Data Protection Principles Overview
32 Questions

Questions and Answers

What is a primary characteristic of digital contracts?

  • They always require a physical signature.
  • They can only be created by consumers.
  • They must be conducted in person.
  • They are entirely negotiated and concluded through digital resources. (correct)

Which type of contract relates specifically to the provision of software assistance?

  • Purchase agreement
  • License contract
  • Sale contract
  • Service contract (correct)

In e-commerce, what does the term B2C refer to?

  • Business to Contractor
  • Buyer to Consumer
  • Business to Consumer (correct)
  • Business to Company

Which role does the provider of payment services play in online purchases?

  • They facilitate the transaction.

What are the legal issues in digital contracts affected by?

  • Whether the contract is between business entities or between businesses and consumers.

What type of contract can include both hardware and software elements?

  • Sales contract

Which of the following is NOT typically involved in the online purchase process?

  • Physical store manager

What basic question arises in the legal perspective during online transactions?

  • Is law capable of providing solutions to the legal issues involved?

What action may the Data Protection Authorities take for a likely infringement of data protection rules?

  • Issue a warning

What is the maximum monetary fine that can be imposed for a serious infringement under GDPR?

  • €20 million or 4% of annual turnover

Which factor is NOT considered by the supervisory authority when deciding on corrective measures for data loss?

  • The company's financial stability

In case of data loss due to a cyber-attack, what may the supervisory authority evaluate?

  • The nature of the personal data affected

What may the DPA choose to impose alongside or instead of a reprimand during an infringement case?

  • Temporary ban on processing

What is the importance of ensuring that fines are 'effective, proportionate and dissuasive'?

  • To prevent future data breaches

What might be a relevant factor in assessing the severity of an IT system deficiency?

  • How long the IT infrastructure was vulnerable

What type of data loss scenario is considered in the context described?

  • Cyber-attack resulting in data exposure

What approach ensures that privacy and data protection principles are integrated from the beginning of data processing operations?

  • Data protection by design

Which of the following is an example of data protection by default?

  • Limiting the accessibility of user profiles by default

When must a company notify the supervisory authority about a data breach?

  • Within 72 hours of becoming aware of it

What is a common first step for companies concerning data protection principles?

  • Designing data processing operations with measures in place

What should a company do if a data breach poses a high risk to individuals affected?

  • Inform the affected individuals, unless effective protection measures are available

What situation describes a data breach?

  • A hospital employee publicly shares patient data without authorization

What technique helps protect data confidentiality during processing?

  • Pseudonymisation of data

What principle emphasizes processing only the necessary personal data?

  • Data minimization

What action must a hospital take upon discovering a data breach?

  • Notify the supervisory authority and inform the patients

Under what condition can a hospital be exempt from notifying patients after a data breach?

  • If technical protection measures like data encryption were in place

When is a company required to appoint a Data Protection Officer (DPO)?

  • When its core activities involve large-scale processing of sensitive data

What is one of the primary roles of a Data Protection Officer?

  • To advise on data protection obligations and monitor compliance

In which situation are public administrations required to appoint a DPO?

  • Always, except for courts performing judicial functions

How should a DPO report to the company they work for?

  • Directly to the highest level of management

Which of the following does NOT represent a responsibility of a DPO?

  • Make binding decisions on data requests

What is considered a technical protection measure in data management?

  • Encrypting sensitive data

    Study Notes

    Data Protection by Design & Default

    • Companies should implement technical and organizational measures to protect personal data from the start.
    • These measures should be in place by default, for example, by only processing necessary data, with limited storage periods, and limited access. This aims to keep personal data from being accessible to too many people.

    Pseudonymisation

    • Using pseudonyms is an example of privacy by design, creating conditions to protect data confidentiality.
    • This method of protecting data is applied shortly after data collection, regardless of the means used.

    Data Breach Notification

    • A data breach is a security incident that breaks confidentiality, availability, or integrity of data for which a company is responsible.
    • If likely to affect an individual's rights or freedoms, the company must notify the supervisory authority within 72 hours.
    • If the company is a data processor, the data controller must also be notified.
    • If the breach poses a high risk, those affected should also be informed immediately about protection measures that are in place or what other measures are in place.

    Data Protection Officer (DPO)

    • A company must appoint a DPO if its activities involve sensitive data or large-scale monitoring of individuals (e.g., hospitals, security companies).
    • DPOs inform staff, monitor compliance with data protection laws, and handle requests regarding data processing and rights from individuals.
    • The DPO reports directly to the highest management level of the company.

    Sanctions for Non-Compliance

    • Data Protection Authorities (DPAs) can issue warnings, reprimands, temporary or permanent bans on data processing, and fines up to 20 million euros or 4% of annual worldwide turnover.
    • Fines must be effective, proportionate, and dissuasive, considering the nature, gravity, and duration of the offense.

    Online Household Material Sales and Data Breaches

    • When a company sells goods online and experiences a cyber attack that exposes customer data, the supervisory authority will consider several factors, including:
      • The severity of the IT system deficiency.
      • The length of time the IT system was exposed to risk.
      • Past tests for preventing attacks.
      • The number of customers whose data was compromised and the type of data lost, including sensitive data.

    eContracts

    • Contracts related to information technology can take various forms, including standard software/licenses, tailor-made software, IT devices, software/hardware assistance, and digital contracts.
    • E-commerce encompasses the legal and commercial issues connected to online digital technologies in contracts, specifically in B2B transactions and B2C transactions.
    • Many parties (e.g., website owner, server owner, manufacturer/supplier, payment provider, carrier) are involved in online sales; legal issues arise during the transaction process.


    Description

    This quiz covers the fundamental principles of data protection, including design by default, pseudonymisation, and data breach notifications. Learn how organizations can safeguard personal data through various measures and understand the responsibilities involved in data breaches.
