
Question


1. Key Terms and their Definitions in the GDPR

Personal Data: any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Data Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, collects personal data and determines the purposes and means of the processing of personal data.

Data Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Data Subject: an identified or identifiable natural person.

Data protection officer: a position within a corporation that acts as an independent advocate for the proper care and use of customers' information.

Prior Informed Consent: any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her, before the actual processing of personal data takes place.

Pseudonymisation: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, such as a list with the correspondence between each real name and its pseudonym or code.

Anonymisation: the processing of personal data in such a manner that the data subject is not or no longer identifiable.

Purpose limitation: an overarching privacy principle, according to which personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Special categories of data (sensitive data): data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data and biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

Genetic data: personal data relating to the inherited or acquired genetic characteristics of a natural person which result from the analysis of a biological sample from the natural person in question.

Biometric data: personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.

GDPR (General Data Protection Regulation): Regulation EU/679/2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

EPrivacy Directive: Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector.

  2. EU Data Protection Scenarios

In this part you need to first carefully read the scenario and give your answer based on the GDPR. Where appropriate, give a reference to the article number of the GDPR. (Hint: there are keywords in the questions that give a clue to find the answer in the directive.)

  1. You are preparing a street survey to study the correlation between height and weight. For the survey you are asking respondents to fill in a paper form which includes date of birth, height and weight. Is this a set of personal data?
  2. You are organising an event and have to prepare a registration form to sell the tickets online. In the form you are going to request first name, surname and home address. Is this a set of personal data?
  3. You work in a company that creates online video games and a large section of the player base are children. Each user must give consent to the processing of his/her data before playing. In the GDPR (General Data Protection Regulation), the consent from a child concerning online services will only be valid if authorised by a parent, until the child is which age? Why?
    1. 8
    2. 10
    3. 12
    4. 16
    5. 18
  4. A company needs an accountant for administrative purposes and would like to hire you. You would have to manage the entry of accounting documents, the payments and the processing of all accounting data. Would you be considered a data controller? And a data processor? Why?
    1. Only data controller
    2. Only data processor
    3. Both
    4. Neither
  5. You are a researcher specialising in genetic data and you work in a hospital that provides home monitoring of patients, storing, among other things, genetic data. In order to conduct a piece of scientific research, you need to process these data. Can you do it without asking for consent from the patients?
  6. You work for the organiser of a festival. A newspaper asks you for the list of the registered participants. Do you have the right to disclose it?
  7. Your company manages an application for traffic monitoring, allowing users to check, in real time, the least busy routes and to find parking more easily. In order to use the service, a user has to download the application and activate the location service. Your company processes the geolocation data to serve tailored advertisements to the user. Without giving a specific reason, a user requests that you erase her data from your database. Are you obliged to satisfy her request?
  8. You work for a municipality that monitors noise levels through microphones in the city. A citizen says that he had a confidential conversation talking about personal information and only realised later that he was near one of the city microphones, so he asks you not to process this recording. Should you satisfy this request?
  9. A company keeps track of its clients' purchases for profiling purposes and substitutes each set of directly identifying data, e.g. first name, surname, address, phone, email, etc. with the same label - "Client". In this case the data are:
    1. pseudonymised
    2. partially anonymised
    3. fully anonymized
  10. You are a car manufacturer. In order to protect and prevent dysfunction on your cars, you have installed a system that enables you to remotely update the software of your cars across Europe. This system enables you to locate the vehicles. Can you activate this system by default?
  11. You are the security company (data processor) of a smart event at which the attendees are monitored through smart bracelets for the optimisation of the loudspeakers' volume in response to how the crowd is distributed. In order to comply with purpose limitation, are you permitted to record and analyse the hours of arrival and departure of the attendees with the goal of optimising the scheduling of ad hoc buses for future events?
  12. You are a data protection officer in an organisation that generates statistics using personal data and, therefore, you have had to ask the data subjects for consent to process their data. Some of them now want to withdraw their consent. Under the GDPR (General Data Protection Regulation), under which conditions do data subjects have the right to withdraw their consent to the processing of their data?
    1. Only if they had requested this option when they gave consent
    2. Only with the agreement of the supervisory authority
    3. Only if the scope of processing has been modified
    4. Only if they can prove that the request of consent was not provided in an easily accessible form
    5. At any time with no conditions.

Note: Kindly give the answer in the context of Internet Security and give details according to what the questions demand.

The purpose of this assignment is to understand core concepts and key principles of General Data Protection Regulation (GDPR).
