REVISION SHEETS: Midterm questions

The document outlines the roles and responsibilities of various players in GDPR, including Data Subjects, Data Controllers, Joint Controllers, Data Processors, and Supervisory Authorities. It details the requirements for compliance, exemptions, definitions of personal and sensitive data, and the rights of data subjects. Additionally, it covers the principles of GDPR, the need for Data Protection Officers, forms necessary for compliance, fines for violations, and rules for international data transfers.


1. Who are the different players involved in the GDPR? What are their roles, responsibilities, liabilities?

Roles / Responsibilities / Liabilities

Data Subject
- Role: Individual whose data is being processed/used.

Data Controller
- Role: Determines the purposes & means of processing personal data.
- Responsibilities: Data security, Breach Notification, Principles of Data Processing, Record Keeping.
- Liabilities: Responsible for its own compliance as well as the compliance of its DPs.

Joint Controller
- Role: 2 or more controllers jointly determine the purposes & means of processing, BUT share data controller responsibilities.
- Responsibilities: Same as Data Controller; clarify responsibilities in the privacy notice.
- Liabilities: Liable for each other's actions unless they prove they weren't responsible.

Data Processor
- Role: Processes personal data on behalf of the Controller; does not decide the purpose / means.
- Responsibilities: Data Security, Breach Notification, Record keeping.
- Liabilities: Liable if it fails to comply with the GDPR obligations on DPs OR doesn't follow the instructions of the DC.

Supervisory Authority
- Role: Independent authority that investigates & issues fines to Controllers/Processors to protect DS rights.

2. Who needs to follow the GDPR? Is there any way you can be exempt from the GDPR?
• All industries handling data of EU citizens & residents.
• Doesn't matter if the organization is EU based or not (extra-territorial effect).
• All business sizes (small, medium, large).
Companies with < 250 employees → need to follow the GDPR but don't have to keep a record of data processing activities.

Exempt from the GDPR:

• National Security and Law Enforcement: data processing for purposes related to national security, defense, public security
(Security Exemption).
• Personal Activities: individuals who process data for purely personal/household activities with no connection to a
professional/commercial activity.
ex: individuals storing their friends' contact information in a personal phonebook.
• Deceased people (depends on member state law).
• Historical / statistical research.

3. What is “personal data” and “sensitive personal data”? What are the differences between the two?
Personal data (Article 4 (1))
= Any info that identifies a natural person (data subject), directly or indirectly by reference to an identifier.
Example → name, ID number, location, online identifier, traits (physical, physiological…).

Sensitive personal data (Article 9 (1))

= Special category of personal data, more sensitive in nature & requiring higher protection.
Example → racial/ethnic origin, political opinions, religious/philosophical beliefs, biometric data, health data, sex life/sexual orientation
data.

Difference ➔ Sensitive data is more private, with stricter regulations (due to its impact on privacy & safety), and its processing is generally prohibited unless
specific conditions apply, like consent or a legal justification.

4. What are the 7 principles of the GDPR? Explain each one.


7 principles of GDPR (Article 5):
¶1. Personal data shall be:
(a) Processed lawfully, fairly and in a transparent manner… (‘lawfulness, fairness and transparency’);
(b) Collected for specified, explicit, legitimate purposes… (‘purpose limitation’);
(c) Adequate, relevant & limited to what is necessary… (‘data minimisation’);
(d) Accurate &, where necessary, kept up to date… (‘accuracy’);
(e) Kept in a form allowing identification of DS for no longer than necessary for the purposes for which the personal data are
processed… (‘storage limitation’);
(f) Processed in a manner that ensures appropriate security of the personal data… (‘integrity and confidentiality’).
¶2. The controller shall be responsible for, & be able to demonstrate compliance with, paragraph 1 (‘accountability’).

5. What are the legal bases for processing standard personal data? Explain each one. (Not sensitive personal data)

Personal data can only be processed if one of the following applies:


a) The data subject has given consent;
Consent needs to be → freely given, specific, informed, explicit (pre-ticked boxes not allowed), unambiguous.
b) It's necessary for performing a contract with the DS;
c) It's required by law (legal obligation);
d) It's needed to protect someone's vital interests (the DS or another natural person);
e) It's for public interest or official authority tasks;
f) It's for legitimate interests, unless overridden by the DS's rights, especially for children.
Public authorities can't rely on legitimate interests for processing.

6. What are the data subject rights? Explain each one.


Chapter III (Articles 12-23) & Article 7
➔ Data subjects are given 8 distinct rights over their data under the GDPR.

1. Right to information (Article 12 – 14)


➔ DS must be informed clearly about how their data will be used, who it’s shared with, for how long.

2. Right to access (Article 15)


➔ DS can request access to their personal data held by a controller, including how and why it's being processed.

3. Right to rectification (Article 16)


➔ DS can request from a controller the correction of inaccurate or incomplete personal data, without undue delay.

4. Right to erasure (to be forgotten) (Article 17)


➔ DS can request the erasure of their personal data without undue delay & controller must comply by erasing it without undue
delay.

5. Right to restriction of processing (Article 18)


➔ DS can request restriction of processing if:
(a) they contest the accuracy of the data;
(b) they prefer restriction over erasure for unlawful processing;
(c) the data is no longer needed by the controller but the DS requires it for legal claims;
(d) they object to processing, pending verification of the controller's legitimate grounds.

6. Right to data portability (Article 20)


➔ DS can request their personal data in a structured, commonly used & machine-readable format and transfer it to another
controller without hindrance.

7. Right to object (Article 21)


➔ DS can object to personal data processing (through automated means), including for direct marketing, legitimate interest
purposes & for research, unless it's in the public interest.

8. Right to withdraw consent (Article 7(3))


➔ DS can withdraw their consent for data processing at any time & free of charge.

7. What is a DPO? When do you need one and what are its responsibilities?
DPO = Data Protection Officer
- Employee or contractor with a strong understanding of the company
- Not a temporary role:
o Minimum tenure → 2 years
o Renewable → max 5 times (10 years total)
- Must be an independent position, reporting to top management, free from conflicts of interest
➔ Can't be a data controller (someone who controls data - e.g. head of marketing)
- Can only be fired for not fulfilling duties & with the regulatory authority's approval.

When do you need one ?


• Any data controller/processor whose activities require regular & systematic monitoring of DS on a large scale.
o Regular = ongoing for a particular period, recurring at fixed times.
o Systematic = pre-arranged & executed as part of a strategy (aim).
o Large scale = number of DS (company size).
• Public authority.
o Publicly funded museums, state schools, universities.
• When the law requires it ➔ EU member state.

Responsibilities : (Article 39)


• Inform DS about their rights & raise GDPR awareness.
• Advise their institution on GDPR compliance.
• Conduct risk analysis & list the organization's planned operations.
• Ensure the institution remains accountable to the regulatory agency.
• Handle data complaints & questions.
• If there is an investigation, co-operate between the organization & the governing agency (ensure communication).
• Administrative responsibilities:
o Oversee Privacy Policies / Privacy Notices / Cookie Policies
o Maintain all record keeping (RoPA, DPIA, LIA)

8. What are the different kinds of forms that are necessary to comply with the GDPR?

3 different kinds of forms:
• LIA ➔ Legitimate Interests Assessment Form
Used when you rely on legitimate interests as the legal basis.
o Purpose test – Why do you want to process the data?
o Necessity test – How will this processing help you achieve your purpose?
o Balancing test – company's interest VS freedoms & rights of the DS

• DPIA ➔ Data Privacy Impact Assessment


Used when you are doing a high-risk data processing activity (you need to fill in this form).
Example: any sensitive information, children's data, AI (Clearview AI), international data transfer.
exception → legal obligation necessity & public interest necessity

• RoPA ➔ Record of Processing Activities Obligations


Standard record keeping (data controllers must keep a record of ALL processing activities).
exception → companies with < 250 employees.

9. What are the fines under the GDPR? How are they calculated and who issues them?

Fines under GDPR:


HIGHER THRESHOLD
➔ €20M or, if an undertaking, 4% of the company's total worldwide annual turnover of the preceding FY, whichever is higher.
Infringements of the following provisions:
- The basic principles for processing (the 7 principles of GDPR – Art 5), including conditions for consent.
- The DS' rights (pursuant to Articles 12 & 22)
LOWER THRESHOLD
➔ €10M or, if an undertaking, 2% of the company's total worldwide annual turnover of the preceding FY, whichever is higher.
Infringements of the following provisions:
- Obligations of controllers & processors pursuant to, for example, Articles 8 & 39.
o Art 8 = Child's consent
o Art 39 = DPO tasks

Calculated on a case by case basis & based on :


- Nature, gravity and duration of the infringement
- Intentional or negligent character of the infringement
- Degree of responsibility of the controller/processor
- Previous infringements by the controller/processor
- Degree of cooperation with the supervisory authority
- Categories of personal data affected by the infringement

Who issues them ? Supervisory Authority (🇫🇷 → CNIL)

10. What are the rules for international data transfer under the GDPR?

GDPR regulates how personal data is transferred outside European Economic Area (EEA) to ensure it stays protected.

Main Rules:
1. Adequate Countries (Adequacy Findings):
➔ European Commission approves countries with strong data protection laws & data can be transferred to these without extra safeguards.
(Adequacy decisions)
ex: 🇨🇦, 🇦🇷, 🇳🇿.

2. If there is no adequacy decision:


➔ Use one of these tools:
• Standard Contractual Clauses (SCCs): contracts pre-approved by the EC ensuring data protection standards are met.
• Binding Corporate Rules (BCRs): rules for companies transferring data within their own group, approved by the EC.
• Accredited 3rd-party certification or approved codes of conduct can also provide appropriate safeguards.

• Last chance ➔ Derogations - transfers are allowed if:

o There is explicit consent.
o It's for public interest reasons.

• Focus on the USA


➔ EU-US Privacy Shield (Schrems II ruling)
Transfer approved to US Cies certified under the Privacy Shield framework.

If a transfer falls under none of these ➔ not allowed to transfer the data.
