CIPP/E - data subject rights questions and answers graded A+
Article 12(3) - correct answers Sets out the relevant time window for responding to a subject right request: one month, starting with receipt of the request, which can be extended by two further months for cases of specific situations and/or especially complex requests

Article 12(1) - correct answers Requires that any information communicated by the organisation be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

Right to information (about personal data and processing) - correct answers data subjects have the right to be provided with certain pieces of information that describe their relationship with the controller under Articles 13 and 14

Article 15 - correct answers Right of access - the data subject has a right to obtain from the controller confirmation as to whether or not personal data that concerns them is being processed.

Rights of access - the data subject is entitled to receive the following: - correct answers
1. The purpose of the processing
2. The categories of p.d. concerned
3. The recipients or categories of recipient to whom the p.d. have been or will be disclosed, in particular the recipients in third countries or international organisations
4. Where possible, the envisaged period for which the p.d. will be stored or, if not possible, the criteria used to determine that period
5. The existence of the right to request from the controller rectification, erasure, restriction of processing of p.d. or to object to such processing
6. The right to lodge a complaint with the supervisory authority
7. Where the p.d. is not collected from the data subject, any available information as to their source
8. The existence of automated decision-making, including profiling

In cases of reasonable doubt about the identity of the individual making the request - correct answers the processes must be temporarily paused while the organisation approaches the requesting party asking for more information to confirm who the requesting party is (must be proportionate)

Where the data subject is a child - correct answers their maturity must be assessed prior to disclosure for an access request in terms of whether they are mature enough to understand their rights. If so, the controller may respond directly.

Access requests via proxies - correct answers it is of vital importance that the organisation only disclose information if it has been sufficiently ensured that the third party making the request is in fact entitled to act on behalf of the individual. The organisation should retain proof of the entitlement of the proxy. As this constitutes new data processing, the individual acting on behalf of the data subject should be adequately informed

If the organisation considers a subject access request to be manifestly unfounded or excessive - correct answers it can either request a 'reasonable fee' to deal with the request or refuse to deal with the request at all. The decision and assessment needs to be documented

WP29 states that - correct answers the right to rectification might apply where for example an individual is placed into a category that says something about their ability to perform a task and that profile is based on incorrect information.

Right to rectification - correct answers data subjects have this right to rectification of inaccurate personal data and controllers must ensure that inaccurate or incomplete data is erased, amended or rectified.

Processes for requests for rectification - correct answers any individual may make a request for rectification either verbally or in writing and the organisation must react within one calendar month of receipt. Only in limited circumstances can a request be refused. The organisation should restrict the processing of the data in question whilst it is verifying its accuracy

Where organisations have previously disclosed personal data to third parties - correct answers it must contact them and inform them of the rectification. Where this proves disproportionate or impossible, the decision should be well documented.

If a decision is taken to reject a rectification request - correct answers the individual must be informed without undue delay about the organisation's reasons for not acting as directed, their right to make a complaint to the supervisory authority and their ability to seek to enforce this right through a judicial remedy

Written for
- Institution: CIPP/E
- Course: CIPP/E
Document information
- Uploaded on: December 20, 2023
- Number of pages: 6
- Written in: 2023/2024
- Type: Exam (elaborations)
- Contains: Questions & answers