A list of payments made using a credit card. Incorrect. Credit card data is personal data, but not special category data.

An address list of members of a political party. Correct. Personal data revealing political opinions is special personal data (Literature: A, Chapter 1; GDPR Article 9(1))

A genealogical register of someone’s ancestors. Incorrect. Genealogical information on living persons is personal data, but not special category. The GDPR does not apply to data on deceased persons.

Data Life Cycle Management (DLM)

It aims to manage data flow throughout the lifecycle, from collection, processing, sharing, storage and deletion. Having the knowledge where the data travels, who is responsible, who has access, helps a lot to implement

security measures.

Section: (none)

Explanation

Article 33 which deals with “Notification of a personal data breach to the supervisory authority” in its paragraph 1 legislates:

1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

The lost reports did not contain personal data, in this case GDPR is not applicable and is a security incident.

Important

A data breach is whenever something that has not been planned with personal data happens, be it improper processing, improper sharing, loss of data, deletion, etc. In other words, personal data must be used for a specific purpose, respecting the life cycle of the same (from collection to exclusion), any situation that escapes this cycle must be reported as a data breach.

This is likely to be charged on the exam. Memorize this name: “Privacy Shield”

In July 2016, Implementing Decision 2016/1250 came into force, which legislates that the United States must ensure an adequate level of protection for personal data transferred from the Union to United States organizations under the EU-US Privacy Protection Shield (Privacy Shield).

This is because the United States does not have a single law on the protection of personal data, because of its internal policy, each state can create its own laws. Privacy Shield aims to standardize this, so that companies in the European Union and the United States can offer their services.

Article 1 of the Implementing Decision 2016/1250:

1. For the purposes of Article 25(2) of Directive 95/46 / EC, the United States ensures an adequate level of protection for personal data transferred from the Union to organisations in the United States under the EU-U.S. Privacy Shield.

2.The EU-U.S. Privacy Shield is constituted by the Principles issued by the U.S. Department of Commerce on 7 July 2016 as set out in Annex II and the official representations and commitments contained in the documents listed in Annexes I, III to VII.

3.For the purpose of paragraph 1, personal data are transferred under the EU-U.S. Privacy Shield where they are transferred from the Union to organisations in the United States that are included in the ‘Privacy Shield List’, maintained and made publicly available by the U.S. Department of Commerce, in accordance with Sections I and III of the Principles set out in Annex II.

This occurrence should be classified as a security vulnerability, as it does not state whether an incident occurred for this reason.

However, the failure in this procedure can allow an incident to occur if an unauthorized person has access to the workstation.

Vulnerability is the means by which an attack can cause an information security incident.

This is an issue that addresses two very important points – sensitive data and data from minors.

As these are, it is necessary to inform the Supervisory Authority and those responsible for the data subjects. Article 34 mentions:

1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

Recital 38 says:

Children merit specific protection regarding their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child. The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.

When a project includes technologies or processes that use personal data. Incorrect. Only for technologies and processes that are likely to result in a high risk to the rights of data subjects is the DPIA mandatory.

When processing is likely to result in a high risk to the rights of data subjects. Correct. For processing operations which are likely to result in a high risk, a DPIA is obligatory to assess those risks and to design mitigation measures. (Literature: A, Chapter 6; GDPR Article 35)

When similar processing operations with comparable risks are repeated. Incorrect. This is a case in which a DPIA does not need to be repeated.

Personal data are collected for specified, explicit and legitimate purposes and not further processed. Incorrect. The local government is entitled to collect data on the number of cars present.

Personal data are kept in a form permitting identification of data subjects for no longer than is necessary. Correct. In the given scenario, there is no need to retain the data of a specific car identifying the owner once it has left the area (Literature: A, Chapter 2; GDPR Article 5)

Personal data are processed in a manner that ensures appropriate security of the personal data. Incorrect. The scenario does not suggest inappropriate security.

Personal data are processed in a transparent manner in relation to the data subject. Incorrect. The processing is taking place transparently, since it is communicated properly to the data subjects.

Direct personal data. Incorrect. Both direct and indirect data are described.

Indirect personal data. Incorrect. Both direct and indirect data are described.

Pseudonymized data. Incorrect. Pseudonymized data cannot directly reveal information.

Special category personal data. Correct. This is a definition of special category personal data. (Literature: A, Chapter 1; GDPR Article 4)

The correct option is the responsibility of the Supervisory Authority, the others are the responsibility of the processor.

GDPR Article 3 decrees:

This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

a)the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or;

b)the monitoring of their behaviour as far as their behaviour takes place within the Union.

Privacy is a right that must be protected, and Data Protection are the measures that will be used to achieve this protection.

Data protection and privacy complement each other, but they are not the same.

A well-known phrase is: “You can have security without privacy, but you cannot have privacy without security”.

Recital 4 of the GDPR says:

The processing of personal data should be designed to serve individuals. The right to protection of personal data is not absolute; it must be considered in relation to its role in society and balanced with other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedom and principles recognized in the Charter, enshrined in the Treaties, namely respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom of business, the right to action and an impartial tribunal, and cultural, religious and linguistic diversity.

With the death of the data subject, the controller can process the data in any way he wishes, since personal data of deceased persons is not within the scope of the GDPR.

Recital 27 says: This Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons.

It aims to manage the flow of data throughout the life cycle, from collection, processing, sharing, storage and deletion.

Having the knowledge where the data travels, who is responsible, who has access, helps and a lot to implement security measures.

Recital 10 of GDPR states:

“Regarding the processing of personal data for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Member

States should be allowed to maintain or introduce national provisions to further specify the application of the rules of this Regulation.”

It also says: “This Regulation also provides a margin of manoeuvre for Member States to specify its rules, including for the processing of special categories of personal data (‘sensitive data’).

However, this does not mean that Member States can approve a rule that goes against a GDPR guideline. Note that these national provisions are measures to increase the effectiveness of the law. Here is an example the case of Ireland where it was established that the DPO is responsible for data breaches, something that is not provided for in the GDPR.