border
Privacy Rules. Traditionally has been a *fair information practices principle*, that
due diligence and reasonable steps will be undertaken to ensure that personal
information will be protected and handled consistently with relevant law and other
fair use principles.
2. Accuracy Organizations must take every *reasonable* step to ensure the data processed is
this and, where *necessary*, kept up to date. Reasonable measures should be
understood as implementing processes to prevent inaccuracies during the data
collection process as well as during the ongoing data processing in relation to
the specific use for which the data is processed. The organization must consider
the type of data and the specific purposes to maintain the accuracy of personal
data in relation to the purpose. Also embodies the responsibility to respond to
data subject requests to correct records that contain incomplete information or
misinformation.
3. Adequate Level A transfer of personal data from the European Union to a third country or an
of Protection international organisation may take place where the European Commission has
decided that the third country, a territory or one or more specified sectors within
that third country, or the international organisation in question, ensures this by
taking into account the *following elements*: *(a)* the rule of law, respect for
*human rights* and fundamental freedoms, both *general and sectoral legisla-
tion*, data protection rules, professional rules and security measures, effective
and *enforceable data subject rights* and *effective administrative and judicial
redress* for the data subjects whose personal data is being transferred; *(b)* the
existence and *effective* functioning of independent *supervisory authorities*
with responsibility for ensuring and enforcing compliance with the data protection
rules; (c) the *international commitments* the third country or international
, Full CIPP/E exam
Study online at https://quizlet.com/_6e47p8
organisation concerned has entered into in relation *to the protection of personal
data*.
4. Annual Reports The requirement under the GDPR that the European Data Protection Board and
each supervisory authority *periodically report on their activities*. The supervisory
authority report should include infringements and the activities that the authority
conducted under their Article 58(2) powers. The EDPB report should include
*guidelines, recommendations, best practices and binding decisions*. Addition-
ally, the report should include the protection of natural persons with regard to
processing in the EU and, where relevant, in third countries and international
organisations. Shall be *made public and be transmitted to the European Par-
liament, to the Council and to the Commission*.
5. Anonymous In- In contrast to personal data, this is not related to an identified or an identifiable
formation natural person and *cannot be combined with other information to re-identify
individuals*. It has been rendered unidentifiable and, as such, is not protected
by the GDPR.
6. Anti-discrimina- *indications of special classes* of personal *data*. If there exists law protecting
tion Laws against discrimination based on a class or status, it is likely personal information
relating to that class or status is *subject to more stringent* data protection
regulation, under the GDPR or otherwise.
7. Appropriate The GDPR refers to these in a number of contexts, *including* the *transfer* of
Safeguards personal data *to third countries* outside the European Union, the processing
of *special categories* of data, *and* the processing of personal data in a *law
enforcement* context. This generally refers to the application of the general data
protection principles, in particular purpose limitation, data minimisation, limited
storage periods, data quality, data protection by design and by default, legal
basis for processing, processing of special categories of personal data, measures
to ensure data security, and the requirements in respect of onward transfers to
bodies not bound by the binding corporate rules. This *may* also *refer to* the
use of *encryption or pseudonymization*, *standard* data protection *clause*s
, Full CIPP/E exam
Study online at https://quizlet.com/_6e47p8
adopted by the Commission, contractual clauses authorized by a supervisory
authority, or *certification schemes* or *codes of conduct* authorized by the
Commission or a supervisory authority. Should ensure compliance with data pro-
tection requirements and the rights of the data subjects appropriate to processing
within the European Union.
8. Appropriate The GDPR requires a *risk-based approach* to data protection, whereby orga-
Technical and nizations *take into account* the *nature*, *scope*, *context and purposes* of
Organizational processing, as well as the risks of varying *likelihood* and *severity to* the *rights
Measures and freedoms* of natural persons, and institute policies, controls and certain
technologies to mitigate those risks. These might help meet the obligation to
keep personal data secure, including technical safeguards against accidents and
negligence or deliberate and malevolent actions, or involve the implementation
of data protection policies. These measures should be demonstrable on demand
to data protection authorities and reviewed regularly.
9. Article 29 Work- Was a European Union organization that functioned as an *independent advi-
ing Party sory body* on data protection and privacy and consisted of the collected data
protection authorities of the member states. It was *replaced by* the similarly
constituted European Data Protection Board (*EDPB*) on May 25, 2018, *when*
the *GDPR went into effect*.
10. Authentication The process by which an entity (such as a person or computer system) determines
whether another entity is who it claims to be. *is required* by the GDPR *when*
the data subject is *exercising certain rights*, such as the rights to *deletion or
rectification*, and might include supplying log-in details or biometric information.
However, the data controller should not be obliged to acquire additional informa-
tion in order to identify the data subject for the sole purpose of complying with
any provision of the Regulation.
11. Automated Pro- A processing operation that is performed without any human intervention. "Profil-
cessing ing" is defined in the GDPR, for example, as the automated processing of personal
data to evaluate certain personal aspects relating to a natural person, in particular
, Full CIPP/E exam
Study online at https://quizlet.com/_6e47p8
to *analyse or predict aspects concerning that natural person's performance
at work, economic situation, health, personal preferences, interests, reliability,
behaviour, location or movements*. Data subjects, under the GDPR, have a *right
to object* to such processing.
12. Availability Data is this if it is *accessible when needed* by the organization or data subject.
The GDPR requires that *a business* be able to ensure this of personal data and
have the ability to *restore it and access* to personal data in a *timely manner*
in the event of a physical or technical incident.
13. Background Organizations may want to verify an applicant's ability to function in the working
Screen- environment as well as assuring the safety and security of existing workers. Range
ing/Checks from checking a person's educational background to checking on past criminal
activity. *Employee consent requirements* for such checks *vary by member state
and may be negotiated with local works councils*.
14. Behavioral Ad- Most often done via automated processing of personal data, or profiling, the
vertising GDPR requires that *data subjects* be able to *opt-out of any automated pro-
cessing, to be informed of the logic involved in any automatic personal data
processing and, at least when based on profiling, be informed of the conse-
quences of such processing*. If cookies are used to store or access information for
the purposes of behavioral advertising, the ePrivacy Directive requires that data
subjects provide consent for the placement of such cookies, after having been
provided with clear and comprehensive information.
15. Binding Corpo- An appropriate safeguard allowed by the GDPR to facilitate *cross-border trans-
rate Rules fers* of personal data *between* the various *entities of a corporate group
worldwide*. They do so by ensuring that the same high level of protection of
personal data is complied with by all members of the organizational group by
means of a single set of binding and enforceable rules. Compel organizations
to be able to demonstrate their compliance with all aspects of applicable data
protection legislation and *are approved by a member state data protection
authority*. To date, relatively few organizations have had these approved.
