Learn GDPR data processing vocabulary: DPA structure, data controller vs. processor, sub-processors, Standard Contractual Clauses (SCCs), and transfer impact assessments.
1 / 5
Under GDPR, a company uses Salesforce CRM to store its customers' personal data. Salesforce processes the data only as instructed by the company. In this relationship, which role does each party hold?
The data controller determines the purposes and means of processing personal data (the company decides why and how customer data is stored). The data processor processes personal data on behalf of the controller and only under its documented instructions (Salesforce executes those instructions). GDPR Article 28 requires a Data Processing Agreement (DPA) between them.
2 / 5
A SaaS vendor's DPA mentions that it may engage AWS and Twilio to deliver its service, and that the customer's prior written consent is required before adding new ones. What are AWS and Twilio in this context?
A sub-processor is a third party engaged by the data processor to carry out processing activities on behalf of the controller. Under GDPR Article 28(2), the processor must obtain the controller's authorisation before engaging sub-processors. The DPA typically lists current sub-processors and establishes a notification mechanism (e.g., 30-day notice) for new ones.
3 / 5
After the Schrems II ruling invalidated the EU-US Privacy Shield, EU companies needed a new legal mechanism for transferring personal data to the US. What mechanism — updated by the European Commission in 2021 — is now most widely used for this purpose?
Standard Contractual Clauses (SCCs) are pre-approved contractual templates issued by the European Commission that provide appropriate safeguards for data transfers to third countries (GDPR Article 46(2)(c)). The 2021 SCCs replaced the outdated 2001/2010 versions and introduced a modular structure covering controller-to-controller, controller-to-processor, and processor-to-processor transfers.
4 / 5
Before transferring EU personal data to a country without an adequacy decision, a company must assess local laws that might undermine the transfer safeguards (e.g., government surveillance laws). What is this assessment called?
A Transfer Impact Assessment (TIA) — sometimes called a Transfer Risk Assessment — evaluates whether the legal framework of the destination country effectively protects the data as required by GDPR. It was made mandatory by the EDPB following Schrems II. The assessment examines laws on access by public authorities, available remedies for data subjects, and the practical likelihood of interference.
5 / 5
A DPA clause states: 'Processor shall implement appropriate technical and organisational measures (TOMs) to ensure a level of security appropriate to the risk, including pseudonymisation and encryption of personal data.' What does 'pseudonymisation' mean in a GDPR context?
Pseudonymisation (GDPR Article 4(5)) means replacing directly identifying information (e.g., name, email) with a pseudonym (e.g., a token or hash), while storing the key that links pseudonym to identity separately and securely. Unlike anonymisation, pseudonymised data is still personal data under GDPR — it just has enhanced protection. It is a recommended technical measure under Article 25 (Data Protection by Design).