CIPP-E Certified Information Privacy Professional/Europe (CIPP/E) Questions and Answers

Article 9 of the GDPR outlines strict conditions for processing special categories of personal data, which includes data revealing racial or ethnic origin. While options B, C, and D might seem relevant, they don't fully align with the core purpose of MagicAI's data collection.

Here's why option A is the most appropriate:

Scientific Research: MagicAI aims to improve the accuracy and fairness of its AI system by understanding how it performs across different ethnicities, nationalities, and genders. This directly ties into scientific research aimed at improving healthcare and reducing bias in medical technology.

It's important to note that even with "scientific research" as the legal basis, MagicAI must still adhere to strict safeguards, such as:

Data Minimization: Collecting only the data absolutely necessary for the research.

Purpose Limitation: Using the data solely for the defined scientific purpose.

Appropriate Security Measures: Protecting the data against unauthorized access or disclosure.

Ethical Review: Ideally, obtaining ethical approval for the research project.

References:

GDPR Article 9 - Processing of special categories of personal data

GDPR Recital 159 - Conditions for processing special categories of data for scientific research purposes

IAPP CIPP/E textbook, Chapter 2: Key Data Protection Principles (specifically, sections on special categories of data)

The ECHR and the CJEU are part of two different legal systems: the Council of Europe and the European Union, respectively. The ECHR is a treaty that guarantees human rights and fundamental freedoms to individuals within the jurisdiction of its 47 member states. The CJEU is the judicial branch of the EU that ensures the uniform interpretation and application of EU law within its 27 member states. The ECHR can only hear complaints from individuals or states alleging violations of the rights enshrined in the convention, and it can only issue judgments that are binding on the respondent state. The CJEU, on the other hand, can hear cases from individuals, states, EU institutions, or national courts on any matter of EU law, and it can issue rulings that are binding on all EU member states and institutions. The CJEU can also impose sanctions or penalties on states that fail to comply with its judgments or EU law in general. Therefore, the CJEU has more power and authority to enforce EU law than the ECHR has to enforce human rights law. References: CIPP/E Certification, ECHR and the CJEU, The UK, the EU and a British Bill of Rights

 According to the GDPR, the lead supervisory authority is the supervisory authority with the primary responsibility for dealing with a cross-border processing activity, for example when a data subject makes a complaint about the processing of his or her personal data. The lead supervisory authority is determined according to the location of the main establishment or the single establishment of the controller or processor in the EU. The main establishment is the place where the decisions about the purposes and means of the processing are taken, or where the controller has its central administration in the EU. The single establishment is the only place where the controller or processor is established in the EU. Therefore, in this scenario, T-Craze’s lead supervisory authority is Germany, because that is where T-Craze is headquartered and where it has its main product-design office, which implies that the decisions about the processing of personal data are taken there. The other options are not correct, because the location of the processing, the market or the affiliates are not relevant for determining the lead supervisory authority. References: Free CIPP/E Study Guide, page 39; CIPP/E Certification, page 19; GDPR, Article 4(16), Article 4(22), Article 56, Recital 36.

 According to the EDPB guidelines on the concepts of controller and processor in the GDPR1, joint controllers are entities that jointly determine the purposes and means of the processing of personal data. Joint controllership can result from a common decision or from converging decisions that are necessary for the processing to take place. Joint controllers must have a transparent arrangement that sets out their respective roles and responsibilities, and must ensure that individuals can exercise their rights against each controller. In this scenario, Gellcoat and Freifish are joint controllers with respect to the personal data related to the event, because they both decided to share data from their client databases, to come up with a list of people to invite, to agree on the content of the invitations, and to build an app to gather feedback. These decisions are joint and inseparable, and they have a tangible impact on the determination of the purposes and means of the processing. However, Gellcoat and Freifish are separate controllers for their other purposes, such as maintaining their own client databases, marketing their own products, or complying with their own legal obligations. These purposes are independent and separate from the joint purpose of organizing the event. Therefore, option A is the correct answer. Option B is incorrect because joint controllership does not depend on the merging of databases or the ownership of data, but on the joint determination of purposes and means. Option C is incorrect because joint controllership does not require a written designation in a contract, but can be inferred from the factual circumstances. Option D is incorrect because separate controllers and processors have different roles and responsibilities under the GDPR, and Gellcoat and Freifish do not act as processors for each other. References:

Guidelines 07/2020 on the concepts of controller and processor in the GDPR

What does it mean if you are joint controllers?

What’s New in the EDPB’s Draft Guidelines on Controllers and Processors under the GDPR

According to Article 82 of the GDPR1, any person who has suffered material or non-material damage as a result of an infringement of the GDPR shall have the right to receive compensation from the controller or processor for the damage suffered. Any controller involved in processing shall be liable for the damage caused by processing which infringes the GDPR. Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject. Therefore, Javier can sue any one of the EVETFIT branches that were involved in processing his personal data without his consent and in violation of his rights, and he can claim full compensation from that branch. The branch that pays the compensation can then claim back from the other branches involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage. References: 1 Art. 82 GDPR – Right to compensation and liability - General Data Protection Regulation (GDPR)

According to the Free CIPP/E Study Guide, page 12, “the GDPR requires data controllers to implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR. These measures should take into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.” The GDPR also requires data controllers to ensure the security of personal data, to notify data breaches to the supervisory authorities and data subjects, and to cooperate with the supervisory authorities in providing any information necessary for the performance of their tasks. Therefore, the GDPR requirement that data controllers must be in control of the data they hold at all times will present the most significant challenges for organizations with BYOD programs, as they will have to deal with the increased risks of data loss, theft, unauthorized access, or misuse that may arise from the use of personal devices by employees or contractors. The other options are not necessarily more challenging for organizations with BYOD programs, although they may involve other obligations under the GDPR, such as obtaining a valid legal basis, providing adequate safeguards, or informing the data subjects. References:

Free CIPP/E Study Guide, page 12

GDPR, Articles 24, 25, 28, 32, 33, 34 and 58

According to Article 28(2) of the GDPR, the processor may not engage another processor (sub-processor) without the prior specific or general written authorization of the controller. In the case of general written authorization, the processor must inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes. Furthermore, Article 28(4) of the GDPR states that where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR. Therefore, the processor must ensure that the sub-processor complies with data processing obligations that are equivalent to those that apply to the processor. References:

Article 28 of the GDPR

European Data Protection Law & Practice textbook, Chapter 6: Data Processing Obligations, Section 6.3: Processor Obligations, Subsection 6.3.2: Sub-processors

The GDPR defines data concerning health as a special category of personal data that is subject to specific processing conditions and safeguards. The GDPR prohibits the processing of such data unless one of the exceptions in Article 9 applies. One of these exceptions is the explicit consent of the data subject, which means that the data subject has given a clear and affirmative indication of their agreement to the processing of their health data. Another exception is when the processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care. A third exception is when the processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services. These exceptions are based on the principle of necessity, which means that the processing must be strictly necessary for a specific purpose and cannot be achieved by other means.

In the given scenario, the journalist does not fall under any of these exceptions. The journalist is not a health professional, a public authority, or a person who has obtained the explicit consent of the data subject. The journalist is not processing the data for any legitimate purpose related to public health, medical care, or social protection. The journalist is merely pursuing their own interest in publishing a story that may or may not be in the public interest. The journalist is not respecting the data subject’s rights and freedoms, especially their right to privacy and confidentiality. Therefore, the journalist would be least likely to be allowed to engage in the collection, use, and disclosure of the data subject’s sensitive medical information without their knowledge or consent. References:

Article 4 (15) and Article 9 of the GDPR

Health data | ICO

What does the GDPR mean for personal data in medical reports?

Sensitive data and medical confidentiality - FutureLearn

Health data and data privacy: storing sensitive data under GDPR

 The ePrivacy Directive is a European Union (EU) directive that aims to protect the confidentiality of electronic communications and prevent their indiscriminate interception or monitoring. It was adopted in 2002 and amended in 2009. It applies to all providers of electronic communication services, such as internet service providers, mobile network operators, and online platforms12.

One of the main objectives of the ePrivacy Directive is to ensure that the retention of communications traffic data for law enforcement purposes is subject to strict conditions and safeguards. Communications traffic data refers to any information relating to the transmission or routing of electronic communications, such as IP addresses, timestamps, and metadata3. Such data can be used by competent national authorities for the prevention, investigation, detection or prosecution of criminal offences and safeguarding national security4.

However, the ePrivacy Directive does not allow individual EU member states to engage in such data retention without harmonizing their rules. Article 6(1)(b) of the directive states that “Member States shall ensure that any measures taken by them in relation to the retention of traffic data are consistent with this Directive”. Therefore, each EU member state must adopt a national law that complies with the requirements and limitations set by the directive12.

The Data Retention Directive (DRD) was a previous EU directive that aimed to establish a common framework for the retention of communications traffic data for law enforcement purposes across all EU member states. It was adopted in 2006 and amended in 2010. However, it was annulled by the Court of Justice of the European Union (CJEU) in 2014 on procedural grounds. The CJEU found that some provisions of the DRD were inconsistent with other EU directives and principles, such as Article 8(2) of the Charter of Fundamental Rights (CFR), which protects individuals from arbitrary interference with their privacy56.

The GDPR is a new EU regulation that implements some aspects of the DRD into national law through its provisions on processing personal data. However, it does not address directly the issue of communications traffic data retention for law enforcement purposes. Instead, it requires providers to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk involved in processing personal data. These measures include encryption, pseudonymisation, access control, and accountability7 . The GDPR also grants individuals certain rights regarding their personal data, such as access, rectification, erasure, portability, and objection7 .

Therefore, under current EU law, there is no single legal basis for retaining communications traffic data for law enforcement purposes across all EU member states. Each member state must adopt its own national law that respects the principles and limitations established by the ePrivacy Directive.

References:

ePrivacy Directive

ePrivacy Regulation

What is Communications Traffic Data?

How is Communications Traffic Data Retained?

Data Retention Directive

Data Retention Directive annulled by CJEU

General Data Protection Regulation

What are your rights regarding your personal data?

According to Article 21 of the GDPR, the data subject has the right to object at any time to the processing of his or her personal data for direct marketing purposes, which includes profiling related to such marketing. When the data subject exercises this right, the controller must stop processing the personal data for that purpose, unless it can demonstrate compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims. The controller must also inform the data subject of this right before the first communication with him or her, and in a clear and separate manner from other information. The controller must also provide the data subject with a simple and effective way to opt out of receiving direct marketing communications, such as an unsubscribe link or a STOP text message. The controller must respect the data subject’s choice and refrain from sending any further direct marketing messages of the relevant type (e.g., email, phone, post, etc.) to the data subject, unless he or she opts in again. The controller does not need to delete the personal data of the data subject who opts out, unless the data subject also requests the erasure of his or her data under Article 17 of the GDPR, or the data is no longer necessary for the purposes for which it was collected or processed. The controller may also retain some minimal information about the data subject (such as name and email address) to ensure that his or her opt-out request is honored and that he or she is not contacted again for direct marketing purposes. The controller must also ensure that any third parties to whom it has disclosed the personal data of the data subject for direct marketing purposes are informed of the opt-out request and comply with it, unless this proves impossible or involves disproportionate effort. References: Direct marketing rules and exceptions under the GDPR, Direct marketing and privacy and electronic communications, Marketing and advertising: the law: Direct marketing, Direct Marketing - What you need to know about direct marketing

The “soft opt-in” rule is an exception to the general requirement of obtaining consent before sending electronic mail marketing to individuals. It applies when the following conditions are met12:

the sender has obtained the contact details of the recipient in the context of the sale or negotiations for the sale of a product or service to that recipient;

the sender only sends direct marketing relating to its own similar products or services; and

the recipient has been given a simple opportunity to refuse or opt out of the marketing, both when the details were initially collected and in every subsequent message.

The option B matches these conditions, as it implies that the individual has shown an interest in buying a product from the sender, and that the sender can use the individual’s details to send marketing about similar products, as long as the individual can easily opt out. The other options do not qualify for the “soft opt-in” rule, as they either involve no consent, no prior relationship, or no opt-out mechanism. References: Electronic mail marketing | ICO, Direct marketing rules and exceptions under the GDPR

Article 80(1) of the GDPR states that the data subject shall have the right to mandate a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf, to exercise the rights referred to in Articles 77, 78 and 79 on his or her behalf, and to exercise the right to receive compensation referred to in Article 82 on his or her behalf1. These not-for-profit bodies, organisations or associations are commonly referred to as civil society organizations, as they represent the interests of citizens and groups in the public sphere2. The other options are not correct because: (A) Law firm organizations are not necessarily not-for-profit or active in the field of data protection; © Human rights organizations are a subset of civil society organizations, but not all civil society organizations are focused on human rights; (D) Constitutional rights organizations are also a subset of civil society organizations, but not all civil society organizations are concerned with constitutional rights. References: 1: Article 80(1) of the GDPR; 2: Free CIPP/E Study Guide, page 48.

According to Article 45 of the GDPR, the European Commission has the power to determine, on the basis of an assessment, whether a non-EU country, a territory or a sector within that country, or an international organisation ensures an adequate level of data protection. This means that the data protection rules and standards in that country or organisation are equivalent to those in the EU. The effect of an adequacy decision is that personal data can flow freely from the EU to that country or organisation without any further safeguards or authorisations. The European Commission has adopted adequacy decisions for several countries and organisations, such as Japan, Canada, and the EU-US Data Privacy Framework. References: Data protection adequacy for non-EU countries, Adequate Level of Protection

Ben’s collection of additional data from customers, especially sensitive data such as philosophical beliefs and political opinions, created several potential issues for the company, such as:

The risk of violating the data minimization principle, which requires that personal data collected must be adequate, relevant and limited to what is necessary for the purposes of the processing1.

The risk of infringing the rights and freedoms of the data subjects, who may not be aware of or consent to the secondary use of their data by Ben Knows Best, or the unauthorized access and copying of their data by Sam.

The risk of non-compliance with the GDPR’s requirements for processing special categories of data, which include data revealing philosophical beliefs and political opinions. Such data can only be processed under certain conditions, such as explicit consent, substantial public interest, or legal claims2.

The risk of data breaches or losses, as the data is transferred to a separate database, copied by Sam, and stored on the company’s servers in Vermont, which may not have adequate security measures or safeguards.

Therefore, the company would most likely require a data protection impact assessment (DPIA) to identify and mitigate these risks. A DPIA is a process that helps assess the impact of the envisaged processing operations on the protection of personal data, and consult with the supervisory authority if the DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk3. The other options are not necessarily required by the GDPR, although they may be good practices or contractual terms. References:

Free CIPP/E Study Guide, page 32, section 4.1.2

CIPP/E Certification, page 27, section 4.1.2

The Ultimate CIPP/E Study Guide for 2023, page 36, section 4.1.2

Principles - General Data Protection Regulation (GDPR), Article 5

Special categories of personal data - General Data Protection Regulation (GDPR), Article 9

Data protection impact assessment - General Data Protection Regulation (GDPR), Article 35

The Customer for Life plan may conflict with Article 7 of the GDPR, which states that “the data subject shall have the right to withdraw his or her consent at any time” and that “it shall be as easy to withdraw as to give consent” 1. The plan violates this principle by stating that customers agree not to withdraw direct marketing consent and that the company can ignore any attempts to do so. This is not a valid way of obtaining or maintaining consent, as consent must be freely given, specific, informed and unambiguous 2. Moreover, the plan may also conflict with Article 21 of the GDPR, which gives data subjects the right to object to direct marketing at any time 3. References: 1: Article 7(3) of the GDPR 2: Article 4(11) of the GDPR 3: Article 21(2) of the GDPR

I hope this helps. If you have any other questions, please feel free to ask. ????

Before Anna determines whether Frank’s performance database is permissible, she needs to know more information about the following aspects of the data processing:

The purpose and legal basis of the data processing, which should be clearly defined and documented in a data protection impact assessment (DPIA) or a similar document12.

The nature and extent of the personal data involved, which should be limited to what is necessary for the purpose and not retained longer than necessary12.

The measures taken to ensure the security and confidentiality of the personal data, such as encryption, pseudonymization, access control, etc12.

The rights and interests of the data subjects, such as their right to access, rectify, erase or restrict their personal data, as well as their right to object or withdraw consent12.

The potential risks and consequences of the data processing for the rights and freedoms of the data subjects, such as identity theft, discrimination, reputational damage, etc12.

In this case, Anna needs to know more information about what students have been told and how the research will be used. This is because:

The purpose of using student records for research purposes is not clear from Frank’s description. He does not specify whether he has obtained consent from the students or their parents/guardians, or whether he has informed them about his research objectives and methods.

The nature and extent of using student records for research purposes is not clear from Frank’s description. He does not specify which student records he is using (e.g., by name or by reference number), how many records he is using (e.g., by cohort or by class), or how long he will keep them (e.g., until graduation or indefinitely).

The measures taken to ensure the security and confidentiality of using student records for research purposes are not clear from Frank’s description. He does not specify whether he has encrypted his program or his laptop before transferring it to his home device, whether he has backed up his program or his laptop before losing it on the train, or whether he has reported his lost laptop to his IT department.

Therefore, Anna needs more information about these aspects before she can determine whether Frank’s performance database is permissible under the GDPR.

References: 1: Free CIPP/E Study Guide - International Association of Privacy Professionals 2: CIPP/E Certification - International Association of Privacy Professionals

 The Privacy and Electronic Communications Regulations (PECR) are derived from the e-privacy Directive 2002/58/EC, which aims to protect the privacy and confidentiality of users of electronic communications services. The PECR cover various aspects of electronic marketing, such as the use of cookies, unsolicited communications, and traffic and location data. According to the PECR, the following marketing-related activities require the consent of the user or subscriber, unless certain exemptions apply:

The use of cookies or similar technologies to store or access information on the user’s device (Regulation 6).

The sending of electronic mail for direct marketing purposes to individual subscribers who have not given their prior consent (Regulation 22).

The making of unsolicited calls for direct marketing purposes to individual subscribers who have registered their number with the Telephone Preference Service or who have objected to such calls from a specific caller (Regulation 21).

The sending of unsolicited communications for direct marketing purposes by means of electronic mail, fax, or automated calling systems to corporate subscribers, unless they have indicated that they do not wish to receive such communications (Regulation 23).

Therefore, among the four options, the one that is least likely to be covered by the provisions of the PECR is the advertisements passively displayed on a website, as they do not involve the use of cookies, the sending of unsolicited communications, or the processing of traffic or location data. However, such advertisements may still be subject to other data protection laws, such as the GDPR, if they involve the processing of personal data of the users.

References:

PECR

e-privacy Directive

ICO guide to PECR

The European model for data protection is best described as comprehensive, because it covers all sectors and types of data processing, and applies to any organization that targets or collects data related to people in the EU. The GDPR is the main legal instrument of this model, and it establishes a set of principles, rights, and obligations for data protection, as well as a harmonized framework for enforcement and cooperation among EU member states and data protection authorities. The GDPR also aims to ensure consistency with other EU laws and policies, such as the ePrivacy Directive, the Charter of Fundamental Rights, and the European Data Strategy. The European model for data protection is based on the recognition of data protection as a fundamental right and a public interest, and it reflects the EU’s values and objectives of promoting human dignity, democracy, and the rule of law. References:

Data protection in the EU, section “Legislation”

What is GDPR, the EU’s new data protection law?, section “What is the GDPR?”

European Data Protection, Third Edition, page 1, section “Introduction”

European Data Protection: Law and Practice, page 1, section “Introduction”

The General Data Protection Regulation (GDPR) does not prohibit surveillance of employees in the workplace. Still, it requires employers to follow special rules to ensure that the rights and freedoms of employees are protected when processing their personal data. The GDPR applies to any processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not. The GDPR also applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to the offering of goods or services to data subjects in the EU or the monitoring of their behaviour as far as their behaviour takes place within the EU.

The GDPR requires that any processing of personal data must be lawful, fair and transparent, and based on one of the six legal grounds specified in the regulation. The most relevant legal grounds for employee surveillance are the legitimate interests of the employer, the performance of a contract with the employee, or the compliance with a legal obligation. The GDPR also requires that any processing of personal data must be limited to what is necessary for the purposes for which they are processed, and that the data subjects must be informed of the purposes and the legal basis of the processing, as well as their rights and the safeguards in place to protect their data.

The GDPR also imposes specific obligations and restrictions on the processing of special categories of personal data, such as biometric data, which reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or which are processed for the purpose of uniquely identifying a natural person. The processing of such data is prohibited, unless one of the ten exceptions listed in the regulation applies. The most relevant exceptions for employee surveillance are the explicit consent of the data subject, the necessity for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, or the necessity for reasons of substantial public interest.

The GDPR also sets out the rules and requirements for the transfer of personal data to third countries or international organisations, which do not ensure an adequate level of data protection. The transfer of such data is only allowed if the controller or processor has provided appropriate safeguards, such as binding corporate rules, standard contractual clauses, codes of conduct or certification mechanisms, and if the data subjects have enforceable rights and effective legal remedies.

Based on the scenario, the main problem with the 24/7 camera monitoring is that it has no valid legal basis to be implemented in the context of Gentle Hedgehog’s business. This option is the most consistent with the GDPR’s principles and requirements, as it:

Is not based on a valid legal ground for the processing of personal data, as it does not rely on the legitimate interests of the employer, the performance of a contract with the employee, or the compliance with a legal obligation. The legitimate interests of the employer to ensure the productivity, quality and security of the work performed by the employees must be balanced with the rights and freedoms of the employees, and the 24/7 camera monitoring is likely to be disproportionate and intrusive, especially if it covers non-work-related activities and communications. The performance of a contract with the employee does not justify the 24/7 camera monitoring, as it is not necessary for the fulfilment of the contractual obligations of the employee or the employer. The compliance with a legal obligation does not apply to the 24/7 camera monitoring, as there is no specific law or regulation that requires such a measure in the context of Gentle Hedgehog’s business.

Is not limited to what is necessary for the purposes of the monitoring, as it involves the collection and processing of excessive and irrelevant personal data, such as camera and microphone monitoring, which go beyond the scope of the work performed by the employees, and intrude into their private or personal sphere. The 24/7 camera monitoring is also likely to capture personal data of third parties, such as customers, suppliers or visitors, whose consent is required for the monitoring, and whose rights and freedoms may be affected by the processing.

Is not transparent to the employees, as it does not inform them of the monitoring and its precise scope, and does not give them the opportunity to object or opt out of the monitoring. The monitoring is invisible by default, which means that the employees are not aware of when and how they are being monitored, and what personal data are being collected and processed. The so-called Transparent Mode, which regularly and conspicuously notifies all users about the monitoring and its precise scope, is also insufficient, as it does not provide the employees with a clear and comprehensive information notice, nor with a valid and specific consent form, as required by the GDPR.

Involves the processing of special categories of personal data, such as biometric data or data revealing political opinions or trade union membership, which are not necessary or proportionate for the purposes of the monitoring, and which do not fall under any of the exceptions listed in the regulation. The facial recognition technology used by the monitoring system is a form of biometric data processing, which is prohibited by the GDPR, unless the data subject has given explicit consent, or the processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, or the processing is necessary for reasons of substantial public interest. None of these exceptions apply to the scenario, as the facial recognition technology is not used for any of these purposes, but rather for verifying the identity of the employees each time they log in. The camera and microphone monitoring may also capture personal data revealing political opinions or trade union membership, which are also special categories of personal data, and which are not relevant or proportionate for the purposes of the monitoring.

Involves the transfer of personal data to a third country, such as China, which does not provide an adequate level of data protection, and which may pose additional risks for the rights and freedoms of the employees. The monitoring data, including the facial recognition data, are securely stored in Microsoft Azure cloud servers operated by Sauron Eye, which are physically located in France. However, Sauron Eye is a Chinese vendor of employee surveillance software, whose European headquarters is in Germany. This means that the monitoring data may be accessed or transferred by Sauron Eye to its parent company or other affiliates in China, which is a third country that does not ensure an adequate level of data protection, according to the European Commission. The transfer of personal data to China is only allowed if the controller or processor has provided appropriate safeguards, such as binding corporate rules, standard contractual clauses, codes of conduct or certification mechanisms, and if the data subjects have enforceable rights and effective legal remedies. However, the scenario does not indicate that any of these safeguards or remedies are in place, and therefore the transfer of personal data to China may violate the GDPR.

The other options listed in the question are not the main problem with the 24/7 camera monitoring, as they:

Are not directly related to the GDPR’s principles and requirements, but rather to the national laws and regulations of the member states, which may vary depending on the specific context and circumstances of the monitoring. The GDPR does not specify a precise time limit for the operation of the camera monitoring, but leaves it to the national laws and regulations of the member states to determine the appropriate conditions and safeguards for the monitoring, taking into account the nature, scope, context and purposes of the processing, as well as the risks for the rights and freedoms of data subjects. The GDPR also does not require the approval of the trade union or the license from the national DPA for the camera monitoring, but leaves it to the national laws and regulations of the member states to establish the appropriate procedures and mechanisms for the consultation and involvement of the relevant stakeholders, such as the employees, the trade unions, the works councils, the DPAs or the courts.

Are not the main problem with the 24/7 camera monitoring, but rather the consequences or the implications of the main problem, which is the lack of a valid legal basis for the monitoring. The operation of the camera monitoring during non-business hours and employee holidays, or the accidental filming of third parties whose consent is required for the monitoring, are not the main problem, but rather the result of the main problem, which is the excessive and disproportionate collection and processing of personal data, which go beyond the scope of the work performed by the employees, and intrude into their private or personal sphere. The approval of the trade union or the license from the national DPA are not the main problem, but rather the potential solutions or remedies for the main problem, which is the absence of transparency and accountability for the monitoring, which do not inform the employees of the monitoring and its precise scope, and do not give them the opportunity to object or opt out of the monitoring.

References:

GDPR, Articles 5, 6, 7, 8, 9, 10, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 44, 45, 46, 47, 48, and 49.

EDPB Guidelines 3/2019 on processing of personal data through video devices, pages 5, 6, 7, 8, 9, 10, 11, 12, 13, and 14.

[EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR]

According to the EDPB Guidelines 01/2021 on Examples regarding Personal Data Breach Notification, a confidentiality breach occurs when personal data is disclosed or made available to unauthorized persons. This is the case when exfiltration of job application data from a website results in personal information being accessible to unauthorized persons, such as hackers or competitors. This type of breach may pose a high risk to the rights and freedoms of the data subjects, as it may lead to identity theft, fraud, discrimination, or reputational damage. Therefore, the data controller should notify the data subjects without undue delay, unless the data is encrypted or anonymized, or the controller has taken subsequent measures to ensure that the high risk is no longer likely to materialize.

References: EDPB Guidelines 01/2021 on Examples regarding Personal Data Breach Notification, page 151; CIPP/E Textbook, page 136.

cloud computing services are defined as the on-demand availability of computing resources (such as storage and infrastructure), as services over the internet. Cloud computing services share certain characteristics, such as on-demand self-service, broad network access, resource pooling, rapid elasticity, measured service, multi-tenancy, virtualization, resilient computing, flexible pricing models, security, automation, and sustainability234.

One of the characteristics that is not recognized as a common characteristic of cloud computing services is that the supplier assumes the vendor’s business risk associated with data processed by the supplier. This is not a characteristic of cloud computing services, but rather a contractual or legal issue that depends on the agreement between the supplier and the vendor. The supplier and the vendor may have different roles and responsibilities regarding the data processed by the supplier, such as controller, processor, or sub-processor, and they may have different obligations and liabilities under the applicable data protection laws, such as the GDPR. Therefore, the supplier does not necessarily assume the vendor’s business risk associated with data processed by the supplier, unless it is explicitly agreed by the parties or required by the law.

A DPIA is not a one-time activity. While it's crucial to conduct a DPIA before implementing a new system that processes personal data (like the fingerprint system), the GDPR requires organizations to review and update their DPIAs periodically, especially when there are changes that might affect the risk to data subjects.

Here's why the other options are incorrect:

A. After the complaint of the supporter: While a complaint might trigger a review of the processing, the DPIA should have been done proactively before any issues arose.

C. At the end of every match of the season: This frequency is excessive and doesn't align with the idea of assessing risks when changes occur.

D. After the AEPD notification of the investigation: Similar to option A, this is reactive rather than proactive.

References:

GDPR Article 35 - Data protection impact assessment

IAPP CIPP/E textbook, Chapter 4: Accountability and Data Governance (specifically, sections on DPIAs and ongoing review)

WP29 Guidelines on Data Protection Impact Assessment (DPIA)

 The GDPR states that the parental consent mechanism generally applies when the child is younger than 16 years1. Processing personal data will be lawful only if the child’s parent or custodian has consented to such processing2. However, Member States are allowed to lower this threshold in national legislation up to 13 years old3. This means that Member States have some choice regarding the age limit for children’s consent, as long as it is not below 13 years. The GDPR also requires that the consent request is clear and understandable for the child, and that the controller makes reasonable efforts to verify that the consent is given or authorised by the holder of parental responsibility4. References: CIPP/E Certification - International Association of Privacy Professionals, Free CIPP/E Study Guide - International Association of Privacy Professionals, GDPR - EUR-Lex, Complying with the GDPR when vulnerable people use smart devices

I hope this helps. If you have any other questions, please let me know. ????.

 A. Consent management and withdrawal.  Article 32 of the GDPR requires the controller and the processor to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing. These measures should take into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the risks of varying likelihood and severity for the rights and freedoms of natural persons. The three domains of security covered by Article 32 are:

Preventative security: This refers to the measures that aim to prevent or reduce the likelihood of security incidents, such as unauthorized or unlawful access, disclosure, alteration, loss or destruction of personal data. Examples of preventative security measures include encryption, pseudonymization, access control, firewalls, antivirus software, etc.

Incident detection and response: This refers to the measures that aim to detect, analyze, contain, eradicate and recover from security incidents, as well as to notify the relevant authorities and data subjects, and to document the facts and actions taken. Examples of incident detection and response measures include security monitoring, logging, auditing, incident response plans, breach notification procedures, etc.

Remedial security: This refers to the measures that aim to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, as well as to mitigate the adverse effects of security incidents on the data subjects. Examples of remedial security measures include backup, disaster recovery, business continuity, compensation, etc.

Consent management and withdrawal is not a domain of security covered by Article 32, but rather a requirement for the lawfulness of processing based on consent under Article 6(1)(a) and Article 7 of the GDPR. Consent management and withdrawal involves obtaining, recording, updating and revoking the consent of data subjects for specific purposes of processing, as well as informing them of their right to withdraw their consent at any time. References: Free CIPP/E Study Guide, page 35; CIPP/E Certification, page 17; GDPR, Article 32, Article 6(1)(a), Article 7.

 Under the GDPR, email marketing requires explicit and unambiguous consent from the recipients, meaning that they must actively agree to receive marketing communications, and the process for obtaining this consent must be clear and transparent. A prior opt-in consent is the most common and reliable way to demonstrate compliance with this requirement, as it involves a positive action from the data subject, such as ticking a box, clicking a button, or filling a form. A pre-checked box, a notice, or an opt-out option are not sufficient to obtain valid consent, as they do not indicate a clear expression of the data subject’s will. However, there is an exception to the consent rule for existing customers, known as the “soft opt-in”. This means that a company can send email marketing messages to its customers without prior consent, if the following conditions are met:

The company obtained the customer’s contact details in the course of a sale or negotiations for a sale of a product or service;

The company only sends marketing messages about its own similar products or services;

The company gives the customer a clear opportunity to opt out of receiving such messages both when first collecting the details and in every subsequent message.

References: GDPR Article 4(11), GDPR Article 6(1)(a), GDPR Article 7, GDPR Recital 32, GDPR Recital 47, GDPR for Marketing: The Definitive Guide for 2023 - SuperOffice, A Guide to GDPR Compliance for Email Marketers in 2023

The EU Artificial Intelligence Act (AI Act) is a proposed regulation that aims to establish harmonised rules on the development and use of artificial intelligence in the EU. The AI Act classifies AI systems according to their level of risk and imposes various requirements and obligations on providers and users of such systems. The AI Act also provides for the enforcement of its rules by national competent authorities and the European Commission. According to Article 71 of the AI Act, the sanctions for non-compliance with the AI Act depend on the type and severity of the infringement. The maximum fine for the most serious infringements, such as placing on the market or putting into service prohibited AI systems, or failing to comply with the data and data governance requirements for high-risk AI systems, is the higher of up to 30 million Euro or up to 6% of the total worldwide annual turnover of the preceding financial year of the legal entity concerned. This is the same level of fine as for the most serious infringements of the General Data Protection Regulation (GDPR).

References:

•EUR-Lex - 52021PC0206 - EN - EUR-Lex1

•European Parliament Adopts Negotiating Position on the AI Act2

A multinational company that is appointing a mandatory data protection officer (DPO) must also consult national derogations to evaluate if there are additional cases to be considered in relation to the matter. According to Article 37 (1) of the GDPR, a DPO must be designated by the controller or the processor in any case where: (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; (b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or © the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences 1. However, Article 37 (4) of the GDPR also allows Member States to provide for additional cases where a DPO must be designated by law 1. Therefore, a multinational company must consult the national laws of the EU jurisdictions in which it operates to ensure that it complies with any additional requirements for appointing a DPO.

The other options are not correct because they are not directly related to the appointment of a DPO. Conducting a Data Protection Privacy Assessment, assessing the number of employees, and revising the data processing activities are all good practices for ensuring compliance with the GDPR, but they are not mandatory actions for designating a DPO. Moreover, the number of employees is not a relevant criterion for appointing a DPO, as the GDPR does not set any threshold based on the size of the organization 2. References: 1: Article 37 of the GDPR 2: Guidelines on Data Protection Officers (‘DPOs’)

 According to Recital 51 of the GDPR, photographs are not automatically considered as biometric data, unless they are processed by a specific technical means that allows the unique identification or authentication of a natural person1. This means that printing employees’ photographs on building passes does not necessarily involve biometric data, as long as the photographs are not used for facial recognition or other similar purposes. The other options are incorrect, as they do not reflect the definition of biometric data or the conditions for processing special categories of personal data under the GDPR2. References:

Recital 51 of the GDPR

ICO guidance on special category data

Reference https://ess.csa.canon.com/rs/206-CLL-191/images/IAPP-Top-10-Operational-Impacts-of- GDPR.pdf?TC=DM &CN=CSA_OMNIA_Partners&CS=CSA&CR=T1_Gov%20GenNonProfit (11)

A risk analysis is a process of identifying, assessing and mitigating the potential threats and vulnerabilities that may affect the personal data processing activities of an organization. A risk analysis is not a one-time activity, but a continuous and dynamic process that requires regular monitoring and updating. A risk analysis is also not a substitute for compliance with the GDPR, but a tool to help ensure compliance by identifying and addressing the legal obligations and best practices.

According to the GDPR, an organization must conduct a data protection impact assessment (DPIA) before starting any new or significantly increased processing activity that may pose a high risk to the rights and freedoms of the data subjects. A DPIA is a systematic and documented process that aims to identify, evaluate and mitigate the risks associated with such processing activities. A DPIA must be carried out by or on behalf of the controller (the person or entity that determines the purposes and means of processing) or by another person acting on their behalf.

In this scenario, Frank is conducting a DPIA for his new processing activity of analyzing his students’ performance data in relation to Department for Education expectations. This processing activity poses a high risk to the rights and freedoms of his students, as it involves collecting, storing, using and transferring their personal data without their explicit consent or knowledge. Therefore, Frank must conduct a DPIA before starting this processing activity.

However, there are some exceptions to this requirement. One of them is when the processing activity involves personal data that are no longer relevant for the original purpose for which they were collected or otherwise processed. In this case, Frank can use existing personal data without conducting a DPIA, as long as he ensures that they are adequate, relevant and limited to what is necessary for his new purpose.

Therefore, in this situation, Anna will find that a risk analysis is NOT necessary in this situation as long as the data subjects are no longer current students of Frank’s. This means that Frank can use his existing student records without conducting a DPIA, as long as he ensures that they are adequate, relevant and limited to what is necessary for his new purpose.

References:

Risks and data protection impact assessments (DPIAs) | ICO

What Are GDPR Risk Assessments and Why Are They Important?

GDPR Compliance Risk Assessment Best Practices | Accountable

Why risk assessments are essential for GDPR compliance

Directive 2002/58/EC, also known as the ePrivacy Directive, regulates the use of electronic communications services within the European Union. It covers issues such as confidentiality of communications, processing of traffic and location data, spam, cookies, and security breaches. It complements and particularises Directive 95/46/EC, also known as the Data Protection Directive, which sets out the general principles for the protection of personal data in the EU. The ePrivacy Directive was amended by Directive 2009/136/EC, which introduced new provisions on consent, cookies, and breach notification. The ePrivacy Directive is currently under review and will be replaced by a new Regulation on Privacy and Electronic Communications (ePrivacy Regulation), which is still being negotiated by the EU institutions. References: Directive 2002/58/EC, Directive 2009/136/EC, [ePrivacy Regulation]

 According to Article 42 of the GDPR, the Commission may approve certification mechanisms, seals and marks for the purpose of demonstrating the existence of appropriate safeguards for personal data transfers to third countries or international organisations. These certification mechanisms, seals and marks are voluntary and transparent, and are issued by accredited certification bodies or by the competent supervisory authorities. They are subject to the general provisions on certification in Articles 42 and 43 of the GDPR. They are intended to enhance the trust of data subjects and facilitate the free flow of personal data within the Union and beyond. They are also subject to periodic review and withdrawal or suspension if the conditions for certification are not or are no longer met. References:

Article 42 of the GDPR

European Data Protection Law & Practice textbook, Chapter 8: Transfers of Personal Data to Third Countries, Section 8.3: Appropriate Safeguards, Subsection 8.3.4: Certification Mechanisms, Seals and Marks

Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation

 According to the GDPR, processors must maintain records of all categories of processing activities carried out on behalf of each controller, containing the following information12:

the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer;

the categories of processing carried out on behalf of each controller;

where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;

where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

The records must be in writing, including in electronic form, and must be made available to the supervisory authority on request. The obligation to maintain records does not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data or personal data relating to criminal convictions and offences.

The GDPR does not require processors to include details of any data protection impact assessment (DPIA) conducted in relation to any processing activities carried out by the processor on behalf of each controller for which the processor is acting. A DPIA is a process to help identify and minimise the data protection risks of a project. It is the responsibility of the controller to carry out a DPIA where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons. The processor may assist the controller in carrying out the DPIA, but the processor does not have to document it in its records of processing activities. Therefore, the correct answer is D. References:

GDPR, Article 30(2)

GDPR, Article 35

ICO, Documentation1

ICO, Data protection impact assessments1

 The ePrivacy Directive (ePD) and the General Data Protection Regulation (GDPR) are two EU laws that regulate different aspects of personal data processing. The ePD focuses on electronic communications and the use of cookies and similar technologies, while the GDPR covers the broader principles and rights of data protection. Both laws apply to any organization that processes personal data of individuals in the EU, regardless of where the organization is located.

Option D involves both electronic communication and personal data processing, and therefore requires compliance with both ePD and GDPR. Paying a search engine company to give prominence to certain products and services within specific search results implies the use of cookies or similar technologies to track the online behavior of users and target them with personalized ads. This requires the consent of the users under the ePD, as well as the provision of clear and comprehensive information about the purpose and scope of the data processing. Moreover, the organization must comply with the GDPR requirements for data protection by design and by default, data minimization, data security, data subject rights, and accountability.

Option A only involves the use of cookies or similar technologies, and therefore only requires compliance with the ePD. Creating an untargeted pop-up ad on a website does not involve the processing of personal data, as the ad is not based on the online behavior or preferences of the users. However, the organization must still obtain the consent of the users for the use of cookies or similar technologies, and provide them with clear and comprehensive information about the purpose and scope of the data processing.

Option B only involves the processing of personal data, and therefore only requires compliance with the GDPR. Calling a potential customer to notify her of an upcoming product sale involves the collection and use of the customer’s personal data, such as name, phone number, and purchase history. The organization must have a lawful basis for the data processing, such as consent, contract, or legitimate interest, and must respect the data subject rights, such as the right to object, the right to access, and the right to erasure.

Option C only involves the processing of personal data, and therefore only requires compliance with the GDPR. Emailing a customer to announce that his recent order should arrive earlier than expected involves the use of the customer’s personal data, such as name, email address, and order details. The organization must have a lawful basis for the data processing, such as consent, contract, or legitimate interest, and must respect the data subject rights, such as the right to object, the right to access, and the right to erasure. References:

Free CIPP/E Study Guide, page 15, section 2.3.3

CIPP/E Certification, page 10, section 1.1.2

Cipp-e Study guides, Class notes & Summaries, document “CIPP/E Exam Summary 2023”, page 42, section 2.3.3

ePrivacy: The EU’s other data protection rule

The New Rules of Data Privacy

A guide to GDPR data privacy requirements

A guide to the data protection principles

 A lead supervisory authority (LSA) is the main point of contact for organisations that process personal data across multiple EU member states. The LSA is responsible for coordinating cross-border investigations, issuing binding decisions, and enforcing GDPR compliance1. Cross-border processing is the main concern of the LSA, as it involves data processing activities that affect data subjects in more than one member state, or that take place in more than one member state2. The other options are not the main concern of the LSA, as they are either covered by the national supervisory authorities of each member state, or are not specific to cross-border processing. References: Is it possible to choose your lead supervisory authority under the GDPR?, Art. 56 GDPR – Competence of the lead supervisory authority, Navigating GDPR Compliance with a Lead Supervisory Authority, Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority

While all of the options present potential privacy issues, the lack of transparency about data processing poses the biggest risk for several reasons:

Uninformed Consent: Without clear information about data collection and usage, children and parents cannot make informed decisions about using the toys. This violates the principle of informed consent, which is a cornerstone of data protection laws.

Hidden Features: The packaging and privacy policy do not disclose the hidden functionality of the toys, including the connection to the cloud and data processing in South Africa. This lack of transparency creates distrust and raises concerns about potential misuse of data.

Unclear Data Flow: The explanation provided about the data flow is vague and incomplete. It is unclear what data is collected, how it is stored, for what purposes it is used, and who has access to it. This lack of clarity creates uncertainty and raises concerns about potential data breaches or leaks.

Limited Control: Without detailed information about data practices, users have limited control over their information. They cannot opt out of data collection or request deletion of their data, further hindering their privacy rights.

 The GDPR requires that personal data be kept for no longer than is necessary for the purposes for which the personal data are processed1. However, the GDPR also allows member states to provide for more specific rules on the processing of employees’ personal data in the employment context, including the retention periods for erasure and deletion of categories of personal data2. Therefore, the employer should securely store the data that is required to be kept under local law, such as tax records, pension records, or health and safety records34. The employer should also ensure that the data is protected from unauthorized or unlawful access, accidental loss, destruction, or damage1. The employer should not store the data for longer than necessary or for purposes other than those for which the data was collected, unless the employee has given consent or there is another legal basis for doing so13. References: 1: Article 5 of the GDPR 2: Article 88 of the GDPR 3: Data Protection and GDPR in the Workplace | Factsheets | CIPD 4: How to Manage the Retention of Employee Data | GDPR Blog

 According to Article 14 of the GDPR, when a controller collects personal data from a source other than the data subject, the controller must provide the data subject with certain information, such as the identity and contact details of the controller, the purposes and legal basis of the processing, the categories of personal data concerned, the recipients or categories of recipients of the personal data, and the rights of the data subject. This information must be provided within a reasonable period after obtaining the personal data, but at the latest within one month, or at the time of the first communication with the data subject, or before disclosing the data to another recipient. The purpose of this provision is to ensure fair and transparent processing of personal data and to respect the right of the data subject to be informed. References:

Article 14 of the GDPR, which specifies the information to be provided where personal data have not been obtained from the data subject.

ICO guidance, which explains the requirements and exceptions of Article 14 of the GDPR.

EDPB guidelines, which provide further guidance on the application of Article 14 of the GDPR.

According to the ePrivacy Directive, which regulates direct electronic marketing in the EU, consent is generally required before sending marketing emails or texts. However, there is an exception known as the ‘soft opt-in’, which allows marketing emails or texts to be sent on an opt-out basis if the recipient’s details were collected “in the context of the sale of a product or a service” and the marketing is for “similar products or services” provided by the same organisation12. Therefore, WonderKids can send direct marketing information by email without prior consent of the person booking the childcare, as long as the information is about similar products or services to those purchased from WonderKids, and the person is given a clear and easy way to opt out of receiving such emails. The other options are not allowed under the ePrivacy Directive, unless the person has given explicit consent to receive them. References:

Free CIPP/E Study Guide, page 33, section 4.1.3

CIPP/E Certification, page 28, section 4.1.3

Cipp-e Study guides, Class notes & Summaries, page 39, section 4.1.3

Direct marketing rules and exceptions under the GDPR, paragraph 5

Marketing | ICO, section “What does the ‘soft opt-in’ mean?”

Pseudonymisation is a technique that replaces, removes or transforms information that identifies individuals, and keeps that information separate from the rest of the data. Pseudonymised data is still personal data under the GDPR, because it can be re-identified with the use of additional information. However, pseudonymisation can reduce the risks of processing personal data and help comply with data protection principles and obligations. Pseudonymisation is different from anonymisation, which is the process of irreversibly transforming personal data so that the data subject is no longer identifiable. References:

GDPR Article 4(5), which defines pseudonymisation.

GDPR Recital 26, which explains the difference between pseudonymisation and anonymisation.

EDPS blog post, which provides an overview of pseudonymisation and its benefits.

ICO guidance, which gives practical advice on how to implement pseudonymisation.

According to the GDPR, the territorial scope of the regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behavior as far as their behavior takes place within the Union1. In this scenario, Who-R-U is not established in the Union, but it is collecting location information of its Canadian customers who use the app while traveling abroad, including in the EU. This constitutes monitoring of their behavior within the Union, and therefore triggers the application of the GDPR. The other options are not correct because: (A) Who-R-U does not have any establishment in the Union, as the naming-rights deal does not involve any technology or infrastructure; (B) Who-R-U is not offering goods or services to data subjects in the Union, as it only targets Canadian customers and blocks internet traffic from outside of Canada; © Who-R-U is not engaging in commercial activities conducted in the Union, as it only accepts Canadian currency and does not process orders that request the DNA report to be sent outside of Canada. References: 1: Article 3(2) of the GDPR; Free CIPP/E Study Guide, page 11.

 According to the GDPR, the right of access by the data subject is one of the rights granted to individuals to obtain information about the processing of their personal data by a data controller1. The data controller must provide a copy of the personal data undergoing processing and additional information, such as the purposes, the categories, the recipients, the retention period, the rights, the source, and the automated decision-making of the processing1. The data controller must also inform the data subject of the existence of the right to access and the means to exercise it2.

The GDPR also specifies the time limit for responding to a data subject access request. The data controller must provide the information without undue delay and in any event within one month of receipt of the request1. This period may be extended by two further months where necessary, taking into account the complexity and number of the requests, but the data controller must inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay1. The data controller must also verify the identity of the data subject before providing the information, but this verification should not extend the time limit for responding to the request3.

In this scenario, Mike is an EU resident who has booked travel itineraries through XYZ Travel Agency and stayed at ABC Hotel Chain’s locations. Both companies are U.S.-based multinational companies that use a common platform for collecting and sharing their customer data. Mike has signed the agreement to be a rewards program member of XYZ Travel Agency. Mike wants to know what personal information the company holds about him and sends an email requesting access to his data.

Assuming that both companies are subject to the GDPR, either because they offer goods or services to individuals in the EU or because they monitor the behavior of individuals in the EU4, they must comply with the right of access by the data subject and provide Mike with the information he requests. The time period in which Mike should receive a response to his request is not more than one month of receipt of his request, unless there are grounds for extending the period by two further months. The companies must also verify Mike’s identity before providing the information, but this verification should not affect the time limit for responding to the request.

Therefore, the correct answer is A. Not more than one month of receipt of Mike’s request.

References: 1 Article 15 of the GDPR2 Article 13 and 14 of the GDPR3 Guidelines on the right to data portability | European Data Protection Board34 Article 3 of the GDPR.

According to Article 35 of the GDPR, the controller must carry out a data protection impact assessment (DPIA) prior to processing that is likely to result in a high risk to the rights and freedoms of natural persons. The DPIA is a process for assessing and mitigating the potential impact of the processing on the protection of personal data. The controller must seek the advice of the DPO, where designated, when carrying out a DPIA. The DPO can assist the controller in conducting the DPIA and ensuring its compliance with the GDPR requirements. The DPO can also monitor the performance of the DPIA and act as a contact point for the supervisory authority and the data subjects. References:

Article 35 of the GDPR

European Data Protection Law & Practice textbook, Chapter 7: Data Protection Impact Assessment, Section 7.2: When is a DPIA required?, Subsection 7.2.1: The role of the DPO

Roles and Responsibilities of a Data Protection Officer

The Data Retention Directive was a EU law that required providers of electronic communications services to retain certain data, such as traffic and location data, for a period of between six months and two years, for the purpose of preventing, investigating, detecting and prosecuting serious crime1. However, in 2014, the Court of Justice of the European Union declared the Directive invalid, because it violated the fundamental rights to respect for private life and to the protection of personal data, as enshrined in the Charter of Fundamental Rights of the EU2. The Court found that the Directive entailed a wide-ranging and particularly serious interference with those rights, without being limited to what is strictly necessary3. One of the reasons for this finding was that the Directive applied to all individuals, all means of electronic communication and all traffic data without any differentiation, limitation or exception, thus affecting the entire population of the EU4. The Court also noted that the Directive did not provide sufficient safeguards to ensure effective protection of the data against the risk of abuse and unlawful access, and did not require the data to be retained within the EU5. References: 1 Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC2 Charter of Fundamental Rights of the European Union3 Press release No 54/14 - Judgment in Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger and Others4 Judgment of the Court (Grand Chamber) of 8 April 2014. Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others and Kärntner Landesregierung and Others. Requests for a preliminary ruling from the High Court (Ireland) and the Verfassungsgerichtshof (Austria). Joined cases C-293/12 and C-594/125 Ibid.

 According to the UK GDPR, the data subject has the right to object, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions1. The controller must stop the processing unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims1. The WP 29 Guidelines on Automated individual decision-making and Profiling provide some guidance on how to assess the existence of such compelling legitimate grounds2. The controller needs to carry out an exercise that weighs the interests of the controller and the basis for the data subject’s objection, consider the impact of the profiling on the data subject’s interest, rights and freedoms, and consider the importance of the profiling to their particular objective2. However, the controller does not need to demonstrate that the profiling is for the purposes of direct marketing, as this is a separate ground for objection under Article 21(2) of the UK GDPR, which gives the data subject an absolute right to object to such processing13. Therefore, option C is the correct answer, as it is not required by the controller to demonstrate that it has compelling legitimate grounds for profiling. References: 132

https://gdpr.eu/article-21-right-to-object/ https://ico.org.uk/for-organisations-2/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-object/

 A dynamic IP address is a unique numerical label for a device on the internet that changes every time the device connects to the internet. A dynamic IP address by itself is not personal data, as it does not directly identify the person who owns or uses the device. However, a dynamic IP address can become personal data when it is combined with other data held by the controller, such as the web pages accessed by the device, the time and duration of the visit, the location of the device, or the user’s preferences and interests. In this case, the controller can use the additional data to identify the data subject, either directly or indirectly, by linking the dynamic IP address to a specific person or a profile. This was confirmed by the Court of Justice of the European Union (CJEU) in the case of Breyer v Bundesrepublik Deutschland, where the CJEU ruled that a dynamic IP address registered by a website provider constitutes personal data in relation to that provider, where the latter has the legal means to obtain the identity of the data subject from the internet service provider (ISP) that assigned the dynamic IP address. Therefore, option B is the correct answer. References: Directive 95/46/EC, Directive 2002/58/EC, Breyer v Bundesrepublik Deutschland, Case C-582/14, Dynamic IP Addresses can be Personal Data

Works councils are employee representative bodies that exist in some European countries, such as Germany, France, Spain and Italy. They have various roles and powers depending on the national laws and collective agreements, but generally they aim to protect and promote the interests of the employees in relation to the employer. Some of the common roles of works councils are:

Determining whether to approve or reject certain decisions of the employer that affect employees, such as transfers, dismissals, redundancies, working hours, health and safety, etc.

Determining whether employees’ personal data can be processed or not, based on the principle of co-determination, which means that the employer needs the consent of the works council for any data processing that involves employee monitoring, evaluation or control.

Determining what changes will affect employee working conditions, such as wages, benefits, training, social facilities, etc.

However, works councils do not have the role of determining the monetary fines to be levied against employers for data breach violations of employee data. This is the role of the data protection authorities, which are independent public bodies that supervise, through investigative and corrective powers, the application of the data protection law. Works councils may cooperate with the data protection authorities or file complaints on behalf of the employees, but they do not have the authority to impose sanctions on the employers. References: Free CIPP/E Study Guide, page 27; CIPP/E Certification, page 13.

The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not. The GDPR also applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to the offering of goods or services to such data subjects in the EU or the monitoring of their behaviour as far as their behaviour takes place within the EU1. Therefore, after leaving the EU under the terms of Brexit, the UK became a third country for the purposes of the GDPR, meaning that personal data transfers from the EU to the UK are subject to the rules on international data transfers under Chapter V of the GDPR2. In order to ensure the continuity and stability of data flows between the EU and the UK, the UK sought an adequacy decision from the European Commission, which is a formal recognition that a third country provides an equivalent level of data protection to that of the EU3. On 28 June 2021, the European Commission adopted two adequacy decisions in respect of the UK: one for transfers under the GDPR and the other for transfers under the Law Enforcement Directive (LED)4. These decisions allow personal data to flow freely from the EU to the UK without any further safeguard being necessary, and are expected to last until 27 June 2025, unless they are amended, suspended or repealed earlier5. References:

GDPR, Article 3

GDPR, Chapter V

Data protection adequacy for non-EU countries, section “Adequacy decisions”

UK government welcomes the European Commission’s draft data adequacy decisions

Adequacy, section “What does the EU GDPR adequacy decision say?”

According to the GDPR, a data controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (Art 4(7) of GDPR). A data processor is the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Art 4(8) of GDPR). In this case, JaphSoft would be considered a controller under the GDPR because it uses the personal data it receives from Liem and EcoMick to improve its own products and services through machine learning. This means that JaphSoft determines the purposes and means of this processing activity, which is not covered by the agreement with Liem and EcoMick. JaphSoft also decides how long to retain the personal data, which is another indication of its controller role. The other options are not sufficient to establish JaphSoft as a controller, as they could also apply to a processor. Having access to personal data in the MarketIQ database does not imply that JaphSoft determines the purposes and means of the processing. It could be acting on behalf of Liem and EcoMick, who are the controllers of the data in the database. Making decisions regarding the technical and organizational measures necessary to protect the personal data is also a duty of a processor, who must implement appropriate security measures in accordance with the GDPR and the instructions of the controller (Art 28 and Art 32 of GDPR). References:

GDPR, Art 4, Art 28, Art 32

Free CIPP/E Study Guide, p. 15

European Data Protection Law & Practice, p. 123

What is a data controller or a data processor?

CNIL publishes guidance on data processing roles under EU GDPR

Guide for multi-controller situations under the GDPR

The CJEU ruled that the consent required by the ePrivacy Directive for the use of cookies must comply with the conditions laid down in the GDPR, which means that it must be specific, informed, unambiguous, and freely given. Therefore, pre-checked boxes or implied consent by scrolling are not valid forms of consent for cookies. The CJEU also clarified that the ePrivacy Directive applies to any information stored or accessed on a user’s device, regardless of whether it is personal data or not. Furthermore, the CJEU stated that the information provided to users about cookies must include the duration of the operation of cookies and the possibility of third parties accessing them.

References: CIPP/E Study Guide, page 29; CIPP/E Textbook, page 137; Planet49 case

Article 30 of the GDPR requires controllers and processors to maintain records of their processing activities, which include information such as the purposes of the processing, the categories of personal data, the recipients of the data, the retention periods, and the security measures12. However, Article 30 does not require controllers to keep records of incidents of personal data breaches, whether disclosed or not. This is a separate obligation under Article 33 and Article 34, which require controllers to notify the supervisory authority and the data subjects of any personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons34. References: 1: Article 30 of the GDPR 2: What do we need to document under Article 30 of the UK GDPR? | ICO 3: Article 33 of the GDPR 4: Article 34 of the GDPR

Section: (none)

Explanation

The aim of the European Data Protection Directive 95/46/EC was to establish a common legal framework for the protection of personal data within the European Union, and to ensure the free movement of such data within the internal market. The Directive was based on the recognition that the processing of personal data affects the fundamental rights and freedoms of individuals, especially their right to privacy, and that these rights need to be respected and safeguarded. At the same time, the Directive acknowledged that the free flow of personal data is essential for the economic and social development of the EU, and that the harmonization of data protection laws would facilitate the exchange of information and the provision of services across the member states. Therefore, the Directive aimed to strike a balance between the protection of individuals’ rights and the promotion of the internal market, by laying down the key principles, obligations and rights for the processing of personal data, and by providing mechanisms for cooperation and coordination among the national data protection authorities. References: Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Data Protection Directive - Wikipedia

This is not a common characteristic of cloud-computing services, as the supplier usually does not assume the vendor’s business risk. In fact, the supplier often limits its liability for data breaches or losses, and the vendor remains responsible for complying with data protection laws and regulations. The other options are common characteristics of cloud-computing services, as they reflect the nature of cloud computing as a flexible, scalable, and cost-effective way of processing data, but also pose challenges for data protection and security. References:

Free CIPP/E Study Guide, page 17, section 2.3.2

CIPP/E Certification, page 12, section 2.3.2

Cipp-e Study guides, Class notes & Summaries, page 23, section 2.3.2

Under the GDPR, using CCTV on business premises involves the processing of personal data, which requires compliance with the data protection principles and obligations. However, notifying the appropriate data protection authority (DPA) is not one of the steps that a company should take before using CCTV, unless the DPA has specifically requested it or the CCTV involves high-risk processing that requires prior consultation. The other steps are necessary to ensure GDPR compliance, as explained below:

Performing a data protection impact assessment (DPIA) is a mandatory requirement for any type of processing that is likely to result in a high risk to the rights and freedoms of individuals, such as large-scale or systematic monitoring of public areas. A DPIA is a process that helps identify and mitigate the potential privacy risks of using CCTV, and document the measures taken to address them. A DPIA should include a description of the processing, its purpose and necessity, its risks and benefits, the safeguards and security measures, and the consultation with stakeholders. A DPIA should be carried out before the CCTV system is installed or upgraded, and reviewed regularly or whenever there is a significant change in the processing.

Creating an information retention policy for those who operate the system is a good practice to ensure that the personal data collected by CCTV is not kept longer than necessary for the purpose for which it was collected, and that it is securely deleted or anonymised when no longer needed. The retention period should be determined by the specific purpose and context of using CCTV, and take into account any legal or contractual obligations, as well as the expectations and rights of the data subjects. The retention policy should also specify who is responsible for managing and deleting the CCTV footage, and how the deletion process is verified and documented.

Ensuring that safeguards are in place to prevent unauthorized access to the footage is an essential requirement to comply with the GDPR principle of integrity and confidentiality, which states that personal data must be processed in a manner that ensures appropriate security of the data, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage. The safeguards may include technical and organisational measures, such as encryption, access control, logging, audit, training, policies and procedures, that aim to protect the CCTV footage from unauthorized or unlawful access, disclosure, alteration, or destruction, both during transmission and storage. References: GDPR Article 35, GDPR Article 36, GDPR Article 5, CCTV and video surveillance | ICO, 5 Step Guide to Check if Your CCTV is GDPR Compliant

According to the GDPR, personal data means any information relating to an identified or identifiable natural person1. Body temperature is a type of personal data that can reveal information about an individual’s health and therefore constitutes special category data under Article 9 of the GDPR2. However, not every activity involving personal data falls within the scope of the GDPR. The GDPR applies only to the processing of personal data wholly or partly by automated means or to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system3.

In this scenario, the organization conducts body temperature checks as a part of COVID-19 monitoring. Body temperature is measured manually and is not followed by registration, documentation or other processing of an individual’s personal data. This means that the organization does not use any automated means to collect, store, or process the body temperature data, nor does it create or intend to create a filing system that contains such data. Therefore, this practice does not involve any processing of personal data within the meaning of the GDPR and is not subject to its rules and obligations.

The other options are incorrect because:

A. Body temperature is considered personal data, as it can be linked to an identifiable natural person and reveal information about their health2.

C. Body temperature is not considered pseudonymous data, as it is not processed in a way that the data can no longer be attributed to a specific data subject without the use of additional information4.

D. The practice is not for the purpose of alleviating extreme risks to public health, as it is not based on any legal obligation, public interest, or vital interest that would justify the processing of special category data under Article 9 of the GDPR5.

References: 1 Article 4(1) of the GDPR2 Policy Brief: Location Data Under Existing Privacy Laws | FPF23 Article 2(1) of the GDPR4 Article 4(5) of the GDPR5 Article 9(2) of the GDPR.

According to the European Data Protection Law & Practice textbook, page 326, “the CJEU held that the search engine operator is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.” However, the CJEU also stated that “the operator of the search engine as the person responsible for that processing must, at the latest on the occasion of the erasure from its list of results, disclose to the operator of the web page containing that information the fact that that web page will no longer appear in the search engine’s results following a search made on the basis of the data subject’s name.” Therefore, SearchCo must notify the newspaper that it is delisting the article, as part of its obligation to respect the data subject’s right to be forgotten. References:

European Data Protection Law & Practice, page 326

CJEU Judgment in Case C-131/12 Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González, paragraphs 88 and 93

 According to Article 33 of the GDPR, processors must notify controllers without undue delay after becoming aware of a personal data breach1. Even though Leon and Fred did not disclose the data to anyone else, the unauthorized access and copying of the log files still constitutes a personal data breach2. Therefore, Techiva, as a processor, has a legal responsibility to report it to TripBliss Inc., as the controller. The other options are not legal obligations for processors, although they may be good practices or contractual terms. References:

Free CIPP/E Study Guide, page 32, section 4.1.2

CIPP/E Certification, page 27, section 4.1.2

Cipp-e Study guides, Class notes & Summaries, page 38, section 4.1.2

New IAPP CIPP-E Exam Practice Questions, question 141

Processors’ responsibilities, paragraph 2

According to the GDPR, consent is one of the six lawful bases for processing personal data, but not the only one. The other five are: contract, legal obligation, vital interests, public task and legitimate interests. Legitimate interests can be invoked by controllers who process personal data for their own benefit or for the benefit of third parties, as long as such processing does not override the rights and freedoms of the data subjects, especially if they are children. The GDPR also recognizes that processing personal data for journalistic purposes or the purposes of academic, artistic or literary expression may be necessary for the exercise of the right to freedom of expression and information, which is a legitimate interest. Therefore, the company may not need to obtain the consent of everyone whose image they use for their documentary, if they can demonstrate that their processing is necessary for the purposes of their journalistic, artistic or literary expression, and that they have taken into account the reasonable expectations of the data subjects and the potential impact on their privacy. The company should also comply with any relevant national laws or codes of conduct that may apply to such processing. References:

GDPR, Article 6(1)(a)-(f)

GDPR, Recital 47

GDPR, Article 85

Adequacy is a term that the EU uses to describe other countries, territories, sectors or international organisations that it deems to provide an ‘essentially equivalent’ level of data protection to that which exists within the EU. An adequacy decision is a formal decision made by the EU which recognises that another country, territory, sector or international organisation provides an equivalent level of protection for personal data as the EU does. The effect of such a decision is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary12.

The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, the United States (commercial organisations participating in the EU-US Data Privacy Framework) and Uruguay as providing adequate protection13. On 28 June 2021, the EU Commission published two adequacy decisions in respect of the UK: one for transfers under the EU GDPR; and the other for transfers under the Law Enforcement Directive (LED)2. These decisions contain the European Commission’s detailed assessment of the UK’s laws and systems for protecting personal data, as well as the legislation designating the UK as adequate. Both adequacy decisions are expected to last until 27 June 20252.

Among the four options given, only Switzerland has been granted an adequacy decision by the EU, which means that it will continue to enjoy adequacy status under the GDPR, pending any future European Commission decision to the contrary. Greece is a member state of the EU, so it does not need an adequacy decision to receive personal data from the EU. Norway is a member of the European Economic Area (EEA), which also includes Iceland and Liechtenstein, and has incorporated the GDPR into its national law, so it also does not need an adequacy decision. Australia has not been recognised as adequate by the EU, so transfers of personal data from the EU to Australia require appropriate safeguards or derogations13. Therefore, the correct answer is D. Switzerland. References:

https://pages.iapp.org/Free-Study-Guides_CIPPE-PPC-EU.html https://data-privacy-office.eu/courses/cipp-e-official-training-course/

 The General Data Protection Regulation (GDPR) is a data protection law that applies to the processing of personal data of individuals in the European Union (EU) and the European Economic Area (EEA). Personal data is any information relating to an identified or identifiable natural person, such as name, address, email, phone number, etc12. The GDPR does not apply to personal data that is anonymized, meaning that it cannot be linked back to a specific individual12. Anonymization can be achieved by removing or masking any identifying information from the data, such as using pseudonyms, aggregating or generalizing the data, or applying statistical methods12.

Therefore, the type of data that lies beyond the scope of the GDPR is anonymized data.

References: 1: Free CIPP/E Study Guide - International Association of Privacy Professionals 2: CIPP/E Certification - International Association of Privacy Professionals

According to Article 46(2)© of the GDPR, standard contractual clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2) can be used as a legal basis for data transfers to third countries12. This means that, in addition to the European Commission, national data protection authorities can adopt standard contractual clauses, provided that they meet the conditions and requirements set out in the GDPR and obtain the approval of the Commission. The other options are not correct, as approved data controllers, the Council of the European Union and the European Data Protection Supervisor do not have the power to adopt standard contractual clauses under the GDPR. References: CIPP/E Certification - International Association of Privacy Professionals, Free CIPP/E Study Guide - International Association of Privacy Professionals, GDPR - EUR-Lex, Standard Contractual Clauses (SCC) - European Commission

I hope this helps. If you have any other questions, please let me know. ????.

According to the GDPR, when personal data is collected from the data subject, the controller must provide the data subject with certain information, such as the identity and contact details of the controller, the contact details of the data protection officer, the purposes and legal basis of the processing, the recipients or categories of recipients of the personal data, the data subject’s rights, and any other information necessary to ensure fair and transparent processing1. This information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language2. Therefore, Building Block should have provided its employees with information about who they can contact with any queries regarding the monitoring, such as the data protection officer or the Privacy Office, as part of the information notice before implementing the security measures. This would enable the employees to exercise their rights, such as the right to access, rectify, erase, restrict or object to the processing of their personal data, or the right to lodge a complaint with a supervisory authority3. References: 1 Art. 13 GDPR – Information to be provided where personal data are collected from the data subject - General Data Protection Regulation (GDPR)2 Art. 12 GDPR – Transparent information, communication and modalities for the exercise of the rights of the data subject - General Data Protection Regulation (GDPR)3 Art. 15-22 GDPR – Rights of the data subject - General Data Protection Regulation (GDPR).

According to Articles 33 and 34 of the GDPR, the Gummy Bear Company potentially violated its breach notification obligations by allowing Sam to copy and use the personal data of its customers in Ireland without their consent or authorization. A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed (Article 4(12)). The Gummy Bear Company, as a data controller, is required to notify the competent supervisory authority of the personal data breach without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons (Article 33(1)). The notification should include the nature of the personal data breach, the categories and approximate number of data subjects and personal data records concerned, the likely consequences of the personal data breach, and the measures taken or proposed to address the personal data breach (Article 33(3)). The Gummy Bear Company is also required to communicate the personal data breach to the affected data subjects without undue delay, if the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons (Article 34(1)). The communication should describe the nature of the personal data breach and the measures taken or proposed to address the personal data breach (Article 34(2)).

Therefore, the Gummy Bear Company should analyze and evaluate all of its breach notification obligations, taking into account the nature and circumstances of the personal data breach, the type and sensitivity of the personal data involved, the potential impact and harm to the data subjects, and the applicable laws and regulations of the jurisdictions where the data subjects reside. The Gummy Bear Company should also document the personal data breach and the remedial actions taken, and cooperate with the supervisory authorities and the data subjects as required by the GDPR.

References: GDPR, Articles 4(12), 33, 341; EDPB Guidelines 01/2021 on Examples regarding Data Breach Notification2

 According to Article 32 of the GDPR, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the pseudonymisation and encryption of personal data. Encryption is a key security measure to protect the confidentiality, integrity and availability of personal data, especially when it is transferred between different entities or locations. Encryption ensures that only authorised parties can access and modify the data, and prevents unauthorised or unlawful access, disclosure, alteration or destruction. Encryption also reduces the risk of data breaches and the potential harm to the data subjects. Therefore, encrypting the transferred data in transit and at rest would be the most important security measure to apply to the health data transmission. References:

Article 32 of the GDPR

IAPP CIPP/E Study Guide, page 58

The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not (Article 3(1)). The GDPR also applies to the processing of personal data of data subjects who are in the EU by a controller or a processor not established in the EU, where the processing activities are related to the offering of goods or services to such data subjects in the EU, or the monitoring of their behaviour as far as their behaviour takes place within the EU (Article 3(2)). Therefore, the GDPR would apply to the following entities:

A South American company that regularly collects European customers’ personal data, as it is offering goods or services to data subjects in the EU.

A company that stores all customer data in Australia and is headquartered in a European Union (EU) member state, as it has an establishment in the EU.

A Chinese company that has opened a satellite office in a European Union (EU) member state to service European customers, as it has an establishment in the EU and is offering goods or services to data subjects in the EU.

The GDPR would not apply to the following entity:

A North American company servicing customers in South Africa that uses a cloud storage system made by a European company, as it does not have an establishment in the EU, nor is it offering goods or services to data subjects in the EU, nor is it monitoring their behaviour within the EU. The fact that it uses a cloud storage system made by a European company does not trigger the application of the GDPR, unless the cloud provider is also processing personal data on behalf of the North American company in the context of its activities in the EU.

References: Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) - version adopted after public consultation, Art. 3 GDPR – Territorial scope - General Data Protection Regulation (GDPR)

A data breach is broadly defined as any incident that leads to the unauthorized access, disclosure, alteration, or destruction of personal data. While options A and B might seem plausible at first glance, they focus on a narrow interpretation of a breach.

The key here is the loss of confidentiality and/or integrity. Even though no one has actively stolen the data, the bank can no longer guarantee the confidentiality of the information, nor can it ensure the integrity of the data since it cannot be accessed or modified securely. This constitutes a loss of control over the data and thus qualifies as a data breach.

References:

IAPP CIPP/E textbook, Chapter 5: Data Breach Notification (specifically, the definition of a personal data breach)

GDPR Article 4(12) - Definition of a personal data breach

Data adjustment is not a valid basic anonymization technique according to the PDPC’s guide12. Data adjustment refers to the modification of the original data values by adding or subtracting a random amount, or multiplying or dividing by a random factor3. This technique may preserve some statistical properties of the data, but it also introduces errors and inaccuracies that may affect the utility and quality of the data3. Moreover, data adjustment may not sufficiently protect the identity of individuals, as the adjusted data may still be linked or matched with other data sources3. Therefore, data adjustment is not recommended by the PDPC as a basic anonymization technique.

References:

1: GUIDE TO BASIC DATA ANONYMISATION TECHNIQUES Published 25 January 2018 - PDPC 2: GUIDE TO BASIC ANONYMISATION - PDPC 3: Guide to basic anonymisation and free tool from PDPC

According to the GDPR, consent must be freely given, specific, informed and unambiguous1. However, in the context of employment, there is often an imbalance of power between the employer and the employee, which may affect the validity of consent. The employee may feel pressured or coerced to give consent, or may not be able to withdraw it without negative consequences. Therefore, consent is not a reliable or appropriate legal basis for processing employee data in most cases23. The employer should consider other lawful bases, such as contractual necessity, legal obligation, legitimate interests or specific conditions for special category data45. References: 1 Art. 4 (11) GDPR – Definitions - General Data Protection Regulation (GDPR)2 Can my employer require me to give my consent to use my personal data? | European Commission. 3 When is consent appropriate? | ICO. 4 Art. 6 (1) GDPR – Lawfulness of processing - General Data Protection Regulation (GDPR)5 Art. 9 (2) GDPR – Processing of special categories of personal data - General Data Protection Regulation (GDPR).

ISO 31700 is an international standard that provides high-level requirements and recommendations for organizations that use privacy by design (PbD) in the development, maintenance and operation of consumer goods and services. PbD is a concept that aims to integrate privacy into products, services and systems by default, following seven main principles: proactive not reactive, privacy as the default, privacy embedded into design, full functionality, end-to-end security, visibility and transparency, and respect for user privacy. PbD is also a legal requirement under many prominent privacy regulations across the world, such as the GDPR. ISO 31700 is based on a consumer-centric approach, where the consumer’s privacy rights and preferences are placed at the center of product development and operation.

References: Meet the new ISO 31700 standard for Privacy by Design (PbD); 7 Steps to Comply with ISO 31700-1:2023; Privacy by Design: Embracing ISO 31700-1:2023’s Consumer Protection Guidelines.

The NIS2 Directive is the EU’s legislation on cybersecurity that updates and replaces the previous NIS Directive. It aims to create a high common level of cybersecurity across the EU by setting up legal measures for the security of network and information systems used by essential and important entities in various sectors and by enhancing cooperation among the member states. The NIS2 Directive does not establish a common controls framework that every organization must adopt, but rather allows each member state to define the appropriate security measures and incident reporting requirements for the entities under its jurisdiction, taking into account the specificities of each sector and subsector. However, the NIS2 Directive does provide some general principles and objectives for the security measures, such as proportionality, risk-based approach, state of the art, and regular review and update. The NIS2 Directive also introduces minimum harmonised rules for the supervision and enforcement of the security measures and incident reporting obligations, including the possibility of imposing administrative fines.

References:

NIS2 Directive, Articles 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, and 14.

The NIS2 Directive: A high common level of cybersecurity in the EU, pages 1, 2, 3, 4, 5, 6, 7, and 8.

The GDPR defines profiling as any form of automated processing of personal data to evaluate certain personal aspects relating to a natural person, such as their preferences, behaviour, or interests1. Profiling is subject to the general principles and rules of the GDPR, such as lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, and confidentiality2. The GDPR also provides specific rights for data subjects who are subject to profiling, such as the right to be informed, the right to access, the right to rectify, the right to object, and the right to not be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects on them3.

In the given scenario, the online shop is engaging in profiling by tracking the browsing behaviour of its European customers and predicting future purchases. It is also sharing this information with third parties, which may involve further processing of the personal data. Therefore, the online shop must comply with the GDPR requirements for profiling and ensure that it has a valid legal basis for the processing. According to Article 6 of the GDPR, there are six possible legal bases for processing personal data: consent, contract, legal obligation, vital interests, public interest, or legitimate interests4. However, not all of them are equally applicable or appropriate for profiling activities, especially when they involve sensitive or special categories of data, such as biometric, genetic, or health data, which require additional safeguards under Article 9 of the GDPR5.

In this case, the most relevant and suitable legal basis for the online shop’s profiling is consent, which means that the data subject has given a clear and affirmative indication of their agreement to the processing of their personal data for one or more specific purposes6. Consent must be freely given, specific, informed, and unambiguous, and must be obtained before the processing begins7. The online shop must also inform the data subject about the nature and purpose of the profiling, the logic involved, the consequences, and the rights they have in relation to it. The online shop must also respect the data subject’s right to withdraw their consent at any time and to object to the profiling.

Therefore, the online shop’s primary obligation while engaging in this kind of profiling is to solicit informed consent through a notice on its website, which must be clear, concise, and easily accessible, and must not be bundled with other terms and conditions. The online shop must also provide a simple and effective mechanism for the data subject to give or revoke their consent, such as a checkbox, a slider, or a button. The online shop must also keep records of the consent obtained and be able to demonstrate that it has complied with the GDPR requirements for consent.

The other options (B, C, and D) are not the primary obligation for the online shop, as they are either irrelevant or insufficient for the GDPR compliance. Seeking authorization from the European supervisory authorities is not necessary, unless the online shop is involved in a cross-border processing that requires a prior consultation under Article 36 of the GDPR. Demonstrating a prior business relationship with the customers is not a valid legal basis for the profiling, as it does not imply consent or legitimate interests. Proving that it uses sufficient security safeguards to protect customer data is a general obligation for any processing of personal data, but it does not address the specific issues and risks of profiling, such as discrimination, manipulation, or loss of control. References:

1: What is automated individual decision-making and profiling?

2: Article 5 of the GDPR

3: Rights related to automated decision making including profiling

4: [Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)]

5: Article 9 of the GDPR

6: Article 4 (11) of the GDPR

7: Article 7 of the GDPR

: Article 13 and 14 of the GDPR

: Article 21 of the GDPR

: Article 12 of the GDPR

: [Guidelines on consent under Regulation 2016/679]

: Article 24 of the GDPR

: Article 36 of the GDPR

: [Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679]

: [https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf]

: [https://edpb.europa.eu/sites/edpb/files/files/file1/20171104_wp251rev01_en.pdf]

According to Article 36 of the GDPR, when a controller intends to process personal data that would result in a high risk to the rights and freedoms of data subjects, and a data protection impact assessment under Article 35 indicates that the risk cannot be mitigated by the controller, the controller must consult the supervisory authority before processing. The purpose of this prior consultation is to seek the advice of the supervisory authority on whether the processing complies with the GDPR and what measures can be taken to ensure compliance. During the prior consultation, the controller must provide the supervisory authority with the following information:

the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings;

the purposes and means of the intended processing;

the measures and safeguards provided to protect the rights and freedoms of data subjects pursuant to the GDPR;

the contact details of the data protection officer, if any;

the data protection impact assessment provided for in Article 35; and

any other information requested by the supervisory authority.

Therefore, the correct answer is B. An explanation of the purposes and means of the intended processing. This information is essential for the supervisory authority to understand the nature and scope of the processing and to assess its compliance with the GDPR. The other options are not required by Article 36, although they may be relevant for other aspects of the GDPR, such as the data protection by design and by default principle (A), the lawfulness of processing ©, or the designation of the data protection officer (D). References:

Article 36 of the GDPR, which regulates the prior consultation with the supervisory authority.

ICO guidance, which explains the process and requirements of the prior consultation.

EDPB guidelines, which provide further guidance on the criteria and procedure of the prior consultation.

The GDPR and the Convention 108 are two important data protection instruments that aim to protect the rights and freedoms of individuals with regard to their personal data. They both have some similarities and some differences, but one common feature is that they both require notification of processing activities to a supervisory authority.

A supervisory authority is an independent public body that monitors and enforces compliance with data protection laws. In the EU, there are 47 national data protection authorities (DPAs) that have the power to impose administrative fines, issue guidelines, conduct investigations, and cooperate with other authorities1. In the Council of Europe, there are 54 parties to the Convention 108 that have established their own supervisory authorities or have agreed to be supervised by an external authority2.

Notification of processing activities is a requirement for any controller or processor of personal data that falls under the scope of the GDPR or the Convention 108. A controller is a natural or legal person who determines the purposes and means of the processing of personal data3. A processor is a natural or legal person who processes personal data on behalf of a controller3. Notification means informing the supervisory authority about certain aspects of the processing, such as:

The identity and contact details of the controller and processor

The categories and sources of personal data

The purposes and legal basis for processing

The recipients or categories of recipients of personal data

The retention period or criteria for determining it

The existence of any automated decision-making or profiling

The rights of data subjects and how they can exercise them

Notification can be done in various ways, such as:

Submitting a written notification form

Publishing a notice on a website or other platform

Sending an email or other electronic message

Using an online system or portal

Notification should be done as soon as possible after becoming aware of any relevant information about the processing. It should also be updated whenever there are significant changes in relation to the processing4.

Therefore, both the GDPR and the Convention 108 require notification of processing activities to a supervisory authority. This is one way to ensure transparency, accountability, and compliance with data protection laws.

 According to GDPR Article 4(22), a supervisory authority is concerned by the processing of personal data if the data subjects residing in its member state are substantially affected or likely to be substantially affected by the processing, or if a complaint has been lodged with it. This concept is mainly introduced to ensure that the rights and interests of data subjects are protected by the supervisory authorities that are closest to them, regardless of where the controller or processor is established or where the lead supervisory authority is located. The concerned supervisory authorities have the right to participate in the one-stop-shop and consistency mechanisms, and to express their views and objections on the draft decisions of the lead supervisory authority. They also have the duty to cooperate and assist each other in the performance of their tasks. References: GDPR Article 4(22), GDPR Article 60, GDPR Article 63, The role of the ’supervisory authority concerned’ (Chapter 3.1 …