GDPR Compliance Quiz

Questions and Answers

What is the purpose of a DPIA under Article 35 of GDPR?

  • To ensure data is never shared
  • To eliminate all risks associated with data processing
  • To provide indispensable proof of compliance with due diligence (correct)
  • To design data applications

Employees are exempt from the right of data protection according to GDPR.

False (B)

What should be done in case of changes in the data processing process according to GDPR?

The DPIA should be updated.

A Data Protection Officer (DPO) must be appointed for authorities or public bodies and companies with ______ core activities, such as systematic monitoring.

specific

Match the following aspects with their descriptions:

  • DPIA = Basis for decision and compliance proof
  • DPO = Mandatory for specific organizations
  • Updating DPIA = Required after unforeseen risks
  • Employee data protection = Equal rights for all individuals

What was the main purpose for using GPS tracking in company-owned vehicles according to the decision dated 8 August 2018?

Protection of company property (D)

The consent for GPS tracking was considered voluntary according to the decision from November 2018.

False (B)

What was regarded as an adequate price for a subscription without cookies in the November 2018 decision?

EUR 6

According to the GDPR, consent to data processing must be _______ to be considered valid.

voluntary

Match the following terms to their descriptions:

  • GPS Tracking = Monitoring vehicle usage and location
  • Cookies = Data stored to improve user experience on websites
  • Voluntary Consent = Freely given approval without coercion
  • DPA = Data Protection Authority

According to the decision on cookies, which of the following is NOT a condition for valid consent?

Substantial discounts for consenting users (D)

Considerable negative consequences for refusing data processing can indicate non-voluntariness of consent.

True (A)

How many days of storage were mandated for GPS tracking according to the DPA?

93 days

What is an example of entities included under 'bodies governed by public law' according to the directive discussed?

Public service agencies (A)

Under GDPR, a person's request for the right to erasure must be fulfilled within 3 months.

False (B)

What is the maximum time frame for notifying the data protection authority after a data breach?

72 hours (A)

Data subjects must be notified of breaches that could result in high risk.

True (A)

What is the right that allows individuals to obtain a copy of their personal data and information regarding how it is processed?

Right to access

What details must be included when notifying about a data breach?

Description of the breach, categories and number of data subjects affected, contact details of the data protection officer

The 'right to be forgotten' falls under the __________ rights in GDPR.

rights of the data subject

In case of a data breach, immediate notification should include the description of the breach and the __________ of the data protection officer.

contact details

Match the following GDPR rights with their descriptions:

  • Right to erasure = Request to delete personal data
  • Right to rectification = Request for correction of inaccurate data
  • Right to data portability = Request to transfer personal data to another service
  • Right to object = Request to stop processing personal data

Match the following breach notification components with their descriptions:

  • Description of the breach = Nature of the incident
  • Categories of affected data subjects = Groups impacted by the breach
  • Number of data subjects = Count of individuals involved
  • Contact details of the data protection officer = Who to reach for further information

What is the primary function of the tool developed by Super Profiling Limited?

To monitor website traffic and user behavior (A)

The tool uses cookies for tracking user behavior.

False (B)

What legal compliance does the customer inquire about for using the tool?

GDPR compliance

Angsty's tablet lacks encryption and has the PIN glued to the ______.

back

Match the type of employee to their role in Super Profiling Limited:

  • Programmer = Develops software tools
  • Assistant = Supports managerial tasks
  • Marketing specialist = Handles advertising strategies
  • Lawyer = Ensures legal compliance

What skepticism does Angsty express regarding Sly's plan?

It could violate employee privacy laws. (A)

Careful is responsible for the legal advice required for GDPR compliance.

True (A)

What should Angsty do with his lost tablet?

Report the loss and secure data access

Which of the following are considered technical measures under GDPR for preventing data breaches? (Select all that apply)

Rapid recovery access in case of an incident (C), Pseudonymization and encryption (D)

Organizations must notify data subjects whenever a data breach occurs, regardless of the risk level.

False (B)

What is the maximum time frame for evaluating the risk after becoming aware of a data breach?

72 hours

The __________ of systems and services is critical to ensure the confidentiality and integrity of data.

availability

Match the following GDPR measures with their descriptions:

  • Pseudonymization = A technique that replaces personal identifiers with artificial identifiers.
  • Data breach notification = Informing affected individuals of a breach when there is high risk.
  • BYOD = Bring Your Own Device policy regarding employee device usage.
  • Disaster recovery = Strategies to recover data after an incident or disaster.

Which organization standards are mentioned as benchmarks for best practices in technical measures?

ISO/IEC 27000 (C), ÖNORMEN (D)

Awareness training for personnel is vital for maintaining data secrecy and compliance with GDPR.

True (A)

List one example of a general security measure that organizations must implement under GDPR.

Access control

Flashcards

Data Protection Impact Assessment (DPIA)

A process to assess the risks associated with processing personal data and implement appropriate safeguards.

Designation of a Data Protection Officer (DPO)

Mandatory for organizations with extensive or sensitive data processing activities, and for public authorities.

Employee Data Protection

Employees have the same data protection rights as any other individual.

DPIA (GDPR)

An analysis conducted to identify and assess risks associated with specific data processing activities.

DPIA Result

A document summarizing the results of a DPIA.

Public Authorities (GDPR)

Entities performing tasks in the general interest, funded or supervised by public bodies.

Right to Access (GDPR)

The right to request a copy of your personal data held by an organization, including information about the processing purposes and legal basis.

Right to Rectification (GDPR)

The right to request the correction of inaccurate or incomplete personal data.

Right to Erasure (GDPR)

The right to request the deletion of personal data in certain circumstances, such as when processing is no longer necessary.

Right to Restriction of Processing (GDPR)

The right to restrict the processing of personal data in certain situations, such as when you contest the accuracy of the data.

GPS Tracking Consent

A practice where employees are required to consent to the use of GPS tracking in company vehicles due to security and administrative purposes. However, the data is stored for an extended period, potentially enabling performance profiling, raising concerns about voluntariness of consent.

Pay or OK Consent

A scenario where website visitors are presented with a choice: consent to marketing cookies or pay for a subscription to access content without cookie-based tracking.

GPS Tracking Consent - DPA Ruling

The Data Protection Authority (DPA) ruled that consent for GPS tracking in company vehicles was not voluntary because there was no clear benefit for employees and data was stored for an extended period, enabling profiling.

Pay or OK Consent - DPA Ruling

The DPA found that consent for cookies through a "pay or OK" model can be voluntary if the conditions are met, emphasizing the need for transparency and alternatives.

Essential Parameters for Cookie Consent

The DPA outlined several essential parameters for cookies consent, including transparent information, reasonable pricing for data-free alternatives, and the ability to revoke consent.

Technically Necessary Cookies

Cookies that are essential for the website to function correctly, providing basic functionalities like navigation, language settings, and login.

Marketing Cookies

Cookies that are not essential for the website's core functionality but collect data for marketing and user profiling purposes.

PURE Subscription

A subscription model where users pay to access content without having their data processed by cookies.

Data breach risk level

The level of risk associated with a data breach, considering factors like unauthorized disclosure, loss, or other harm to data.

Data subjects and data affected

The specific types and quantities of data that were compromised in a breach, including categories and number of data subjects.

Description of a data breach

Details on the nature of the data breach, including the method and scope of the breach.

Imminent harm

The likelihood of immediate harm or the need for data subjects to take action due to the breach.

Data protection officer contact details

The contact details of the data protection officer responsible for handling data breach notifications.

Technical Measures for Data Security (GDPR)

Technical measures, like encryption and pseudonymization, designed to secure systems and prevent data breaches. They focus on maintaining confidentiality, integrity, and availability of data.

Organizational Measures for Data Security (GDPR)

Organizational measures, including security training and policies, to prevent data breaches. This includes establishing rules for devices used in the workplace and managing sensitive information access.

Encryption

The process of converting data into an unreadable format, making it unintelligible without a decryption key.

Pseudonymization

Replacing sensitive data with a surrogate, such as a code, to prevent direct identification of individuals while preserving data usability.

Data Breach Risk Assessment (GDPR)

The obligation to assess the potential harm caused by a data breach within 72 hours of discovery, and to consider notifying data subjects and authorities accordingly.

Data Breach Notification (GDPR)

The responsibility to inform authorities and affected individuals about a data breach, based on determined risk levels.

Data Recovery and Business Continuity (GDPR)

The ability to restore access to data and systems after a data breach or security incident.

What is Super Profiling's tool?

A tool that uses an "online fingerprint" to track website visitors' behavior, including click rates, surfing patterns, and mouse movements.

What is the GDPR?

A data protection regulation aimed at protecting the personal data of individuals within the European Union.

What must the customer do to use Super Profiling's tool in a GDPR-compliant way?

The company must ensure its tool operates in a way that complies with the GDPR, including obtaining consent for data processing and providing transparent information about data usage.

What is a Data Protection Impact Assessment (DPIA)?

A system where data processing activities are reviewed to identify and assess risks related to personal data.

What is data encryption?

A process of encrypting sensitive data to prevent unauthorized access.

What is a DPIA report?

A document outlining the results of a DPIA, including potential risks, mitigation measures, and compliance requirements.

Who is a data protection officer (DPO)?

A designated individual responsible for ensuring the compliance of data processing activities with the GDPR.

What is employee monitoring?

The act of tracking and monitoring employee activities while at work, including their work habits, productivity, and online behavior.

Study Notes

Computer Science and Law Course Content

  • Course Dates: Fall/Winter Term 2024-25
  • Instructor: Natascha Windholz, Krems
  • University: University of Applied Sciences
  • Introduction to Law: October 3, 2024
  • Contract and Liability Law: October 3, 2024
  • Intellectual Property Law: October 10, 2024
  • Data Protection Law: October 23, 2024
  • Case Study: November 5, 2024
  • Cybersecurity Law: November 7, 2024
  • AI Law: November 28, 2024 (Case study)
  • Various IT Laws (e-Commerce, consumer law, data related acts, platform law): December 5, 2024
  • Q&A Session: December 5, 2024
  • Exam: December 19, 2024

Data Protection

  • The term "data protection" is misleading: what is protected is the individual "behind" the data. Privacy is the "right to be left alone."
  • EU Law:
    • General Data Protection Regulation (GDPR)
    • Directive on privacy and electronic communications (e-Privacy Directive)
  • National Law (Austria):
    • Austrian Data Protection Act (DSG)
    • Austrian Telecommunication Act (TKG)

GDPR: Overview

  • Applicable since: May 25, 2018
  • Objectives (Art 1 GDPR):
    • Protection of natural persons regarding personal data processing.
    • Establishing rules relating to the free movement of personal data.
  • Elimination of previous notification and approval requirement:
    • No prior review by data protection authority (DPA).
    • Shift of responsibility to the company with subsequent ex post audit by DPA.
  • Penalty powers of the DPA:
    • High penalties for violations: up to EUR 20 million / 4% of worldwide annual turnover of the previous fiscal year (higher value applies).

GDPR: Territorial Scope

  • Processing by establishment in EU: GDPR applies.
  • Processing by establishment outside EU, regarding goods/services offered or behavior monitored to EU data subjects:
    • GDPR + law of the country of domicile.

GDPR: Territorial Scope (Art 3 GDPR)

  • Controller with registered office in EU: GDPR + law of the country of domicile (e.g. Facebook (Ireland), Google (Ireland), Xing (Germany)).
  • Controller based in a third country: GDPR + possibly several national Data Protection Acts (depends on orientation) (e.g. Twitter/X (USA)).
  • Controller based in Austria: GDPR + DSG.

GDPR: Material Scope (Art 2, 4 para 1 and 2 GDPR)

  • Processing: Any handling of data (e.g., collect, record, organize).
  • Personal data: Any information relating to an identified or identifiable natural person (e.g., dynamic IP address).
  • Natural persons only: Legal persons are excluded from protection.
  • Business data protection: Trade Secrets Directive protects business data.
  • ePrivacy Regulation under negotiation: addresses issues regarding spam and cold calling.

GDPR: Personal/Pseudonymous/Anonymous Data

  • Pseudonymization (Art 4 para 5 GDPR): Processing personal data in a way that it can no longer be attributed to a specific data subject without additional information. This information is kept separate and subject to technical and organizational measures.
  • Anonymization (Recital 26): Information that does not relate to an identified or identifiable natural person, or has been rendered anonymous. High standards are difficult to achieve in practice.

GDPR: Material Scope > "Sensitive" Data

  • Special categories of personal data:
    • Data relating to criminal convictions and offences (Art 10 GDPR).
    • Sensitive data (Art 9 GDPR)
  • Broad definition of sensitive data: Personal data revealing racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic data; biometric data for uniquely identifying a natural person; data concerning health; data concerning sex life or sexual orientation.

GDPR: Fundamental Questions

  • WHO processes?
  • WHICH data from WHOM?
  • WHAT purposes?
  • WHAT legal basis?

GDPR: Key Roles and Responsibilities

  • Data Subject: Natural person whose personal data are processed (e.g., customers, suppliers).
  • Controller: Individual/organization deciding on the purposes of data processing (e.g., company/legal entity, social media platform operator).
  • Processor: Individual/organization processing data on behalf of the controller (e.g., IT service provider, cloud provider).

GDPR: Key Roles and Responsibilities in Social Media

  • Joint Responsibility: Social media operators are jointly responsible for data processing.
  • Consequences: Site owners must fulfill information obligations and safeguard data subject rights (e.g., right to information, right to erasure).

GDPR: Lawfulness of Data Processing – Purpose (Art 5 para 1 in conjunction with Art 6 GDPR)

  • Strict Purpose Limitation Principle: The use of data must be limited to a specific, defined purpose. Data can be processed only for: specified, unambiguous, legitimate purposes. (e.g., for payroll, contact information)

GDPR: Lawfulness of Data Processing (Art 6 + 9 GDPR)

  • Non-sensitive data (Art 6): necessary for the performance of a contract; legitimate interests of the controller or a third party; necessary for compliance with legal obligation; consent of the data subject.
  • Sensitive data (Art 9): Express consent; fulfilling employment/social security obligations; legal claims; consent of the data subject.

GDPR: Legitimate Interests (Art 6)

  • Non-sensitive data: low risk for data subjects, processing expected by the data subject. Little need for additional protection.
  • Sensitive data: high risk for data subjects, potentially surprising processing with special vulnerability needing extra protection.

GDPR: Lawfulness of Data Processing – Legitimate Grounds (Art 6 GDPR)

  • Consent:
    • Voluntary, genuine choice.
    • Unambiguous and specific to the case.
    • Informed.
  • When: Before use of data.
  • Formal Requirement: No formal requirement, but silence and pre-activated checkboxes are invalid. Consent must be verifiable and actively given.
  • Revocability: Revocable at any time without giving reasons, with effect for the future. Withdrawing consent must be as simple as granting it.

GDPR: Lawfulness of Data Processing (Art 6)

  • Consent of the data subject: the declaration must state the details of the processing the consent covers and refer to its revocability; this must follow directly from the consent form.
  • Practical Tip: Provide an extra checkbox for consent; not in general terms or declarations.
  • Mere indication: Mere indication of a contact address is not sufficient.
  • Social Media Interactions: "Social media friendship" clicks, "likes," or "tell a friend" functions.
  • Silence: Pre-activated checkboxes or inactivity are invalid.
  • Separate Consent Required: Consent is likely required for each purpose; should be given before receiving the first advertisement to be valid.
  • Consent examples for: GDPR compliant use for marketing purposes (mail, phone, etc).
  • Use of data separate from consent (service provision).
  • Revocation of consent (how and when).
  • Case studies/details from legal decisions on consent (e.g., employee use of GPS systems; cookie consent; marketing purposes).

GDPR: Direct Marketing by Snail Mail

  • Differing Conclusions: The Federal Administrative Court's assessment differs from the DPA, weighing business interests against data subject rights.
  • Explicit Mention: The interest of "direct marketing" is explicitly mentioned in Recital 47, along with a low severity of interference with rights.

Excursus: Contacting (Potential) Customers

  • Spam: § 174 TKG defines Spam, and requires prior consent of recipients.

Spam (§ 174 TKG)

  • Electronic Message Requirements: electronic contact for advertising requires recipient consent.
  • Grey Area of Legitimate Interests: justifiable under data protection law through legitimate interests.
  • Unsolicited Communication: Violations of TKG, but not necessarily a violation of GDPR. Limited potential use of soft opt-ins.

GDPR: Inadmissible Measures and Consequences

  • Concealed Identity: Concealing the sender's identity is generally inadmissible.
  • Lack of Information: Advertising that is not recognizable as such, or that does not provide sufficient information about the advertising message, is not acceptable; nor is advertising that gives the user no reasonable way to contact the sender or unsubscribe from the advertised goods or services.
  • Legal Consequences: Actions without consent are often categorized as either administrative offenses or violations of unfair competition law (e.g. aggressive business practices).

GDPR: Data Breach Notification

  • Evaluation: Evaluation of risk level within 72 hours of knowledge of the breach. Detailed internal documentation of all data breaches.
  • Risk Levels:
    • No Risk: Internal documentation.
    • Risk: Internal documentation + notification to DPA.
    • High Risk: Internal documentation + notification to both DPA + data subjects.
  • Decisive criteria for risk assessment:
    • type of data breach
    • type, sensitivity and scope of the affected data
    • possibility to identify the data subjects
    • severity and likelihood of impending consequences
    • data subjects requiring special protection
    • number of data subjects

GDPR: Transfer of Personal Data to Third Countries

  • Adequacy decision: Certain countries are considered to provide an adequate level of data protection, allowing transfer without additional measures.
  • Standard Data Protection Clauses: Pre-approved clauses are available to assist with transfers.
  • Schrems II: Subsequent rulings require specific steps to ensure that transfers are compliant.
  • Binding Corporate Rules: Rules, standards and guidelines for a company to adhere to regarding the processing of personal data.
  • Derogations: Exceptions for specific situations regarding data transfer.

GDPR: US Data Transfers

  • History: Case studies/details of EU-US data transfer issues (e.g., Safe Harbor, Privacy Shield).

GDPR: Data transfer to the US

  • Max Schrems Saga: details on case's impact, adequacy decisions and implications. What protection do SCCs offer? What specific guarantees exist for each situation?

GDPR: Consequences of Data Protection Violations

  • Appeal: Data subjects' right to appeal to the DPA.
  • Investigation: Formal investigation of violation by the DPA.
  • Penalties: Penalties for violations (e.g., damages, injunctive relief, in extreme cases imprisonment for controllers).

GDPR: Consequences in Case of Data Protection Violations – DPA Proceedings

  • Complaint: A formal complaint issued by a user/data subject to the DPA, and investigated by the DPA.
  • Violation Review: Request to modify the processing activity, restrictions on processing.
  • Penalties: May range from modification to outright prohibition of data processing.

GDPR: Preparation for Audit by DPA

  • Company preparation, required processes, communication channels related to DPA.

GDPR: Penalties

  • Imposing fines: The potential fines that can be imposed directly on legal entities due to violations.
  • Criteria/considerations: factors that contribute to the level of the fine.

Case Study: Data Protection

  • Summaries of the case study details, highlighting privacy concerns or potential issues. Includes details about a company and issues raised in a case study, such as loss of a tablet and customer requests for GDPR compliance.

Repetition Questions

  • Multiple choice style questions covering essential GDPR concepts, terms and criteria. Answers will be dependent on the questions specified.
