PDPF Privacy and Data Protection Foundation Questions and Answers

Ascertain whether the breach may have resulted in loss or unlawful processing of personal data: Correct. The very first thing that needs to be done is ascertain that the security incident is in fact a personal data breach. (Literature: A, Chapter 5)

Assess the risk of adverse effects to the data subjects using a data protection impact assessment (DPIA): Incorrect. A DPIA is conducted when designing personal data processing operations. It is not a part of the procedure for a data breach.

Assess whether personal data of a sensitive nature has or may have been unlawfully processed. Incorrect. This is the next step if the incident proves to be a personal data breach - ascertain what type of data breach.

Report the breach immediately to all data subjects and the relevant supervisory authority. Incorrect. Whether the data breach needs to be reported and to whom depends on whether it is a data breach and if so, the type of data breach.

It is up to a supervisory authority to inspect and take measures to compel companies to conform to the GDPR.

According to paragraph 1 of Article 51.

1. Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union (‘supervisory authority’).

Chapter VI of the GDPR talks about laws on independent supervisory authorities.

Besides to what many persons think, the GDPR does not apply only to the EU, but to all member countries of the European Economic Area (EEA) that includes, in addition to the EU member countries, Iceland, Liechtenstein and Norway.

An offense to privacy, as any illegal processing of personal data is considered an offense.

A record of all intended processing together with the processing purpose(s) and legal justifications.

Incorrect. A record of all intended processing with the purpose(s) and legal justifications must be kept.

A record of data breaches with all relevant characteristics, including notifications. Incorrect. A record of data breaches must be kept.

A record of notifications sent to the supervisory authority regarding processing of personal data. Correct. Prior consultation of high-risk processing is obligatory, but there is no need for a separate record of notifications sent. (Literature: A, Chapter 6;GDPR Article 36(1))

A record of processors including personal data provided and the period this data can be retained. Incorrect. A record of processors and data provided must be kept.

Article 4 dealing with the GDPR Definitions says in its paragraph 7:

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

When we talk about protection by design, we are considering data protection throughout the data lifecycle, from collection, processing, sharing, storage and deletion.

The lost reports did not contain personal data, in this case GDPR is not applicable and is a security incident.

Important

A data breach is whenever something that has not been planned with personal data happens, be it improper processing, improper sharing, loss of data, deletion, etc. In other words, personal data must be used for a specific purpose, respecting the life cycle of the same (from collection to exclusion), any situation that escapes this cycle must be reported as a data breach.

Data breach categories:

Material: Loss of equipment or material with data, lost file folders, lost smartphones, etc.

Verbal: Indiscretion, shoulder surfing, intentional leakage of sensitive information, etc.

Digital (not material): Backdoors, incorrect coding, maladministration (e.g., patch management), insufficient security measures, card cloning etc.

The right to compensation. Incorrect. It is unlikely that all data subjects will suffer harm that must be compensated in this scenario.

The right to object to profiling. Correct. All data subjects have a right to object to the processing of personal data for direct marketing, including profiling. This is clearly profiling. (Literature: A, Chapter 4)

The right to rectification. Incorrect. It is unlikely that the company has incorrect data on all data subjects, so the right to rectification does not apply.

Yes, because the shopkeeper cannot identify the owner of the telephone. Incorrect. The issue is not whether the shopkeeper can identify the visitor, but that it is technically possible to do so.

Yes, because the visitor has automatically consented by connecting to the Wi-Fi. Incorrect. Consent must be an active, informed and free act of agreement to the processing. To see a MAC-address, the visitor does not need to be logged onto the Wi-Fi.

No, because the telephones MAC-address must be regarded as personal data. Correct. The phone’s signal is a unique code that can be linked to the owner of the phone. The data must be regarded as personal data, because it is technically possible to identify the visitor. (Literature: A, Chapter 3; GDPR Article 26 and 30)

No, because the telephone providers are the owners of the MAC-addresses. Incorrect. The shopkeeper is not allowed to keep the data or process it because it must be regarded as personal data. The telephone provider is not the owner of the MAC-address, nor is the telephone provider protected by the GDPR.

This is an issue that addresses two very important points – sensitive data and data from minors.

As these are, it is necessary to inform the Supervisory Authority and those responsible for the data subjects. Article 34 mentions:

1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

Recital 38 says:

Children merit specific protection regarding their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child. The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.

It aims to manage the flow of data throughout the life cycle, from collection, processing, sharing, storage and deletion.

Having the knowledge where the data travels, who is responsible, who has access, helps and a lot to implement security measures.

The correct option is the responsibility of the Supervisory Authority, the others are the responsibility of the processor.

GDPR Article 3 decrees:

This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or;

b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

Article 20 Right to data portability:

1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.

Adequacy decision. Correct. The ruling is an adequacy decision regarding processing in third countries. (Literature: A, Chapter 7; GDPR Article 45 and Recitals (104) and (106)

Derogation. Incorrect. A derogation is for specific situations where a transfer is necessary, but there is no ruling permitting it. (Literature: GDPR Article 49(1)(q))

Legally binding contract. Incorrect. The ruling is an adequacy decision. A legally binding contract is between a processor and a controller.

Treaty superseding the GDPR. Incorrect. The ruling is an adequacy decision. It does not supersede the GDPR.

Collecting name and address information for a gymnastics club. Incorrect. Collecting is also considered processing data.

Creating a back-up of biometric data for data security purposes. Incorrect. Storage is also considered processing data.

Editing personal photographs before printing them at home. Correct. The GDPR is not applicable to home-use of your own photographs. (Literature: A, Chapter 1; GDPR Article 4)

Direct personal data. Incorrect. Both direct and indirect data are described.

Indirect personal data. Incorrect. Both direct and indirect data are described.

Pseudonymized data. Incorrect. Pseudonymized data cannot directly reveal information.

Special category personal data. Correct. This is a definition of special category personal data. (Literature: A, Chapter 1; GDPR Article 4)

Article 28 of the GDPR in its paragraph 3 mentions:

This contract or other normative act stipulates, inter alia, that the subcontractor:

a) processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

b) ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

c) takes all measures required pursuant to Article 32;

d) respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;

e) taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller ' s obligation to respond to requests for exercising the data subject ' s rights laid down in Chapter III;

f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor;

g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;

h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

When a project includes technologies or processes that use personal data. Incorrect. Only for technologies and processes that are likely to result in a high risk to the rights of data subjects is the DPIA mandatory.

When processing is likely to result in a high risk to the rights of data subjects. Correct. For processing operations which are likely to result in a high risk, a DPIA is obligatory to assess those risks and to design mitigation measures. (Literature: A, Chapter 6; GDPR Article 35)

When similar processing operations with comparable risks are repeated. Incorrect. This is a case in which a DPIA does not need to be repeated.

Section: (none)

Explanation

Controller. Correct. The controller is responsible for adequate data security measures and must be able to demonstrate compliance with the GDPR. (Literature:A, Chapter 2)

Data protection officer (DPO). Incorrect. The DPO has expert knowledge and assists the controller or processor to monitor internal compliance.

Processor. Incorrect. The processor is the one who processes personal data according to the instructions of the controller. The controller remains ultimately responsible though.

Supervisory authority. Incorrect. The controller needs to demonstrate compliance with the GDPR if requested by the supervisory authority.

Here we have a very common catch in EXIN exams.

In this matter, the personal data that was breached included the email addresses. Although the group is a subject considered sensitive by the GDPR, only other participants who had registered took notice. As it does not present a high risk to data subjects, there is no need to notify the data subject as well. Only the

Supervisory Authority is enough. However, after notifying the Supervisory Authority, it may decide that the data subject should also be notified, but for that matter this is not considered.

Article 33 of the GDPR legislates on the topic “Notification of a personal data breach to the supervisory

authority”.

1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

Important

The deadline for notification of data breaches to the Supervisory Authority is generally charged in the EXIN exam. This period is 72 hours.

Here we have a very common catch in EXIN exams.

As stated “monthly a report is issued”. Therefore, the report issued and with the average number of cars for each day is known, there is no longer a need to keep the license plate records. The information on the average number of cars per day is already sufficient for the planning of rotating parking as well as sufficient for a future comparison. So, there is no need to keep personal data stored for 5 years.

You may be wondering if a license plate is personal data. The answer is yes. Any information that makes it possible to identify a person is considered personal data.

A real and interesting example was a wife who identified her husband’s car at a friend’s house through Google Maps. The license plates on Google Maps are erased for security, but the car had a specific sticker. See that the wife gathered two pieces of information: car model and sticker, to identify her husband. In isolation neither of these two is a personal data, but together they become, because it was possible to identify it.

Luckily for his wife, who discovered his affair with her friend.

Here is a catch between the options “Loss of personal data” and “Transfer of personal data outside the EU”.

A data breach is whenever something happens that has not been planned with the personal data, be it improper processing, improper sharing, loss of data, deletion, etc. That is, personal data must be used for a specific purpose, respecting the life cycle (from collection to exclusion), any situation that escapes this cycle must be reported as a data breach.

The transfer of personal data outside the EU can also be considered a violation if there is no authorization from the data subject and if the destination country does not offer legislation like the GDPR. Although there is no specific legislation, the Supervisory Authority can authorize the transfer of data provided that the company in the destination country accepts standard contractual clauses for the processing of this data.

Article 46 of GDPR

1. In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

Article 58 of GDPR

3. Each supervisory authority shall have all of the following authorisation and advisory powers: to authorise contractual clauses referred to in point (a) of Article 46(3).

Verify that the processor has sufficient security guarantees that are essential for the Controller to remain in

compliance with the GDPR. Remember that the responsibility is always of the controller who must take care of the data of the data subjects that have been entrusted to him.

Recital 81 mentions the following:

(81) To ensure compliance with the requirements of this Regulation in respect of the processing to be carried out by the processor on behalf of the controller, when entrusting a processor with processing activities, the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organizational measures which will meet the requirements of this Regulation, including for the security of processing. The adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller.

Anonymized data is not under the scope of the GDPR, nor are data from deceased persons. Organizations that handle only this type of data do not need to conform to the GDPR.

Anonymized data reads data that is not possible to reverse in order to identify the data subject. There is also pseudonymized data, in which case it is possible to perform the reversal and identify the data holder.

This occurrence should be classified as a security vulnerability, as it does not state whether an incident occurred for this reason.

However, the failure in this procedure can allow an incident to occur if an unauthorized person has access to the workstation.

Vulnerability is the means by which an attack can cause an information security incident.

Compulsory Corporate Rules are rules used internally by multinational companies to transfer personal data. Thus, it is possible to transfer data between them, even if the destination company is in a country that does not have an adequate level of data protection. These rules are like an internal corporate code of conduct and do not cover transfers of personal data outside the corporate group.

Do not confuse " Compulsory Corporate Rules " with " Standard Contractual Clauses " . The last are clauses in contracts for international data transfer between companies (customer and supplier relationship) where the destination country does not have an adequate level of data protection, and depends on authorization from the Supervisory Authority.

Article 58 of GDPR

3. supervisory authority shall have all of the following authorisation and advisory powers:

a) to advise the controller in accordance with the prior consultation procedure referred to in Article 36.

When there is a processor and an operator in EEA countries, the competent authority will be the location of the Controller, however the Supervisory authority of the Controller is considered to be a concerned Supervisory Authority (who has interests).

Therefore, the Processor Supervisory Authority evaluates and approves the rules of the contract, in accordance with Article 57 of the GDPR, and must notify the Controller Supervisory Authority.

In its Article 57, the GDPR legislates on the Responsibilities of the Supervisory Authority. In its first paragraph, items “r” and “s”:

r) Authorise contractual clauses and provisions referred to in Article 46(3);

s) Approve binding corporate rules pursuant to Article 47.

When we have a Regulation, such as the GDPR, all EU member states are obliged to follow it. The regulation is a law and Member States cannot create laws that oppose it. Unlike the Directives that set objectives to be achieved, however, each Member State is free to decide how to apply them in its country.

It aims to manage the flow of data throughout the life cycle, from collection, processing, sharing, storage and deletion.

Having the knowledge where the data travels, who is responsible, who has access, helps and a lot to implement security measures.

A decision on the safety of transferring personal data to a non-EEA country. Incorrect. This refers to adequacy decisions.

A measure to compensate for the lack of personal data protection in a third country. Incorrect. This refers to appropriate safeguards.

A set of agreements covering personal data transfers between non-EEA countries. Incorrect. The GDPR does not cover agreements between non-EEA countries.

A set of approved rules on personal data protection used by a group of enterprises. Correct. BCR are a set of rules approved by the supervisory authorities. (Literature: A, Chapter 3; GDPR Article 47)