Data Subject Rights (CIPP/E Certification Exam)2023/2024 passed

Data Subject Rights (CIPP/E Certification Exam)Data Subject Rights Under GDPR - correct answers Articles 12-14: Right of Transparent Communication and Information Article 15: Right of Access Article 16: Right of Rectification Article 17: Right to Erasure ("Right to be forgotten") Article 18: Right to Restriction of Processing Article 19: Obligation to Notify Recipients Article 20: Right to data portability Article 21: Right to object Article 22: Right to not be subject to automated decision-making (to profiling) Controller's Obligation to Verify Identity of Data Subjects - correct answers Controller must use all reasonable efforts to verify the identity of data subjects Where controller has reasonable doubts to data subject's identity, controller may request the provision of additional information to confirm it. However, the controller is not obligated to collected any additional personal data just to link certain pieces of data it holds to a specific data subject Timeframe for responding to data subject request (Article 12(3) - correct answers Controller should acknowledge receipt of request and confirm or clarify what is requested Then, the controller must respond without undue delay, or within one month of receipt, which can be extended by two further months for cases of specific situations and/or especially complex requests, or if subject makes multiple requests During the first month, controller decides whether it can act on thee users' request at all - if the organization decides not to proceed, it must inform the data subjects about this and advise them as to any opportunities to lodge complaints with regulators Right of Transparent Communication - correct answers Data subjects must have all the information they need in order to understand the nature of the processing and to exercise their statutory rights Information must be provided in a concise, transparent, intelligible, and easily accessible form, using clear and plain language Right to Information - correct answers Data subjects have the right to bee provided with certain pieces of information that describe their relationship with the controller, including: 1) Controller's identity 2) Controller's contact details, 3) The reasons or purposes for processing personal data, 4) Legal basis for processing personal data, 5) Recipients of that data (especially if those reside in third countries) 6) Other relevant information to ensure fair and transparent processing of the data 7) The source of data if collected or obtained from a third party, in order to effectively enable the data subject to pursue their rights Right of Access (Information that a data subject is entitled to receive) - correct answers Whether or not personal data concerning them is being processed. If so, then data subject is entitled to receive the following information: 1) Purposes of processing 2) Categories of personal data concerned 3) Recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular, recipients in third countries or international organizations 4) Where possible, the envisaged period for which the personal data will be stored or, if not possible, the criteria used to determine that period 5) Existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing 6) The right to lodge a complaint with a supervisory authority 7) Where personal data is not collected from the data subject, any available information as to their source 8) Existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject Process when there is reasonable doubts about the identity of the individual making the request - correct answers Processes must be temporarily paused while the organization approaches the requesting party asking for more information However, it is important that the organization only request information that is necessary to confirm who the requesting party is. The key to this is proportionality Additional considerations when access request is about a child - correct answers Emphasize the use of especially clear and plain language when disclosing information to a child