CIPP/E GDPR Questions and Answers Rated A+
Top 10 operational impacts of GDPR
1. Data Security and Breach Notification Standards
2. The Mandatory DPO
3. Data Subject Consent
4. Cross-border Data Transfers
5. Profiling and the Right To Object
6. The New Rights To Be Forgotten and to Data Portability
7. Clarifying Duties and Responsibilities of Controllers and Processors
8. 'Pseudonymization' of Personal Data
9. Codes of Conduct and Certifications
10. Complex Administrative Procedures and Hefty Fines

Personal data
any information relating to an identified or identifiable natural person ('data subject')

Personal data breach
a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed

Special categories of data
Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, and the like

Data Subject Consent
The GDPR requires the data subject to signal agreement by "a statement or a clear affirmative action."

How consent must be given
Freely given, specific, informed and unambiguous by a statement or by a clear affirmative action.

Affirmative actions signaling consent
- ticking a box on a website
- choosing technical settings for information society services
- another statement or conduct that clearly indicates assent to the processing

GDPR's new requirements for consent
1. the right to withdraw consent at any time and it shall be as easy to withdraw consent as to give it
2. consent is not freely given if there is a clear imbalance of power
3. consent must be specific to each data processing operation

Explicit consent
All situations where individuals are presented with a proposal to agree or disagree to a particular use or disclosure of their personal information and they respond actively to the question, orally or in writing

How photographs qualify as biometric data
When they are processed through a specific technical means allowing the unique identification or authentication of a natural person

Factors in determining data protection adequacy for cross-border transfer
- the specific processing activities
- access to justice
- international human rights norms
- the general and sectoral law of the country
- legislation concerning public security, defense and national security
- public order
- criminal law

Exceptions to transferring personal data outside the EU without adequate protections
- Explicit consent
- For the performance of a contract
- Important reasons of public interest
- Establishment, exercise or defense of legal claims
- To protect vital interests where the data subject is physically or legally incapable of giving consent
- Made from a register that is intended to provide information to the public

Information provided to data subjects when their information is collected
- that the controller intends to transfer personal data to a third country or international organization
- that such transfer is pursuant to an adequacy decision by the Commission
- reference to the appropriate or suitable safeguards and the means for the data subject to obtain them

Profiling involves
(a) automated processing of personal data; and (b) using that personal data to evaluate certain personal aspects relating to a natural person

Profiling examples
Analyzing or predicting aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements

Right to be forgotten
Allows individuals to request the deletion of personal data, and, where the controller has publicized the data, to require other controllers to also comply with the request

Right to data portability
Requires controllers to provide personal data to the data subject in a commonly used format and to transfer that data to another controller if the data subject so requests

Disclosures a controller must make before collecting personal data
- the identity of the controller
- the purposes for processing
- any recipients of personal data
- how long the data will be stored
- the right to withdraw consent at any time
- the right to request access, rectification or restriction of processing
- the right to lodge a complaint with a supervisory authority

Data protection by design and by default
Controllers should design products with privacy in mind, rather than tacking it on as an afterthought, and privacy-protective settings should be the default in any product

Binding Corporate Rules
Allow companies to make intra-organizational transfers of personal data across borders in compliance with EU Data Protection Law

Processors' duties to controllers
- process data only as instructed by controllers
- use appropriate technical and organizational measures to comply with the GDPR
- delete or return data to the controller once processing is complete
- submit to specific conditions for engaging other processors

Processors' records of processing to keep
- contain contact information for the processor(s) and controller(s)
- the categories of processing carried out for each controller
- information on cross-border transfers if applicable
- a general description of the implemented technical and organizational security measures

Joint controllers
when two or more controllers jointly determine the purposes and means of processing

Pseudonymization
the separation of data from direct identifiers so that linkage to an identity is not possible without additional information that is held separately

Direct identifiers
Data that can be used to identify a person without additional information or with cross-linking through other information that is in the public domain

Data protection principles
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability

Document information
- Uploaded on: December 18, 2023
- Number of pages: 7
- Written in: 2023/2024
- Type: Exam (elaborations)
- Contains: Questions & answers