Data Protection Principles Overview

Questions and Answers

What is a primary characteristic of digital contracts?

  • They always require a physical signature.
  • They can only be created by consumers.
  • They must be conducted in person.
  • They are entirely negotiated and concluded through digital resources. (correct)

Which type of contract relates specifically to the provision of software assistance?

  • Purchase agreement
  • License contract
  • Sale contract
  • Service contract (correct)

In e-commerce, what does the term B2C refer to?

  • Business to Contractor
  • Buyer to Consumer
  • Business to Consumer (correct)
  • Business to Company

Which role does the provider of payment services play in online purchases?

  • They facilitate the transaction. (correct)

What are the legal issues in digital contracts affected by?

  • Whether the contract is between business entities or between businesses and consumers. (correct)

What type of contract can include both hardware and software elements?

  • Sales contract (correct)

Which of the following is NOT typically involved in the online purchase process?

  • Physical store manager (correct)

What basic question arises in the legal perspective during online transactions?

  • Is law capable of providing solutions to the legal issues involved? (correct)

What action may the Data Protection Authorities take for a likely infringement of data protection rules?

  • Issue a warning (correct)

What is the maximum monetary fine that can be imposed for a serious infringement under GDPR?

  • €20 million or 4% of annual turnover (correct)

Which factor is NOT considered by the supervisory authority when deciding on corrective measures for data loss?

  • The company's financial stability (correct)

In case of data loss due to a cyber-attack, what may the supervisory authority evaluate?

  • The nature of the personal data affected (correct)

What may the DPA choose to impose alongside or instead of a reprimand during an infringement case?

  • Temporary ban on processing (correct)

What is the importance of ensuring that fines are 'effective, proportionate and dissuasive'?

  • To prevent future data breaches (correct)

What might be a relevant factor in assessing the severity of an IT system deficiency?

  • How long the IT infrastructure was vulnerable (correct)

What type of data loss scenario is considered in the context described?

  • Cyber-attack resulting in data exposure (correct)

What approach ensures that privacy and data protection principles are integrated from the beginning of data processing operations?

  • Data protection by design (correct)

Which of the following is an example of data protection by default?

  • Limiting the accessibility of user profiles by default (correct)

When must a company notify the supervisory authority about a data breach?

  • Within 72 hours of becoming aware of it (correct)

What is a common first step for companies concerning data protection principles?

  • Designing data processing operations with measures in place (correct)

What should a company do if a data breach poses a high risk to individuals affected?

  • Inform the affected individuals, unless effective protection measures are available (correct)

What situation describes a data breach?

  • A hospital employee publicly shares patient data without authorization (correct)

What technique helps protect data confidentiality during processing?

  • Pseudonymisation of data (correct)

What principle emphasizes processing only the necessary personal data?

  • Data minimization (correct)

What action must a hospital take upon discovering a data breach?

  • Notify the supervisory authority and inform the patients (correct)

Under what condition can a hospital be exempt from notifying patients after a data breach?

  • If technical protection measures like data encryption were in place (correct)

When is a company required to appoint a Data Protection Officer (DPO)?

  • When its core activities involve large-scale processing of sensitive data (correct)

What is one of the primary roles of a Data Protection Officer?

  • To advise on data protection obligations and monitor compliance (correct)

In which situation are public administrations required to appoint a DPO?

  • Always, except for courts performing judicial functions (correct)

How should a DPO report to the company they work for?

  • Directly to the highest level of management (correct)

Which of the following does NOT represent a responsibility of a DPO?

  • Make binding decisions on data requests (correct)

What is considered a technical protection measure in data management?

  • Encrypting sensitive data (correct)

Flashcards

IT Contracts

Contracts where the object of the agreement is software, hardware, or IT services.

Digital Contracts

Contracts that are entirely negotiated and concluded using digital tools, like online platforms or email.

E-commerce

The process of buying and selling goods and services online.

B2B Contracts

Contracts between businesses, like a company buying software from another company.

B2C Contracts

Contracts between businesses and consumers, like buying something online from a retailer.

International Law

Different legal systems that might apply when a transaction involves multiple countries and actors.

Contractual Complexity

The legal issues that arise when a transaction involves multiple contracts and parties.

Law's Applicability

The question of whether existing laws adequately address the legal issues of online transactions.

Data Protection by Design

Incorporating privacy safeguards into the very design of data processing systems, ensuring data protection from the outset.

Data Protection by Default

Setting default privacy settings to the most protective level, minimizing data access and ensuring that personal information isn't easily shared with an unlimited audience.

Pseudonymization

Processing personal data so that it can no longer be attributed to a specific individual without additional information (for example a key or a lookup table), which is kept separately and protected by technical and organizational measures. Unlike anonymization, pseudonymized data is still personal data: it can be re-identified by whoever holds the additional information.

Data Breach

A security incident that results in unauthorized access, disclosure, alteration, or destruction of personal data under a company's responsibility.

Data Breach Notification (72 hours)

The legal obligation for a company to report a data breach to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. A later notification must be accompanied by the reasons for the delay.

Data Processor Notification

The responsibility of a data processor (e.g., a service provider) to notify the data controller (e.g., the company owning the data) without undue delay about any data breaches that occur within their processing activities.

Individual Notification of High Risk Data Breach

The responsibility of a company to inform affected individuals about a data breach that poses a high risk to their rights and freedoms, unless technical measures such as encryption render the affected data unintelligible to unauthorized parties, or subsequent measures mean the high risk is no longer likely to materialize.

Data Protection Accountability

The principle of accountability in data protection, where a company is responsible for demonstrating that it has implemented appropriate technical and organizational measures to protect personal data.

Data Protection Officer (DPO)

A Data Protection Officer (DPO) is required for organizations whose core activities consist of large-scale processing of sensitive data, or of regular and systematic monitoring of individuals on a large scale, and for public authorities and bodies. They provide expertise and oversight on data protection.

Data Breach Notification for Hospitals

Hospitals are required to notify the supervisory authority within 72 hours of becoming aware of a data breach involving sensitive information, and to inform the affected patients without undue delay where the breach poses a high risk to them. This applies to data such as patient medical records, pregnancy status, or cancer diagnoses.

Exemption from Patient Notification in a Data Breach

If an organization had applied technical measures that render the affected data unintelligible to anyone not authorized to access it, such as encryption, it might not need to notify patients in case of a data breach. The exemption depends on the measures actually protecting the data that was breached, not merely on their existence somewhere in the organization.

DPO as a Contact Point for Individuals

The DPO acts as a point of contact for individuals whose data has been processed, helping them exercise their privacy rights related to their personal information.

DPO's Role in Data Protection Training & Compliance

The DPO provides guidance and advice to the organization on complying with data protection laws, ensuring all employees understand their responsibilities.

DPO's Independence and Reporting

The DPO's role is independent and they report directly to the highest management level, ensuring they are free to fulfill their duty without undue influence.

Monitoring Individuals in Data Protection Law

Monitoring individuals includes any form of tracking or profiling, encompassing online activities such as behavioral advertising.

DPO's Role in Ensuring Data Protection Compliance

The DPO plays a crucial role in ensuring an organization's compliance with data protection legislation, encompassing training, audits, and awareness-raising initiatives.

GDPR Warning

A formal warning issued to a company or individual when intended processing operations are likely to infringe the GDPR. It signifies a preliminary step towards more serious action if the non-compliance persists.

GDPR Reprimand

A reprimand is a formal censure issued by a data protection authority for a confirmed GDPR violation. It is a formal finding of non-compliance that the authority may publish, which can be a significant reputational hit.

GDPR Processing Ban

A temporary or permanent ban on processing personal data, imposed on a company for violating GDPR rules. This aims to prevent further damage by halting data processing activities.

GDPR Fine

A monetary penalty levied by a Data Protection Authority (DPA) upon a company for violating GDPR regulations. The maximum fine is €20 million or 4% of the company's global annual turnover, whichever is higher.

GDPR Infringement Factors

Determining factors used by the supervisory authority when assessing the severity of a GDPR violation and deciding the appropriate corrective action. These factors include the nature, gravity, duration, intentionality, and mitigating actions taken by the company.

Effectiveness, Proportionality, and Dissuasive Fines

A key requirement under GDPR: every administrative fine must be effective, proportionate to the infringement, and dissuasive, so that it acts as a real deterrent to further violations rather than a routine cost of doing business.

Appropriate Technical Measures

The use of appropriate technical safeguards and security measures by companies to protect personal data from unauthorized access, use, or disclosure. This includes measures to prevent cyberattacks and data breaches.

Sensitive Data Breaches

Situations where sensitive personal data, like financial information, health details, or political opinions, is affected by a data breach, leading to higher potential consequences and stricter sanctions.

Study Notes

Data Protection by Design & Default

  • Companies should implement technical and organizational measures to protect personal data from the start.
  • These measures should be in place by default, for example, by only processing necessary data, with limited storage periods, and limited access. This aims to keep personal data from being accessible to too many people.

Pseudonymisation

  • Using pseudonyms in place of direct identifiers is an example of privacy by design, creating conditions to protect data confidentiality: the dataset alone no longer points at a specific person.
  • It should be applied as early as possible after data collection, regardless of the means used to collect the data, and the additional information needed to re-identify people (keys, lookup tables) must be kept separately under its own access controls.
  • Pseudonymised data is still personal data; it is not anonymised, because whoever holds the additional information can re-identify individuals.
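As an added example (not part of the original lesson), the following Python shows what "pseudonymise shortly after collection, keep the additional information separately" looks like in practice. Direct identifiers are replaced by a keyed HMAC-SHA256 pseudonym so records about the same person still link together, while the key and the reverse-lookup table live in a separate vault object; without that vault the dataset cannot be re-identified, and a second vault with its own key yields unlinkable pseudonyms. The record layout, field names, and the HMAC construction are assumptions made for this demo, and the sample records are constructed.

```python
"""Keyed pseudonymisation of direct identifiers (added example, not from the lesson).

Assumptions for this demo: records are dicts with the field names below, the
pseudonym is HMAC-SHA256 over a normalised identifier, and the 'additional
information' (Art. 4(5) GDPR) is the vault's key plus its reverse-lookup map.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Fields that directly identify a person and must not stay in the working dataset.
# Field names are an assumption of this example.
DIRECT_IDENTIFIERS = ("name", "email", "national_id")


@dataclass
class PseudonymVault:
    """Holds the secret key and the pseudonym -> identifier map.

    This object is the 'additional information' that must be stored separately
    from the pseudonymised dataset and protected by its own access controls.
    """
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    lookup: Dict[str, str] = field(default_factory=dict)

    def pseudonym_for(self, identifier: str) -> str:
        # Normalise so that "Alice@Example.com " and "alice@example.com" link.
        canonical = identifier.strip().lower()
        digest = hmac.new(self.key, canonical.encode("utf-8"), hashlib.sha256)
        pseudonym = digest.hexdigest()[:32]
        # Remember the mapping so re-identification is possible, but only here.
        self.lookup[pseudonym] = canonical
        return pseudonym

    def reidentify(self, pseudonym: str) -> Optional[str]:
        """Reverse a pseudonym; returns None if this vault never issued it."""
        return self.lookup.get(pseudonym)


def pseudonymise_record(record: dict, vault: PseudonymVault,
                        key_field: str = "email") -> dict:
    """Strip direct identifiers and attach a single pseudonymous subject id.

    Only the attributes the processing actually needs are kept (data
    minimisation); the identifying fields never enter the working dataset.
    """
    kept = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    kept["subject_id"] = vault.pseudonym_for(record[key_field])
    return kept


def pseudonymise_records(records: List[dict], vault: PseudonymVault,
                         key_field: str = "email") -> List[dict]:
    """Pseudonymise a batch, e.g. right after collection from a web form."""
    return [pseudonymise_record(r, vault, key_field) for r in records]


def leaks_direct_identifier(records: List[dict]) -> bool:
    """Check used before handing a dataset to analysts: any raw identifier left?"""
    return any(k in DIRECT_IDENTIFIERS for r in records for k in r)


# Constructed sample input (not real people).
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "Alice@Example.com ",
     "national_id": "X-0001", "diagnosis": "asthma", "visit": "2024-01-10"},
    {"name": "Alice Example", "email": "alice@example.com",
     "national_id": "X-0001", "diagnosis": "asthma", "visit": "2024-02-14"},
    {"name": "Bob Sample", "email": "bob@example.org",
     "national_id": "X-0002", "diagnosis": "fracture", "visit": "2024-02-15"},
]


if __name__ == "__main__":
    vault = PseudonymVault()
    dataset = pseudonymise_records(SAMPLE_RECORDS, vault)
    for row in dataset:
        print(row)
    print("leaks identifiers:", leaks_direct_identifier(dataset))
    print("re-identified first row:", vault.reidentify(dataset[0]["subject_id"]))
```

The analysts receive `dataset` only; `vault` stays with the controller's privacy function. Losing `dataset` on its own is a confidentiality incident but the pseudonyms cannot be reversed without the vault, which is the property the exemption from individual notification relies on. Losing both together is a full breach of identifiable data.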

Data Breach Notification

  • A data breach is a security incident that breaks the confidentiality, availability, or integrity of personal data for which a company is responsible.
  • Unless the breach is unlikely to result in a risk to individuals' rights and freedoms, the company (as controller) must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it; a later notification must state the reasons for the delay.
  • If the company is a data processor, it must notify the data controller without undue delay, and the controller then handles the notification to the authority.
  • If the breach is likely to pose a high risk to those affected, they must also be informed without undue delay, with a description of the breach, its likely consequences, and the measures taken or proposed to address it. This is not required where the affected data was protected by measures such as encryption that make it unintelligible to unauthorized parties, or where subsequent measures mean the high risk is no longer likely to materialize.

Data Protection Officer (DPO)

  • A company must appoint a DPO if its core activities involve large-scale processing of sensitive data or large-scale, regular and systematic monitoring of individuals (e.g., hospitals, security companies); public authorities must always appoint one, except courts acting in their judicial capacity.
  • DPOs inform and advise staff, monitor compliance with data protection laws, cooperate with the supervisory authority, and act as the contact point for individuals' requests regarding data processing and their rights.
  • The DPO reports directly to the highest management level of the company and must be able to act independently.

Sanctions for Non-Compliance

  • Data Protection Authorities (DPAs) can issue warnings, reprimands, temporary or permanent bans on data processing, and fines of up to 20 million euros or 4% of annual worldwide turnover, whichever is higher.
  • Fines must be effective, proportionate, and dissuasive, taking into account the nature, gravity, and duration of the infringement, whether it was intentional or negligent, and the mitigating actions the company took.

Online Sales of Household Goods and Data Breaches

  • When a company sells goods online and experiences a cyber attack that exposes customer data, the supervisory authority will consider several factors when deciding on corrective measures, including:
    • The severity of the deficiency in the IT systems that allowed the attack.
    • The length of time the IT system was exposed to the risk.
    • Whether the company had previously tested its systems against such attacks.
    • The number of customers whose data was compromised and the type of data lost, including whether sensitive data was affected.

eContracts

  • Contracts related to information technology can take various forms, including standard software/licenses, tailor-made software, IT devices, software/hardware assistance, and digital contracts.
  • E-commerce encompasses the legal and commercial issues connected to online digital technologies in contracts, specifically in B2B transactions and B2C transactions.
  • Many parties (e.g., website owner, server owner, manufacturer/supplier, payment provider, carrier) are involved in online sales; legal issues arise during the transaction process.
