GDPR - High level

Question 1

What is the scope/goals of GDPR?

Answer 1

• Protect fundamental rights
• Free movement of personal data

GDPR aims to safeguard individuals’ personal data and ensure its free flow within the EU.

Question 2

What does Art 2 of GDPR cover?

Answer 2

• Processing of personal data
• Wholly/partly automated systems
• Non-automated filing systems

This article defines the material scope of GDPR.

Question 3

When does GDPR apply according to Art 3?

Answer 3

• EU establishments
• Offering goods/services in the EU
• Monitoring behavior of persons in the EU

This article outlines the territorial scope of GDPR.

Question 4

Define the key terms in Art 4 of GDPR.

Answer 4

• Personal data
• Processing
• Controller
• Processor
• Consent
• Special categories
• Pseudonymisation

These definitions are crucial for understanding GDPR.

Question 5

List the principles relating to processing as per Art 5.

Answer 5

• Lawfulness
• Fairness
• Transparency
• Purpose limitation
• Data minimisation
• Accuracy
• Storage limitation
• Integrity/confidentiality
• Accountability

These principles guide the processing of personal data.

Question 6

What are the legal bases for processing under Art 6?

Answer 6

• Consent
• Contract
• Legal obligation
• Vital interests
• Public task
• Legitimate interests

These bases justify the lawful processing of personal data.

Question 7

What conditions must be met for consent according to Art 7?

Answer 7

• Freely given
• Specific
• Informed
• Unambiguous
• Recordkeeping
• Easy withdrawal

Consent must be clear and easily revocable.

Question 8

What is the age threshold for parental consent under Art 8?

Answer 8

Default 16, can be lowered to 13

This applies to information society services.

Question 9

Under what conditions can special categories of data be processed according to Art 9?

Answer 9

• Explicit consent
• Employment law
• Vital interests
• Public interest

Processing of special categories is generally prohibited except for specific exceptions.

Question 10

What does Art 10 state about processing of criminal conviction data?

Answer 10

• Only under official authority
• Safeguards required
• Member State law needed

This article regulates the handling of sensitive criminal data.

Question 11

When is a controller not required to identify a data subject as per Art 11?

Answer 11

When identification is not possible

This limits the rights of data subjects in such cases.

Question 12

What must a controller provide under Art 12?

Answer 12

• Concise information
• Transparent communications
• No undue delay

This ensures data subjects are informed about their rights and processing.

Question 13

What information is required when data is collected from the data subject as per Art 13?

Answer 13

• Identity
• Purposes
• Legal basis
• Recipients
• Retention
• Rights
• Transfers

This article mandates transparency at the point of data collection.

Question 14

What additional information must be provided when data is not collected from the data subject according to Art 14?

Answer 14

• Source info
• Categories of data
• Lawful basis
• Possible lack of access reasons

This ensures transparency even when data is sourced externally.

Question 15

What rights does a data subject have under Art 15?

Answer 15

• Confirm processing
• Access copies
• Purposes
• Categories
• Recipients
• Retention
• Rights
• Source
• Profiling info

This article outlines the right of access for data subjects.

Question 16

What is the right to rectification as per Art 16?

Answer 16

Right to correct inaccurate or incomplete data without undue delay

This ensures data accuracy for individuals.

Question 17

What conditions apply to the right to erasure under Art 17?

Answer 17

• Consent withdrawn
• Unlawful processing
• Compliance with legal obligation

This is also known as the right to be forgotten.

Question 18

What does Art 18 state about the right to restriction of processing?

Answer 18

• Temporarily limit processing when accuracy contested
• Unlawful processing
• Pending legal basis dispute

This right allows individuals to restrict how their data is used.

Question 19

What is the notification obligation regarding rectification/erasure/restriction in Art 19?

Answer 19

Controller must inform recipients of changes unless impossible or disproportionate

This ensures accountability and transparency.

Question 20

What is the right to data portability as per Art 20?

Answer 20

Right to receive personal data in structured, commonly used, machine-readable format

This allows individuals to transmit their data to another controller.

Question 21

What does Art 21 state about the right to object?

Answer 21

• Object to processing based on public interest
• Object to direct marketing at any time

This right empowers individuals to control their data usage.

Question 22

What does Art 22 say about automated individual decision-making?

Answer 22

Right not to be subject to solely automated decisions with legal/effective significant effects

There are exceptions to this right.

Question 23

What are the restrictions mentioned in Art 23?

Answer 23

Member State or Union law may restrict certain GDPR rights for public interests

These restrictions must be under safeguards.

Question 24

What is the responsibility of the controller as per Art 24?

Answer 24

Implement appropriate technical/organizational measures for compliance

This ensures accountability in data processing.

Question 25

What does **Art 25** state about **data protection by design and by default**?

Answer 25

Integrate data protection principles into processing and default minimisation ## Footnote This promotes proactive data protection measures.

Question 26

What are the obligations of **joint controllers** according to **Art 26**?

Answer 26

Define respective responsibilities via arrangement * Inform data subjects about essence of agreement ## Footnote This ensures clarity in data processing responsibilities.

Question 27

What must representatives of controllers/processors not established in the Union do as per **Art 27**?

Answer 27

Appoint EU representative unless exceptions apply ## Footnote This ensures accountability for non-EU entities.

Question 28

What are the **processor obligations** under **Art 28**?

Answer 28

* Process only on documented instructions * Ensure security * Use subprocessors with contract * Assist controller * Keep records ## Footnote These obligations ensure processors act in compliance with GDPR.

Question 29

What does **Art 29** state about processing under the authority of the controller/processor?

Answer 29

Persons authorized to process must follow instructions and confidentiality ## Footnote This ensures that data is handled securely and according to the controller's directives.

Question 30

What must controllers/processors maintain according to **Art 30**?

Answer 30

Records of processing activities, including: * Purposes * Categories * Transfers * Security ## Footnote Small organizations with limited processing are exempt from this requirement.