CIPP/E QUESTIONS AND ANSWERS ALREADY GRADED A
GDPR's Data Processing Principles (PLAIDS) (Article 5)
1) Purpose Limitation
2) Lawfulness, Fairness & Transparency
3) Accuracy
4) Integrity & Confidentiality
5) Data Minimization
6) Storage Limitation

The six lawful grounds to process data (Article 6)
1) Consent
2) Contract Performance
3) Legal Obligation
4) Vital Interest of the Individual
5) Public Interest
6) Legitimate Interest

The two concepts of Data Minimization
1) Necessity
2) Proportionality

4 conditions for Consent (SIFU)
1) Specific
2) Informed
3) Freely Given
4) Unambiguous indication of wishes

5 conditions for consent to process Special Categories of Personal Data (SIFU-E)
1) Specific
2) Informed
3) Freely Given
4) Unambiguous indication of wishes
5) Explicit: the consent must expressly cover the special-category data and the purpose for which it is processed

Lindqvist - 2003 - European Court of Justice
Merely uploading personal information within the EU onto a website that is accessible anywhere in the world is NOT a transfer of data to a third country. However, publishing other people's personal information on a web page is processing of personal data governed by the Data Protection Directive (95/46/EC), and doing so without a lawful basis contravenes the Directive.

Facebook v. Schrems (Schrems I) - Oct. 6, 2015
Facebook Ireland transferred personal data to the US under the Safe Harbor adequacy decision. Schrems argued that the Snowden disclosures showed US authorities were not bound by Safe Harbor's protections, so the decision could not be relied on. The CJEU ruled that the Safe Harbor decision was invalid, which prompted the move to the Privacy Shield.

Privacy Shield
- Draft texts published Feb. 29, 2016; the adequacy decision was adopted on July 12, 2016.
- Added more checks and balances, including redress mechanisms, so EU individuals could exercise their rights (including access).
- Companies self-certify.
- Itself invalidated by the CJEU in Schrems II (July 16, 2020).

The Seven Principles of Privacy Shield
1) Notice
2) Choice
3) Accountability for onward transfer
4) Security
5) Data integrity and purpose limitation
6) Access
7) Recourse, enforcement and liability

Charter of Fundamental Rights
Consolidates the fundamental rights recognised in the EU into a single text; it has the same legal value as the Treaties. Article 8 states that everyone has the right to the protection of their personal data, that such data must be processed fairly, for specified purposes and on a legitimate basis, and that compliance is subject to control by an independent authority.

Convention 108
The first legally binding international instrument in the area of data protection (Council of Europe, 1981). It requires signatories to take steps to protect fundamental human rights with regard to the processing of personal information.

Copland v. United Kingdom (2007)
A case in which the European Court of Human Rights held that monitoring the applicant's e-mail (together with her telephone and internet use) at work, without a legal basis, was contrary to Article 8 of the European Convention on Human Rights.

Council of the European Union
The main decision-making body of the EU, with a central role in both political and legislative decisions. The Council was established by the treaties of the 1950s that laid the foundations for the EU.

EU Data Protection Directive (95/46/EC)
Adopted in 1995, the overarching EU data protection law (a directive, so transposed into national law by each Member State) until it was replaced by the GDPR on 25 May 2018.

European Commission
a. Proposes legislation
b. Implements decisions
c. Upholds EU treaties
d. Enforces EU law together with the CJEU
e. Represents the EU internationally
f. Manages day-to-day EU business
g. One commissioner per Member State (28 while the UK was a member; 27 today)

European Council (different from the Council of the European Union)
A forum where heads of state or government meet at least four times a year to define priorities and set the political direction of the EU.

European Parliament
The only EU institution whose members are directly elected by EU citizens. Parliament has four responsibilities: legislative development, supervisory oversight of other institutions, democratic representation and budget development.

Layered Notice
A privacy notice designed to respond to the problem of excessively long notices. A short notice, the top layer, gives the user the key elements of the privacy notice. The full notice, the bottom layer, covers all the intricacies in full. In Europe, the Article 29 Working Party recommends three layers: a short notice, a condensed notice and a full notice.

Legitimate Interests of Controller
One of several legitimate processing criteria under the EU Data Protection Directive (Article 7(f); now GDPR Article 6(1)(f)). This rather broad criterion states: "Processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1(1)."

Google Spain SL (2014)
A decision by the Court of Justice of the European Union (CJEU) holding that an Internet search engine operator is a controller responsible for the processing of personal data it carries out when it indexes web pages published by third parties; the origin of the "right to be forgotten" (delisting) under EU law.

Universal Declaration of Human Rights (UDHR) 1948, Art. 12
i. First international legal instrument announcing a right to privacy
ii. Catalyst for other human rights instruments in Europe
iii. Recognised universal values and traditions of "the inherent dignity and the equal and inalienable rights of all members of the human family" as "the foundation of freedom, justice and peace in the world"

Charter of Fundamental Rights of the European Union (2000)
i. Incorporated human rights protections (the original treaties of the European Communities contained no reference to human rights or their protection)
ii. Became legally binding as EU primary law (Art. 6(1) TEU) when the Lisbon Treaty came into force in 2009
iii. Respect for private and family life (Art. 7)
iv. Right to data protection (Art. 8)

Council of Europe - Convention 108 (1981)
i. The first (and still only) international legally binding instrument that specifically addresses data protection
ii. Protects individuals from abuse
iii. Regulates trans-border flows of personal data

A controller must notify the SA of a personal data breach if _____
The breach is likely to result in a risk to the rights and freedoms of natural persons (Art. 33: without undue delay and, where feasible, within 72 hours of becoming aware). The higher "high risk" threshold applies only to notifying the affected data subjects themselves (Art. 34).

Countries outside the EU with adequacy decisions (partial list)
a. Andorra
b. Argentina
c. Canada (commercial organisations subject to PIPEDA only)
d. Faroe Islands
e. Guernsey
f. Israel
g. Isle of Man
h. Jersey
i. New Zealand
Also covered by adequacy decisions: Switzerland, Uruguay, Japan, the United Kingdom and South Korea.

Cross-Border Data Transfer mechanisms (Chapter V)
1. Adequate ("safe") jurisdictions
2. EU-US Privacy Shield (invalidated in 2020)
3. Model (standard contractual) clauses
4. Binding Corporate Rules
5. Codes of conduct and certifications
6. Derogations (Art. 49)

DPO Tasks
a. Advising colleagues
b. Monitoring the organisation's compliance with the GDPR and other privacy laws
c. Training
d. Raising awareness
e. Running audits
f. Advising on DPIAs/PIAs
g. Co-operating with supervisory authorities

Employee monitoring under the Directive
i. Necessity: the monitoring must be absolutely necessary for a specified purpose
ii. Finality: the data must be collected for a specified, explicit and legitimate purpose and not further processed in a way incompatible with those purposes
iii. Transparency: the employer must be clear and open about monitoring activities
 a. Must provide notice to the employee
 b. Must notify supervisory authorities before processing (a Directive-era requirement; the GDPR replaced general notification with records of processing)
 c. Right of access
iv. Legitimacy: there must be a legitimate purpose as provided in the Directive
v. Proportionality: the personal data involved must be adequate, relevant and not excessive with regard to achieving the specified purpose
vi. Accuracy and Retention: accurate data and appropriate retention periods
vii. Security: the employer's right to protect its systems against malware, which may involve automated scanning of e-mails and network traffic

The e-Privacy Directive governs the processing of which types of data?
- Traffic
- Location
- Content

The EU Directive on Privacy and Electronic Communications (2002/58/EC) (e-Privacy Directive)
a. Scope
 i. Complements the GDPR as the specific rules for the electronic communications sector
 ii. Addresses the requirements of new digital technologies and eases the advance of electronic communications services
 iii. Security obligations
 iv. Duty to inform subscribers of risks (viruses, malware, etc.)
 v. Confidentiality
 vi. Member States must prohibit wire-tapping, interception, surveillance, etc. of communications without the users' consent
b. Unsolicited e-mail and other messages
 i. Direct marketing by e-mail requires the recipient's prior consent (opt-in only for unsolicited e-mail)
 ii. "Soft opt-in" exception: an organisation may market similar products or services to its own existing customers, provided each message offers an easy opt-out
c. Cookies
 i. Exempts cookies that are "strictly necessary for the delivery of a service requested by the user" (e.g., shopping cart cookies)
 ii. All other cookies are allowed only if the user: a) is provided notice about the purpose, storage and access to the cookie information; and b) gives consent (opt-in only)

European Court of Justice (ECJ)
a. The Court of Justice, the senior court within the CJEU (which also comprises the General Court)
b. Highest court on questions of EU law
c. One judge per Member State (28 while the UK was a member; 27 today)
 i. Normally hears cases in chambers of 3 or 5 judges, or in the Grand Chamber of 15
d. Interprets EU law and ensures its equal application across all Member States

The European Data Protection Board (EDPB)
a. Consists of the head of one supervisory authority from each Member State (or their representative) and the EDPS; the Commission takes part without voting rights
b. Replaced the WP29 when the GDPR took effect (25 May 2018)
 i. Not merely an advisory committee
 ii. An independent body of the EU with its own legal personality
 iii. Primary role: contribute to the consistent application of the GDPR throughout the EU. It:
  a. advises the Commission on the level of protection offered by third countries or international organisations
  b. promotes cooperation between national supervisory authorities
  c. issues guidelines, recommendations and statements of best practice (e.g., on when a data breach is "likely to result in a high risk to the rights and freedoms of individuals")
  d. encourages codes of conduct and certification
  e. resolves disputes between national supervisory authorities through binding decisions (consistency mechanism)
 iv. The EDPB's views have greater force and effect than the WP29's did

Joint Controller accountability requirements (Art. 26)
i. Applies when "two or more controllers jointly determine the purposes and means of processing"
ii. They must set out, in an arrangement between them, their respective responsibilities for complying with the GDPR
 a. The essence of the arrangement must be made available to data subjects
 b. They may designate one point of contact for data subjects
iii. Data subjects may exercise their rights against either controller
iv. Each joint controller may be held liable for the entire damage (joint and several liability, Art. 82(4)), with a right to claim back from the others their share

Processing of special categories exceptions (Art. 9(2))
a) Explicit consent of the data subject
b) Carrying out obligations and exercising specific rights in employment, social security and social protection law
c) Protecting the vital interests of the data subject or another person
d) Legitimate activities of a foundation, association or other not-for-profit body, with appropriate safeguards
e) Personal data manifestly made public by the data subject
f) Establishment, exercise or defence of legal claims
g) Substantial public interest
h) Preventive or occupational medicine
i) Public interest in the area of public health
j) Archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

When would consent NOT be needed from a child?
Where preventive or counselling services are offered directly to a child (Recital 38), the consent of the holder of parental responsibility is not required.

GDPR - Consent for Children (Art. 8)
Where consent is the lawful basis for offering information society services directly to a child, the child must be at least 16. Below that age, the processing is lawful only if consent is given or authorised by the holder of parental responsibility. Member States may lower the age, but to no less than 13.

Where can Member States depart from the GDPR?
i. Article 23 allows Union or Member State law to restrict the data subject rights and obligations in Articles 12-22 (and Article 5 in so far as it corresponds to those rights), provided the restriction is necessary and proportionate and serves one of the listed objectives
ii. Article 83(7) allows each Member State to lay down rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in its territory
iii. Article 8(1) allows Member States to lower the age of consent for information society services to as low as 13

What are the functions of each EU institution?
i. Legislative: Council of the EU & European Parliament
ii. Policy making: European Council & European Commission
iii. European Council: strategy, priorities and agenda
iv. European Commission: proposes and drafts legislation
v. European Parliament: calls for legislation and adopts it jointly with the Council

Contract Clauses (Art. 46)
i. Standard contractual clauses are adopted by the European Commission, or adopted by a supervisory authority and approved by the Commission; they may be used without further authorisation
ii. Ad hoc clauses require authorisation from the competent supervisory authority
Document information: written for the CIPP/E course (institution: CIPP/E); uploaded December 18, 2023; 14 pages; written in 2023/2024; type: exam (elaborations), questions & answers.