Appendix
D. Mapping of corporate data protection malpractices to causes
| | IAT1 | IAT2 | IAT3 | IAT4 | IAT5 | ITT1 | ITT2 | ITT3 | IAO1 | IAO2 | IAO3 | IAO4 | IAO5 | IAO6 | IAO7 | IAO8 | IAO9 | ITO1 | ITO2 | ITO3 | ITO4 | ITO5 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| A1 | | | | | | | | | | | | | | | | | | | | | | |
| A2 | | | | | | | | | | | | | | | | | | | | | | |
| A3 | | | | | | | | | | | | | | | | | | | | | | |
| A4 | | | | | | | | | | | | | | | | | | | | | | |
| A5 | | | | | | | | | | | | | | | | | | | | | | |
| B1 | | | | | | | | | | | | | | | | | | | | | | |
| B2 | | | | | | | | | | | | | | | | | | | | | | |
| B3 | | | | | | | | | | | | | | | | | | | | | | |
| B4 | | | | | | | | | | | | | | | | | | | | | | |
| B5 | | | | | | | | | | | | | | | | | | | | | | |
| B6 | | | | | | | | | | | | | | | | | | | | | | |
| C1 | | | | | | | | | | | | | | | | | | | | | | |
| C2 | | | | | | | | | | | | | | | | | | | | | | |
| C3 | | | | | | | | | | | | | | | | | | | | | | |
| C4 | | | | | | | | | | | | | | | | | | | | | | |
| C5 | | | | | | | | | | | | | | | | | | | | | | |
| C6 | | | | | | | | | | | | | | | | | | | | | | |
| C7 | | | | | | | | | | | | | | | | | | | | | | |
| D1 | | | | | | | | | | | | | | | | | | | | | | |
| D2 | | | | | | | | | | | | | | | | | | | | | | |
| D3 | | | | | | | | | | | | | | | | | | | | | | |
| D4 | | | | | | | | | | | | | | | | | | | | | | |
| D5 | | | | | | | | | | | | | | | | | | | | | | |
| D6 | | | | | | | | | | | | | | | | | | | | | | |
| E1 | | | | | | | | | | | | | | | | | | | | | | |
| E2 | | | | | | | | | | | | | | | | | | | | | | |
| E3 | | | | | | | | | | | | | | | | | | | | | | |
| F1 | | | | | | | | | | | | | | | | | | | | | | |

Note: A1 = Inadequate information obligations, A2 = Inadequate data risk assessment obligations, A3 = Inadequate corporate oversight obligations, A4 = Inadequate cooperation obligations, A5 = Inadequate notification obligations,
B1 = Unauthorized data harvesting, B2 = Excessive data harvesting, B3 = Forced consent, B4 = Improper procedure for informed consent, B5 = Unfulfilled request for consent revocation, B6 = Data fraud,
C1 = Unauthorized access to personal data, C2 = Excessive access to personal data, C3 = Unfulfilled request for data access, C4 = Unfulfilled request for data rectification, C5 = Unfulfilled request for data deletion, C6 = Insecure data storage, C7 = Excessive data storage,
D1 = Secondary use of personal data, D2 = Unauthorized data processing, D3 = Excessive data processing, D4 = Unfulfilled request for objection to data processing, D5 = Insecure data processing, D6 = Erroneous data processing,
E1 = Unauthorized data transfer, E2 = Insecure data transfer, E3 = Data selling,
F1 = Insecure data disposal,
IAT1 = Inadequate technical safeguards against cyber intrusion, IAT2 = Inadequate technical measures to ensure the security of data storage, IAT3 = Inadequate technical measures to ensure the security of data processing, IAT4 = Inadequate technical measures to ensure the security of data transfer, IAT5 = Inadequate technical measures to ensure the security of data disposal,
ITT1 = Intrusive use of surveillance systems, ITT2 = Intrusive use of tracking technologies, ITT3 = Intrusive use of portable data storage devices,
IAO1 = Inadequate identity authentication, IAO2 = Poorly designed privacy policy, IAO3 = Inadequate control of access to personal data, IAO4 = Inadequate supportive resources for data protection practices, IAO5 = Inadequate digital forgetting mechanism, IAO6 = Inadequate internal training, IAO7 = Absence of data protection impact assessment, IAO8 = Absence of regular and extensive security risk checks, IAO9 = Inadequate due diligence,
ITO1 = Intrusive data harvesting mechanism, ITO2 = Intrusive data processing mechanism, ITO3 = Disregard for its obligations to obtain informed consent, ITO4 = Disregard for its obligations to fulfil the data rights of the data subjects, ITO5 = Disregard for its obligations to cooperate with supervisory authority.