Frequently Asked Questions
Below you will find the answers to some frequently asked questions.
What are Binding Corporate Rules (BCRs)?
A set of supervisory-authority-approved rules, like a data privacy code of conduct, within a multinational corporate group to ensure the legal transfer of personal information between its EU and non-EU entities.
What defines consent?
A potential legal basis for processing, and a must-have for marketing purposes. Must be freely given, informed, and given explicitly by statement or action. Silence or inactivity may no longer be relied upon. When agreeing to marketing, you have to tick the checkbox yourself - it can no longer be pre-ticked! Consent may also be withdrawn at will.
What is a Data Breach?
A security incident relating to the destruction, misuse or loss of, or accidental or unlawful access to personal information.
Who are Data Controllers?
The organisation(s) or person(s) that determines the conditions, means and purposes of the data processing activity.
What is Data Erasure?
The complete erasure of personal data once the data controller/processor no longer has a legal basis to process that data.
What is Data Portability?
A requirement for data controllers under GDPR. They must be able to provide data subjects with a copy of their data (subject to certain conditions) in a machine-readable, standard format. This is often used by data subjects to allow them to switch between service providers.
What does Data Processing mean?
Any operation or set of operations on data including obtaining, recording, keeping, collecting, organising, storing, altering, adapting, retrieving, consulting, using, disclosing, transmitting, disseminating, aligning, combining, blocking, erasing or destroying the data. Basically, if it is a verb ending in -ing and relates to personal information, then it is data processing.
What are Data Protection Authorities?
A body in each member state that has been tasked with monitoring and enforcement within that member state. In Ireland, it is the Data Protection Commissioner.
Who is a Data Protection Officer?
If it meets certain criteria, an organisation may have to recruit a data protection officer - an expert on data protection and privacy who acts as an internal adviser and ensures the organisation is meeting its requirements under GDPR.
Who is a Data Subject?
A natural person whose data is being processed.
What does Lawful Basis for Processing mean?
A controller needs to meet one of 6 lawful bases for processing in order for a processing activity to be permitted.
What is considered Personal Information?
Information relating to an identified or identifiable natural person. This can be direct or indirect and can include obvious data points like a username, address, email, social security number etc. It can also mean any information that relates to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
What does Privacy by Design and Default mean?
GDPR calls for organisations to consider data protection and privacy by design and default, essentially requiring them to include data protection principles from the very beginning of a new project or system design, rather than as an afterthought.
What does Privacy Shield mean?
An agreement between the European Union and the United States of America which imposes obligations on US companies to ensure they meet data protection standards before they can process data relating to EU citizens. US companies must apply to be Privacy Shield certified. The efficacy of the Framework is reviewed annually by the US Department of Commerce and the European Union.
What is the Right to be Forgotten?
In some cases, data subjects may invoke their right to be forgotten, i.e., a data controller must erase his or her personal information and stop processing activities using that data. This right is not absolute and doesn't guarantee censorship or limit freedom of expression: if a data controller has a valid reason to hold on to data (a bank for KYC purposes, for example) then they don't have to comply.
What is the Right to Access?
Similar to (but not the same as) data portability. A data subject can ask a data controller for a copy of all the personal data they hold on him or her and the reasons why they process it. It's also known as a Subject Access Request. Under current legislation, a subject access request costs no more than €6.35, but under GDPR it must be provided for free.