Cipp/E Privacy book chapter 12+13 correctly answered graded A+ 2023/2024

Cipp/E Privacy book chapter 12+13International data transfers - correct answers Article 25 bans the transfer of personal data to any country outside the EU economic Area unless that third country ensures an adequate level of privacy protection. The main aim of the Directive is to create a framework that protects and shields individual's personal information from misuse and abuse. Therefore blocks any attempts to weaken the protection. Scope of data transfers - correct answers A transfer under article 25 must have some substantive processing operation on personal data in the third country. Examples of not subject international data transfers (article 25) - correct answers Technical rerouting of packet-switch technology (such as Internet, e-mail and web pages). Electronic access to personal data by travelers (log on PC in the EU to access data from foreign airport). Meaning of an 'adequate level of protection' - correct answers The adequacy must be assessed on a case by case basis in the light of all the circumstances surrounding he data transfer. Consider (1) The nature of the data (2) The purpose and duration of the processing (3) The countries involved (4) The rules of law in force in the third country and (5) The professional rules and security measures in the third country. Procedure to designate countries with adequate protection - correct answers Proposal EC, opinion 29 WP, opinion Management Committee, 30 day right of scrutiny for the EP, adoption of the decision by the EC. Countries who are adequate - correct answers Switzerland, Hungary, Canada, Argentina, Guernsey, Isle of Man, Jersey, The Faroe Islands, Andorra and Israel. Safe Harbor - correct answers Because of the legal-free approach in the US and the large volume of data countries between the EU and the US, the European Commission issues in 2000 a self-regulatory framework that process adequate protection for personal data. It is entirely voluntary. Organizations must comply with the requirements and publicly declare that they do so. They need to self-certify annually to the US department of Commerce. EU model contracts - correct answers 2004 Data transfers within a multinational corporate group - BCR - correct answers : Must apply generally throughout the corporate group irrespective of the location or the nationality of the individuals. - 29 WP two elements: binding nature and legal enforceability. Other requirements of BCR (1) System that guarantees awareness and implementation (2) self-audits or external supervision (3) system by which individuals can complain at complain-handling department (4) clear duties of cooperation with DPA (5) provisions on liability and jurisdiction (6) Individuals will be entitled to take actions and choose jurisdiction (7) individuals must be made aware that data is being communicated to other members and (8) the BCR must be readily accessible. Data transfers to service providers - correct answers In 2001 the EC adopted a second decision setting out standard contractual clauses for the transfer of personal data to data processors in third countries. In 2010 an updated version and replaced the original. Relying on derogations - correct answers (1) consent, (2) Contract performance (at the individual's request or in her interests and the transfer is necessary for the performance of the contract) and (3) Substantial public interest (situations where the transfer is necessary for reasons of crime prevention and detection, national security and tax collection), (4) Legal claims, (5) Vital interests and (6) Public registers. Supervision and enforcement - correct answers Tools: (1) licensing and registration (2) the ability to impose conditions on how an entity operates (3) access to information and transparency requirements, (4) ability to impose sanctions and penalties and (5) power to the courts, the markets and the citizens. Administrative supervision - correct answers (1) Creating independent national regulators, (2) Embedding the regulators in national law making, (3) Regulators' core powers (Investigation powers, intervention, to engage in legal proceedings), (4) Receiving and dealing with complaints, (5) Annual reports, (6) Jurisdiction and international cooperation, (7) Professional secrecy.