
CIPP/E Exam Prep Study Guide


Prohibition of cross border data transfers under Data Privacy Directive 95/46/EC apply when - ANS - data transferred from a jurisdiction in the EU to a third country.

What treaty or convention allowed the Data Protection Directive 95/46/EC to be used as a harmonising measure for European Member states? - ANS - The Treaty of Rome

Direct marketing would include: - ANS - Email promoting new book on sale.

What two opposing forces needed to be considered in formulating a privacy framework in the European Economic Community? - ANS - Concerns for personal freedom and privacy and ability to support free trade.

What principle is contained in art 12 of the Human Rights Declaration? - ANS - The right to a private life and associated freedoms.

What right is protected by art 19 of the Human Rights Declaration? - ANS - The right to freedom of opinion and expression.

Which article of the Human Rights Declaration reconciles articles 12 and 19 and how is it stated? - ANS - Article 29(2) states that individual rights are not absolute and there are instances where a balance must be struck to limit their exercise.

What was the purpose of the European Convention on Human Rights? - ANS - It was an international treaty to protect human rights and fundamental freedoms.

Name special categories of data. - ANS - Racial or ethnic origin, political affiliations/opinions, health information, sex life, religious beliefs, trade union membership. p 58

What are the specific rights enumerated in the ECHR? - ANS - right to life, prohibition of torture, prohibition of slavery and forced labour, right to liberty and security, right to a fair trial, no punishment w/o law, respect for private and family life, freedom of thought, conscience and religion, freedom of expression, freedom of assembly and association, right to marry, right to an effective remedy and prohibition of discrimination.

What are the two rights provided under article 8 of the ECHR? - ANS - 1. right to respect for private and family life and his correspondence. 2. No interference by public authority of this right except in accordance to law and is necessary in a democratic society in the interest of national security public safety...

What does article 10 of the ECHR deal with? - ANS - Right to freedom of expression and to share information and ideas across borders but qualified so as to protect the privacy of individuals

What are the obligations imposed on EU member states as seen under the Data Protection Directive 95/45/EC or the Data Protection Directive or 'the Directive'? - ANS - The Directive sets out general principles and leaves the member states to implement these principles as they see fit. p 38

What are the exceptions to the consent required for cookies under the e-Privacy directive 2002/58/EC? - ANS - where 1) storage or access is for the sole purpose of carrying out transmission of communication over an electronic network and 2) strictly necessary for information service explicitly requested by user p 43

What is the most pertinent amendment to the e-Privacy Directive? - ANS - Cookies require prior information and consent. p 43

When could a data controller collect data from 3rd parties without notification to the data subjects under Data Protection Directive 95/49/EC? - ANS - A pre-approved marketing effort. p 43.

Who makes sure directives are implemented properly by the member states? - ANS - The European Commission. p 27-28

What institution adopts adequacy findings (by which non members are regarded as providing adequate levels of data protections) for the European Union? - ANS - The European Commission. p 29

Which directive or convention contains specific provisions for data breaches? - ANS - The Privacy and Electronic Communications Directive. p 42

What is the exemption in the e-Privacy Directive 2002/58/EC allowing data controllers to send electronic marketing information? - ANS - The recipients are existing customers. p 43.

Under the Data Protection Directive (95/46/EC) what type of data subject is not covered? - ANS - Legal persons would seem not to be but is not prohibited either (and some local laws afford some protection) and also deceased individuals do not constitute 'natural persons' although in some member states (Italy) data protection rules apply to deceased individuals under certain circumstances. p 63.

Name some of the conditions to be satisfied in order to process personal data in line with European Data Protection concepts/principles. - ANS - Obtained and processed fairly and lawfully, for legitimate purposes, adequate/relevant/not excessive for purposes, accurate/up to date, preserved for no longer than required. p 81

Name an incompatible purpose for processing data beyond originally specified purpose. - ANS - Performance of a contract. If this were not true, then a mere contract would allow processing data for any purpose. One exception is research p 87- specifically allowed p 85-86.

In the Data Protection Directive 95/46/EC what is "any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed"? - ANS - Unambiguous consent. p 94

Under Data Protection Directive 95/46/EC what info must be included in the notification of data processing? - ANS - Name of the data controller processing data and the purpose of the processing. p 109

If personal data is not obtained directly from the data subject when should fair processing information be provided? - ANS - At the time personal data is recorded or if disclosure to 3rd party contemplated then no later than at the time data is first disclosed. p 111

When should a company respond to a former employee's request for his personal information (email, etc.)? - ANS - ASAP - taking into account local data protection rules. p 126

Within what period of time must a company respond to a former employee's data request? - ANS - As soon as possible and within the national legal requirement. p 126

What should a company do in response to a former employee's request for his email correspondence during his employment? - ANS - Since the company must not infringe the right to privacy of third parties also identified in the data, affected employees may need to be informed and consent obtained before release of information to the former employee. p 132

Why does Data Protection Directive 95/46/EC require a data controller to notify a DPA about processing of personal data? - ANS - Threefold: 1) foster transparency, 2) help DPA carry out regulatory functions, 3) provide source of funds for some DPAs' budgets. p 163

Do BCRs (Binding Corporate Rules) provide a basis to transfer names of employees to a telecom provider in the same country in order to provide them with mobile telephone services? - ANS - No, BCRs deal only with intra-organisational transfers not involving third parties. p 184

For contracts based on EU standard contractual clauses with a processor outside the EEA who must the importer/processor inform and what must he obtain before proceeding? - ANS - The importer must inform the data controller and obtain its written consent. p 187.

What is the general European approach to protection of employment data held by an organisation? - ANS - Employers should always consider any obligations under local employment law that apply to the situation - e.g. consulting with the various national works councils. p 211

Examples of sensitive employee data include: - ANS - Racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or data concerning health or sex life. p 213

What are the exceptions specified in article 8 of the EU Data Protection Directive allowing for the processing of sensitive employee data? - ANS - Explicit consent of the individual (last resort given difficulty of valid consent in employee-employer relationship), to carry out obligations and specific rights under employment law, other grounds available under local law. p 213-214

What are the two conditions in order to carry out employee monitoring? - ANS - Necessary and legitimate. p 215

Must an employer provide notice before engaging in general monitoring of e-mail traffic and internet use by employees? - ANS - Yes but not obliged to obtain prior consent. Although in some collective agreements, the employer must obtain consent of the works council before commencing the particular monitoring. p 216-217.

Does the Data Protection Directive 95/46/EC allow video surveillance of employees who access inventory? - ANS - Yes as long as DPAs have been notified, monitoring is carried out for clearly defined, lawful purposes. p 234-238

Name technologies used to track online behaviours. - ANS - Cookies, beacons, social media like and dislike functionality. p 261-262

An example of cloud computing would be? - ANS - A web-based e-mail platform. p 269-273.

What is the rationale for data protection? - ANS - Rapid progress in the field of electronic data processing offered advantages of efficiency and productivity but created concern that the new technologies would adversely impact the privacy of individuals.

What did the Universal Declaration of Human Rights 1948 recognize? - ANS - Inherent dignity and the equal and inalienable rights of all members of the human race in the foundation of freedom, justice and peace in the world.

What are the fundamental rights and freedoms protected by the European Convention on Human Rights? - ANS - right to life, prohibition of torture, slavery forced labor, right to liberty and security, to a fair trial, no punishment without law, respect for private and family life, freedom of thought conscience and religion, freedom of expression, of assembly and association, right to marry, to an effective remedy and prohibition of discrimination.

What did European council resolutions 73/22 and 74/29 establish? - ANS - Principles for the protection of personal data in automated databanks in the private and public sectors in order to set in motion development of national legislation.

What did the 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data do? - ANS - Lay out basic rules governing trans-border data flows and the protection of personal information and privacy to facilitate harmonisation of data protection law between countries.

What was Convention 108 adopted by the Council of Europe in 1981? - ANS - First binding international instrument to set standards for the protection of individuals' personal data while seeking a balance to maintain the free flow of personal data for international trade.

What are the three parts of Convention 108? - ANS - Substantive law provisions in the form of basic principles, special rules on trans-border flows and mechanisms for mutual assistance and consultation between the parties.

What is the aim of the Data Protection Directive? - ANS - To further reconcile the protection of the fundamental rights of individuals with the free flow of data from one member state to another consistent with Art 8, 10 of the ECHR.

What was the 2000 Charter of Fundamental Rights? - ANS - Charter that further consolidates fundamental rights applicable within the EU.

What was the main aim of the Treaty of Lisbon? - ANS - To strengthen and improve the core structure of the EU to enable it to function more efficiently.

What is the Council of Europe? - ANS - International organisation promoting co-operation between all countries of Europe in the areas of legal standards, human rights, democratic development, the rule of law and cultural co-operation.

European Court of Human Rights - ANS - a supra-national or international court hearing allegations that a contracting state has breached one or more of the human rights provisions concerning civil and political rights set out in the Convention and its protocols

European Parliament - ANS - Body exercising legislative and budgetary functions.

European Commission - ANS - Body of the European Union responsible for proposing legislation, implementing decisions, upholding the Union's treaties and day-to-day running of the EU.

European Council - ANS - Has no formal legislative power, it is charged under the Treaty of Lisbon with defining "the general political directions and priorities" of the Union. It is thus the Union's strategic (and crisis solving) body, acting as the collective presidency of the EU.

European Court of Justice - ANS - highest court in the European Union in matters of European Union law, tasked with interpreting EU law and ensuring its equal application across all EU member states

The Council of Europe Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data of 1981 (the CoE Convention), - ANS - convention based on a series of principles addressing data protection, ensures protections for privacy but also importance of free flow of personal data for commerce

the EU Data Protection Directive (85/46/EC), - ANS - because of fragmentation of CoE Convention, harmonisation measure set under Treaty of Rome internal market provisions. Note key principles p 39.

the EU Directive on Privacy and Electronic Communications (2002/58/EC) - as amended, - ANS - applies to the processing of personal data in connection with the provision of publicly available electronic communication services.

EU Data Retention Directive (2006/24/EC), - ANS - applies to traffic and location data of both individuals and organisations as well as relevant data identifying subscribers (not about actual content of communication)

Personal data - ANS - wide notion from working party - all info concerning an identifiable individual even if the link is tenuous. "any information - relating to - identified or identifiable - natural person"

sensitive personal data - ANS - racial, political, religious, trade union, health or sex life.

controller - ANS - determines who shall be responsible for compliance with data protection law and how individuals can exercise their rights. "natural or legal person, which alone or jointly, determines purposes and means of processing personal data"

processor - ANS - "separate legal entity with respect to the controller who processes personal data on behalf of the controller."

data subject - ANS - identified or identifiable natural person

Application of law in the EU - establishment in the EU - ANS - law of member state applies when processing carried out in context of controller on the territory of member state

Application of law outside EU - no establishment in the EU - ANS - allows member state to apply law to controller who though not established in EU uses equipment in that member state unless only for transit.

Data Protection principles - ANS - Fairness and lawfulness, purpose limitation, proportionality and data quality

Data subject has unambiguously given his consent - ANS - For consent to be effective it must be unambiguous indication of wishes signifying agreement, freely given, specific and informed.

Legitimate processing - necessity - ANS - For performance of contract to which data subject is party, for compliance with legal obligation, protect vital interests of data subject, in public interest, legitimate interests of controller unless interests overridden by the interests for fundamental rights of data subject.

Sensitive data - special categories - ANS - Starting point is prohibited but if specific rights of controller in field of employment law if authorised by national law, to protect vital interests (unconscious), by non-profit, data manifestly made public, by health professional, substantial public interest.

Transparency principle - ANS - provide data subject with certain info and notify local data protection authorities of data collecting activities.

Exceptions - ANS - national security, defence, public security,

Last updated: 1 year ago

Uploaded on: Oct 11, 2022

Number of pages: 9

Seller: Nutmegs
