GDPR Data Subject Rights
47 Questions

Questions and Answers

Under GDPR, which of the following is an accurate description of the 'Right to Access'?

  • The right to obtain confirmation as to whether personal data is being processed, and to access such data along with related information. (correct)
  • The right to transfer personal data from one controller to another in a commonly used format.
  • The right to restrict a data controller from processing data under any circumstances.
  • The right to demand immediate deletion of all personal data held by a controller.

The 'Right to Rectification' under GDPR allows a data subject to correct inaccurate personal data, but does not allow for the completion of incomplete data.

False (B)

According to GDPR, how many distinct rights are data subjects given over their data?

7

According to Article 16, the right to rectification allows a data subject to have incomplete personal data ______, including by means of providing a supplementary statement.

completed

Match each GDPR right with its correct functionality:

  • Right of Access = Obtain confirmation of data processing and access to personal data.
  • Right to Rectification = Correct inaccurate personal data and complete incomplete data.
  • Right to Erasure = Request deletion of personal data under certain conditions.
  • Right to Object = Oppose data processing for specific purposes.

Which of the following data processing activities would most likely require a Data Protection Impact Assessment (DPIA)?

Implementing a system to monitor employee emails for potential data breaches. (C)

The use of badges for employees to enter premises requires a Data Protection Impact Assessment (DPIA) according to the provided information.

False (B)

What is the primary purpose of a Data Protection Impact Assessment (DPIA)?

To identify and minimize the privacy risks of a data processing activity.

A blacklist of potentially dangerous spectators at a stadium requires a DPIA because it involves processing data that could significantly impact individuals' rights and freedoms, especially if it relies on automated decision-making or involves ______ categories of data.

sensitive

Match the following data processing scenarios with whether or not they require a DPIA:

  • Management of employee time using badges = No
  • Biometric fingerprint collection for premises access = Yes
  • Cybersurveillance of employee emails for data loss prevention = Yes
  • Blacklist of potentially dangerous spectators = Yes

You are tasked with completing a DPIA for a new project. Which online tool is explicitly recommended to assist this process?

CNIL PIA tool (B)

Submitting a DPIA group project by March 4th, 2025 at 11:59 PM is an assignment. The project requires merely responding to a received letter; no attachments are necessary.

False (B)

Besides responding to a letter, what else is required for the group project?

Attaching the proper forms.

According to the European Data Protection Committee (EDPS) guidelines, how many criteria must be met to trigger the need for a Data Protection Impact Assessment (DPIA)?

When at least 2 of the 9 specified criteria are met (B)

A DPIA is optional, and not legally mandated, even if the data processing activity poses a high risk to the rights and freedoms of data subjects after mitigation.

False (B)

Name three types of harms or damages that a DPIA seeks to identify in data processing activities.

Discrimination, identity theft/fraud, reputational damage

One mitigation strategy in a DPIA is to reduce the time personal data is ______.

retained

Which of the following is NOT a primary administrative responsibility of a Data Protection Officer (DPO)?

Answering general customer service inquiries unrelated to personal data processing. (A)

Which of the following is NOT typically considered a mitigation strategy identified during a DPIA?

Collecting as much data as possible to ensure accuracy (D)

Engaging with the Supervisory Authority (SA) is required only if the DPIA concludes that there are no residual high risks to data subjects after implementing all planned mitigations.

False (B)

A privacy policy and a privacy notice are the same thing, both intended to address data subjects directly.

False (B)

According to GDPR guidelines, in what kind of language should information be provided to data subjects regarding the processing of their data?

clear and plain

Match each DPIA exception with its justification.

  • Legal Obligation = Processing is necessary to comply with a law.
  • Public Interest = Processing is necessary for a task carried out in the public interest.

What is the standard timeframe within which a Supervisory Authority (SA) must provide written advice after receiving a DPIA consultation request?

8 weeks (B)

Before undertaking any operations, organizations should conduct prior checks of ________.

risks

Match each responsibility with the appropriate entity:

  • Data Protection Officer (DPO) = Cooperate with governing agency during investigations
  • Institution = Be accountable to the governing agency
  • Organization = Maintain record keeping

An organization's privacy policy states: 'We will share your information with law enforcement agencies if legally required.' Under what condition is this information sharing justified?

To comply with a legal obligation, process, or request. (A)

Only companies with over 250 employees need to maintain standard record keeping as part of GDPR compliance.

True (A)

Besides DPIA, what other type of assessment should a DPO maintain records of?

LIA

Under what circumstances does the right to restriction of processing apply, according to Article 18?

All of the above. (D)

The right to data portability allows a data subject to transmit their personal data to any third party, regardless of the format.

False (B)

Briefly explain the condition under which the right to object, as described in the text, applies to the processing of personal data.

The right to object applies when the objection is based on grounds relating to the data subject's particular situation.

Article 17 grants the data subject the right to obtain from the controller the ______ of personal data without undue delay; this is known as the right to be _______.

erasure, forgotten

What is the primary condition under which a data subject can exercise the right to object regarding direct marketing?

At any time, without needing to provide a specific reason. (D)

If a data subject objects to the processing of their personal data for direct marketing, this objection also covers profiling related to that direct marketing.

True (A)

Match the following rights to their descriptions.

  • Right to Erasure = The right to have personal data deleted without undue delay.
  • Right to Restriction of Processing = The right to limit how personal data is used when certain conditions are met.
  • Right to Data Portability = The right to receive personal data in a machine-readable format and transmit it to another controller.
  • Right to Object = The right to oppose the processing of personal data under certain circumstances.

What is the role of the 'controller' regarding the right to erasure?

The controller has the obligation to erase personal data without undue delay. (C)

Under GDPR, in what situation can data be processed even if the data subject objects?

When processing is necessary for a task carried out for reasons of public interest. (D)

A data subject's right to withdraw consent is absolute and applies retroactively to nullify any processing that occurred before the withdrawal.

False (B)

List three circumstances under GDPR Article 6(1) where processing personal data is considered lawful.

Consent of the data subject; necessity for contract performance; compliance with a legal obligation.

According to GDPR, processing personal data based on legitimate interests is not allowed if those interests are overridden by the fundamental rights and freedoms of the data subject, especially when the data subject is a ______.

child

Match each legal basis for processing data with its corresponding description:

  • Consent = The data subject agrees to the processing for specified purposes.
  • Contract = Necessary for fulfilling a contractual agreement with the data subject.
  • Legal Obligation = Required to comply with a law that the controller is subject to.
  • Legitimate Interests = Necessary for the controller's interests, unless overridden by the data subject's rights.

What is the primary condition that must be met for any processing of personal data to be considered lawful under GDPR?

There must be a legal basis for the processing. (A)

Under GDPR, a data controller is always required to obtain explicit consent before processing any personal data, regardless of any other circumstances.

False (B)

Explain the concept of 'legitimate interests' as a legal basis for processing data under GDPR. What condition limits its applicability?

Processing is necessary for the controller's or a third party's interests. It is limited when the data subject's rights and freedoms override those interests.

According to Article 21, a data subject may exercise the right to object to processing of their data by automated means using ______ specifications.

technical

Which of the following scenarios is MOST likely to be justified under the 'vital interests' basis for processing personal data?

Emergency services process data, including location, to locate someone who has had a severe accident. (B)

Flashcards

GDPR Data Subject's Rights

Rights granted to individuals by the GDPR regarding their personal data, including access, rectification, erasure, and more.

Right of Access (Article 15)

The right to obtain confirmation whether personal data is being processed and to access that data, including the purpose and categories.

Right to Rectification (Article 16)

The right to correct inaccurate personal data and complete incomplete data.

What is Data Rectification?

Correcting or updating your personal information held by an organization.

Why is data protection important?

To control the data, individuals have rights to access, modify, and delete their personal data.

Right to Erasure

The right to have your personal data erased by the controller without undue delay.

Right to be Forgotten

Also known as the 'right to be forgotten,' this ensures data is removed when it's no longer needed.

Right to Restriction of Processing

The right to limit how a controller uses personal data under specific circumstances.

Restriction: Data Accuracy

Restriction when accuracy is contested, while verifying data.

Restriction: Unlawful Processing

Restriction is requested when processing is unlawful, instead of erasure.

Restriction: Legal Claims

Restriction is granted when data is needed for legal claims, not processing.

Right to Data Portability

The right to receive your data in a portable format and transmit it to another controller.

Right to Object

The right to object to the processing of personal data based on personal situation or for direct marketing purposes.

DPIA needed for Badge Entry?

Using badges for employee entry doesn't usually require a DPIA.

DPIA needed for Biometrics?

Collecting fingerprints requires a DPIA due to the biometric data.

DPIA needed for Email Surveillance?

Monitoring emails requires a DPIA due to the sensitivity of the data.

DPIA needed for Blacklists?

Creating a blacklist requires a DPIA because it impacts individuals' rights.

What is a DPIA?

A systematic assessment to identify and minimize privacy risks.

DPIA Template

A template to use when completing a DPIA.

PIA Tool

Software to help conduct and document DPIAs.

Group Project

A collaborative project involving group work and submission.

DPO Prior Checks

Checks for risks and a list of operations.

DPO Accountability

Being answerable to the governing agency.

DPO Communication

Handling questions/complaints about personal data processing.

DPO Cooperation

Co-operating with investigations between their organization and the governing agency.

DPO Policy Oversight

Overseeing privacy policies, privacy notices, and cookie policies.

DPO Record Keeping

Maintaining records of standard record keeping (250+ employees), DPIAs and LIAs.

Privacy Notice

A document explaining how personal data will be processed, data subject rights (DSR), and other mandatory information (addressed to the data subject).

Drafting Privacy Policy/Notice

Providing information about processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

G29/EDPS 9 Criteria

A list of 9 criteria used to determine when a Data Protection Impact Assessment (DPIA) is needed.

Examples of G29 Criteria

Evaluation/scoring, automated decisions with legal effects, systematic surveillance, sensitive data, large-scale data, data combination, vulnerable persons' data, innovative tech, and preventing rights exercise.

DPIA - Harms

Harms can be physical, emotional, or material damages resulting from data processing, e.g. inability to exercise rights, financial loss, loss of confidentiality, etc.

DPIA - Mitigations

Mitigations are actions taken to reduce risks identified in a DPIA.

Examples of DPIA Mitigations

Examples: Limiting processing scope, reducing retention time, anonymizing data, training staff, data sharing agreements, changes to privacy notices.

DPIA - Exceptions

Legal obligation and public interest.

DPIA and SA Consultation

Consult your Supervisory Authority (SA) if a DPIA reveals high risks even after implementing mitigations.

SA Response Time

The SA must provide written advice within 8 weeks (extendable by 6 weeks) after receiving a consultation request.

Right to Object (Automated)

Right to object to data processing using automated means with technical specifications.

Right to Object (Research)

The right to object to processing for scientific, historical, or statistical research, unless the processing is necessary for public interest.

Right to Withdraw Consent

The right to take back your permission for data processing at any time.

Lawful Basis: Consent

Data processing is lawful if the data subject has given consent for one or more specific purposes.

Lawful Basis: Contract

Data processing is lawful if necessary for performing a contract with the data subject.

Lawful Basis: Legal Obligation

Data processing is lawful if necessary to comply with a legal obligation.

Lawful Basis: Vital Interests

Data processing is lawful if necessary to protect the vital interests of the data subject or another person.

Lawful Basis: Public Interest/Authority

Data processing is lawful if necessary for a task carried out in the public interest or by official authority.

Lawful Basis: Legitimate Interests

Data processing is lawful if necessary for the legitimate interests pursued by the controller/third party, unless overridden by data subject's rights.

Child Data Protection

Processing data based on legitimate interests is restricted if the data subject is a child.

Study Notes

  • Personal data protection and management is an important topic to study

GDPR Data Subject's Rights

  • Chapter III (Articles 12-23) and Article 7 govern data subjects' rights.
  • Data subjects have been given 7 distinct rights over their data under the GDPR.
  • Data can be accessed and rectified.
  • Data can be erased and forgotten.
  • Subjects can object and withdraw consent.
  • Processing can be restricted, and data can be taken back and moved to another controller (portability).

Right of Access (Article 15)

  • Individuals can obtain confirmation from the controller about whether their data has been processed.
  • If it has, they are allowed access to their personal data and other information like its purpose, categories, etc.

Right to Rectification (Article 16)

  • Data subjects have the right to obtain from the controller, without undue delay, the correction of inaccurate personal data.
  • Data subjects can have incomplete personal data completed, including by means of providing a supplementary statement, taking the purposes of the processing into account.

Right to Erasure (Article 17)

  • Data subjects shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay.
  • This is also known as the right to be forgotten.

Right to Restriction of Processing (Article 18)

  • The data subject can seek restriction of processing from the controller if:
  • The accuracy of the personal data is contested by the data subject for a period enabling the controller to verify the accuracy of the personal data
  • The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead
  • The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defence of legal claims
  • The data subject has objected to processing pursuant to Article 21(1) pending verification of whether the controller's legitimate grounds override those of the data subject.

Right to Data Portability (Article 20)

  • A data subject can receive their personal data provided to a controller in a structured, commonly used, machine-readable format.
  • The data subject can transmit that data to another controller without hindrance from the initial controller.

Right to Object (Article 21)

  • Data subjects can object to the processing of personal data concerning them based on their particular situation.
  • Where personal data are processed for direct marketing, the data subject can object to processing for marketing, including profiling related to direct marketing.
  • Data subjects may exercise their right to object by automated means using technical specifications within the context of information society services, notwithstanding Directive 2002/58/EC.
  • Data subjects can object to the processing of personal data for scientific or historical research, or for statistical purposes, based on their situation, unless the processing is necessary for public interest tasks.

Right to Withdraw Consent (Article 7(3))

  • Data subjects have the right to withdraw consent at any time.

GDPR Article 6(1): How to Handle Personal Data

  • Data processing is lawful only with a legal basis; the bases are:
  • Consent: the data subject has given consent to the processing for one or more specific purposes.
  • Contract: the processing is necessary for the performance of a contract the data subject is party to, including steps taken prior to entering into the contract.
  • Legal obligation: the processing is necessary to comply with a legal obligation the controller is subject to.
  • Vital interests: the processing is necessary to protect the vital interests of the data subject or of another natural person.
  • Public interest: the processing is necessary for a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • Legitimate interests: the processing is necessary for the legitimate interests of the controller or a third party, unless these are overridden by the interests, rights and freedoms of the data subject.
  • Under Article 7, where processing is based on consent, the controller must be able to show that the data subject has consented to the processing of their personal data.
  • If the data subject's consent is given in a written declaration that also concerns other matters, the request for consent must be presented in a manner clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
  • The data subject may withdraw his or her consent at any time.

What is Consent under GDPR? (Article 4)

  • Consent under GDPR must be freely given, specific, informed, unambiguous, and involve a clear affirmative action.
  • Being specific means the person needs to be asked to consent to individual types of data processing.
  • Being informed means the person must be told what they are consenting to.
  • Being unambiguous means the language must be clear and simple.
  • A clear affirmative action requires the person to expressly consent by doing or saying something.
  • Consent is not valid under the GDPR if even one of those five elements is missing.
  • Express consent requires the person to understand the question and its implications and make a genuine choice.
  • Ways to obtain it include filling in a form, ticking a box on a website, or agreeing during a face-to-face conversation.

Principles About Cookies

  • Cookies are tracking files submitted and/or read when visiting a website, reading an email, or installing/using a mobile application.
  • Technical cookies are installed to facilitate/enable electronic communication.
  • Technical cookies are needed to provide a service on the Internet.
  • Technical cookies include certain audience measurement cookies that are necessary for site operation.
  • Consent is not necessary for technical cookies.
  • Tracking cookies are about advertising and tracking user behavior.
  • Tracking cookies include those for social networks and audience measurement (like Google Analytics).
  • Consent is mandatory when tracking cookies are included.
  • CNIL (Commission Nationale de l'Informatique et des Libertés) recommends maintaining two levels of information: a cookie banner at step 1 and a cookie manager at step 2.
  • "Accept all/refuse all" and/or consent by purpose/type of cookie are part of the evolution of consent gathering practices.
  • No choice = no consent (the user can close the pop-up window and continue freely on the site).
  • Consent can easily be withdrawn using a pop-up window that remains on the site.
  • Consent is valid for at most 6 months.
  • Pre-ticked boxes are not allowed under the GDPR, but many countries outside the EU still allow them.
  • Parental authorization is required to process a child's personal data based on consent.
  • Threshold ages vary between 13 and 16 across member states.
  • Check national laws to be sure.

GDPR Cases on Children's Data

  • The Swedish supervisory authority fined an unnamed Swedish school €18,630 for its trial run using facial recognition to monitor students' attendance in August 2019.
  • 22 students participated, for a duration of 3 weeks.
  • Parental consent was obtained but could not be refused.
  • Some data was stored on a computer hard drive locked in a cabinet, and the school did not carry out a DPIA.
  • This was a breach of Article 5 (purpose limitation).

Legitimate Interest(Example)

  • A bank gives a loan; the client stops making payments and moves without notifying the change of address.
  • The client has not consented to the disclosure, but it is legal: it allows the bank to pursue a legitimate interest, recovering the debt.
  • The bank hires a debt collection agency to find the client and seek payment, disclosing the client's personal data to the agency.
  • The bank can only disclose accurate, up-to-date data and no more than the collection agency requires.
  • Legitimate interest must be proportional.

Legitimate Interests Assessment Form

  • Includes purpose, necessity, and balancing tests

DPO – Data Protection Officer

  • Articles 37-39 define the Data Protection Officer.
  • A DPO is required where the organization carries out regular and systematic monitoring of data subjects on a large scale:
  • Regular = ongoing for a particular period, recurring at fixed times, constantly or periodically taking place.
  • Systematic = occurring according to a system, pre-arranged, organized, carried out as part of a strategy.
  • Large scale = number of data subjects, NOT company size.
  • A DPO is also required for public authorities, or where required by an EU member state.
  • Public authority = publicly funded museums, state schools, or universities.

Specifics of the Data Protection Officer

  • The DPO can be either an employee or a contractor, must have a strong understanding of the organization itself, and cannot be a temporary position.
  • Minimum tenure is two years.
  • Renewal is limited to a maximum of five terms (10 years total).
  • The DPO must maintain an independent position at all times by reporting to the highest management level.
  • Support can be requested as needed to fulfill duties. The DPO cannot be swayed by business interests and is not allowed to be the controller.
  • The head of marketing is not allowed to be the DPO.
  • The DPO cannot be dismissed unless they are not fulfilling their duties, and only with the prior consent of the governing regulatory authority.

DPO Tasks (Article 39)

  • Tasks include informing data subjects about their rights, raising awareness of the regulation, and advising their institution about the application of the GDPR rules.
  • Other tasks include conducting prior checks of risks, maintaining a list of operations the organization will undertake, and helping the institution be accountable to the governing agency.
  • Tasks also include answering any questions, handling complaints related to the processing of personal data, and co-operating in the event of an investigation.

DPO's Administrative Responsibilities

  • Must oversee privacy policies, privacy notices and cookie policies.
  • Must maintain all record keeping: standard record keeping (if 250+ employees), DPIAs and LIAs.

Privacy

  • A privacy notice explains to the data subject (DS) how their data is processed, as well as data subject rights (DSR) and other mandatory information.
  • A privacy notice (public, addressing the data subject) and a privacy policy (internal, addressing employees and other persons involved in processing personal data) are not necessarily the same.
  • The GDPR obligations derive from Articles 12, 13 and 14.

Privacy Policy and Privacy Notices

  • Following Article 12, any information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

PIA – Privacy Impact Assessment - DPIA – Data Privacy Impact Assessment

  • Under Article 35 a DPIA is mandatory where processing personal data is likely to involve a high risk to the rights and freedoms of data subjects.
  • Must look at the nature, scope, context and purpose of the processing in each case.
  • Must identify the risks related to the processing of data in order to mitigate them.

This includes:

  • Systematic and extensive evaluations based on automated processing
  • Large-scale processing of special categories of data or data relating to criminal convictions
  • Systematic monitoring of public areas by CCTV

What Happens with the 9 Criteria Listed by the European Data Protection Committee (EDPS)?

  • When 2 of the 9 criteria are met, an impact assessment must be conducted.
  • Evaluation or grading, including profiling and prediction activities
  • Automated decision making with legal or similarly significant effect
  • Systematic surveillance
  • Sensitive data and combining of data
  • Processing operations that can prevent data subjects from exercising their rights or using services

DPIA – Harms

  • Identify any physical, emotional or material harm or damage the processing could cause.
  • Examples include the inability to exercise rights and loss of control over the use of personal data.
  • Additional examples include discrimination, theft/fraud, financial loss, physical abuse, and other damage.

DPIA - Mitigations

  • Deciding not to collect data, and reducing retention time
  • Staff are properly trained when new systems are put in place
  • Data is shared properly, while always offering opt-outs

DPIA and SA

  • If the processing still results in a high risk after mitigations, the Supervisory Authority (SA) must be consulted.
  • All documentation must be available for review (the SA has 8 weeks to respond, extendable by 6).

Description

This quiz covers the rights of data subjects under GDPR, including the right to access, rectification, and other key provisions. It explores data processing activities requiring a Data Protection Impact Assessment (DPIA). Test your knowledge of GDPR compliance.