CIPP/E STUDY GUIDE EXAM 2024/2025.

IAPP - AnswersInternational Association of Privacy Professionals - founded in 2000 GDPR - AnswersGlobal Data Privacy Regulation - May 2018 - states can make further legislation - stronger rights for online environment - SA have increased powers - broader application - anyone targeting EU cust - 173 recitals, 99 articles, 11 chapters Rational for Data Protection - AnswersIncrease in computers in 1970 and cross-border trade EEC - AnswersEuropean Economic Community Human Rights Declaration - Answers1948 after WWII - right to private and family life and freedom of expression (Art 12) - created by Council of EU, adopted by United Nations ECHR (Court) - AnswersEuropean Court of Human Rights - binding decisions - gives opinion on ECHR - personal info to be private but not absolute right ECHR - AnswersEuropean Convention on Human Rights - 1953 - created by Council of EU (not just EU) - open to member states (application) - like HRD, recognizes the need for balance - based on Universal Human Rights Declaration OECD - AnswersOrganization for Economic Cooperation and Development - 1980 - created OECD guidelines on transborder flow of personal data - membership extends beyond Europe - focused on economic growth, NOT BINDING OECD Guidelines - Answers(1) Collection Limitation (consent, fair, lawful) (2) Data Quality (complete, accurate, update-to-date) (3)Purpose Specification (specified at collection) (4) Use Limitation (consistent with purpose) (5) Security Safeguards (against loss, destruction, modification, unauthorized access) (6) Openness (use of info, Controller identity & loc) (7) Individual Participation (entitled to receive from Controller) (8) Accountability (controller complies with above) OECD Guidelines - Member state considerations - Answers- domestic processing & re-export of data - transborder flows are uninterrupted & secure - don't engage with other members unless guidelines are observed - member state can restrict if protection not provided - avoid laws to restrict TB data flows Convention 108 aka CoE Convention - Answers- 1981 - worldwide scope - Convention for the Protection of Individuals in regard to automatic processing (not profiling) of PD - first legally binding international instrument in the area of data protection. - requires signatories to take steps to ensure fundamental human rights with regard to the processing of personal information. - US was not signatory Global privacy day (1/28) - same as OECD except: (1) preserve info to identify person for no longer than needed (2) Special categories - race, religion, sex/health life, political views, criminal conv not auto processed without safeguards Transborder Special Rules - AnswersFor countries not signatory parties Mutual Assistance - Answersdesignate SA to oversee compliance Data Protection Directive - Answers- Direction 95/46/EC - not law, framework - 1995 - fragmented implementation across states - replaced by GDPR - only applied to Controllers - 78 recitals, 34 articles, 7 chapters Charter of Fundamental Rights of EU - Answers- 2000 in Nice - created by EU - Lisbon Treaty made this binding for EU states - Art 7 - private life, family, home, comm - Art 8 - separate right to data protection - promotes individual civil, political, economic, and social rights for European citizens - similar principles as ECHR but refers to protection of personal data Treaty of Lisbon - Answers- Treaty signed in 2007 that made the European Parliament the co-equal legislator for almost all European laws and also created the position of the president of the European Council - made Charter of Fundamental Rights binding - Amended EU Treaty Convention 108+ - AnswersAligns with GDPR ePrivacy Directive - Answers- 2002 aka Cookie Directive - Privacy & Electronic Communication Directive (2002/58/EC) - processing data across public communication network (doesn't apply to private network) - telecomm, faxes, internet, email - must get consent to store cookies EU Institutions - Answers1. European Parliament - Oversight - House of Rep - vote on legislation, elected by EU citizens 2. European Council - Direction - set priorities & political direction for EU 3. Council of EU - Decisions - Senate - minister from each state, main decision making body (works with Parliament) 4. European Commission - Executive - implements EU decisions, 1 commissioner per state, most active European Courts - Answers1. CJEU - Court of Justice of European Union - decision on EU laws - judicial body of EU 2. ECHR - European Court of Human Rights - not EU institution, intl court, applies ECHR Copeland vs UK - Answersmonitoring emails at work violates article 8 of ECHR Google Spain vs AEPD & Mario Costeja) - AnswersGoogle Spain sold advertising space to fund Google Search Engine - SE outside EEA whose activities are economically linked to SE core activities - Google had refused to address complaints mainly on the basis that Google entity responsible for the search engine was outside of the territorial scope of EU data protection law and, therefore, beyond the reach of the AEPD. - ECJ ruled SEs are also controllers of PD contained in 3rd party web pages - Mario - right to be forgotten - house foreclosure Weltimmo - AnswersRE company - how laws protect citizens in cross-border activity - Weltimmo found to be established in Hungary even though Slovakian company because: 1. website targeting Hungary & using language 2. Rep in Hungary for court 3. letter box in Hungary 4. Hungarian bank account Schrems - Answersinvalidated Safe Harbor for FB to transfer data to US GDPR Chapters - Answers1. General Provisions 2. Principles 3. DS Rights 4. Controller & Processor 5. Transfer of data to 3rd parties 6. Independent SA 7. Cooperation & Consistency 8. Remedies, liabilities, penalties 9. Provisions relating to specific process situations 10. Delegated acts and implementing acts 11. Final provisions Consent - AnswersFreely Given Specific Informed Unambiguous - cannot be bundled with T&Cs - clear and plain language - main criteria for legitimate processing