Privacy & Data Protection Essentials Courseware - English
Table of contents
Ruben Zeegers. Privacy & Data Protection Essentials Courseware - English
Colophon
About the Courseware
Other publications by Van Haren Publishing
Table of content
Self-Reflection of understanding Diagram
Timetable
1. Overview
Scope
Summary
Context
Target group
Requirements for certification
Examination details
Bloom level
Training
Contact hours
Indication study effort
Training organization
2. Exam requirements
3. List of Basic Concepts
4. Literature
Exam literature
Comment
Literature matrix
Introduction
Sample Exam
1 / 20 The illegal collection, storage, modification, disclosure or dissemination of personal data is an offence by European law
2 / 20 How are privacy and data protection related to each other?
3 / 20 The word 'privacy' is not mentioned in the GDPR
4 / 20 The GDPR is related to personal data protection
5 / 20 Which information is regarded as personal data according to the GDPR?
6 / 20 Which right of data subjects is explicitly defined by the GDPR?
7 / 20 “An independent public authority which is established by a Member State pursuant to Article 51.”
8 / 20 Which role in data protection determines the purposes and means of the processing of personal data?
9 / 20 'Informed consent' is a lawful basis to process personal data under the GDPR. The purpose of the processing for which consent is given should be documented
10 / 20 The processing of personal data has to meet certain quality requirements
11 / 20 "The controller shall implement appropriate technical and organizational measures for ensuring that (...) only personal data which are necessary for each specific purpose of the processing are processed."
12 / 20 What is the term used in the GDPR for unauthorized disclosure of, or access to, personal data?
13 / 20 A social services organization plans to design a new database to administrate its clients and the care they need
14 / 20 A Dutch controller has contracted the processing of sensitive personal data out to a processor in a North African country, without consulting the supervisory authority. It was discovered and he was penalized by the supervisory authority. Six months later the authority finds out that the controller is guilty of the same transgression again for another processing operation
15 / 20 Supervisory Authorities are assigned a number of responsibilities aimed at making sure data protection regulations are complied with
16 / 20 Binding corporate rules are a means for organizations to ease their administrative burden when complying with the GDPR
17 / 20 What should be done so that a Controller is able to outsource the processing of personal data to a Processor?
18 / 20 Often staff that works with personal data consider privacy and information security as separate issues
19 / 20 Session cookies are one of the most common types of cookie
20 / 20 Sometimes websites track visitors and store their information for marketing purposes
Answer Key
1 / 20 The illegal collection, storage, modification, disclosure or dissemination of personal data is an offence by European law
2 / 20 How are privacy and data protection related to each other?
3 / 20 The word 'privacy' is not mentioned in the GDPR
4 / 20 The GDPR is related to personal data protection
5 / 20 Which information is regarded as personal data according to the GDPR?
6 / 20 Which right of data subjects is explicitly defined by the GDPR?
7 / 20 “An independent public authority which is established by a Member State pursuant to Article 51.”
8 / 20 Which role in data protection determines the purposes and means of the processing of personal data?
9 / 20 'Informed consent' is a lawful basis to process personal data under the GDPR. The purpose of the processing for which consent is given should be documented
10 / 20 The processing of personal data has to meet certain quality requirements
11 / 20 "The controller shall implement appropriate technical and organizational measures for ensuring that (...) only personal data which are necessary for each specific purpose of the processing are processed."
12 / 20 What is the term used in the GDPR for unauthorized disclosure of, or access to, personal data?
13 / 20 A social services organization plans to design a new database to administrate its clients and the care they need
14 / 20 A Dutch controller has contracted the processing of sensitive personal data out to a processor in a North African country, without consulting the supervisory authority. It was discovered and he was penalized by the supervisory authority. Six months later the authority finds out that the controller is guilty of the same transgression again for another processing operation
15 / 20 Supervisory Authorities are assigned a number of responsibilities aimed at making sure data protection regulations are complied with
16 / 20 Binding corporate rules are a means for organizations to ease their administrative burden when complying with the GDPR
17 / 20 What should be done so that a Controller is able to outsource the processing of personal data to a Processor?
18 / 20 Often staff that works with personal data consider privacy and information security as separate issues
19 / 20 Session cookies are one of the most common types of cookie
20 / 20 Sometimes websites track visitors and store their information for marketing purposes
Evaluation
Preface
I. Privacy fundamentals
1 Definitions and historical context
1.1 The history of data protection regulations
1.1.1 Data Protection history in ‘bird's view’
1.1.2 Regulation versus Directive
1.1.3 Status of the GDPR until 25 May 2018
1.2 Material and territorial scope of the GDPR
1.2.1 Material scope
1.2.2 Territorial scope
1.3 Definitions
1.3.1 Privacy
1.3.2 Data Protection
1.3.3 Personal Data
1.3.4 Natural person
1.3.5 Direct, indirect, pseudonymized personal data
1.3.5.1 Direct personal data
1.3.5.2 Indirect personal data
1.3.5.3 Pseudonymized personal data
1.3.6 Special personal data
1.3.7 Processing
1.4 Roles, responsibilities, stakeholders
1.4.1 Controller
1.4.2 Processor
1.4.3 Data Protection Officer (DPO)
1.4.3.1 Tasks of the DPO
1.4.4 Recipient
1.4.5 Third party
2 Processing of personal data
2.1 Data processing principles
2.1.1 Lawfulness, fairness and transparency
2.1.2 Purpose limitation
2.1.3 Data minimization
2.1.4 Accuracy
2.1.5 Storage limitation
2.1.6 Integrity and confidentiality
2.1.7 Accountability
3 Legitimate grounds and purpose limitation
3.1 Legitimate grounds for processing
3.1.1 Purpose limitation & purpose specification
3.1.1.1 Specified
3.1.1.2 Explicit
3.1.1.3 Legitimate
3.1.2 Proportionality and subsidiarity
3.1.2.1 Subsidiarity
3.1.2.2 Proportionality
4 Rights of data subjects
4.1 Transparent information, communication and modalities
4.2 Information on and access to personal data
4.2.1 Information to be provided to the data subject
4.2.2 Additional information to be provided
4.3 Right of access (inspection) by the data subject
4.4 Rectification and erasure
4.4.1 Right to rectification
4.4.2 Right to erasure (‘right to be forgotten’)
4.4.3 Right to restriction of processing
4.4.4 Notification obligation (rectification / erasure / restriction of processing)
4.4.5 Right to data portability
4.5 Right to object and automated individual decision-making
4.5.1 Right to object
4.5.2 Automated individual decision-making, including profiling
4.5.3 Right to lodge a complaint with a supervisory authority
5 Data breaches and related procedures
5.1 The concept of data breach
5.2 Procedures on how to act when a data breach occurs
5.2.1 Notification of a personal data breach to the supervisory authority
5.2.2 Notification of a personal data breach to the controller
5.2.3 Notification of a personal data breach to the data subject
5.2.3.1 Encryption, etc
5.2.3.2 Mitigating measures
5.2.3.3 Disproportionate effort
5.3 Categories of data breaches
II. Organizing data protection
6 Importance of data protection for the organization
6.1 Requirements to comply to the GDPR
6.1.1 Principles relating to processing of personal data are met
6.1.2 Legal structure
6.1.3 Impact assessment
6.1.4 Controller – processor contract
6.1.5 Prior consultation
6.2 Required types of administration
6.2.1 Record of processing activities
6.2.2 Record of data breaches
7 Supervisory authorities
7.1 General responsibilities of a supervisory authority
7.1.1 To monitor and enforce the application of the Regulation
7.1.2 To advise and promote awareness
7.1.3 To administrate data breaches and other infringements
7.1.4 To set standards
7.1.4.1 Processing requiring DPIA
7.1.4.2 Code of conduct, certification
7.1.4.3 Standard contractual clauses, binding corporate rules and - contracts
7.1.5 To cooperate with other supervisory authorities and the EDPS
7.2 Roles and responsibilities related to data breaches
7.3 Powers of the supervisory authority in enforcing the GDPR
7.3.1 Investigative powers of the supervisory authority
7.3.2 Corrective powers of the supervisory authority
7.3.3 General conditions for imposing administrative fines
7.3.3.1 Proportionate
7.3.3.2 Dissuasive
7.4 Cross-border data transfer
7.4.1 ‘One-stop-shop’
7.4.2 ‘Cross border processing’
7.4.3 Multinational company
7.4.4 Internationally operating company
7.4.5 ‘substantially affect’
7.5 Regulations applying to data transfer inside the EEA
7.5.1 Identifying the lead supervisory authority
7.5.2 Regulations applying to data transfer outside the EEA
7.5.2.1 Transfers on the basis of an adequacy decision
7.5.2.2 Transfers subject to appropriate safeguards
7.5.2.3 Binding corporate rules (BCR)
7.5.3 Transfers or disclosures not authorized by Union law
7.5.4 Regulations applying to data transfer between the EEA and the USA
III. Practice of data protection
8 Quality aspects
8.1 Data Protection by design and by default
8.1.1 The seven principles of data protection by design
8.1.1.1 Proactive not Reactive; Preventative not Remedial
8.1.1.2 Data Protection as the Default Setting
8.1.1.3 Privacy Embedded into Design
8.1.1.4 Full Functionality — Positive-Sum, not Zero-Sum
8.1.1.5 End-to-End Security — Full Lifecycle Protection
8.1.1.6 Visibility and Transparency — Keep it Open
8.1.1.7 Respect for User Privacy — Keep it User-Centric
8.1.2 Benefits of the application of the principles of Privacy by design and privacy by default
8.2 Written contracts between the controller and the processor
8.2.1 Clauses of such a written contract
8.2.1.1 Example
8.3 Data Protection impact assessment (DPIA)
8.3.1 Objectives of a DPIA
8.3.2 Topics of a DPIA report
8.4 Data Life Cycle (DLC) management
8.4.1 Purpose of DLC
8.4.2 Understanding the data stream(s)
8.4.2.1 Data collection
8.4.2.2 Permissions structure
8.4.2.3 Build in retention / deletion rules
8.5 Data protection audit
8.5.1 Purpose of an audit
8.5.1.1 Adequacy audit
8.5.1.2 Compliance Audit
8.5.2 Contents of an audit plan
8.6 Practice related applications of the use of data, marketing and social media
8.6.1 The use of social media information in marketing activities
8.6.2 Use of internet in the field of marketing
8.6.3 Cookies
8.6.3.1 Session cookies
8.6.3.2 Persistent cookies
8.6.3.3 Tracking cookies
8.6.4 Other profiling info: the price of ‘free’ services
8.6.5 The data protection perspective
8.6.5.1 Cookies
8.6.5.2 Profiling
8.7 Big data
Excerpt from the book
Privacy & Data Protection Essentials Courseware – English
Although this publication has been composed with much care, neither author, nor editor, nor publisher can accept any liability for damage caused by possible errors and/or incompleteness in this publication.
.....
1.5.2 is aware of the right to be forgotten.
1.6 Data Breach and Related Procedures
.....