GDPR Compliance Quiz
39 Questions

Questions and Answers

What is the purpose of a DPIA under Article 35 of GDPR?

  • To ensure data is never shared
  • To eliminate all risks associated with data processing
  • To provide indispensable proof of compliance with due diligence (correct)
  • To design data applications

Employees are exempt from the right of data protection according to GDPR.

False

What should be done in case of changes in the data processing process according to GDPR?

The DPIA should be updated.

A Data Protection Officer (DPO) must be appointed for authorities or public bodies and companies with ______ core activities, such as systematic monitoring.

specific

Match the following aspects with their descriptions:

  • DPIA = Basis for decision and compliance proof
  • DPO = Mandatory for specific organizations
  • Updating DPIA = Required after unforeseen risks
  • Employee data protection = Equal rights for all individuals

What was the main purpose for using GPS tracking in company-owned vehicles according to the decision dated 8 August 2018?

Protection of company property

The consent for GPS tracking was considered voluntary according to the decision from November 2018.

False

What was regarded as an adequate price for a subscription without cookies in the November 2018 decision?

EUR 6

According to the GDPR, consent to data processing must be _______ to be considered valid.

voluntary

Match the following terms to their descriptions:

  • GPS Tracking = Monitoring vehicle usage and location
  • Cookies = Data stored to improve user experience on websites
  • Voluntary Consent = Freely given approval without coercion
  • DPA = Data Protection Authority

According to the decision on cookies, which of the following is NOT a condition for valid consent?

Substantial discounts for consenting users

Considerable negative consequences for refusing data processing can indicate non-voluntariness of consent.

True

How many days of storage were mandated for GPS tracking according to the DPA?

93 days

What is an example of entities included under 'bodies governed by public law' according to the directive discussed?

Public service agencies

Under GDPR, a person's request for the right to erasure must be fulfilled within 3 months.

False

What is the maximum time frame for notifying the data protection authority after a data breach?

72 hours

Data subjects must be notified of breaches that could result in high risk.

True

What is the right that allows individuals to obtain a copy of their personal data and information regarding how it is processed?

Right to access

What details must be included when notifying about a data breach?

Description of the breach, categories and number of data subjects affected, contact details of the data protection officer

The 'right to be forgotten' falls under the __________ rights in GDPR.

rights of the data subject

In case of a data breach, immediate notification should include the description of the breach and the __________ of the data protection officer.

contact details

Match the following GDPR rights with their descriptions:

  • Right to erasure = Request to delete personal data
  • Right to rectification = Request for correction of inaccurate data
  • Right to data portability = Request to transfer personal data to another service
  • Right to object = Request to stop processing personal data

Match the following breach notification components with their descriptions:

  • Description of the breach = Nature of the incident
  • Categories of affected data subjects = Groups impacted by the breach
  • Number of data subjects = Count of individuals involved
  • Contact details of the data protection officer = Who to reach for further information

What is the primary function of the tool developed by Super Profiling Limited?

To monitor website traffic and user behavior

The tool uses cookies for tracking user behavior.

False

What legal compliance does the customer inquire about for using the tool?

GDPR compliance

Angsty's tablet lacks encryption and has the PIN glued to the ______.

back

Match the type of employee to their role in Super Profiling Limited:

  • Programmer = Develops software tools
  • Assistant = Supports managerial tasks
  • Marketing specialist = Handles advertising strategies
  • Lawyer = Ensures legal compliance

What skepticism does Angsty express regarding Sly's plan?

It could violate employee privacy laws.

Careful is responsible for the legal advice required for GDPR compliance.

True

What should Angsty do with his lost tablet?

Report the loss and secure data access

Which of the following are considered technical measures under GDPR for preventing data breaches? (Select all that apply)

Rapid recovery access in case of an incident

Organizations must notify data subjects whenever a data breach occurs, regardless of the risk level.

False

What is the maximum time frame for evaluating the risk after becoming aware of a data breach?

72 hours

The __________ of systems and services is critical to ensure the confidentiality and integrity of data.

availability

Match the following GDPR measures with their descriptions:

  • Pseudonymization = A technique that replaces personal identifiers with artificial identifiers.
  • Data breach notification = Informing affected individuals of a breach when there is high risk.
  • BYOD = Bring Your Own Device policy regarding employee device usage.
  • Disaster recovery = Strategies to recover data after an incident or disaster.

Which organization standards are mentioned as benchmarks for best practices in technical measures?

ISO/IEC 27000

Awareness training for personnel is vital for maintaining data secrecy and compliance with GDPR.

True

List one example of a general security measure that organizations must implement under GDPR.

Access control

Study Notes

Computer Science and Law Course Content

• Course Dates: Fall/Winter Term 2024-25
• Instructor: Natascha Windholz, Krems
• University: University of Applied Sciences
• Introduction to Law: October 3, 2024
• Contract and Liability Law: October 3, 2024
• Intellectual Property Law: October 10, 2024
• Data Protection Law: October 23, 2024
• Case Study: November 5, 2024
• Cybersecurity Law: November 7, 2024
• AI Law: November 28, 2024 (Case study)
• Various IT Laws (e-Commerce, consumer law, data related acts, platform law): December 5, 2024
• Q&A Session: December 5, 2024
• Exam: December 19, 2024

Data Protection

• The term "data protection" is misleading: it protects the individual "behind" the data. Privacy is the "right to be left alone."
• EU Law:
  • General Data Protection Regulation (GDPR)
  • Directive on privacy and electronic communications (e-Privacy Directive)
• National Law (Austria):
  • Austrian Data Protection Act (DSG)
  • Austrian Telecommunication Act (TKG)

GDPR: Overview

• Applicable since: May 25, 2018
• Objectives (Art 1 GDPR):
  • Protection of natural persons regarding personal data processing.
  • Establishing rules relating to the free movement of personal data.
• Elimination of the previous notification and approval requirement:
  • No prior review by the data protection authority (DPA).
  • Shift of responsibility to the company, with subsequent ex post audit by the DPA.
• Penalty powers of the DPA:
  • High penalties for violations: up to EUR 20 million / 4% of worldwide annual turnover of the previous fiscal year (the higher value applies).

GDPR: Territorial Scope

• Processing by an establishment in the EU: GDPR applies.
• Processing by an establishment outside the EU that offers goods/services to, or monitors the behaviour of, EU data subjects:
  • GDPR + law of the country of domicile.

GDPR: Territorial Scope (Art 3 GDPR)

• Controller with registered office in the EU: GDPR + law of the country of domicile (e.g. Facebook (Ireland), Google (Ireland), Xing (Germany)).
• Controller based in a third country: GDPR + possibly several national Data Protection Acts, depending on which countries the offering is directed at (e.g. Twitter/X (USA)).
• Controller based in Austria: GDPR + DSG.

GDPR: Material Scope (Art 2, 4 para 1 and 2 GDPR)

• Processing: Any handling of data (e.g., collect, record, organize).
• Personal data: Any information relating to an identified or identifiable natural person (e.g., dynamic IP address).
• Natural persons only: Legal persons are excluded from protection.
• Business data protection: The Trade Secrets Directive protects business data.
• ePrivacy Regulation under negotiation: addresses issues regarding spam and cold calling.

GDPR: Personal/Pseudonymous/Anonymous Data

• Pseudonymization (Art 4 para 5 GDPR): Processing personal data in a way that it can no longer be attributed to a specific data subject without additional information. This additional information is kept separately and is subject to technical and organizational measures.
• Anonymization (Recital 26): Information that does not relate to an identified or identifiable natural person, or has been rendered anonymous. The standard is high and difficult to achieve in practice.

GDPR: Material Scope > "Sensitive" Data

• Special categories of personal data:
  • Data relating to criminal convictions and offences (Art 10 GDPR).
  • Sensitive data (Art 9 GDPR).
• Broad definition of sensitive data: Personal data revealing racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic data; biometric data for uniquely identifying a natural person; data concerning health; data concerning sex life or sexual orientation.

GDPR: Fundamental Questions

• WHO processes?
• WHICH data from WHOM?
• For WHAT purposes?
• On WHAT legal basis?

GDPR: Key Roles and Responsibilities

• Data Subject: Natural person whose personal data are processed (e.g., customers, suppliers).
• Controller: Individual/organization deciding on the purposes of data processing (e.g., company/legal entity, social media platform operator).
• Processor: Individual/organization processing data on behalf of the controller (e.g., IT service provider, cloud provider).

GDPR: Key Roles and Responsibilities in Social Media

• Joint Responsibility: Social media operators are jointly responsible for data processing.
• Consequences: Site owners must fulfill information obligations and safeguard data subject rights (e.g., right to information, right to erasure).

GDPR: Lawfulness of Data Processing – Purpose (Art 5 para 1 icw Art 6 GDPR)

• Strict Purpose Limitation Principle: The use of data must be limited to a specific, defined purpose. Data can be processed only for specified, unambiguous, legitimate purposes (e.g., payroll, contact information).

GDPR: Lawfulness of Data Processing (Art 6 + 9 GDPR)

• Non-sensitive data (Art 6): necessary for the performance of a contract; legitimate interests of the controller or a third party; necessary for compliance with a legal obligation; consent of the data subject.
• Sensitive data (Art 9): Express consent; fulfilling employment/social security obligations; legal claims; consent of the data subject.

GDPR: Legitimate Interests (Art 6)

• Non-sensitive data: low risk for data subjects, processing expected by the data subject. Little need for additional protection.
• Sensitive data: high risk for data subjects, potentially surprising processing with special vulnerability needing extra protection.

GDPR: Lawfulness of Data Processing – Legitimate Grounds (Art 6 GDPR)

• Consent:
  • Voluntary, genuine choice.
  • Unambiguous and specific to the case.
  • Informed.
• When: Before use of the data.
• Formal Requirement: No formal requirement, but silence and pre-activated checkboxes are invalid. Consent must be verifiable and actively given.
• Revocability: Revocable at any time without reason, effective for the future. Withdrawal must be as simple as granting consent.

GDPR: Lawfulness of Data Processing (Art 6)

• Consent of the data subject: details to include in the consent declaration; a reference to revocability; consent must follow directly from the form.
• Practical Tip: Provide an extra checkbox for consent; not in general terms or declarations.
• Mere indication: Mere indication of a contact address is not sufficient.
• Social Media Interactions: "Social media friendship" clicks, "likes," or "tell a friend" functions.
• Silence: Pre-activated checkboxes or inactivity are invalid.
• Separate Consent Required: Consent is likely required for each purpose; it should be given before receiving the first advertisement to be valid.
• Consent examples for: GDPR compliant use for marketing purposes (mail, phone, etc.).
• Use of data separate from consent (service provision).
• Revocation of consent (how and when).
• Case studies/details from legal decisions on consent (e.g., employee use of GPS systems; cookie consent; marketing purposes).
GDPR: Direct Marketing by Snail Mail

• Differing Conclusions: The Federal Administrative Court's assessment differs from the DPA's, weighing business interests against data subject rights.
• Explicit Mention: The interest of "direct marketing" is explicitly mentioned in Recital 47, along with a low severity of interference with rights.

Excursus: Contacting (Potential) Customers

• Spam: § 174 TKG defines spam and requires prior consent of recipients.

Spam (§ 174 TKG)

• Electronic Message Requirements: electronic contact for advertising requires recipient consent.
• Grey Area of Legitimate Interests: such contact may be justifiable under data protection law through legitimate interests.
• Unsolicited Communication: A violation of the TKG, but not necessarily a violation of the GDPR. Limited potential use of soft opt-ins.

GDPR: Inadmissible Measures and Consequences

• Concealed Identity: Concealing the sender's identity is generally inadmissible.
• Lack of Information: Advertising that is not recognizable as such and does not provide sufficient information about the advertising message is not acceptable, nor is advertising that leaves the user no reasonable way to contact the sender or unsubscribe from the advertised goods or services.
• Legal Consequences: Actions without consent are often categorized as either administrative offenses or violations of unfair competition law (e.g. aggressive business practices).

GDPR: Data Breach Notification

• Evaluation: Evaluation of the risk level within 72 hours of knowledge of the breach. Detailed internal documentation of all data breaches.
• Risk Levels:
  • No Risk: Internal documentation.
  • Risk: Internal documentation + notification to the DPA.
  • High Risk: Internal documentation + notification to both the DPA and the data subjects.
• Decisive criteria for the risk assessment:
  • type of data breach
  • type, sensitivity and scope of the affected data
  • possibility to identify the data subjects
  • severity and likelihood of impending consequences
  • data subjects requiring special protection
  • number of data subjects

GDPR: Transfer of Personal Data to Third Countries

• Adequacy decision: Certain countries are considered to provide an adequate level of data protection, allowing transfer without additional measures.
• Standard Data Protection Clauses: Pre-approved clauses are available to assist with transfers.
• Schrems II: Subsequent rulings require specific steps to ensure that transfers are compliant.
• Binding Corporate Rules: Rules, standards and guidelines for a company to adhere to regarding the processing of personal data.
• Derogations: Exceptions for specific situations regarding data transfer.

GDPR: US Data Transfers

• History: Case studies/details of EU-US data transfer issues (e.g., Safe Harbor, Privacy Shield).

GDPR: Data transfer to the US

• Max Schrems Saga: details on the case's impact, adequacy decisions and implications. What protection do SCCs offer? What specific guarantees exist for each situation?

GDPR: Consequences of Data Protection Violations

• Appeal: Data subjects' right to appeal to the DPA.
• Investigation: Formal investigation of the violation by the DPA.
• Penalties: Penalties for violations (e.g., damages, injunctive relief, in extreme cases imprisonment for controllers).

GDPR: Consequences in Case of Data Protection Violations – DPA Proceedings

• Complaint: A formal complaint issued by a user/data subject to the DPA, and investigated by the DPA.
• Violation Review: Request to modify the processing activity, restrictions on processing.
• Penalties: May range from required modification to outright prohibition of the data processing.

GDPR: Preparation for Audit by DPA

• Company preparation, required processes, communication channels related to the DPA.

GDPR: Penalties

• Imposing fines: The potential fines that can be imposed directly on legal entities due to violations.
• Criteria/considerations: factors that contribute to the level of the fine.

Case Study: Data Protection

• Summaries of the case study details, highlighting privacy concerns or potential issues. Includes details about a company and issues raised in a case study, such as the loss of a tablet and customer requests for GDPR compliance.

Repetition Questions

• Multiple choice style questions covering essential GDPR concepts, terms and criteria. Answers depend on the questions specified.


Description

Test your knowledge on GDPR regulations, focusing on Article 35, Data Protection Impact Assessments (DPIAs), consent requirements, and the role of a Data Protection Officer (DPO). This quiz covers key decisions and guidelines related to data processing and consent in the context of GDPR.
