Week 10

Questions and Answers

What is the timeframe for notifying a supervisory body in the event of a breach?

• Within 1 week
• Within 24 hours
• Within 1 month
• Within 72 hours (correct)

What is the maximum fine for breaching the requirement to implement technical safeguards?

• €100,000,000
• €20,000,000 (correct)
• €50,000,000
• €10,000,000

Which of the following is NOT a provision of the US Privacy Act of 1974?

• Ensures agencies properly collect, maintain, and use personal info
• Establishes a universal data protection authority (correct)
• Permits individuals to determine records kept
• Creates a private right of action for individuals

What is the purpose of an organizational data protection and privacy policy?

To comply with legislation and regulations (B)

What is a consequence of non-compliance with the GDPR?

Individuals can claim compensation (D)

What is the purpose of breach notification?

To inform supervisory bodies of a breach (C)

What is the percentage of worldwide annual turnover that can be imposed as a fine for non-compliance?

4% (B)

What is required for compliance with the GDPR?

Appropriate management structure and control (D)

According to the GDPR, what is the main criterion for determining whether a natural person is identifiable?

The objective factors, including available technology (C)

What is the term used to describe the process of assigning a pseudonym to personal data?

Pseudonymisation (A)

What is the key principle of data protection according to the GDPR?

The principles of data protection apply to any information concerning an identified or identifiable natural person (A)

What is 'data processing' as defined by the GDPR?

Any operation or set of operations performed upon personal data (D)

What is NOT considered to be information on an identifiable natural person?

Anonymous information (A)

What factors should be taken into account when determining whether a natural person is identifiable?

All objective factors, including available technology (D)

What is NOT an example of data processing according to the GDPR?

Data encryption (C)

What is the purpose of pseudonymisation according to the GDPR?

To make data difficult to attribute to an individual (D)

When establishing jurisdiction, a Member State shall ensure that it has jurisdiction where:

the offence is against an information system on its territory (A)

A Member State shall inform the Commission in which of the following scenarios?

when the offence is committed outside its territory (B)

What is a key element in the humanist justification of child pornography regulation?

the pictures constitute a human rights violation (A)

What is a layer of protection mentioned in the context of child pornography regulation?

UN Convention for the rights of children (D)

What is an economic justification for regulating child pornography?

the pictures create a market (C)

Where must a Member State establish jurisdiction if an offender commits an offence while physically present on its territory?

regardless of whether the offence is against an information system in the territory (D)

What was the main concern of the Court in the case of K.U.v Finland?

The protection of children and vulnerable individuals from criminal acts (A)

What was the nature of the advertisement posted on the internet dating site?

A sexual advertisement targeting a 12-year-old boy (D)

What was the reason for the internet service provider's refusal to identify the person responsible?

Breach of confidentiality (C)

Which article of the Convention was violated according to the Court's decision?

Article 8 (C)

What was the expectation of the Court regarding the legislature's role?

To establish a framework for reconciling confidentiality with crime prevention (D)

What was the outcome of the Court's decision in the case of K.U.v Finland?

There was a violation of Article 8 of the Convention (A)

What is the minimum age of a person considered a 'child' according to the article?

18 years (C)

What is the minimum punishment for knowingly obtaining access to child pornography?

1 year imprisonment (D)

What is the maximum punishment for distribution of child pornography?

2 years imprisonment (B)

Can Member States decide not to punish cases where child pornography is produced solely for private use?

Yes, they have the discretion to do so (C)

What is the minimum punishment for production of child pornography?

3 years imprisonment (A)

Can Member States decide not to punish cases where the person in the child pornography was 18 years or older at the time of depiction?

Yes, they have the discretion to do so (C)

What is the punishment for offering or supplying child pornography?

2 years imprisonment (C)

Is it mandatory for Member States to punish all cases of child pornography?

No, Member States have discretion in some cases (A)

Flashcards are hidden until you start studying

Study Notes

Breach Notification and Incident Response

• In the event of a breach that compromises individuals' data, a supervisory body must be notified within 72 hours.
• Penalties for non-compliance include heavy administrative fines and allowing individuals to claim compensation from companies that did not comply with the GDPR's requirements.

US Privacy Law

• The Privacy Act of 1974 permits individuals to:
  • Determine records kept
  • Forbid records being used for other purposes
  • Obtain access to records
  • Ensure agencies properly collect, maintain, and use personal information
  • Creates a private right of action for individuals
• The US has a range of other privacy laws.

Organizational Response

• An organizational data protection and privacy policy should be developed and implemented.
• The policy should be communicated to all persons involved in the processing of personal information.
• Compliance with this policy and all relevant data protection legislation and regulations requires appropriate management structure and control.

GDPR Definitions

• Personal data refers to any information concerning an identified or identifiable natural person.
• Identification can be direct or indirect, using all means reasonably likely to be used.
• The principles of data protection do not apply to anonymous information.

Data Processing

• "Processing" means any operation or set of operations performed upon personal data or sets of personal data.
• Examples include collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, transmission, dissemination, and erasure.

Child Pornography Regulation

• The UN Convention for the Rights of Children (1990) and the EU law provide a legal framework for regulating child pornography.
• The Budapest Convention (2001) and the EU Directive 2011/92 provide additional legal frameworks.
• Child pornography is punishable by imprisonment, with varying terms depending on the offense.

Limits of Protection

• Member States have discretion to decide whether certain articles apply to cases involving child pornography.
• Questions arise regarding the real age of participants in virtual pictures.