GDPR Flashcards


Flashcards based on GDPR lecture notes for exam preparation.


49 Terms

1

What is the General Data Protection Regulation (GDPR)?

Officially REGULATION (EU) 2016/679, effective uniformly across the EU without national transposition.

2

Who is the author of the 'Data Protection (EN)' document?

Prof. Carlos Galán.

3

What is the overall goal of the 'Data Protection (EN)' document?

To explain the key aspects and requirements of the GDPR, highlighting changes from previous legislation and outlining obligations for organizations processing personal data.

4

What are the main sections within the 'Data Protection (EN)' document?

Introduction, Lawfulness of Processing, Consent, Transparency, Rights of the Subject, Controller-Processor Relationship, Active Liability Measures, Infractions and Sanctions, Conclusions: What to Do Now?

5

What does RGPD stand for?

Spanish acronym for General Data Protection Regulation.

6

When did the GDPR come into force?

May 2016.

7

When did the GDPR become applicable?

May 2018.

8

What does 'directly applicable regulation' mean for the GDPR?

Takes effect uniformly across all EU member states without needing national laws for transposition.

9

What is the Principle of Proactive Responsibility in GDPR?

Principle of proactively managing data protection based on risks involved, rather than strict rules.

10

What is the definition of 'PERSONAL DATA' under GDPR?

Any information about an identified or identifiable natural person.

11

Who is the 'data subject'?

The natural person the data is about.

12

What is an 'identifiable natural person'?

Someone who can be identified directly or indirectly, through identifiers like name, ID number, location data, or online identifier.

13

What is the definition of 'PROCESSING' under GDPR?

Any operation performed on personal data, whether or not by automatic means, including collection, recording, storage, use, etc.

14

What is 'PROFILE PROCESSING'?

Automated processing of personal data to evaluate personal aspects of an individual, such as performance, financial situation, health, preferences, etc.

15

What is 'PSEUDONYMIZATION'?

Processing data so it can't be attributed to a data subject without additional information (kept separately with security measures).

16

Who is the 'CONTROLLER' under GDPR?

The entity that decides why and how personal data will be processed.

17

Who is the 'PROCESSOR' under GDPR?

The entity that processes personal data on behalf of the controller.

18

What is the definition of 'CONSENT OF THE SUBJECT' under GDPR?

A free, specific, informed, and unequivocal indication of the data subject's wishes.

19

What constitutes a 'PERSONAL DATA BREACH'?

A breach leading to accidental or unlawful destruction, loss, alteration, unauthorized communication, or access to personal data.

20

What is the principle of Lawfulness of Processing under GDPR?

All data processing needs a valid legal reason; you cannot process data without a legitimate basis.

21

What are the potential legal bases for processing data under GDPR?

Consent, contractual relationship, vital interests, legal obligation, public interest/powers, legitimate interests.

22

For consent to be valid under GDPR, what characteristics must it have?

FREE, SPECIFIC, INFORMED, and UNEQUIVOCAL.

23

In what situations must consent be EXPRESS under GDPR?

Automated decision making and international transfers of data.

24

What is the key requirement for TRANSPARENCY under GDPR?

Information provided to data subjects must be concise, transparent, easily accessible, and use clear, simple language.

25

What are the core data protection PRINCIPLES that underpin the GDPR?

Legality, Loyalty and Transparency; Limitation Principle; Data Minimization; Accuracy; Conservation Period; Integrity and Security; Proactive Liability.

26

What is the LIMITATION PRINCIPLE under GDPR?

Data must be collected only for specific, explicit, and legitimate purposes.

27

What is DATA MINIMIZATION under GDPR?

Data must be adequate, relevant, and limited to what is necessary for the purposes of processing.

28

What are the requirements for ACCURACY under GDPR?

Data must be accurate and kept up-to-date, with mechanisms to address inaccuracies.

29

What is the CONSERVATION PERIOD principle under GDPR?

Data should be kept only as long as necessary for the original purpose, then deleted or anonymized.

30

What are the requirements for INTEGRITY AND SECURITY under GDPR?

Data must be protected with adequate security measures against unauthorized or unlawful processing, loss, or damage.

31

What is PROACTIVE LIABILITY under GDPR?

Controllers and processors must comply with principles and demonstrate compliance.

32

What are the ARSO rights granted to individuals under GDPR?

Access, Rectification, Suppression/Erasure, Opposition, plus new rights.

33

What are the key requirements for the PROCEDURE FOR EXERCISE OF RIGHTS under GDPR?

Controllers must facilitate exercise of rights; procedures must be visible, accessible, and simple; exercise of rights is free.

34

What is the Right to Obtain a Copy under GDPR?

Individuals have the right to obtain a copy of their personal data being processed.

35

What is the Right to Portability under GDPR?

Individuals can obtain and reuse their personal data across different services in a structured, commonly used, and machine-readable format.

36

What is the key point regarding the Controller-Processor Relationship under GDPR?

GDPR places obligations directly on processors, but ultimate responsibility remains with the controller.

37

What is the MINIMUM CONTENT required in a data processing contract (Art 28)?

Object, duration, nature, purpose of treatment, data types, data subject categories, processor obligations, subcontracting conditions, assistance to the controller.

38

How does RISK ANALYSIS affect active liability measures under GDPR?

Adoption of active responsibility measures is conditional on the risk that processing may entail for the rights and freedoms of data subjects.

39

List some questions to help determine risk when analyzing data.

Is sensitive data processed? Large number of people? Profiling? Data cross-checked with other sources? Data intended for another purpose? Large amounts of data? Privacy-invasive technologies?

40

What is the RECORD OF TREATMENT ACTIVITIES requirement under GDPR?

Controllers and processors must keep a record of processing operations.

41

What are DATA PROTECTION FROM DESIGN AND BY DEFAULT measures?

These are measures to be applied by the controller before the beginning of the treatment and during its development.

42

What is required regarding SECURITY MEASURES under GDPR?

Organizations must establish appropriate technical and organizational measures to guarantee an adequate level of security.

43

What are the requirements for DATA BREACH NOTIFICATIONS (Art 33)?

The controller must notify the competent data protection authority unless the breach is unlikely to pose a risk to the rights and freedoms of those affected.

44

What is a DATA PROTECTION IMPACT ASSESSMENT (DPIA) (Art 35)?

Controllers must carry out a DPIA prior to processing likely involving a high risk to data subject rights/freedoms.

45

List some HIGH RISK assumptions requiring a DPIA.

Profiling leading to decisions with legal effects, large-scale processing of sensitive data, large-scale systematic observation of a public access area.

46

In what cases is appointment of a DATA PROTECTION OFFICER (DPO) (Art 37) MANDATORY?

Public authorities, entities with habitual/systematic observation of large-scale data, or large-scale processing of sensitive data.

47

What are the requirements for appointing a DPO?

The DPO must be appointed based on professional qualifications and knowledge of data protection law and practice.

48

Under what conditions may personal data be communicated outside the EEA (European Economic Area)?

When countries, territories, or sectors offer an adequate level of protection.

49

What are the regulations regarding TREATMENT OF MINORS (CHILDREN) under GDPR?

Consent is only valid from age 16. Under 16, consent must have the authorization of parents or legal guardians.