INFO5301 Data Privacy and General Data Protection Regulation
by Union or Member State law, the controller or the specific criteria for its nomination
may be provided for by Union or Member State law;
• ‘processor’ means a natural or legal person, public authority, agency or other body
which processes personal data on behalf of the controller;
• ‘personal data breach’ means a breach of security leading to the accidental or unlawful
destruction, loss, alteration, unauthorised disclosure of, or access to, personal data
transmitted, stored or otherwise processed;
1.3 Who is primarily concerned by the GDPR? (Hint: Chapter 1, Art: 3)
Answer: natural persons whose personal data are processed (data subjects in the Union, not only EU citizens) and every controller or processor that processes such data in the context of an establishment in the Union.
This Regulation applies to the processing of personal data in the context of the activities
of an establishment of a controller or a processor in the Union, regardless of whether the
processing takes place in the Union or not.
The data subject is defined as a natural person, e.g. a citizen of any EU country or of another country. The controller is a natural or legal person that determines the purposes and means of the processing of personal data, e.g. for-profit companies, non-profit organisations, governments, state agencies and individuals. The processor is a natural or legal person that processes personal data on behalf of the controller, e.g. an IT vendor. The GDPR places various obligations on the controller, which is the body ultimately responsible for the lawful processing of personal data. Controllers should only engage processors that can meet the requirements of lawful personal data processing prescribed by the GDPR.
1.4 What is considered as lawful consent in the GDPR? (Hint: Chapter 2, Art: 7, Look into
the suitable recitals as well.)
1. A continuation of navigation on a site or a mobile application by a simple scroll.
2. The simple act of downloading a document from a site or mobile application.
3. A clear affirmative act by which the person freely expresses, in a specific and informed
manner, their consent to data processing.
Answer: (3)
According to the GDPR (Recital 32), consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, for example by a written statement, including by electronic means, or an oral statement. This could be done by ticking a box when visiting a website, by choosing technical settings for information society services, or by another statement or conduct which clearly indicates that the data subject accepts the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity therefore do not constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. Where the processing has several purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear and concise and must not be unnecessarily disruptive to the use of the service for which it is provided.
Information Security Management Page 2 of 6