Ace Your CIPP-E Certified Information Privacy Professional Exam

Convention 108+ is the modernised version of Convention 108, which was the first legally binding international instrument on data protection. The main purpose of Convention 108+ is to update and enhance the protection of personal data in light of the technological developments and the new challenges posed by the globalisation of data processing. Convention 108+ also aims to ensure the effective implementation and enforcement of data protection principles and rules, as well as to facilitate the free flow of data between the parties to the Convention.

References:

•Convention 108+ : the modernised version of a landmark instrument1

•Convention 108 and Protocols - Data Protection - The Council of Europe2

•Convention 108 - Council of Europe3

According to the EDPB Guidelines 01/2021 on Examples regarding Personal Data Breach Notification, a confidentiality breach occurs when personal data is disclosed or made available to unauthorized persons. This is the case when exfiltration of job application data from a website results in personal information being accessible to unauthorized persons, such as hackers or competitors. This type of breach may pose a high risk to the rights and freedoms of the data subjects, as it may lead to identity theft, fraud, discrimination, or reputational damage. Therefore, the data controller should notify the data subjects without undue delay, unless the data is encrypted or anonymized, or the controller has taken subsequent measures to ensure that the high risk is no longer likely to materialize.

References: EDPB Guidelines 01/2021 on Examples regarding Personal Data Breach Notification, page 151; CIPP/E Textbook, page 136.

 According to the UK GDPR, employees have the right to access and receive a copy of their personal data, and other supplementary information, from their employer. This is known as a data subject access request (DSAR). Employers must respond to a DSAR without delay and within one month of receipt of the request, unless the request is complex or excessive. Employers should perform a reasonable search for the requested information and provide it in an accessible, concise and intelligible format. Employers can only refuse to provide the information if an exemption or restriction applies, or if the request is manifestly unfounded or excessive. Some of the exemptions that may apply in the employment context are: legal privilege, management forecasting, confidential references, negotiations, regulatory functions, and criminal convictions and offences. Employers should disclose the information securely and inform the employee of their rights and the source of the data. References:

Right of access | ICO

Subject access request Q and As for employers | ICO

Data Subject Access Request (Employers’ Guide) | DavidsonMorris

Pseudonymisation is a technique that replaces, removes or transforms information that identifies individuals, and keeps that information separate from the rest of the data. Pseudonymised data is still personal data under the GDPR, because it can be re-identified with the use of additional information. However, pseudonymisation can reduce the risks of processing personal data and help comply with data protection principles and obligations. Pseudonymisation is different from anonymisation, which is the process of irreversibly transforming personal data so that the data subject is no longer identifiable. References:

GDPR Article 4(5), which defines pseudonymisation.

GDPR Recital 26, which explains the difference between pseudonymisation and anonymisation.

EDPS blog post, which provides an overview of pseudonymisation and its benefits.

ICO guidance, which gives practical advice on how to implement pseudonymisation.