The General Data Protection Regulation (GDPR) is often known as the ''European privacy law''. What is the relationship between 'privacy' and 'data protection'?
Data protection and privacy are complementary, but not the same thing.
A frequently repeated phrase is: ''It is possible to have security without privacy, but it is not possible to have privacy without security''.
Privacy is a right that must be protected, and data protection is the set of measures used to achieve this protection.
According to the GDPR, what is a task of a supervisory authority?
Implement technical and organizational measures to ensure compliance. Incorrect. This is the task of the controller.
Investigate security breaches of corporate information. Incorrect. Only breaches of personal data are a concern of the supervisory authority.
Monitor and enforce the application of the GDPR. Correct. This is the main task of any supervisory authority. (Literature: A, Chapter 7)
One of the seven principles of data protection by design is Functionality - Positive-Sum, not Zero-Sum. What is the essence of this principle?
Applied security standards must assure the confidentiality, integrity and availability of personal data throughout their lifecycle. Incorrect. This is an aspect of End-to-End Security - Lifecycle Protection, one of the other six basic principles.
If different types of legitimate objectives are contradictory, the privacy objectives must be given priority over other security objectives. Incorrect. Data protection by design rejects the idea that privacy competes with other interests, design objectives, and technical capabilities.
When embedding privacy into a given technology, process, or system, it should be done in such a way that full functionality is not impaired. Correct. This is the essence. (Literature: A, Chapter 8; GDPR Article 25)
Wherever possible, detailed privacy impact and risk assessments should be carried out and published, clearly documenting the privacy risks. Incorrect. This is an aspect of Privacy Embedded into Design, one of the other six basic principles.
What is the purpose of a data protection audit by the supervisory authority?
To advise the controller on the mitigation of privacy risks to protect the controller from liability claims for non-compliance. Incorrect. The supervisory authority has the task to monitor compliance and to advise on enhancements, but its purpose is not to protect the controller.
To fulfill the obligation in the GDPR to implement appropriate technical and organizational measures for data protection. Incorrect. The audit is not the implementation of the measures, but an assessment of their effectiveness.
To monitor and enforce the application of the GDPR by assessing that processing is performed in compliance with the GDPR. Correct. According to the GDPR this is an important task of a supervisory authority. (Literature: A, Chapter 7; GDPR Article 57 (1)(a))
A company wishes to use personal data of their customers. They wish to start sending all female customers a customized newsletter. What right do all data subjects have in this scenario?
The right to compensation. Incorrect. It is unlikely that all data subjects will suffer harm that must be compensated in this scenario.
The right to object to profiling. Correct. All data subjects have a right to object to the processing of personal data for direct marketing, including profiling. This is clearly profiling. (Literature: A, Chapter 4)
The right to rectification. Incorrect. It is unlikely that the company has incorrect data on all data subjects, so the right to rectification does not apply.