IAPP CIPP-E Certified Information Privacy Professional/Europe (CIPP/E) Exam Practice Test

The GDPR defines profiling as any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements12. Therefore, the relevant factors when determining if a processing activity would be considered profiling are:

• whether the processing involves data that is considered personal data;
• whether the processing of the data is done through automated means; and
• whether the processing is used to predict the behavior of data subjects.

The identity of the processor, whether it is the controller or a third-party vendor, is not relevant for the definition of profiling. However, it may have implications for the accountability and responsibility of the parties involved, as well as the data protection rights of the data subjects34. References: CIPP/E Certification - International Association of Privacy Professionals, Free CIPP/E Study Guide - International Association of Privacy Professionals, GDPR - EUR-Lex, What is automated individual decision-making and profiling? | ICO, WP29 releases guidelines on profiling under the GDPR, UK: A Guide To GDPR Profiling And Automated Decision-Making - Mondaq

 According to the GDPR, a controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data1. A processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller1. The controller and the processor must enter into a contract or other legal act that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller2.

In this scenario, BHealthy is the controller for the personal data of its customers, as it determines the purposes and means of the processing, such as conducting research to decide how to market its new line of sunscreens across Europe. Natural Insight is the processor for the personal data that BHealthy shares with it, as it processes the data on behalf of BHealthy for the purpose of determining the price point for the new sunscreens. However, Natural Insight is also a controller for the same personal data when it uses it for its own purpose of improving its machine learning algorithms, which is not part of the contract or legal act with BHealthy. Therefore, Natural Insight is a controller and a processor for the same personal data, depending on the purpose of the processing3.

References:

• Art. 4 GDPR – Definitions
• Art. 28 GDPR – Processor
• Guidelines 07/2020 on the concepts of controller and processor in the GDPR

I hope this helps you understand the GDPR and the controller-processor relationship better. If you have any other questions, please feel free to ask me. ?

According to the GDPR, when personal data is collected from the data subject, the controller must provide the data subject with certain information, such as the identity and contact details of the controller, the contact details of the data protection officer, the purposes and legal basis of the processing, the recipients or categories of recipients of the personal data, the data subject’s rights, and any other information necessary to ensure fair and transparent processing1. This information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language2. Therefore, Building Block should have provided its employees with information about who they can contact with any queries regarding the monitoring, such as the data protection officer or the Privacy Office, as part of the information notice before implementing the security measures. This would enable the employees to exercise their rights, such as the right to access, rectify, erase, restrict or object to the processing of their personal data, or the right to lodge a complaint with a supervisory authority3. References: 1 Art. 13 GDPR – Information to be provided where personal data are collected from the data subject - General Data Protection Regulation (GDPR)2 Art. 12 GDPR – Transparent information, communication and modalities for the exercise of the rights of the data subject - General Data Protection Regulation (GDPR)3 Art. 15-22 GDPR – Rights of the data subject - General Data Protection Regulation (GDPR).

The purpose limitation principle requires that personal data be collected for specified, explicit and legitimate purposes and not be further processed in a manner that is incompatible with those purposes. However, the GDPR does not provide a clear definition of what constitutes an incompatible purpose. Instead, it leaves room for interpretation by the member states, taking into account the context and circumstances of the processing. This means that the degree of flexibility a controller has in using personal data for a new purpose may vary depending on the member state’s law and guidance. Some factors that may affect the compatibility assessment include the link between the original and the new purpose, the expectations of the data subject, the nature of the data, the impact of the further processing, and the safeguards applied by the controller. References:

• GDPR Article 5(1)(b), which states the purpose limitation principle.
• GDPR Article 6(4), which lists the criteria for assessing the compatibility of a new purpose.
• ICO guidance, which explains the purpose limitation principle and provides examples of compatible and incompatible purposes.
• [EDPB guidelines], which provide further guidance on the application of the purpose limitation principle.

The GDPR establishes a two-tier system of administrative fines for infringements of its provisions, depending on the nature, gravity, and duration of the infringement, as well as other factors such as the intentional or negligent character of the infringement, the actions taken to mitigate the damage, the degree of co-operation with the supervisory authority, and any previous infringements1. The lower tier of fines can be up to 10 million euros or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher1. The lower tier of fines applies to infringements of the GDPR relating to the following aspects1:

• The obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, and 42 and 43;
• The obligations of the certification body pursuant to Articles 42 and 43;
• The obligations of the monitoring body pursuant to Article 41 (4). The higher tier of fines can be up to 20 million euros or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher1. The higher tier of fines applies to infringements of the GDPR relating to the following aspects1:
• The basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7, and 9;
• The data subjects’ rights pursuant to Articles 12 to 22;
• The transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49;
• Any obligations pursuant to Member State law adopted under Chapter IX;
• Non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58 (2) or failure to provide access in violation of Article 58 (1). Therefore, higher fines are assessed for GDPR violations due to violations of a data subject’s rights, as these are among the infringements that fall under the higher tier of fines. Data subjects’ rights are the rights granted to individuals whose personal data are processed by controllers or processors, such as the right to access, rectify, erase, restrict, object, or port their data, as well as the right to be informed, to withdraw consent, and to lodge a complaint1. Violations of these rights can cause significant harm to the data subjects and undermine the objectives of the GDPR. Therefore, option D is the correct answer. References: Art. 83 GDPR – General conditions for imposing administrative fines, Article 83 GDPR - GDPRhub

 According to GDPR Article 4(22), a supervisory authority is concerned by the processing of personal data if the data subjects residing in its member state are substantially affected or likely to be substantially affected by the processing, or if a complaint has been lodged with it. This concept is mainly introduced to ensure that the rights and interests of data subjects are protected by the supervisory authorities that are closest to them, regardless of where the controller or processor is established or where the lead supervisory authority is located. The concerned supervisory authorities have the right to participate in the one-stop-shop and consistency mechanisms, and to express their views and objections on the draft decisions of the lead supervisory authority. They also have the duty to cooperate and assist each other in the performance of their tasks. References: GDPR Article 4(22), GDPR Article 60, GDPR Article 63, The role of the ’supervisory authority concerned’ (Chapter 3.1 …

According to Article 14 of the GDPR, if the controller obtains personal data from other sources, such as third parties or publicly accessible sources, the controller must provide the data subject with the necessary privacy information, such as the identity and contact details of the controller, the purposes and legal basis of the processing, the categories of personal data concerned, the recipients or categories of recipients of the personal data, and the rights of the data subject. The controller must provide this information within a reasonable period after obtaining the personal data, but no later than one month, having regard to the specific circumstances in which the personal data are processed. However, there are some exceptions to this rule, such as if the data subject already has the information, if the provision of the information proves impossible or would involve a disproportionate effort, if the obtaining or disclosure of the data is expressly laid down by EU or member state law, or if the personal data must remain confidential subject to an obligation of professional secrecy12. References:

• GDPR, Article 14
• Free CIPP/E Study Guide, page 19, section 2.5.1
• CIPP/E Certification, page 14, section 1.2.1
• Art. 14 GDPR - Information to be provided where personal data have not been obtained from the data subject
• Article 14 GDPR - GDPRhub

 According to Article 33 of the GDPR, processors must notify controllers without undue delay after becoming aware of a personal data breach1. Even though Leon and Fred did not disclose the data to anyone else, the unauthorized access and copying of the log files still constitutes a personal data breach2. Therefore, Techiva, as a processor, has a legal responsibility to report it to TripBliss Inc., as the controller. The other options are not legal obligations for processors, although they may be good practices or contractual terms. References:

• Free CIPP/E Study Guide, page 32, section 4.1.2
• CIPP/E Certification, page 27, section 4.1.2
• Cipp-e Study guides, Class notes & Summaries, page 38, section 4.1.2
• New IAPP CIPP-E Exam Practice Questions, question 141
• Processors’ responsibilities, paragraph 2

You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company’s revenue is due to international sales.

The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: The figures can answer children’s Questions: on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience.

When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure’s integrated speakers, making it appear as though that the toy is actually responding to the child’s question. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.

In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures’ abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of home and have the character’s abilities remain intact.

Why is this company obligated to comply with the GDPR?

A. The company has offices in the EU. B. The company employs staff in the EU. C. The company’s data center is located in a country outside the EU. D. The company’s products are marketed directly to EU customers.

Answer:

Verified Answer: D. The company’s products are marketed directly to EU customers.

Comprehensive Explanation: According to section 6(1)© of the GDPR1, personal data shall be processed by organisations, which offer goods or services or otherwise carry out activities, in relation to which processing of personal data may be regarded as relevant for their legitimate interests. The legitimate interests referred to are those arising from the performance of a task carried out in their name or on their behalf, or for their own purposes. The legitimate interests referred to are those arising from the performance of a task carried out in their name or on their behalf, or for their own purposes. The legitimate interests referred to are those arising from the performance of a task carried out in their name or on their behalf, or for their own purposes. The legitimate interests referred to are those arising from the performance of a task carried out in their name or on their behalf, or for their own purposes. The legitimate interests referred to are those arising from the performance of a task carried out in their name or on their behalf, or for their own purposes. The legitimate interests referred to are those arising from the performance of a task carried out in their name or on their behalf, or for their own purposes. The legitimate interests referred to are those arising from the performance

Consent is one of the legal bases for processing personal data under the GDPR, but it must meet certain conditions to be valid. According to Article 4(11) of the GDPR, consent means “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” In this scenario, consent would not be considered an adequate legal basis for accessing the party zone, because it is not freely given. Freely given consent means that the data subject has a genuine and free choice to agree or disagree to the processing, and that there is no detriment, coercion, or significant negative consequences if the data subject does not consent. However, in this case, the consent is conditional on accessing the party zone, which is the main purpose of the event. Therefore, the data subject does not have a real choice, and may feel pressured or obliged to consent in order to participate in the event. This violates the principle of free consent, and could invalidate the consent as a legal basis.

References:

•GDPR Article 4 - Definitions1

•GDPR Article 7 - Conditions for consent2

•Guidelines 05/2020 on consent under Regulation 2016/6793

Directive 2002/58/EC, also known as the ePrivacy Directive, regulates the use of electronic communications services within the European Union. It covers issues such as confidentiality of communications, processing of traffic and location data, spam, cookies, and security breaches. It complements and particularises Directive 95/46/EC, also known as the Data Protection Directive, which sets out the general principles for the protection of personal data in the EU. The ePrivacy Directive was amended by Directive 2009/136/EC, which introduced new provisions on consent, cookies, and breach notification. The ePrivacy Directive is currently under review and will be replaced by a new Regulation on Privacy and Electronic Communications (ePrivacy Regulation), which is still being negotiated by the EU institutions. References: Directive 2002/58/EC, Directive 2009/136/EC, [ePrivacy Regulation]

The GDPR and the Convention 108 are two important data protection instruments that aim to protect the rights and freedoms of individuals with regard to their personal data. They both have some similarities and some differences, but one common feature is that they both require notification of processing activities to a supervisory authority.

A supervisory authority is an independent public body that monitors and enforces compliance with data protection laws. In the EU, there are 47 national data protection authorities (DPAs) that have the power to impose administrative fines, issue guidelines, conduct investigations, and cooperate with other authorities1. In the Council of Europe, there are 54 parties to the Convention 108 that have established their own supervisory authorities or have agreed to be supervised by an external authority2.

Notification of processing activities is a requirement for any controller or processor of personal data that falls under the scope of the GDPR or the Convention 108. A controller is a natural or legal person who determines the purposes and means of the processing of personal data3. A processor is a natural or legal person who processes personal data on behalf of a controller3. Notification means informing the supervisory authority about certain aspects of the processing, such as:

• The identity and contact details of the controller and processor
• The categories and sources of personal data
• The purposes and legal basis for processing
• The recipients or categories of recipients of personal data
• The retention period or criteria for determining it
• The existence of any automated decision-making or profiling
• The rights of data subjects and how they can exercise them

Notification can be done in various ways, such as:

• Submitting a written notification form
• Publishing a notice on a website or other platform
• Sending an email or other electronic message
• Using an online system or portal

Notification should be done as soon as possible after becoming aware of any relevant information about the processing. It should also be updated whenever there are significant changes in relation to the processing4.

Therefore, both the GDPR and the Convention 108 require notification of processing activities to a supervisory authority. This is one way to ensure transparency, accountability, and compliance with data protection laws.

According to Article 37(2) of the GDPR, a group of undertakings may appoint a single data protection officer (DPO) provided that the DPO is easily accessible from each establishment12. This means that the DPO should be able to communicate effectively with the data subjects and the supervisory authorities in the relevant languages and jurisdictions, and to perform the tasks referred to in Article 39 of the GDPR34. The accessibility of the DPO does not necessarily depend on the physical location of the DPO, but rather on the availability of the DPO to the relevant stakeholders via various means of communication34. Therefore, the DPO does not have to be located in the country where the data controller has its main establishment, nor does the group of undertakings have to obtain approval from a supervisory authority or be comprised of organizations of similar sizes and functions to appoint a single DPO. References: CIPP/E Certification - International Association of Privacy Professionals, Free CIPP/E Study Guide - International Association of Privacy Professionals, GDPR - EUR-Lex, What’s different about a group data protection officer?, Data Protection Officers: What US Companies Need to Know - Cooley

 According to the CIPP/E study guide, the Court of Justice of the European Union (CJEU) ruled in the case of Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD), Mario Costeja González1 that an Internet search engine operator is responsible for the processing of personal data that appear on web pages published by third parties, and that such operator must comply with the EU data protection law when it has an establishment in the EU. The CJEU held that Google Spain and Google Inc. were inextricably linked in their businesses, since Google Spain promoted and sold advertising space offered by Google Inc., which oriented its activity towards the inhabitants of Spain. Therefore, Google Inc. was subject to the EU data protection law through its subsidiary Google Spain, even though the personal data processing was carried out by Google Inc. outside the EU. This implies that search engines outside the EEA are also likely to be subject to the Regulation’s right to be forgotten if they have an establishment in the EU that is inextricably linked to their parent company. References: 1: CIPP/E study guide, page 16; Google Spain v AEPD and Mario Costeja González

 According to the GDPR, consent is one of the six lawful bases for processing personal data. Consent means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Consent can be withdrawn at any time, and the withdrawal of consent must be as easy as giving it. Therefore, an individual can withdraw her consent for processing when she no longer wishes to be sent marketing materials from an organization, as this is a clear indication of her wishes and does not affect the lawfulness of the processing based on consent before its withdrawal. The other situations are not related to consent, but to other lawful bases such as contract, legitimate interest or legal obligation. References: Free CIPP/E Study Guide, page 9; CIPP/E Certification, page 3; GDPR, Article 4(11), Article 6(1)(a), Article 7(3).

The Universal Declaration of Human Rights (UDHR) was adopted by the United Nations General Assembly in 1948 as a response to the atrocities of World War II. It is considered the first global expression of human rights and fundamental freedoms. Article 12 of the UDHR states that “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.” This article is the origin of privacy as a fundamental human right that has influenced many subsequent international and regional instruments, such as the European Convention of Human Rights (ECHR), the OECD Guidelines on the Protection of Privacy, and the Charter of Fundamental Rights of the European Union (CFREU). References:

• IAPP CIPP/E Study Guide, page 7
• [Universal Declaration of Human Rights]
• [Article 12 of the UDHR]

The GDPR applies to the processing of personal data of data subjects who are in the EU, regardless of their nationality or residence. This means that non-EU residents who are physically located in the EU are protected by the GDPR, and EU residents who are outside the EU are not. However, this does not mean that non-EU residents who are outside the EU can be asked to waive their GDPR rights by a company that is subject to the GDPR. The GDPR does not allow such waivers, as they would undermine the essence of the fundamental rights and freedoms of data subjects. The GDPR also requires that data subjects are provided with clear and transparent information about the processing of their personal data, and that they give their consent freely, specifically, informedly and unambiguously. A blanket waiver of GDPR rights does not meet these criteria, and would therefore be invalid and unenforceable.

References:

•GDPR Article 3 - Territorial scope1

•GDPR Article 7 - Conditions for consent2

•GDPR Article 25 - Data protection by design and by default3

•GDPR Recital 171 - Relationship with previously concluded agreements4

According to Article 33 of the GDPR, in the case of a personal data breach, the processor (Provider Y) shall notify the controller (Company X) without undue delay after becoming aware of the breach. The processor does not have the obligation to notify the supervisory authority, the public, or law enforcement, unless otherwise required by law. The controller is responsible for notifying the supervisory authority and, where necessary, the data subjects, unless the breach is unlikely to result in a risk to their rights and freedoms. References:

• Article 33 of the GDPR, which regulates the notification of a personal data breach to the supervisory authority.
• [Article 34 of the GDPR], which regulates the communication of a personal data breach to the data subject.
• ICO guidance, which explains the roles and responsibilities of controllers and processors in relation to data breach notification.

According to Article 23 of the GDPR, the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, may be restricted by a legislative measure of a Member State or the Union, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard certain public interests or the rights and freedoms of others1. However, Article 23 does not include Article 77, which grants the data subject the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to him or her infringes the GDPR2. Therefore, this right cannot be restricted by any legislative measure, as it is essential for the effective judicial protection of the data subject and the enforcement of the GDPR3. References:

• Free CIPP/E Study Guide, page 14, section 2.3
• GDPR, Article 77
• GDPR, Article 23
• Guidelines on restrictions of data subject rights under Art. 23 of the GDPR, page 4, section 2
• Statement on restrictions on data subject rights in connection to the COVID-19 pandemic, page 2, section 2

 According to the GDPR, personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject1. The GDPR also recognizes that the processing of special categories of personal data, such as data revealing political opinions, religious or philosophical beliefs, or data concerning health or sex life, may entail a high risk to the rights and freedoms of natural persons2. Therefore, such data can only be processed under certain conditions, such as when the data subject has given explicit consent, or when the processing is necessary for reasons of substantial public interest3.

In this scenario, Ben had the company collect additional data from its customers, including their philosophical beliefs, political opinions and marital status, without a valid legal basis or a legitimate purpose. He also copied the data of the single customers onto a separate database for his own online dating website, without informing them or obtaining their consent. This processing of special categories of personal data created a significant risk to the customers’ fundamental rights and freedoms, such as their right to privacy, dignity, non-discrimination and self-determination. The customers may also suffer from identity theft, fraud, harassment, or unwanted marketing as a result of the unauthorized use of their data. Therefore, Ben’s actions constituted the most serious violation of the GDPR in this scenario.

References:

• Art. 5 GDPR – Principles relating to processing of personal data
• Recital 51 GDPR – Protecting sensitive personal data
• Art. 9 GDPR – Processing of special categories of personal data
• [Guidelines 3/2019 on processing of personal data through video devices]

I hope this helps you understand the GDPR and data processing better. If you have any other questions, please feel free to ask me. ?

According to Article 35 of the GDPR, the controller must carry out a data protection impact assessment (DPIA) prior to processing that is likely to result in a high risk to the rights and freedoms of natural persons. The DPIA is a process for assessing and mitigating the potential impact of the processing on the protection of personal data. The controller must seek the advice of the DPO, where designated, when carrying out a DPIA. The DPO can assist the controller in conducting the DPIA and ensuring its compliance with the GDPR requirements. The DPO can also monitor the performance of the DPIA and act as a contact point for the supervisory authority and the data subjects. References:

• Article 35 of the GDPR
• European Data Protection Law & Practice textbook, Chapter 7: Data Protection Impact Assessment, Section 7.2: When is a DPIA required?, Subsection 7.2.1: The role of the DPO
• Roles and Responsibilities of a Data Protection Officer

According to the GDPR, a data controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (Art 4(7) of GDPR). A data processor is the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Art 4(8) of GDPR). In this case, JaphSoft would be considered a controller under the GDPR because it uses the personal data it receives from Liem and EcoMick to improve its own products and services through machine learning. This means that JaphSoft determines the purposes and means of this processing activity, which is not covered by the agreement with Liem and EcoMick. JaphSoft also decides how long to retain the personal data, which is another indication of its controller role. The other options are not sufficient to establish JaphSoft as a controller, as they could also apply to a processor. Having access to personal data in the MarketIQ database does not imply that JaphSoft determines the purposes and means of the processing. It could be acting on behalf of Liem and EcoMick, who are the controllers of the data in the database. Making decisions regarding the technical and organizational measures necessary to protect the personal data is also a duty of a processor, who must implement appropriate security measures in accordance with the GDPR and the instructions of the controller (Art 28 and Art 32 of GDPR). References:

• GDPR, Art 4, Art 28, Art 32
• Free CIPP/E Study Guide, p. 15
• European Data Protection Law & Practice, p. 123
• What is a data controller or a data processor?
• CNIL publishes guidance on data processing roles under EU GDPR
• Guide for multi-controller situations under the GDPR

 According to the GDPR, processors must maintain records of all categories of processing activities carried out on behalf of each controller, containing the following information12:

• the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer;
• the categories of processing carried out on behalf of each controller;
• where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
• where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

The records must be in writing, including in electronic form, and must be made available to the supervisory authority on request. The obligation to maintain records does not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data or personal data relating to criminal convictions and offences.

The GDPR does not require processors to include details of any data protection impact assessment (DPIA) conducted in relation to any processing activities carried out by the processor on behalf of each controller for which the processor is acting. A DPIA is a process to help identify and minimise the data protection risks of a project. It is the responsibility of the controller to carry out a DPIA where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons. The processor may assist the controller in carrying out the DPIA, but the processor does not have to document it in its records of processing activities. Therefore, the correct answer is D. References:

• GDPR, Article 30(2)
• GDPR, Article 35
• ICO, Documentation1
• ICO, Data protection impact assessments1

According to the GDPR, the material scope of the regulation covers the processing of personal data wholly or partly by automated means, or by non-automated means if the data forms part of a filing system or is intended to form part of a filing system (Article 2(1)). Personal data is defined as any information relating to an identified or identifiable natural person (data subject) (Article 4(1)). An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Article 4(1)). Therefore, pseudonymous data, such as blockchain transactions that use public keys or other identifiers, may still fall within the definition of personal data if the data subject can be identified or re-identified by using additional information or means (Recital 26).

The GDPR also applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the European Union, regardless of whether the processing takes place in the European Union or not (Article 3(1)). The GDPR also applies to the processing of personal data of data subjects who are in the European Union by a controller or processor not established in the European Union, where the processing activities are related to the offering of goods or services to such data subjects in the European Union or the monitoring of their behaviour as far as their behaviour takes place within the European Union (Article 3(2)). Therefore, the territorial scope of the GDPR covers both controllers and processors established in the European Union, and controllers and processors not established in the European Union but targeting or monitoring data subjects in the European Union.

In this scenario, blockchain transactions are classified as pseudonymous data, which may still be considered as personal data under the GDPR if the data subjects can be identified or re-identified. Therefore, such transactions are within the material scope of the GDPR, as they involve the processing of personal data by automated means. However, the GDPR only applies to such transactions to the extent that they include data subjects in the European Union, either by having a controller or processor established in the European Union, or by offering goods or services to or monitoring the behaviour of such data subjects. Therefore, the answer is C.

References: GDPR, Articles 2, 3, 4, Recital 261; EDPB Guidelines 05/2020 on consent under Regulation 2016/6792, page 17; Blockchain and the GDPR: Solutions for a responsible use of the blockchain in the context of personal data - CNIL3

Article 8 of the ECHR protects the right to respect for private and family life, home and correspondence. However, this right is not absolute and can be subject to limitations by a public authority in accordance with the law and for a legitimate aim. The European Court of Human Rights (ECtHR) has developed a two-stage test to determine whether such limitations are justified. First, the court must examine whether there is a legitimate aim pursued by the public authority, such as national security, public safety or the prevention of crime. Second, the court must assess whether the means used by the public authority are appropriate and necessary to achieve that aim, taking into account all relevant factors such as proportionality, necessity and less restrictive alternatives12. Therefore, the right to privacy is not an absolute right but a qualified one that has to be balanced against other rights under the ECHR. References:

• Article 8 - Protection of personal data
• Your right to respect for private and family life
• Right to respect for private and family life
• Guide on Article 8 of the European Convention on Human Rights
• European Convention on Human Rights - Article 8

ISO 31700 is an international standard that provides high-level requirements and recommendations for organizations that use privacy by design (PbD) in the development, maintenance and operation of consumer goods and services. PbD is a concept that aims to integrate privacy into products, services and systems by default, following seven main principles: proactive not reactive, privacy as the default, privacy embedded into design, full functionality, end-to-end security, visibility and transparency, and respect for user privacy. PbD is also a legal requirement under many prominent privacy regulations across the world, such as the GDPR. ISO 31700 is based on a consumer-centric approach, where the consumer’s privacy rights and preferences are placed at the center of product development and operation.

References: Meet the new ISO 31700 standard for Privacy by Design (PbD); 7 Steps to Comply with ISO 31700-1:2023; Privacy by Design: Embracing ISO 31700-1:2023’s Consumer Protection Guidelines.

A multinational company that is appointing a mandatory data protection officer (DPO) must also consult national derogations to evaluate if there are additional cases to be considered in relation to the matter. According to Article 37 (1) of the GDPR, a DPO must be designated by the controller or the processor in any case where: (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; (b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or © the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences 1. However, Article 37 (4) of the GDPR also allows Member States to provide for additional cases where a DPO must be designated by law 1. Therefore, a multinational company must consult the national laws of the EU jurisdictions in which it operates to ensure that it complies with any additional requirements for appointing a DPO.

The other options are not correct because they are not directly related to the appointment of a DPO. Conducting a Data Protection Privacy Assessment, assessing the number of employees, and revising the data processing activities are all good practices for ensuring compliance with the GDPR, but they are not mandatory actions for designating a DPO. Moreover, the number of employees is not a relevant criterion for appointing a DPO, as the GDPR does not set any threshold based on the size of the organization 2. References: 1: Article 37 of the GDPR 2: Guidelines on Data Protection Officers (‘DPOs’)

 According to Article 14 of the GDPR, when a controller collects personal data from a source other than the data subject, the controller must provide the data subject with certain information, such as the identity and contact details of the controller, the purposes and legal basis of the processing, the categories of personal data concerned, the recipients or categories of recipients of the personal data, and the rights of the data subject. This information must be provided within a reasonable period after obtaining the personal data, but at the latest within one month, or at the time of the first communication with the data subject, or before disclosing the data to another recipient. The purpose of this provision is to ensure fair and transparent processing of personal data and to respect the right of the data subject to be informed. References:

• Article 14 of the GDPR, which specifies the information to be provided where personal data have not been obtained from the data subject.
• ICO guidance, which explains the requirements and exceptions of Article 14 of the GDPR.
• EDPB guidelines, which provide further guidance on the application of Article 14 of the GDPR.

 The GDPR states that the parental consent mechanism generally applies when the child is younger than 16 years1. Processing personal data will be lawful only if the child’s parent or custodian has consented to such processing2. However, Member States are allowed to lower this threshold in national legislation up to 13 years old3. This means that Member States have some choice regarding the age limit for children’s consent, as long as it is not below 13 years. The GDPR also requires that the consent request is clear and understandable for the child, and that the controller makes reasonable efforts to verify that the consent is given or authorised by the holder of parental responsibility4. References: CIPP/E Certification - International Association of Privacy Professionals, Free CIPP/E Study Guide - International Association of Privacy Professionals, GDPR - EUR-Lex, Complying with the GDPR when vulnerable people use smart devices

I hope this helps. If you have any other questions, please let me know. ?.

Article 9 of the GDPR prohibits the processing of special category data, which includes biometric data for the purpose of uniquely identifying a natural person1. However, there are 10 exceptions to this general prohibition, usually referred to as ‘conditions for processing special category data’2. These are:

• (a) Explicit consent
• (b) Employment, social security and social protection (if authorised by law)
• © Vital interests
• (d) Not-for-profit bodies
• (e) Made public by the data subject
• (f) Legal claims and judicial acts
• (g) Substantial public interest conditions
• (h) Health or social care
• (i) Public health
• (j) Archiving, research and statistics

Option A is not one of these exceptions, and therefore it is not a valid reason to process biometric data under Article 9. Option B, C and D are all valid exceptions, as they correspond to conditions ©, (f) and (a) respectively. Therefore, the correct answer is A.

References:

• 4: Art. 9 GDPR Processing of special categories of personal data
• 6: What are the rules on special category data? | ICO

The GDPR does not explicitly regulate background checks, but it does apply to the processing of personal data that may be obtained or used during such checks. Therefore, the company must comply with the GDPR principles, such as lawfulness, fairness, transparency, data minimization, purpose limitation, accuracy, storage limitation, integrity and confidentiality, and accountability. The company must also identify a lawful basis for processing personal data, such as legal obligation, legitimate interest, or consent, and respect the data subject rights, such as the right to information, access, rectification, erasure, restriction, objection, and portability. Moreover, the company must be aware of the specific rules and restrictions regarding the processing of special categories of data (such as biometric, health, or political data) and data relating to criminal convictions and offences, which are subject to Article 10 of the GDPR and the laws of each member state. The company must also consider the national employment laws and the guidelines of the relevant supervisory authorities, which may impose additional conditions or limitations on the scope, methods, and purposes of background checks. For example, some member states may require prior authorization, notification, or consultation with the supervisory authority, the data subject, or the works council before conducting background checks. Some member states may also prohibit or restrict certain types of background checks, such as social media screening, credit checks, or criminal record checks, unless they are necessary, proportionate, and relevant for the specific job position or sector. Therefore, the company must conduct a thorough assessment of the legal framework and the risks and benefits of background checks in each member state where it operates or recruits employees, and ensure that it has a clear and consistent policy and procedure for conducting background checks in a GDPR-compliant manner. References: How to ‘background check’ under the GDPR, How to perform GDPR compliant background checks, GDPR and the processing of criminal conviction data across Europe, Pre-employment vetting: Data protection and criminal records, How GDPR Affects Background Checking

The GDPR allows the transfer of personal data to countries outside of the EEA that do not provide an adequate level of data protection, if appropriate safeguards are provided by the data exporter and the data importer1. One of these safeguards are standard contractual clauses (SCCs) adopted by the European Commission, which are model clauses that impose obligations on both parties to ensure that the transfer complies with the GDPR requirements2. The SCCs also include clauses on the rights of the data subjects, the obligations of the data protection authorities, and the liability and indemnification of the parties3. One of the obligations of the data importer under the SCCs is to warrant that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract, and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the SCCs, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract4. Therefore, option D is the correct answer, as it reflects the obligation of the data importer under the SCCs to ensure that local laws do not impede the company from meeting its contractual obligations. Options A, B and C are incorrect, as they are not obligations of the data importer under the SCCs. Option A is not required by the GDPR or the SCCs, as the data importer does not need to submit the contract to its own government authority, unless the law of the country where the data importer is established requires it to do so prior to the transfer or disclosure of personal data5. Option B is not an obligation of the data importer, but of the data exporter, who must provide the data subjects with the information required by Articles 13 and 14 of the GDPR, including the fact that the data will be transferred to a third country and the appropriate safeguards in place6. Option C is not specific to the SCCs, but a general obligation of any controller or processor under the GDPR, who must cooperate with the supervisory authority and make available all information necessary to demonstrate compliance with their obligations7. References: 1: Article 46(1) of the GDPR 2: Standard Contractual Clauses (SCC) - European Commission 3: EU Standard Contractual Clauses (Word documents) 4: Clause 5(a) of the SCCs for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 5: Clause 5(b) of the SCCs for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 6: Clause 9 of the SCCs for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 7: Article 31 of the GDPR

According to Article 32 of the GDPR, the controller and the processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing, including the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident1. A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed2. Therefore, a power outage that results in the loss of availability of customer data for six hours is considered a personal data breach under the GDPR.

Based on the WP 29’s February, 2018 guidance, which was endorsed by the European Data Protection Board, company Z should document the loss of availability to demonstrate accountability3. The guidance states that controllers must document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken, regardless of whether the breach needs to be notified to the supervisory authority or the data subjects. This documentation must enable the supervisory authority to verify compliance with the GDPR and must be made available to the supervisory authority on request4.

The other options (A, C, and D) are not required by the GDPR or the guidance, although they may be advisable or beneficial depending on the circumstances. Option A is not mandatory, as the GDPR only requires the controller to communicate the personal data breach to the data subject when the breach is likely to result in a high risk to the rights and freedoms of natural persons5. A temporary loss of availability may not pose such a high risk, unless it affects the data subject’s essential services or activities. Option C is also not obligatory, as the GDPR only requires the controller to notify the supervisory authority of the personal data breach within 72 hours unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons6. A short-term loss of availability may not entail such a risk, unless it affects a large number of data subjects or sensitive data. Option D is not specified by the GDPR or the guidance, although it may be a good practice to conduct a thorough audit of all security systems after a personal data breach to identify and address any vulnerabilities or weaknesses that may have contributed to the incident or may lead to future incidents. References:

• 1: Article 32 of the GDPR
• 2: Article 4 (12) of the GDPR
• 3: Endorsed WP29 Guidelines
• 4: Article 33 (5) of the GDPR
• 5: Article 34 (1) of the GDPR
• 6: Article 33 (1) of the GDPR
• 7: Guidelines on Personal data breach notification under Regulation 2016/679, WP250 rev.01
• 8: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
• 9: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679

Sandy should give this feedback to Dan and the marketing team, as it reflects the principle of data minimization, which requires that personal data collected must be adequate, relevant and limited to what is necessary for the purposes of the processing1. Collecting birth date and salary information from customers who want to download white papers or register for events is not necessary for those purposes, and may pose risks for data protection and security. Moreover, such information may fall under the category of special data, which requires explicit consent from the data subjects and can only be processed under certain conditions2. The other options do not comply with the principle of data minimization, as they still involve collecting more data than needed, even if they are optional or in brackets. References:

• Free CIPP/E Study Guide, page 23, section 3.1
• CIPP/E Certification, page 18, section 3.1
• The Ultimate CIPP/E Study Guide for 2023, page 16, section 3.1
• Principles - General Data Protection Regulation (GDPR), Article 5
• Special categories of personal data - General Data Protection Regulation (GDPR), Article 9

According to the GDPR, pseudonymization is a technique that reduces the linkability of personal data to a specific data subject by replacing identifying attributes with pseudonyms1. Pseudonymization is not a sufficient measure to anonymize personal data, which means that the data cannot be attributed to an identifiable person without additional information2. Pseudonymization can help data controllers and processors to comply with the GDPR principles of data minimization, purpose limitation, and storage limitation, as well as to enhance the security and confidentiality of personal data3.

In this scenario, JaphSoft’s use of pseudonymization is not in compliance with the GDPR because of option C: JaphSoft was in possession of information that could be used to identify data subjects. This is because JaphSoft did not keep the additional information (the contact information) separately from the pseudonymized data (the identifying information), and did not apply technical and organizational measures to prevent the re-identification of the data subjects4. This means that JaphSoft could potentially link the personal data to the individuals, and therefore, the data was not effectively pseudonymized. Moreover, JaphSoft did not have a deletion process for the data it received from clients, which could violate the principle of storage limitation that requires personal data to be kept no longer than necessary for the purposes for which they are processed.

According to the GDPR, the right to be forgotten, also known as the right to erasure, is not an absolute right and only applies in certain circumstances1. One of the exceptions to this right is when the processing of personal data is necessary for the establishment, exercise or defence of legal claims2. In this scenario, the company may need to retain the personal data of Jack, such as his employment records, performance reviews, and internal emails, in order to defend itself against a possible legal action of unfair dismissal. Therefore, the company should not erase the data at this time, unless it is confident that it has no legal basis to keep it. The company should also inform Jack of the reasons for not complying with his request and of his right to lodge a complaint with a supervisory authority or a judicial remedy3. References: 1: Everything you need to know about the “Right to be forgotten”2: Article 17(3)(e) of the GDPR3: Article 12(4) of the GDPR.

1. A request may be manifestly unfounded or excessive if it has no clear purpose, is clearly frivolous or vexatious, is made repeatedly by the same data subject, or goes beyond what is reasonably necessary to fulfil the data subject’s request2. In such cases, the organisation can either charge a reasonable fee or refuse to act on the request, but it must be able to justify its decision and inform the data subject of the reasons and their right to lodge a complaint with a supervisory authority or a judicial remedy1. The other options are not correct, as they either do not reflect the conditions for charging a fee under the GDPR, or are not relevant to the question. References: Right of access | ICO, Charge for a Data Subject Request GDPR - GDPR Wiki

 According to Article 58 of the GDPR, each supervisory authority has the power to notify the controller or the processor of an alleged infringement of the GDPR as part of its investigative powers. This power allows the supervisory authority to alert the controller or the processor of a possible violation of the GDPR and to initiate further actions if necessary. The notification may also include recommendations or instructions on how to remedy the infringement or prevent further violations. References:

• Article 58 of the GDPR
• European Data Protection Law & Practice textbook, Chapter 9: Supervision and Enforcement, Section 9.2: Supervisory Authorities, Subsection 9.2.2: Powers of Supervisory Authorities

According to Article 46 of the GDPR, in the absence of an adequacy decision by the European Commission, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. One of the possible appropriate safeguards is the use of standard data protection clauses adopted by the Commission or by a supervisory authority. However, Article 46(5) states that the possibility for the controller or processor to use standard data protection clauses adopted by the Commission or by a supervisory authority shall not affect the possibility for the controller or processor to rely upon other appropriate safeguards provided for in paragraph 2 of this Article, provided that they ensure that data subjects have enforceable and effective rights as regards the processing of their data. Therefore, in this case, Jackie’s recommendation of requiring UpFinance to notify ProStorage if it receives a government request for personal data UpFinance processes on its behalf prior to disclosing such data is an additional measure that could be considered as an appropriate safeguard, especially since UpFinance implements several data protection measures, including end-to-end encryption, with encryption keys held by the customer, which would ensure a high level of security and confidentiality of the personal data transferred. References:

• Article 46 of the GDPR
• IAPP CIPP/E Study Guide, page 67

According to the CIPP/E study guide1, the European Commission is the EU institution that has the power to propose new data protection legislation on its own initiative, as well as amend or repeal existing laws. The European Commission is also responsible for implementing and enforcing the EU data protection framework, in cooperation with other institutions and national authorities.

References: 1: Free CIPP/E Study Guide - International Association of Privacy Professionals

According to the GDPR, consent is one of the lawful bases for processing personal data1. Consent means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her2. Therefore, consent must be specific to each purpose of processing and cannot be bundled with other purposes3. If a company wants to use personal data for a new purpose that is not compatible with the original purpose for which consent was given, it must obtain a new consent from the data subjects for the new processing4. Simply informing the data subjects of the new purpose or updating the privacy notice is not sufficient, as it does not imply the data subject’s agreement to the new processing. Proceeding with the new processing without obtaining a new consent would be unlawful and could result in fines and sanctions5. References:

• Free CIPP/E Study Guide, page 23, section 4.1.1
• GDPR, Article 4 (11)
• GDPR, Recital 32
• GDPR, Article 6 (4)
• GDPR, Article 83 (5) (a)

When assessing the level of risk created by a data breach, the size of any data processor involved would not have to be taken into consideration. According to the GDPR, a data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” 1. The GDPR requires data controllers and processors to notify the relevant supervisory authority of a data breach within 72 hours, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons 2. The GDPR also requires data controllers to communicate the data breach to the affected data subjects without undue delay, if the breach is likely to result in a high risk to their rights and freedoms 3.

The GDPR does not specify the exact criteria for determining the level of risk, but it provides some guidance in Recital 85, which states that “the likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing” . The recital also mentions some factors that could increase the risk, such as the ease of identification of individuals, the special categories of personal data, the large scale of the processing, or the special characteristics of the data controller . Therefore, these factors should be taken into consideration when assessing the level of risk created by a data breach.

However, the size of any data processor involved is not relevant for the risk assessment, as it does not affect the impact of the breach on the data subjects. The data processor is only responsible for processing the personal data on behalf of the data controller, and has no direct relationship with the data subjects . The data processor’s obligations in case of a data breach are to notify the data controller without undue delay, and to assist the data controller in complying with its obligations under the GDPR . The data processor’s size may affect its ability to fulfill these obligations, but it does not change the level of risk created by the data breach itself. References: 1: Article 4(12) of the GDPR 2: Article 33 of the GDPR 3: Article 34 of the GDPR : Recital 85 of the GDPR : Article 4(8) of the GDPR : Article 28 of the GDPR

I hope this helps. If you have any other questions, please feel free to ask. ?

According to the GDPR, personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes1. This means that data controllers must inform data subjects about the purposes of data processing and obtain their consent or another lawful basis for any new or different purposes2.

In the scenario, Brady transferred his customers’ personal data to Hermes Designs, a third-party contractor, to fulfill a requested service. However, Hermes Designs used the data for a new purpose that was not disclosed to the customers: creating sample customized banner advertisements and conducting direct marketing. This is a violation of the purpose limitation principle and could expose Brady to legal risks and customer complaints.

Therefore, Brady should be concerned with Hermes Designs’ handling of customer personal data and take appropriate measures to ensure compliance with the GDPR.

I hope this helps. If you have any other questions, please feel free to ask. ?

1: Article 5(1)(b) of the GDPR 2: Article 6(4) of the GDPR

 According to the UK GDPR, employees have the right to access and receive a copy of their personal data, and other supplementary information, from their employer. This is known as a data subject access request (DSAR). Employers must respond to a DSAR without delay and within one month of receipt of the request, unless the request is complex or excessive. Employers should perform a reasonable search for the requested information and provide it in an accessible, concise and intelligible format. Employers can only refuse to provide the information if an exemption or restriction applies, or if the request is manifestly unfounded or excessive. Some of the exemptions that may apply in the employment context are: legal privilege, management forecasting, confidential references, negotiations, regulatory functions, and criminal convictions and offences. Employers should disclose the information securely and inform the employee of their rights and the source of the data. References:

• Right of access | ICO
• Subject access request Q and As for employers | ICO
• Data Subject Access Request (Employers’ Guide) | DavidsonMorris

One of the main reasons why the CJEU invalidated the Privacy Shield was that it found that the US surveillance programs were not limited to what is strictly necessary and proportionate, as required by the EU law. The CJEU also criticized the lack of effective judicial remedies for EU data subjects whose data was accessed by US authorities. The Trans-Atlantic Data Privacy Framework is intended to address these issues by introducing new safeguards to ensure that signals intelligence activities are necessary and proportionate in the pursuit of defined national security objectives, and by creating a new mechanism for EU individuals to seek redress if they believe they are unlawfully targeted by signals intelligence activities. The Framework also enhances the oversight and transparency of US surveillance practices.

References: EU–US Data Privacy Framework - Wikipedia; FACT SHEET: United States and European Commission Announce Trans-Atlantic Data Privacy Framework | The White House; United States and European Commission Joint Statement on Trans-Atlantic Data Privacy Framework; European Commission and United States Joint Statement on Trans-Atlantic Data Privacy Framework; A practical approach to the new Trans-Atlantic Data Privacy Framework.

The material scope of the GDPR is outlined in Article 21. The Regulation applies to ‘processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.’1 However, the Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity1. This exemption is meant to protect the privacy of individuals in their private sphere and to exclude activities that have no connection with a professional or commercial activity2. The exemption covers activities such as correspondence, social networking, online publication of photos or videos, and the use of online services for personal purposes2. However, the exemption does not apply if the processing of personal data affects the rights and freedoms of others, such as when the data is made accessible to an indefinite number of people3. Therefore, the processing of personal data by a natural person in the course of a large-scale but purely personal or household activity is not exempt from the material scope of the GDPR, as it may have an impact on the privacy of other individuals. The other options are exempt from the material scope of the GDPR, as they involve small-scale, purely personal or household activities that do not affect the rights and freedoms of others. References: 1: Article 2 of the GDPR2: Recital 18 of the GDPR3: CJEU, Case C-101/01, Lindqvist, 2003.

 A dynamic IP address is a unique numerical label for a device on the internet that changes every time the device connects to the internet. A dynamic IP address by itself is not personal data, as it does not directly identify the person who owns or uses the device. However, a dynamic IP address can become personal data when it is combined with other data held by the controller, such as the web pages accessed by the device, the time and duration of the visit, the location of the device, or the user’s preferences and interests. In this case, the controller can use the additional data to identify the data subject, either directly or indirectly, by linking the dynamic IP address to a specific person or a profile. This was confirmed by the Court of Justice of the European Union (CJEU) in the case of Breyer v Bundesrepublik Deutschland, where the CJEU ruled that a dynamic IP address registered by a website provider constitutes personal data in relation to that provider, where the latter has the legal means to obtain the identity of the data subject from the internet service provider (ISP) that assigned the dynamic IP address. Therefore, option B is the correct answer. References: Directive 95/46/EC, Directive 2002/58/EC, Breyer v Bundesrepublik Deutschland, Case C-582/14, Dynamic IP Addresses can be Personal Data

Works councils are employee representative bodies that exist in some European countries, such as Germany, France, Spain and Italy. They have various roles and powers depending on the national laws and collective agreements, but generally they aim to protect and promote the interests of the employees in relation to the employer. Some of the common roles of works councils are:

• Determining whether to approve or reject certain decisions of the employer that affect employees, such as transfers, dismissals, redundancies, working hours, health and safety, etc.
• Determining whether employees’ personal data can be processed or not, based on the principle of co-determination, which means that the employer needs the consent of the works council for any data processing that involves employee monitoring, evaluation or control.
• Determining what changes will affect employee working conditions, such as wages, benefits, training, social facilities, etc.

However, works councils do not have the role of determining the monetary fines to be levied against employers for data breach violations of employee data. This is the role of the data protection authorities, which are independent public bodies that supervise, through investigative and corrective powers, the application of the data protection law. Works councils may cooperate with the data protection authorities or file complaints on behalf of the employees, but they do not have the authority to impose sanctions on the employers. References: Free CIPP/E Study Guide, page 27; CIPP/E Certification, page 13.

 A lead supervisory authority (LSA) is the main point of contact for organisations that process personal data across multiple EU member states. The LSA is responsible for coordinating cross-border investigations, issuing binding decisions, and enforcing GDPR compliance1. Cross-border processing is the main concern of the LSA, as it involves data processing activities that affect data subjects in more than one member state, or that take place in more than one member state2. The other options are not the main concern of the LSA, as they are either covered by the national supervisory authorities of each member state, or are not specific to cross-border processing. References: Is it possible to choose your lead supervisory authority under the GDPR?, Art. 56 GDPR – Competence of the lead supervisory authority, Navigating GDPR Compliance with a Lead Supervisory Authority, Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority

Article 58 of the GDPR lists the powers of supervisory authorities in EU member states. Among these powers are the investigative powers, which include the right to access data and information from controllers and processors, as well as to access their premises and equipment. This power enables the supervisory authorities to perform their tasks of monitoring and enforcing the GDPR. The other options are not powers of supervisory authorities under Article 58 of the GDPR. References: Art. 58 GDPR – Powers, Article 58 Powers - GDPR, Article 58 GDPR - GDPRhub

According to the CJEU, the ePrivacy Directive does not define the concept of consent, but refers to the GDPR for its interpretation1. Therefore, the GDPR standard of consent applies to the use of cookies and similar technologies that require consent under the ePrivacy Directive. The GDPR defines consent as any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her2. The CJEU also clarified that the consent requirements apply regardless of whether the cookies constitute personal data or not, as the ePrivacy Directive covers any information stored or accessed on the user’s device1. The other options are incorrect, as the CJEU ruled that pre-checked boxes, implicit consent by scrolling, and insufficient information on the cookies do not meet the GDPR standard of consent1. References:

• Free CIPP/E Study Guide, page 14, section 2.3
• GDPR, Article 4 (11)
• ePrivacy Directive, Article 5 (3)
• Planet49: CJEU Rules on Cookie Consent
• CURIA - List of results

According to the GDPR, consent is one of the six lawful bases for processing personal data, but not the only one. The other five are: contract, legal obligation, vital interests, public task and legitimate interests. Legitimate interests can be invoked by controllers who process personal data for their own benefit or for the benefit of third parties, as long as such processing does not override the rights and freedoms of the data subjects, especially if they are children. The GDPR also recognizes that processing personal data for journalistic purposes or the purposes of academic, artistic or literary expression may be necessary for the exercise of the right to freedom of expression and information, which is a legitimate interest. Therefore, the company may not need to obtain the consent of everyone whose image they use for their documentary, if they can demonstrate that their processing is necessary for the purposes of their journalistic, artistic or literary expression, and that they have taken into account the reasonable expectations of the data subjects and the potential impact on their privacy. The company should also comply with any relevant national laws or codes of conduct that may apply to such processing. References:

• GDPR, Article 6(1)(a)-(f)
• GDPR, Recital 47
• GDPR, Article 85

 The ePrivacy Directive (ePD) and the General Data Protection Regulation (GDPR) are two EU laws that regulate different aspects of personal data processing. The ePD focuses on electronic communications and the use of cookies and similar technologies, while the GDPR covers the broader principles and rights of data protection. Both laws apply to any organization that processes personal data of individuals in the EU, regardless of where the organization is located.

Option D involves both electronic communication and personal data processing, and therefore requires compliance with both ePD and GDPR. Paying a search engine company to give prominence to certain products and services within specific search results implies the use of cookies or similar technologies to track the online behavior of users and target them with personalized ads. This requires the consent of the users under the ePD, as well as the provision of clear and comprehensive information about the purpose and scope of the data processing. Moreover, the organization must comply with the GDPR requirements for data protection by design and by default, data minimization, data security, data subject rights, and accountability.

Option A only involves the use of cookies or similar technologies, and therefore only requires compliance with the ePD. Creating an untargeted pop-up ad on a website does not involve the processing of personal data, as the ad is not based on the online behavior or preferences of the users. However, the organization must still obtain the consent of the users for the use of cookies or similar technologies, and provide them with clear and comprehensive information about the purpose and scope of the data processing.

Option B only involves the processing of personal data, and therefore only requires compliance with the GDPR. Calling a potential customer to notify her of an upcoming product sale involves the collection and use of the customer’s personal data, such as name, phone number, and purchase history. The organization must have a lawful basis for the data processing, such as consent, contract, or legitimate interest, and must respect the data subject rights, such as the right to object, the right to access, and the right to erasure.

Option C only involves the processing of personal data, and therefore only requires compliance with the GDPR. Emailing a customer to announce that his recent order should arrive earlier than expected involves the use of the customer’s personal data, such as name, email address, and order details. The organization must have a lawful basis for the data processing, such as consent, contract, or legitimate interest, and must respect the data subject rights, such as the right to object, the right to access, and the right to erasure. References:

• Free CIPP/E Study Guide, page 15, section 2.3.3
• CIPP/E Certification, page 10, section 1.1.2
• Cipp-e Study guides, Class notes & Summaries, document “CIPP/E Exam Summary 2023”, page 42, section 2.3.3
• ePrivacy: The EU’s other data protection rule
• The New Rules of Data Privacy
• A guide to GDPR data privacy requirements
• A guide to the data protection principles

According to the ePrivacy Directive (2002/58/EC), the use of cookies or similar devices that store or access information on the user’s device requires the user’s consent, unless the cookie is strictly necessary to enable the use of a service requested by the user. For example, a cookie that remembers the items in a shopping cart does not require consent, but a cookie that tracks the user’s browsing behavior for analytics or advertising purposes does. The consent must be freely given, specific, informed, and unambiguous, and can be obtained through appropriate settings of the browser or other application. The consent must also be separate from other consents, such as the consent to the processing of personal data. The categories of data involved or the recipients of the data do not affect the consent requirement for the use of cookies. The consent must also be obtained before the cookie is placed or accessed, unless the cookie is exempted. Therefore, option A is correct.

Option B is incorrect because explicit consent is not required for the use of cookies, unless the cookie also involves the processing of special categories of personal data under the GDPR. However, in this scenario, there is no indication that the cookies collect or process such data. Therefore, option B is incorrect.

Option C is incorrect because the consent requirement for the use of cookies does not depend on the recipients of the data or the level of aggregation of the data. The consent must be obtained from the user whose device is accessed or stored by the cookie, regardless of who receives the data or how it is processed. Therefore, option C is incorrect.

Option D is incorrect because the consent requirement for the use of cookies does not depend on the potential for location tracking. The consent must be obtained for any cookie that is not strictly necessary to enable the use of a service requested by the user, regardless of the type or purpose of the cookie. Therefore, option D is incorrect.

References:

• ePrivacy Directive, Article 5(3)
• GDPR, Article 4(11), Article 7, Article 9
• CIPP/E Study Guide, Chapter 5, Section 5.2.2

According to Article 32 of the GDPR, the controller and the processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing1. The GDPR does not prescribe specific security measures, but rather provides a list of factors to consider when determining the appropriate level of security, such as:

• The state of the art and the costs of implementation;
• The nature, scope, context and purposes of processing;
• The risk of varying likelihood and severity for the rights and freedoms of natural persons.

Therefore, the level of security required by the GDPR is not absolute, but relative to the specific circumstances of each processing activity. The GDPR also encourages the use of codes of conduct and certification mechanisms to demonstrate compliance with the security requirements1.

In the scenario, Natural Insight is a processor who receives customer information from BHealthy, a controller, for the purpose of providing pricing services. Natural Insight has a contractual obligation to implement technical and organisational measures to ensure the security of the data, as well as to comply with the GDPR. Natural Insight’s security obligations are not limited to the measures assessed by BHealthy prior to entering into the contract, nor to the level of security that a reasonable data subject would expect. Rather, Natural Insight must take into account the industry practices for protecting customer contact information and purchase history, as well as the potential risks that may arise from the processing, such as data breaches, identity theft, fraud, or discrimination. Natural Insight must also keep up with the state of the art and the costs of implementation, and adjust its security measures accordingly.

References:

• 4: Art. 32 GDPR Security of processing

According to the European Data Protection Law & Practice textbook, page 326, “the CJEU held that the search engine operator is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.” However, the CJEU also stated that “the operator of the search engine as the person responsible for that processing must, at the latest on the occasion of the erasure from its list of results, disclose to the operator of the web page containing that information the fact that that web page will no longer appear in the search engine’s results following a search made on the basis of the data subject’s name.” Therefore, SearchCo must notify the newspaper that it is delisting the article, as part of its obligation to respect the data subject’s right to be forgotten. References:

• European Data Protection Law & Practice, page 326
• CJEU Judgment in Case C-131/12 Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González, paragraphs 88 and 93

According to the GDPR, personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed1. Therefore, the data storage period of the backup system must be aligned with this principle and reviewed regularly. Moreover, the GDPR requires that when a controller (the company) uses a processor (AWS) to process personal data on its behalf, it must ensure that the processor provides sufficient guarantees to implement appropriate technical and organizational measures to meet the requirements of the GDPR and ensure the protection of the rights of the data subjects2. This is usually done by signing a data processing agreement that sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller3. AWS offers a GDPR-compliant Data Processing Addendum (DPA) that is incorporated into the AWS Service Terms and applies automatically to all customers who require it to comply with the GDPR4. References:

• Free CIPP/E Study Guide, page 24, section 4.2.1
• Free CIPP/E Study Guide, page 25, section 4.3
• GDPR, Article 28
• GDPR - Amazon Web Services (AWS), section “GDPR resources”

The GDPR requires that the information provided to data subjects about the processing of their personal data must be concise, transparent, intelligible and easily accessible, using clear and plain language1. However, this can be challenging when the processing activities are complex, diverse or voluminous. Therefore, a good practice is to use a layered privacy notice, which consists of providing a short notice with the key elements of the privacy information, such as the identity of the controller, the purposes and legal basis of the processing, the recipients of the data, the data subject’s rights, and the contact details of the data protection officer or the supervisory authority. The short notice can then contain links to more detailed information, either by expanding each section or by directing the user to a separate page or document. This way, the user can easily access the information that is most relevant or important to them, without being overwhelmed by a long and complex notice23. A layered privacy notice can be used on websites, in emails, in mobile apps, or in any other medium where space or attention span is limited4. References: 1 Art. 12 GDPR – Transparent information, communication and modalities for the exercise of the rights of the data subject - General Data Protection Regulation (GDPR)2 Layered Notice - International Association of Privacy Professionals3 What methods can we use to provide privacy information? | ICO. 4 Layered Notice - West Virginia.

According to Article 3(1) of the GDPR1, personal data shall be processed in any member state only on the basis of a decision taken at a Union level that is binding for that member state, unless it is derogated from by national law. This means that the GDPR applies to any processing of personal data within the EU, regardless of where the controller or processor is located, as long as it is based on a decision made at a Union level that is binding for that member state.

Therefore, option B would most likely trigger the extraterritorial effect of the GDPR, as it involves personal data of EU citizens being processed by a controller or processor based outside the EU, which may be subject to a decision made at a Union level that is binding for that member state.

Option A would not trigger the extraterritorial effect of the GDPR, as it involves monitoring suspected terrorists, which is not considered processing under Article 4(1) and (2) of the GDPR1. Monitoring may fall under other legal frameworks, such as national security or counter-terrorism laws.

Option C would not trigger the extraterritorial effect of the GDPR, as it involves monitoring EU citizens outside the EU by non-EU law enforcement bodies, which may not be subject to any decision made at a Union level that is binding for that member state.

Option D would not trigger the extraterritorial effect of the GDPR, as it involves processing personal data of EU residents by a non-EU business that targets EU customers, which may not be subject to any decision made at a Union level that is binding for that member state.

References: 1: Free CIPP/E Study Guide - International Association of Privacy Professionals.

According to the GDPR, the territorial scope of the regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behavior as far as their behavior takes place within the Union1. In this scenario, Who-R-U is not established in the Union, but it is collecting location information of its Canadian customers who use the app while traveling abroad, including in the EU. This constitutes monitoring of their behavior within the Union, and therefore triggers the application of the GDPR. The other options are not correct because: (A) Who-R-U does not have any establishment in the Union, as the naming-rights deal does not involve any technology or infrastructure; (B) Who-R-U is not offering goods or services to data subjects in the Union, as it only targets Canadian customers and blocks internet traffic from outside of Canada; © Who-R-U is not engaging in commercial activities conducted in the Union, as it only accepts Canadian currency and does not process orders that request the DNA report to be sent outside of Canada. References: 1: Article 3(2) of the GDPR; Free CIPP/E Study Guide, page 11.

Section: (none)

Explanation

Online Behavioural Advertising (OBA) means the collection of data from a particular computer or device regarding web viewing behaviours over time and across multiple web domains not under Common Control for the purpose of using such data to predict web user preferences or interests to deliver online advertising to that particular computer or device based on the preferences or interests inferred from such web viewing behaviours1. OBA is subject to the EU law on consent to the processing of personal data, which requires a clear affirmative action by the data subject indicating his or her agreement to the processing2. The consent must be freely given, specific, informed and unambiguous, and it can be withdrawn at any time2. The consent must also be obtained prior to the collection and use of data for OBA purposes3. Therefore, Brady Box’s OBA practice is most likely to be

This is not a common characteristic of cloud-computing services, as the supplier usually does not assume the vendor’s business risk. In fact, the supplier often limits its liability for data breaches or losses, and the vendor remains responsible for complying with data protection laws and regulations. The other options are common characteristics of cloud-computing services, as they reflect the nature of cloud computing as a flexible, scalable, and cost-effective way of processing data, but also pose challenges for data protection and security. References:

• Free CIPP/E Study Guide, page 17, section 2.3.2
• CIPP/E Certification, page 12, section 2.3.2
• Cipp-e Study guides, Class notes & Summaries, page 23, section 2.3.2

The “soft opt-in” rule is an exception to the general requirement of obtaining consent before sending electronic mail marketing to individuals. It applies when the following conditions are met12:

• the sender has obtained the contact details of the recipient in the context of the sale or negotiations for the sale of a product or service to that recipient;
• the sender only sends direct marketing relating to its own similar products or services; and
• the recipient has been given a simple opportunity to refuse or opt out of the marketing, both when the details were initially collected and in every subsequent message.

The option B matches these conditions, as it implies that the individual has shown an interest in buying a product from the sender, and that the sender can use the individual’s details to send marketing about similar products, as long as the individual can easily opt out. The other options do not qualify for the “soft opt-in” rule, as they either involve no consent, no prior relationship, or no opt-out mechanism. References: Electronic mail marketing | ICO, Direct marketing rules and exceptions under the GDPR

 This is not a valid set of standard contractual clauses because it does not correspond to any of the decisions adopted by the European Commission under the GDPR or the previous Data Protection Directive 95/46. The correct decision for EU processor to non-EU or EEA controller is Decision 2010/87/EU, which was amended by Decision 2004/915/EC. Decision 2007/72/EC is actually related to the recognition of the adequacy of the protection of personal data in Switzerland. References:

• Free CIPP/E Study Guide, page 18, section 3.4.2
• Standard contractual clauses for international transfers, section 1.1
• Standard Contractual Clauses (SCC), section 2.1
• Decision 2007/72/EC

The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not (Article 3(1)). The GDPR also applies to the processing of personal data of data subjects who are in the EU by a controller or a processor not established in the EU, where the processing activities are related to the offering of goods or services to such data subjects in the EU, or the monitoring of their behaviour as far as their behaviour takes place within the EU (Article 3(2)). Therefore, the GDPR would apply to the following entities:

• A South American company that regularly collects European customers’ personal data, as it is offering goods or services to data subjects in the EU.
• A company that stores all customer data in Australia and is headquartered in a European Union (EU) member state, as it has an establishment in the EU.
• A Chinese company that has opened a satellite office in a European Union (EU) member state to service European customers, as it has an establishment in the EU and is offering goods or services to data subjects in the EU.

The GDPR would not apply to the following entity:

• A North American company servicing customers in South Africa that uses a cloud storage system made by a European company, as it does not have an establishment in the EU, nor is it offering goods or services to data subjects in the EU, nor is it monitoring their behaviour within the EU. The fact that it uses a cloud storage system made by a European company does not trigger the application of the GDPR, unless the cloud provider is also processing personal data on behalf of the North American company in the context of its activities in the EU.

References: Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) - version adopted after public consultation, Art. 3 GDPR – Territorial scope - General Data Protection Regulation (GDPR)

According to Article 17 of the GDPR, the data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller has the obligation to erase personal data without undue delay where one of the following grounds applies: (a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (b) the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing; © the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2); (d) the personal data have been unlawfully processed; (e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; (f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1). However, Article 17(3) provides that the right to erasure does not apply to the extent that processing is necessary for exercising the right of freedom of expression and information. Therefore, this would not be a valid ground for data subject delisting requests. References:

Article 17 of the GDPR

EDPB Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR (part 1)

According to Article 46(2)© of the GDPR, standard contractual clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2) can be used as a legal basis for data transfers to third countries12. This means that, in addition to the European Commission, national data protection authorities can adopt standard contractual clauses, provided that they meet the conditions and requirements set out in the GDPR and obtain the approval of the Commission. The other options are not correct, as approved data controllers, the Council of the European Union and the European Data Protection Supervisor do not have the power to adopt standard contractual clauses under the GDPR. References: CIPP/E Certification - International Association of Privacy Professionals, Free CIPP/E Study Guide - International Association of Privacy Professionals, GDPR - EUR-Lex, Standard Contractual Clauses (SCC) - European Commission

I hope this helps. If you have any other questions, please let me know. ?.