CIPP/E Exam Prep Study Guide
Prohibition of cross border data transfers under Data Privacy Directive 95/46/EC applies when -
ANS - data transferred from a jurisdiction in the EU to a third country.
What treaty or convention allowed the Data Protection Directive 95/46/EC to be used as a
harmonising measure for European Member states. - ANS - The Treaty of Rome
Direct marketing would include: - ANS - Email promoting new book on sale.
What two opposing forces needed to be considered in formulating a privacy framework in the
European Economic Community? - ANS - Concerns for personal freedom and privacy and
ability to support free trade.
What principle is contained in art 12 of the Human Rights Declaration? - ANS - The right to a
private life and associated freedoms.
What right is protected by art 19 of the Human Rights Declaration? - ANS - The right to freedom
of opinion and expression.
Which article of the Human Rights Declaration reconciles articles 12 and 19 and how is it stated?
- ANS - Article 29(2) states that individual rights are not absolute and there are instances where a
balance must be struck to limit their exercise.
What was the purpose of the European Convention on Human Rights? - ANS - It was an
international treaty to protect human rights and fundamental freedoms.
Name special categories of data. - ANS - Racial or ethnic origin, political affiliations/opinions,
health information, sex life, religious beliefs, trade union membership. p 58
What are the specific rights enumerated in the ECHR? - ANS - right to life, prohibition of
torture, prohibition of slavery and forced labour, right to liberty and security, right to a fair trial,
no punishment w/o law, respect for private and family life, freedom of thought, conscience and
religion, freedom of expression, freedom of assembly and association, right to marry, right to an
effective remedy and prohibition of discrimination.
What are the two rights provided under article 8 of the ECHR? - ANS - 1. right to respect for
private and family life and his correspondence.
2. No interference by public authority with this right except in accordance with law and as is necessary
in a democratic society in the interest of national security, public safety...
What does article 10 of the ECHR deal with? - ANS - Right to freedom of expression and to
share information and ideas across borders but qualified so as to protect the privacy of
individuals
What are the obligations imposed on EU member states as seen under the Data Protection
Directive 95/45/EC or the Data Protection Directive or 'the Directive'? - ANS - The Directive sets
out general principles and leaves the member states to implement these principles as they see fit. p 38
What are the exceptions to the consent required for cookies under the e-Privacy directive
2002/58/EC? - ANS - where 1) storage or access is for the sole purpose of carrying out
transmission of communication over an electronic network and 2) strictly necessary for
information service explicitly requested by user p 43
What is the most pertinent amendment to the e-Privacy Directive? - ANS - Cookies require prior
information and consent. p 43
When could a data controller collect data from 3rd parties without notification to the data
subjects under Data Protection Directive 95/49/EC? - ANS - A pre-approved marketing effort. p 43.
Who makes sure directives are implemented properly by the member states? - ANS - The
European Commission. p 27-28
What institution adopts adequacy findings (by which non-members are regarded as providing
adequate levels of data protection) for the European Union? - ANS - The European
Commission. p 29
Which directive or convention contains specific provisions for data breaches? - ANS - The
Privacy and Electronic Communications Directive. p 42
What is the exemption in the e-Privacy Directive 2002/58/EC allowing data controllers to send
electronic marketing information? - ANS - The recipients are existing customers. p 43.
Under the Data Protection Directive (95/46/EC) what type of data subject is not covered? - ANS
- Legal persons would seem not to be, but this is not prohibited either (and some local laws afford
some protection); also deceased individuals do not constitute 'natural persons', although in
some member states (Italy) data protection rules apply to deceased individuals under certain
circumstances. p 63.
Name some of the conditions to be satisfied in order to process personal data in line with
European Data Protection concepts/principles. - ANS - Obtained and processed fairly and
lawfully, for legitimate purposes, adequate/relevant/not excessive for purposes, accurate/up to
date, preserved for no longer than required. p 81
Name an incompatible purpose for processing data beyond originally specified purpose. - ANS -
Performance of a contract. If this were not true, then a mere contract would allow processing
data for any purpose. One exception is research p 87- specifically allowed p 85-86.
In the Data Protection Directive 95/46/EC what is "any freely given specific and informed
indication of his wishes by which the data subject signifies his agreement to personal data relating
to him being processed"? - ANS - Unambiguous consent. p 94
Under Data Protection Directive 95/46/EC what info must be included in the notification of data
processing? - ANS - Name of the data controller processing data and the purpose of the
processing. p 109
If personal data is not obtained directly from the data subject when should fair processing
information be provided? - ANS - At the time personal data is recorded or if disclosure to 3rd
party contemplated then no later than at the time data is first disclosed. p 111
When should a company respond to a former employee's request for his personal information
(email, etc.)? - ANS - ASAP-taking into account local data protection rules. p 126
Within what period of time must a company respond to a former employee's data request? - ANS
- As soon as possible and within the national legal requirement. p 126
What should a company do in response to a former employee's request for his email
correspondence during his employment? - ANS - Since the company must not infringe the right
to privacy of third parties also identified in the data, affected employees may need to be
informed and consent obtained before release of information to the former employee. p 132
Why does Data Protection Directive 95/46/EC require a data controller to notify a DPA about
processing of personal data? - ANS - Threefold: 1) foster transparency, 2) help DPA carry out
regulatory functions, 3) provide source of funds for some DPAs budgets. p 163
Do BCRs (Binding Corporate Rules) provide a basis to transfer names of employees to a telecom
provider in the same country in order to provide them with mobile telephone services? - ANS -
No, BCRs deal only with intra-organisational transfers not involving third parties. p 184
For contracts based on EU standard contractual clauses with a processor outside the EEA who
must the importer/processor inform and what must he obtain before proceeding? - ANS - The
importer must inform the data controller and obtain its written consent. p 187.
What is the general European approach to protection of employment data held by an
organisation? - ANS - Employers should always consider any obligations under local
employment law that apply to the situation - e.g. consulting with the various national works
councils. p 211
Examples of sensitive employee data include: - ANS - Racial or ethnic origin, political opinions,
religious or philosophical beliefs, trade union membership or data concerning health or sex life. p 213
What are the exceptions specified in article 8 of the EU Data Protection Directive allowing for
the processing of sensitive employee data? - ANS - Explicit consent of the individual (last resort
given difficulty of valid consent in employee-employer relationship), to carry out obligations and
specific rights under employment law, other grounds available under local law. p 213-214
What are the two conditions in order to carry out employee monitoring? - ANS - Necessary and
legitimate. p 215
Must an employer provide notice before engaging in general monitoring of e-mail traffic and
internet use by employees? - ANS - Yes but not obliged to obtain prior consent. Although in
some collective agreements, the employer must obtain consent of the works council before
commencing the particular monitoring. p 216-217.
Does the Data Protection Directive 95/46/EC allow video surveillance of employees who access
inventory? - ANS - Yes, as long as DPAs have been notified and monitoring is carried out for clearly
defined, lawful purposes. p 234-238
Name technologies used to track online behaviours. - ANS - Cookies, beacons, social media like
and dislike functionality. p 261-262
An example of cloud computing would be? - ANS - A web-based e-mail platform. p 269-273.
What is the rationale for data protection? - ANS - Rapid progress in the field of electronic data
processing offered advantages of efficiency and productivity but created concern that the new
technologies would adversely impact the privacy of individuals.
What did the Universal Declaration of Human Rights 1948 recognize? - ANS - Inherent dignity
and the equal and inalienable rights of all members of the human race in the foundation of
freedom, justice and peace in the world.
What are the fundamental rights and freedoms protected by the European convention of Human
Rights? - ANS - right to life, prohibition of torture, slavery forced labor, right to liberty and
security, to a fair trial, no punishment without law, respect for private and family life, freedom of
thought conscience and religion, freedom of expression, of assembly and association, right to
marry, to an effective remedy and prohibition of discrimination.
What did European council resolutions 73/22 and 74/29 establish? - ANS - Principles for the
protection of personal data in automated databanks in the private and public sectors in order to
set in motion development of national legislation.
What did the 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of
Personal Data do? - ANS - Lay out basic rules governing trans-border data flows and the
protection of personal information and privacy to facilitate harmonisation of data protection law
between countries.
What was Convention 108 adopted by the Council of Europe in 1981? - ANS - First binding
international instrument to set standards for the protection of individuals' personal data while
seeking a balance to maintain the free flow of personal data for international trade.
What are the three parts of convention 108? - ANS - Substantive law provisions in the form of
basic principles, special rules on trans-border flows and mechanisms for mutual assistance and
consultation between the parties.
What is the aim of the Data Protection Directive ? - ANS - To further reconcile the protection of
the fundamental rights of individuals with the free flow of data from one member state to another
consistent with Art 8, 10 of the ECHR.
What was the 2000 Charter of Fundamental Rights? - ANS - Charter that further consolidates
fundamental rights applicable within the EU.
What was the main aim of the Treaty of Lisbon? - ANS - To strengthen and improve the core
structure of the EU to enable it to function more efficiently.
What is the Council of Europe? - ANS - International organisation promoting co-operation
between all countries of Europe in the areas of legal standards, human rights, democratic
development, the rule of law and cultural co-operation.
European Court of Human Rights - ANS - a supra-national or international court hearing
allegations that a contracting state has breached one or more of the human rights provisions
concerning civil and political rights set out in the Convention and its protocols
European Parliament - ANS - Body exercising legislative and budgetary functions.
European Commission - ANS - Body of the European Union responsible for proposing
legislation, implementing decisions, upholding the Union's treaties and day-to-day running of the
EU.
European Council - ANS - Has no formal legislative power; it is charged under the Treaty of
Lisbon with defining "the general political directions and priorities" of the Union. It is thus
the Union's strategic (and crisis solving) body, acting as the collective presidency of the EU.
European Court of Justice - ANS - highest court in the European Union in matters of European
Union law, tasked with interpreting EU law and ensuring its equal application across all EU
member states.
The Council of Europe Convention for the Protection of Individuals with Regard to the
Automatic Processing of Personal Data of 1981 (the CoE Convention), - ANS - convention
based on a series of principles addressing data protection, ensures protections for privacy but
also importance of free flow of personal data for commerce
the EU Data Protection Directive (85/46/EC), - ANS - because of fragmentation of the CoE
Convention, a harmonisation measure set under the Treaty of Rome internal market provisions. Note
key principles p 39.
the EU Directive on Privacy and Electronic Communications (2002/58/EC) - as amended, - ANS
- applies to the processing of personal data in connection with the provision of publicly available
electronic communication services.
EU Data Retention Directive (2006/24/EC), - ANS - applies to traffic and location data of both
individuals and organisations as well as relevant data identifying subscribers (not about actual
content of communication).
Personal data - ANS - wide notion from the Working Party - all info concerning an identifiable
individual even if the link is tenuous. "any information - relating to - identified or identifiable -
natural person"
sensitive personal data - ANS - racial, political, religious, trade union, health or sex life.
controller - ANS - determines who shall be responsible for compliance with data protection law
and how individuals can exercise their rights.
"natural or legal person, which alone or jointly, determines purposes and means of processing
personal data"
processor - ANS - "separate legal entity with respect to the controller who processes personal
data on behalf of the controller."
data subject - ANS - identified or identifiable natural person
Application of law in the EU - establishment in the EU - ANS - law of member state applies
when processing carried out in context of controller on the territory of member state
Application of law outside EU - no establishment in the EU - ANS - allows member state to
apply law to controller who though not established in EU uses equipment in that member state
unless only for transit.
Data Protection principles - ANS - Fairness and lawfulness, purpose limitation, proportionality
and data quality
Data subject has unambiguously given his consent - ANS - For consent to be effective it must be
unambiguous indication of wishes signifying agreement, freely given, specific and informed.
Legitimate processing - necessity - ANS - For performance of contract to which data subject is
party, for compliance with legal obligation, protect vital interests of data subject, in public
interest, legitimate interests of controller unless interests overridden by the interests for
fundamental rights of data subject.
Sensitive data - special categories - ANS - Starting point is prohibited, but allowed for specific rights of the
controller in the field of employment law if authorised by national law, to protect vital interests
(unconscious), by a non-profit, data manifestly made public, by a health professional, substantial
public interest.
Transparency principle - ANS - provide the data subject with certain info and notify local data
protection authorities of data collecting activities.
Exceptions - ANS - national security, defence, public security,