According to the GDPR, for which situations should a Data Protection Impact Assessment (DPIA) be conducted?
A Belgian company has its headquarters in France for tax purposes. It enters into a legally binding contract with a processor in the Netherlands for the processing of personal data of data subjects of various nationalities. A personal data breach occurs. The supervisory authorities start an investigation. Why is the French supervisory authority seen as the lead supervisory authority?
Because France is located in the middle of Europe. Incorrect. The geographical position of the countries is irrelevant.
Because France is the largest of the three EEA countries. Incorrect. The size of the countries is irrelevant.
Because the company has their headquarters in France. Correct. The country of the main establishment determines the lead supervisory authority. The 'main establishment' is the place of the central administration of that organization, or in other words: headquarters. (Literature: A, Chapter 7)
While performing a backup, a data server disk crashed. Both the data and the backup are lost. The disk contained personal data, but no special category personal data. The processor states that this is a personal data breach. Is the statement of the processor true?
Yes, because the personal data on the disk were unlawfully processed. Correct. Personal data irretrievably lost is regarded as 'a breach of security leading to unlawful destruction of personal data', which also makes it a personal data breach. (Literature: A, Chapter 5; GDPR Article 4(12))
Yes, because there were no special category personal data stored on the disk. Incorrect. Accidental loss of data is a security incident (the data are no longer available). According to the GDPR it is also unlawful processing of personal data, hence a personal data breach. Data do not have to belong to the special categories of personal data to count as a personal data breach.
No, because no personal data on the disk were processed, only destroyed. Incorrect. A technical malfunction causing data to be no longer available is a security incident. The GDPR sees accidental loss of personal data as unlawful processing (not on instruction of the controller or processor), hence as a personal data breach.
No, because this is only a security incident and not a data breach. Incorrect. Personal data that are irretrievably lost are regarded as unauthorized processing by the GDPR, hence a personal data breach. The fact that the data were accidentally destroyed also makes the event a security incident.
To comply with the General Data Protection Regulation (GDPR) it is necessary to create a procedure for reporting data breaches to the Supervisory Authority.
As the controller is a public administration agency, which option is a requirement for this procedure?
It is not necessary to inform the Supervisory Authority of every violation that occurs, but every violation must be analyzed with caution and attention. Notifying the Supervisory Authority is unnecessary only if the violation presents no risk to the data subjects.
The DPO must always be involved to guide the best strategy and action for each violation that occurs. Article 38 legislates on the position of the data protection officer:
1. The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
It is clear that the DPO (Data Protection Officer) must be involved in the entire data processing life cycle, from collection to deletion.
In the contract between the controller and processor for the processing of personal data, which of the options below represents the sole responsibility of the Controller?
The correct option applies exclusively to the Controller; the others apply to the Processor, in accordance with Articles 25 and 28 of the GDPR.