GDPR – Data Subject Rights, Transparency & Security (Pages 68-83)

Description and Tags

65 Q&A style flashcards covering transparency obligations, each GDPR data-subject right, key response modalities, and major security duties discussed on pages 68-83.


65 Terms

Card 1

Which GDPR articles set out the core data-subject rights?

A) Articles 1 to 10 GDPR
B) Articles 12 to 22 GDPR
C) Articles 23 to 30 GDPR
D) Articles 31 to 40 GDPR

B) Articles 12 to 22 GDPR.

Card 2

What is the ‘right to be forgotten’ formally called and which article contains it?

A) Right to rectification – Article 16 GDPR
B) Right to object – Article 21 GDPR
C) Right to erasure – Article 17 GDPR
D) Right of access – Article 15 GDPR

C) Right to erasure – Article 17 GDPR.

Card 3

Under Article 12(2) GDPR, what must a controller do regarding data-subject rights?

A) Discourage the exercise of data-subject rights
B) Respond only when legally compelled
C) Proactively facilitate the exercise of data-subject rights
D) Charge a fee for all data-subject requests

C) Proactively facilitate the exercise of data-subject rights.

Card 4

What is the maximum normal time-limit for responding to a data-subject request under Article 12(3) GDPR?

A) 72 hours from receipt
B) Two weeks from receipt
C) One month from receipt (extendable by two further months in complex cases)
D) Six months from receipt

C) One month from receipt (extendable by two further months in complex cases).

Card 5

If a controller refuses to act on a data-subject request, what must it tell the individual?

A) The reasons for not acting and the right to lodge a complaint with a supervisory authority and seek judicial remedy (Article 12(4))
B) Only that the request was refused
C) That they can re-submit the request in six months
D) That the request was excessive and baseless without further explanation

A) The reasons for not acting and the right to lodge a complaint with a supervisory authority and seek judicial remedy.

Card 6

List the qualities that any information supplied to a data subject must have under Article 12(1) GDPR.

A) Lengthy, technical, and detailed
B) Brief, general, and formal
C) Comprehensive, legally precise, and open to interpretation
D) Concise, transparent, intelligible, easily accessible, in clear and plain language

D) Concise, transparent, intelligible, easily accessible, in clear and plain language.

Card 7

When must Article 13 information be supplied?

A) When personal data are collected from the data subject
B) When personal data are transferred internationally
C) When a data breach occurs
D) When personal data are shared with third parties

A) When personal data are collected from the data subject.

Card 8

When must Article 14 information be supplied?

A) When personal data have not been obtained from the data subject
B) When data are transferred within the EU
C) When a data subject submits an access request
D) When processing sensitive personal data

A) When personal data have not been obtained from the data subject.

Card 9

Name three additional items of information a controller must give when responding to an Article 15 access request.

A) Controller's financial status, employee names, and internal policies
B) Data subject's contact history, marketing preferences, and web browsing history
C) Examples: categories of personal data, recipients or categories of recipients, envisaged storage period, existence of automated decision-making, source of data
D) Details of all data backups, server locations, and security software used

C) Examples: categories of personal data, recipients or categories of recipients, envisaged storage period, existence of automated decision-making, source of data.

Card 10

What does Article 19 GDPR require after rectification, erasure or restriction?

A) Controller must notify all recipients of the data unless impossible or disproportionate effort
B) Controller must delete all related backup copies immediately
C) Controller must inform the supervisory authority
D) Controller must obtain new consent from the data subject

A) Controller must notify all recipients of the data unless impossible or disproportionate effort.

Card 11

Give two grounds on which a data subject can demand erasure under Article 17(1).

A) Data no longer necessary; consent withdrawn with no other legal basis; successful objection; unlawful processing; legal obligation to erase; child’s data collected for ISS
B) Data is inconvenient for the data subject to store; data is stored on a cloud
C) Data is more than five years old; the controller has too much data
D) The data subject simply changes their mind; the data is not public

A) Data no longer necessary; consent withdrawn with no other legal basis; successful objection; unlawful processing; legal obligation to erase; child’s data collected for ISS.

Card 12

Name one exemption that permits refusal of an Article 17 erasure request.

A) The data is commercially valuable to the controller
B) Exercise of freedom of expression and information (Article 17(3)(a))
C) The data subject has previously made an erasure request
D) The data is required for internal analytics

B) Exercise of freedom of expression and information (Article 17(3)(a)).

Card 13

What is the effect of a valid restriction of processing under Article 18 GDPR?

A) Data may only be processed (apart from storage) with consent, for legal claims, to protect another person or for important public interest
B) Data must be immediately erased from all systems
C) Data can be freely processed but not shared with third parties
D) Data is archived and can no longer be accessed by anyone

A) Data may only be processed (apart from storage) with consent, for legal claims, to protect another person or for important public interest.

Card 14

Which two cumulative conditions must exist for the right to data portability (Article 20) to apply?

A) Processing is manual AND based on controller's legitimate interests
B) Processing is automated AND based on consent or a contract
C) Processing involves sensitive data AND is for public interest
D) Processing started before GDPR AND is for scientific research

B) Processing is automated AND based on consent or a contract.

Card 15

Under Article 22, when is a solely automated decision prohibited?

A) When it produces legal effects or similarly significantly affects the individual, unless an Article 22(2) exception applies
B) When it is based on publicly available data about the individual
C) When it is used for internal operational purposes only
D) When it does not involve any human oversight whatsoever

A) When it produces legal effects or similarly significantly affects the individual, unless an Article 22(2) exception applies.

Card 16

What three safeguards must accompany a permitted automated decision under Article 22(3)?

A) Right to financial compensation, legal representation, and public apology
B) Right to a second automated decision, data scientist review, and immediate appeal
C) Right to obtain human intervention, express a viewpoint, and contest the decision
D) Right to data deletion, data anonymization, and data archival

C) Right to obtain human intervention, express a viewpoint, and contest the decision.

Card 17

Which article permits Member States to restrict data-subject rights for purposes such as national security and crime prevention?

A) Article 5 GDPR
B) Article 17 GDPR
C) Article 32 GDPR
D) Article 23 GDPR

D) Article 23 GDPR.

Card 18

Why is security described as an ‘A-list celebrity’ principle in Chapter 10?

A) Because it is the easiest principle to implement
B) Because it is only relevant for large organizations
C) Because insecurity can undermine all other GDPR principles and draws intense media, regulatory and litigation attention
D) Because it is a voluntary principle under GDPR

C) Because insecurity can undermine all other GDPR principles and draws intense media, regulatory and litigation attention.

Card 19

State the wording of the security principle in Article 5(1)(f).

A) Personal data shall be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
B) Personal data must always be perfectly secure against all threats, regardless of cost.
C) Personal data should be processed with minimal security to ensure accessibility.
D) Personal data security is solely the responsibility of the data subject.

A) Personal data shall be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Card 20

Which article details the specific security obligations for controllers and processors?

A) Article 6 GDPR
B) Article 12 GDPR
C) Article 28 GDPR
D) Article 32 GDPR

D) Article 32 GDPR.

Card 21

Name the three security ‘domains’ highlighted in Article 32.

A) Physical security, network security, and application security
B) Preventative security, incident detection & response, and remedial security
C) Data encryption, pseudonymisation, and access control
D) Human resources, legal and IT security

B) Preventative security, incident detection & response, and remedial security.

Card 22

What four classic information-security objectives are expressly referenced in Article 32(1)(b-d)?

A) Confidentiality, integrity, availability and resilience of processing systems & services
B) Speed, efficiency, cost-effectiveness, and user-friendliness
C) Transparency, accountability, accuracy, and fairness
D) Compliance, reporting, review, and auditability

A) Confidentiality, integrity, availability and resilience of processing systems & services.

Card 23

Does GDPR demand absolute security?

A) Yes – controllers must ensure 100% security at all times
B) Yes – any breach automatically signifies a violation of GDPR
C) No – it requires ‘appropriate’ measures; a breach can occur without the law being violated
D) No – security is only a recommendation, not a strict requirement

C) No – it requires ‘appropriate’ measures; a breach can occur without the law being violated.

Card 24

What additional duty does Article 32(4) impose regarding personnel?

A) Ensure anyone acting under the controller/processor’s authority processes data only on instructions and under a duty of confidentiality
B) Ensure all personnel receive daily security training
C) Ensure all personnel have access to all personal data
D) Ensure personnel are personally liable for any data breach

A) Ensure anyone acting under the controller/processor’s authority processes data only on instructions and under a duty of confidentiality.

Card 25

Under Article 28(1), what must a controller verify before appointing a processor?

A) That the processor has the lowest cost for services
B) That the processor provides sufficient guarantees to implement appropriate technical and organisational measures for GDPR compliance
C) That the processor is located within the EU
D) That the processor can process data faster than other providers

B) That the processor provides sufficient guarantees to implement appropriate technical and organisational measures for GDPR compliance.

Card 26

Which article obliges processors to assist controllers with breach notification?

A) Article 5(1)(f) GDPR
B) Article 32(4) GDPR
C) Article 28(3)(f) GDPR
D) Article 33(1) GDPR

C) Article 28(3)(f) GDPR.

Card 27

Define a ‘personal data breach’ according to Article 4(12).

A) A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
B) Any IT system failure that causes downtime for more than an hour.
C) Any instance where a data subject makes a complaint about data processing.
D) A situation where an employee accidentally deletes a non-personal file.

A) A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

Card 28

What is the deadline in Article 33 for notifying a DPA of a personal-data breach?

A) Within 24 hours of detecting the breach
B) As soon as possible, but no specific deadline
C) Without undue delay and, where feasible, no later than 72 hours after becoming aware
D) Within one month of the breach discovery

C) Without undue delay and, where feasible, no later than 72 hours after becoming aware.

Card 29

When must data subjects be informed of a breach under Article 34?

A) For every personal data breach, regardless of risk
B) When the breach is likely to result in a high risk to their rights and freedoms, unless an exemption applies
C) Only if the supervisory authority instructs it
D) When the breach involves sensitive personal data only

B) When the breach is likely to result in a high risk to their rights and freedoms, unless an exemption applies.

Card 30

Give one exemption that removes the need to notify individuals under Article 34(3).

A) Data were encrypted or otherwise rendered unintelligible to unauthorised persons.
B) The breach affected fewer than 10 data subjects.
C) The breach was caused by an external actor.
D) The controller promptly fixed the vulnerability.

A) Data were encrypted or otherwise rendered unintelligible to unauthorised persons.

Card 31

What record-keeping obligation does Article 33(5) create?

A) Controllers must only document breaches notified to the DPA.
B) Controllers must only document breaches affecting more than 100 individuals.
C) Controllers are not required to keep internal records of breaches.
D) Controllers must document all breaches (facts, effects, remedial action) whether or not they are notifiable.

D) Controllers must document all breaches (facts, effects, remedial action) whether or not they are notifiable.

Card 32

List two ‘state-of-the-art’ technical measures explicitly mentioned in Article 32.

A) Firewalls and antivirus software
B) Encryption and pseudonymisation
C) Biometrics and multi-factor authentication
D) Data backup and disaster recovery plans

B) Encryption and pseudonymisation.

Card 33

Why is paperwork (‘security paperwork’) critical according to section 10.4.5?

A) It is an outdated practice and of little practical value.
B) It is only required for internal auditing, not external compliance.
C) It demonstrates the existence of policies and controls, influences regulator perceptions, and can determine enforcement outcomes.
D) It guarantees that no data breaches will ever occur.

C) It demonstrates the existence of policies and controls, influences regulator perceptions, and can determine enforcement outcomes.

Card 34

What layered structure for security documentation is recommended?

A) Top-level policy statements, mid-level controls, and detailed operating procedures.
B) A single, comprehensive security document covering all aspects.
C) Only high-level principles, avoiding specific procedures.
D) Separate documents for each department without central coordination.

A) Top-level policy statements, mid-level controls, and detailed operating procedures.

Card 35

What is meant by the ‘insider threat’ in Article 32(4) discussion?

A) Threats originating from external cyber attackers.
B) Risks posed by employees or others under the controller’s authority who might misuse personal data.
C) Vulnerabilities in software used by the organization.
D) Competition from other businesses in the same industry.

B) Risks posed by employees or others under the controller’s authority who might misuse personal data.

Card 36

Give two elements of a good security culture outlined in section 10.4.4.

A) Infrequent, generic training and lenient disciplinary actions.
B) Regular, role-based training and clear disciplinary consequences for violations.
C) Relying solely on technical measures and external consultants.
D) Focusing only on physical security and ignoring cyber threats.

B) Regular, role-based training and clear disciplinary consequences for violations.

Card 37

Which article obliges both controllers and processors to keep security measures in their Article 30 records?

A) Article 30(1) for controllers and Article 30(2) for processors (general description of TOMs).
B) Article 5(1)(f) for controllers only.
C) Article 32 for processors only.
D) Article 28 for both controllers and processors.

A) Article 30(1) for controllers and Article 30(2) for processors (general description of TOMs).

Card 38

What operational tool is recommended for timely responses to access requests?

A) Email communication only
B) Manual paper-based tracking
C) Spreadsheet-based tracking with no automation
D) Ticketing or workflow systems that track and manage requests.

D) Ticketing or workflow systems that track and manage requests.

Card 39

When can a controller charge a fee for a data-subject request?

A) If the request is manifestly unfounded or excessive (Article 12(5)).
B) For every data-subject request, to cover administrative costs.
C) Only for requests related to data portability.
D) If the controller foresees a high volume of requests.

A) If the request is manifestly unfounded or excessive (Article 12(5)).

Card 40

What must a controller do before relying on legitimate grounds to continue processing after an Article 21(1) objection?

A) Obtain explicit consent from the data subject again.
B) Anonymize all the data related to the objection.
C) Demonstrate compelling legitimate grounds that override the interests, rights and freedoms of the data subject or are needed for legal claims.
D) Ignore the objection if processing is based on legitimate interest.

C) Demonstrate compelling legitimate grounds that override the interests, rights and freedoms of the data subject or are needed for legal claims.

Card 41

What is the ‘soft opt-out’ regarding direct marketing objections?

A) It allows controllers to continue direct marketing if the data subject doesn't explicitly opt-out.
B) Article 21(2) gives an absolute right to object to processing for direct marketing, meaning the controller must stop without balancing interests.
C) It's a system where data subjects receive marketing unless they reply 'STOP'.
D) It allows marketing only if the data subject has previously made a purchase.

B) Article 21(2) gives an absolute right to object to processing for direct marketing, meaning the controller must stop without balancing interests.

Card 42

What special consideration applies when a child lodges an access request?

A) The request must always be denied for children under 16.
B) Parents must always make the request on behalf of the child.
C) Assess the child’s maturity; respond in clear language; possibly involve parents if in the child’s best interests.
D) Treat it the same as an adult's request, with no special considerations.

C) Assess the child’s maturity; respond in clear language; possibly involve parents if in the child’s best interests.

Card 43

Explain ‘beyond use’ for backup tapes in erasure contexts.

A) Data remain on backups but are flagged and prevented from restoration or further processing until overwritten.
B) Data on backup tapes must be immediately deleted.
C) Backup tapes should be physically destroyed after each erasure request.
D) Data on backup tapes are moved to an archive and can still be accessed for audit.

A) Data remain on backups but are flagged and prevented from restoration or further processing until overwritten.

Card 44

Which CJEU case first recognised a delisting right akin to erasure?

A) Schrems I v. Data Protection Commissioner
B) Fashion ID GmbH v. Verbraucherzentrale NRW e.V.
C) Google Spain v. AEPD and González (Costeja, 2014).
D) Planet49 v. Bundesverband der Verbraucherzentralen und Verbraucherverbände

C) Google Spain v. AEPD and González (Costeja, 2014).

Card 45

What document guides controllers on social-media targeting and access rights?

A) ISO 27001 Standard
B) NIST Cybersecurity Framework
C) Article 29 Working Party Opinion 4/2007
D) EDPB Guidelines 8/2020 on targeting of social-media users.

D) EDPB Guidelines 8/2020 on targeting of social-media users.

Card 46

How long does a controller have to respond to a rectification request?

A) 72 hours
B) One calendar month (same as other data-subject rights).
C) Two working days
D) Three months for complex cases only

B) One calendar month (same as other data-subject rights).

Card 47

What concept from the DPD evolved into the GDPR’s Article 18 right?

A) ‘Blocking’ of data – now called restriction of processing.
B) ‘Right to be forgotten’
C) ‘Data portability’
D) ‘Consent management’

A) ‘Blocking’ of data – now called restriction of processing.

Card 48

During restriction, when may data still be processed?

A) At any time, as long as it's not further shared.
B) Only for internal administrative purposes.
C) With consent, for legal claims, to protect another person, or for important public interest (Article 18(2)).
D) Never, restriction implies complete cessation of processing.

C) With consent, for legal claims, to protect another person, or for important public interest (Article 18(2)).

Card 49

What is the primary purpose of breach transparency requirements (Articles 33-34)?

A) Risk reporting – enabling mitigation, understanding failures and allowing supervisory oversight.
B) To punish controllers for security failures.
C) To provide public notice of all data processing activities.
D) To allow data subjects to sue controllers directly.

A) Risk reporting – enabling mitigation, understanding failures and allowing supervisory oversight.

Card 50

Name two professional security standards referenced as good practice.

A) PCI DSS and HIPAA
B) ISO 27001 and NIST Cybersecurity Framework
C) ITIL and COBIT
D) GDPR and CCPA

B) ISO 27001 and NIST Cybersecurity Framework.

Card 51

What is the ‘state-of-the-art’ test?

A) Requirement to consider current professional consensus and best practice when selecting security measures (Article 32).
B) A specific technology that must be used for data security.
C) A test for the speed of data processing systems.
D) A legal term for the highest possible level of security.

A) Requirement to consider current professional consensus and best practice when selecting security measures (Article 32).

Card 52

Under Article 11(1), must a controller collect extra data solely to identify a requester?

A) Yes, if there is any doubt about their identity.
B) Yes, if the request is made over the phone.
C) Only if the controller wants to verify more information.
D) No – a controller is not obliged to obtain additional data just to identify the data subject.

D) No – a controller is not obliged to obtain additional data just to identify the data subject.

Card 53

What must be provided to data subjects exercising rights if the request was made electronically?

A) A printed copy of the response must be mailed.
B) The response can be given verbally over the phone.
C) The response should, where possible, be supplied electronically (Article 12(1)).
D) A response is not required for electronic requests.

C) The response should, where possible, be supplied electronically (Article 12(1)).

Card 54

Give one circumstance when a DPIA might be needed for CCTV per WP29.

A) Systematic monitoring of publicly accessible areas on a large scale.
B) CCTV installed for personal home security.
C) A single CCTV camera inside an office for security.
D) CCTV used to monitor access to a private building entrance.

A) Systematic monitoring of publicly accessible areas on a large scale.

Card 55

Why are encryption and pseudonymisation highlighted in Article 32(1)(a)?

A) They are the only security measures allowed under GDPR.
B) They are optional measures and not widely used.
C) They became de facto expected controls before GDPR and are now expressly named illustrative measures.
D) They are primarily for preventing external attacks, not internal misuses.

C) They became de facto expected controls before GDPR and are now expressly named illustrative measures.

Card 56

What does Article 25(2) require regarding default settings?

A) All personal data should be publicly accessible by default.
B) By default, only personal data necessary for each specific purpose are processed and are not accessible to an indefinite number of persons.
C) Default settings should prioritize data sharing over privacy.
D) Controllers can choose any default settings they prefer.

B) By default, only personal data necessary for each specific purpose are processed and are not accessible to an indefinite number of persons.

Card 57

What practical step is advised when rectifying data that may affect linked systems?

A) Assess and manage the broader impact because interlinked data changes can have cascading effects.
B) Ignore other systems, focusing only on the primary database.
C) Delete all data in linked systems to avoid inconsistencies.
D) Consult legal counsel before making any changes.

A) Assess and manage the broader impact because interlinked data changes can have cascading effects.

Card 58

Which document outlines practical transparency measures for IoT devices (e.g., QR codes, videos)?

A) Article 13 GDPR directly
B) The ePrivacy Directive
C) WP29 recommendations on IoT fair-processing information (cited in 8.4.2.5).
D) ISO 27001 standard

C) WP29 recommendations on IoT fair-processing information (cited in 8.4.2.5).

Card 59

What must a processor do before appointing a sub-processor?

A) Inform the data subject directly.
B) Obtain prior specific or general written authorisation from the controller and inform the controller of any changes (Article 28(2)).
C) Conduct a DPIA for the sub-processor only.
D) Ensure the sub-processor is located in the same country.

B) Obtain prior specific or general written authorisation from the controller and inform the controller of any changes (Article 28(2)).

Card 60

If a data-subject request involves information about third parties, what should the controller consider?

A) Protect the third parties’ rights, e.g., by redacting or obtaining their consent before disclosure.
B) Provide all information without redaction for transparency.
C) Deny the request entirely if third-party data is involved.
D) Inform the third parties that their data has been shared.

A) Protect the third parties’ rights, e.g., by redacting or obtaining their consent before disclosure.

Card 61

What is the key difference between Articles 13 and 14 notices?

A) Article 13 applies when data are collected from the subject; Article 14 applies when data are obtained from another source and requires disclosure of that source.
B) Article 13 is for B2C, Article 14 is for B2B.
C) Article 13 is for online data, Article 14 is for offline data.
D) Article 13 is for small businesses, Article 14 is for large enterprises.

A) Article 13 applies when data are collected from the subject; Article 14 applies when data are obtained from another source and requires disclosure of that source.

Card 62

What approach to policy documentation is advised in section 10.4.5?

A) A single, comprehensive document for all policies.
B) Informal agreements between departments.
C) A layered approach: high-level policy statements, then controls, then operating procedures.
D) Using only external templates without internal customization.

C) A layered approach: high-level policy statements, then controls, then operating procedures.

Card 63

Why might a controller pause an access request?

A) To verify the requester’s identity if reasonable doubts exist (Article 12(6)).
B) To delay the process as long as possible.
C) To get legal advice on whether to refuse the request.
D) To determine if the request is relevant to their business.

A) To verify the requester’s identity if reasonable doubts exist (Article 12(6)).

Card 64

What is the main operational benefit of a strong incident-response plan?

A) Guarantees that no security incidents will ever occur.
B) Ensures rapid detection, containment and remediation of security incidents, supporting breach-notification compliance.
C) Reduces the need for security training for employees.
D) Eliminates the requirement for regular security audits.

B) Ensures rapid detection, containment and remediation of security incidents, supporting breach-notification compliance.

Card 65

Under what grounds can a controller refuse an erasure request concerning children’s data?

A) If the child is under 13.
B) If the data are needed for marketing.

D) Only if an Article 17(3) exemption applies, such as legal obligation, freedom of expression, or public-health research needs.