Data Processing Principles & Special Categories of Data

Question 1

What are the principles listed in GDPR Article 5?

Answer 1

• Lawfulness, fairness, and transparency
• Purpose limitation
• Data minimization
• Accuracy
• Storage limitation
• Integrity and confidentiality
• Accountability

Question 2

What mnemonic device helps to remember the GDPR processing principles?

Answer 2

Llamas parade drowsily as Smurfs implode accidentally.

Question 3

When is processing of personal data lawful under GDPR?

Answer 3

Only when a legal basis exists and processing is fair and transparent.

Question 4

What are the 6 legal bases for processing personal data under GDPR?

Answer 4

1. Consent
2. Contract performance
3. Vital interests
4. Legal obligation
5. Public interest
6. Legitimate interest

Mnemonic: Crazed clowns vandalize long purple limos.

Question 5

What does fairness in data processing require?

Answer 5

• Transparency
• Informed decision-making
• Impact assessment

Question 6

What is ‘justified detriment’ in data processing?

Answer 6

Processing with negative effects that remains fair.

Examples: investigations or tax assessments

Question 7

What is required of controllers under the principle of transparency?

Answer 7

• Clear
• Open
• Understandable to individuals

Question 8

When must fair processing information be provided if data is collected directly from the data subject?

Answer 8

At the point or time of collection.

Question 9

How should fair information processing notices be designed?

Answer 9

• Accessible
• In plain language
• Appropriate for the audience

Question 10

When is notification not required for directly collected data?

Answer 10

When the data subject is already aware of the collection.

Question 11

What are exceptions to notification for data collected from other sources?

Answer 11

• Disproportionate effort or impossibility
• To protect legitimate interests (e.g., fraud prevention)
• To protect data confidentiality (e.g., legal privilege)

Question 12

What is the principle of purpose limitation under GDPR?

Answer 12

Personal data must be collected for specified, explicit, and legitimate purposes.

Question 13

What is secondary/further processing?

Answer 13

Use of personal data beyond the original purpose.

Question 14

When is further processing permitted under GDPR?

Answer 14

Only when compatible with the original purpose.

Question 15

What factors determine the lawfulness of secondary processing?

Answer 15

• Connection between purposes
• Processing context
• Reasonable expectations
• Data’s nature
• Consequences on data subject
• Safeguards

Question 16

What is the principle of data minimization?

Answer 16

Controllers must collect and process only data that is relevant, necessary, and adequate to accomplish a stated purpose.

Question 17

What are the 2 key implementation concepts for data minimization?

Answer 17

1. Necessity
2. Proportionality

Question 18

What does necessity mean in data minimization?

Answer 18

Data must be strictly required to achieve a specific, legitimate purpose.

Question 19

What does proportionality mean in data minimization?

Answer 19

Interference with privacy must not exceed what is necessary to achieve the purpose.

Question 20

What factors are considered under proportionality?

Answer 20

• Scope and amount of data collected
• Impact on individual
• Availability of less intrusive alternatives

Question 21

What is the principle of accuracy under the GDPR?

Answer 21

Controllers must ensure personal data is correct, complete, and current.

Question 22

What are ‘reasonable measures’ in the context of accuracy?

Answer 22

Implementing data quality processes throughout the data life cycle.

Question 23

What should controllers do during data collection to ensure accuracy?

Answer 23

• Verify data authenticity
• Evaluate source reliability
• Consider potential adverse impacts of inaccuracies

Question 24

What should controllers do to maintain accuracy?

Answer 24

• Correct errors
• Keep records of errors and corrections

Question 25

What is the principle of **storage limitation** under GDPR?

Answer 25

Data **must not be retained any longer than needed** for the purpose for which it was collected.

Question 26

What should happen to data once it is **no longer needed**?

Answer 26

It should be **securely deleted**.

Question 27

When can data be retained **longer than necessary**?

Answer 27

* Public interest * Scientific * Historical * Statistical purposes

Question 28

What **determines retention period** when no statutory law applies?

Answer 28

The organization’s **internal policy**.

Question 29

What does the principle of **integrity** require?

Answer 29

Data must remain accurate, complete, and **unaltered** throughout its life cycle.

Question 30

What does the principle of **confidentiality** require?

Answer 30

Data must be protected from: * Unauthorized modification * Access * Disclosure * Exfiltration

Question 31

What **safeguards** support integrity and confidentiality?

Answer 31

* Pseudonymization * Encryption * Adherence to international standards ## Footnote Example standards: ISO/IEC 27001 and NIST

Question 32

When is processing allowed under the **contract basis**?

Answer 32

When **necessary to fulfill a contract with the data subject** or at their request before entering a contract.

Question 33

What is the **vital interest basis** used for?

Answer 33

**Protecting life**, usually in emergencies.

Question 34

What qualifies as a **legal obligation** for processing?

Answer 34

Compliance with EU **law obligations**. ## Footnote Examples: tax or social security obligations

Question 35

What does the **public interest** basis cover?

Answer 35

Tasks **performed in the public interest** or **under official authority**. ## Footnote Examples: elections or censuses

Question 36

What is the **legitimate interest** basis?

Answer 36

Processing **necessary for a controller’s or third party’s interest**, unless overridden by data subject's rights. ## Footnote Examples: fraud prevention, ensuring network security

Question 37

What is the **UK ICO 3-part test** for legitimate interest?

Answer 37

1. Identify the interest 2. Show processing is necessary 3. Balance against data subject’s rights and freedoms

Question 38

What are the **4 main requirements** for **valid consent** under GDPR?

Answer 38

1. Freely given 2. Specific 3. Informed 4. Unambiguous

Question 39

What is an example of '**freely given**' consent?

Answer 39

Options to **accept or decline** using an unchecked checkbox.

Question 40

What is a bad example of '**freely given**' consent?

Answer 40

Access to service is **conditional** on unnecessary processing.

Question 41

What is an example of '**specific**' consent?

Answer 41

**Separate consent** for marketing emails and third-party data sharing.

Question 42

What is a bad example of '**specific**' consent?

Answer 42

Single checkbox **covering multiple data uses**.

Question 43

What is an example of '**informed**' consent?

Answer 43

Notice includes: * Who is collecting data * Purpose * How to withdraw * Written in plain language

Question 44

What is a bad example of '**informed**' consent?

Answer 44

* Notice uses vague, jargon-filled language * Omits the controller's identity

Question 45

What is an example of '**unambiguous**' consent?

Answer 45

A clear 'I agree' statement or **affirmative checkbox**.

Question 46

What is a bad example of '**unambiguous**' consent?

Answer 46

**Pre-checked box** or implied agreement without action.

Question 47

How must consent be **presented**?

Answer 47

Clearly distinguishable from other matters. ## Footnote Example: Separated from terms of service

Question 48

Why is the **power dynamic between** controller and data subject important for consent?

Answer 48

An imbalance (e.g., employer-employee) may invalidate consent.

Question 49

What should controllers do when consent **may be revoked**?

Answer 49

Have a contingency plan in place for an **alternative legal basis** to process.

Question 50

Why is opt-out **not valid consent**?

Answer 50

* Consent requires action * Passive inaction or pre-checked boxes do not qualify

Question 51

What renders consent **invalid**?

Answer 51

* Consent given under **duress or coercion** * Where **vulnerable populations** lack capacity

Question 52

What populations may have **questionable capacity** for valid consent?

Answer 52

* Children * Elderly * Individuals with mental health disorders * Asylum seekers * People with disabilities

Question 53

When is **parental consent required** under GDPR?

Answer 53

For **children under 16** when consent is the legal basis and services are offered directly to the child.

Question 54

Can member states **lower the age** for valid child consent?

Answer 54

**Yes**, to as low as 13, but not lower.

Question 55

What does the UK ICO recommend regarding **consent renewal**?

Answer 55

Consent should be refreshed **every 2 years**.

Question 56

When must **new consent be obtained**?

Answer 56

When the **scope** or **nature of processing changes**.

Question 57

When are photographs considered **biometric data** under GDPR?

Answer 57

When used to **uniquely identify or authenticate** an individual.

Question 58

What must controllers comply with when processing **special categories of data**?

Answer 58

Requirements under both **Articles 6** and **9** of GDPR.

Question 59

What are the **10 exceptions** for processing special categories of data?

Answer 59

1. Consent 2. Employment/social protection law 3. Vital interests 4. Not-for-profit bodies 5. Public data 6. Legal claims 7. Substantial public interest 8. Health/social care 9. Public health 10. Archiving/research/statistics ## Footnote Mnemonic: Cats eat very nice pizza, lions share honey providing aid

Question 60

What does '**explicit consent**' entail?

Answer 60

A **clear, express statement** such as written, digital, or verbal confirmation.

Question 61

When is processing allowed under **employment-related exception**?

Answer 61

When necessary for employment, social security, or social protection law.

Question 62

What types of organizations are covered under the **not-for-profit exception**?

Answer 62

* Religious * Political * Civil society groups

Question 63

When is processing allowed under the **legal claims exception**?

Answer 63

When required to **establish, exercise, or defend legal claims** with a significant connection to the need.

Question 64

What is the meaning of '**substantial public interest**'?

Answer 64

A **real and significant societal benefit**, not a vague public good. ## Footnote Examples: preventing unlawful acts, safeguarding children, protecting public from dishonesty, misconduct, regulatory or oversight functions

Question 65

What are **health and social care** exceptions?

Answer 65

* Preventive or occupational medicine * Working capacity assessments * Diagnosis * Health/social care services and management

Question 66

What is included under **public health exception**?

Answer 66

* Health status * Morbidity * Disability

Question 67

What safeguards must be in place for **archiving, research, and statistics**?

Answer 67

Technical and organizational measures under Article 89. ## Footnote Examples: pseudonymization or anonymization

Question 68

What types of data are considered **crime-related** under GDPR?

Answer 68

Convictions and offenses

Question 69

What types of data are considered **security-related** under GDPR?

Answer 69

* Penalties * Restrictions * Conditions from the criminal justice process ## Footnote Examples: cautions, parole, bail, or electronic tagging