CIPP-E Sample Questions Answers

According to Article 46 of the GDPR, in the absence of an adequacy decision by the European Commission, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. One of the possible appropriate safeguards is the use of standard data protection clauses adopted by the Commission or by a supervisory authority. However, Article 46(5) states that the possibility for the controller or processor to use standard data protection clauses adopted by the Commission or by a supervisory authority shall not affect the possibility for the controller or processor to rely upon other appropriate safeguards provided for in paragraph 2 of this Article, provided that they ensure that data subjects have enforceable and effective rights as regards the processing of their data. Therefore, in this case, Jackie’s recommendation of requiring UpFinance to notify ProStorage if it receives a government request for personal data UpFinance processes on its behalf prior to disclosing such data is an additional measure that could be considered as an appropriate safeguard, especially since UpFinance implements several data protection measures, including end-to-end encryption, with encryption keys held by the customer, which would ensure a high level of security and confidentiality of the personal data transferred. References:

• Article 46 of the GDPR
• IAPP CIPP/E Study Guide, page 67

According to the WP29’s “Guidelines on Personal data breach notification under Regulation 2016/679’’, the communication of a personal data breach to the data subjects should be clear, concise, transparent, easily accessible and understandable, and use clear and plain language. The communication should also be made as soon as reasonably feasible and in close cooperation with the supervisory authority. The guidelines provide some examples of methods that may be effective for communicating a breach to data subjects, such as a direct electronic message (e.g. email, SMS, direct message), a postal notification, a prominent advertisement in print media, or a notice on the homepage of the affected website. However, the guidelines also state that a notice on a corporate blog or social media would not be an effective method of communication, as it would not reach all the affected data subjects and would not allow them to take immediate action to protect themselves. Therefore, the correct answer is C. A notice on a corporate blog. References:

• WP29’s “Guidelines on Personal data breach notification under Regulation 2016/679’’, pages 20-211

The GDPR requires that the information provided to data subjects about the processing of their personal data must be concise, transparent, intelligible and easily accessible, using clear and plain language1. However, this can be challenging when the processing activities are complex, diverse or voluminous. Therefore, a good practice is to use a layered privacy notice, which consists of providing a short notice with the key elements of the privacy information, such as the identity of the controller, the purposes and legal basis of the processing, the recipients of the data, the data subject’s rights, and the contact details of the data protection officer or the supervisory authority. The short notice can then contain links to more detailed information, either by expanding each section or by directing the user to a separate page or document. This way, the user can easily access the information that is most relevant or important to them, without being overwhelmed by a long and complex notice23. A layered privacy notice can be used on websites, in emails, in mobile apps, or in any other medium where space or attention span is limited4. References: 1 Art. 12 GDPR – Transparent information, communication and modalities for the exercise of the rights of the data subject - General Data Protection Regulation (GDPR)2 Layered Notice - International Association of Privacy Professionals3 What methods can we use to provide privacy information? | ICO. 4 Layered Notice - West Virginia.

According to the Article 29 Working Party, a just-in-time notice is a type of privacy notice that provides processing information at specific points of data collection, such as when the user clicks on a certain feature or enters personal data1. This kind of notice is commonly recommended for AI-based technologies because it allows the user to receive relevant and timely information about the processing of their data, without being overwhelmed by lengthy and complex privacy statements1. A just-in-time notice can also be combined with other types of notices, such as layered notices or privacy dashboards, to provide a more comprehensive and user-friendly transparency framework1. Therefore, option C is the correct answer. Option A is incorrect because a privacy dashboard notice is a type of notice that provides the user with a centralised and interactive overview of the processing of their data, and allows them to manage their privacy settings and preferences1. Option B is incorrect because a visualization notice is a type of notice that uses graphical elements, such as icons, symbols, colours, or animations, to convey the processing information in a more intuitive and engaging way1. Option D is incorrect because a layered notice is a type of notice that provides the processing information in a hierarchical and modular way, starting with the most essential information and allowing the user to access more details if they wish1. References:

• What’s new in WP29’s final guidelines on transparency?

According to the EDPB Guidelines 05/2020 on consent under Regulation 2016/6791, valid consent for the use of cookies must meet the following conditions:

•It must be freely given, which means that the data subject must have a genuine choice and the ability to refuse or withdraw consent without detriment.

•It must be specific, which means that the data subject must give consent for each distinct purpose of the processing and for each type of cookie.

•It must be informed, which means that the data subject must receive clear and comprehensive information about the identity of the controller, the purposes of the processing, the types of cookies used, the duration of the cookies, and the possibility of withdrawing consent.

•It must be unambiguous, which means that the data subject must express their consent by a clear affirmative action, such as clicking on an “I agree” button or selecting specific settings in a cookie banner.

•It must be granular, which means that the data subject must be able to consent to different types of cookies separately, such as essential, functional, performance, or marketing cookies.

Therefore, a “Cookies Settings” button is not a necessary element to collect valid consent for the use of cookies, as long as the data subject can exercise their choice and preference through other means, such as a cookie banner with different options. However, a “Cookies Settings” button may be a good practice to enhance transparency and user control, as it allows the data subject to access and modify their consent settings at any time.

On the other hand, a “Reject All” cookies button is a necessary element to collect valid consent for the use of cookies, as it ensures that the data subject can freely refuse consent without detriment. A list of cookies that may be placed and information on the purpose of the cookies are also necessary elements to collect valid consent for the use of cookies, as they ensure that the data subject is informed and can give specific consent for each type of cookie.

References: EDPB Guidelines 05/2020 on consent under Regulation 2016/6791, pages 17-23.

According to the CIPP/E study guide, Article 33 of the GDPR requires data controllers to notify the supervisory authority of a personal data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons1. Article 34 of the GDPR requires data controllers to communicate the personal data breach to the data subject without undue delay when the breach is likely to result in a high risk to the rights and freedoms of natural persons2. Both articles specify the minimum information that the data controller must provide to the supervisory authority and the data subject, which includes: the nature of the breach, the categories and approximate number of data subjects and personal data records concerned, the name and contact details of the data protection officer or other contact point, the likely consequences of the breach, and the measures taken or proposed to address the breach and mitigate its possible adverse effects12. However, neither article requires the data controller to disclose the type of security safeguards used to protect the data, as this information is not relevant for the purposes of notification and may even compromise the security of the data further3. References: 1: CIPP/E study guide, page 84; Art. 33 GDPR; Guidelines 01/2021 on Examples regarding Data Breach Notification2: CIPP/E study guide, page 85; [Art. 34 GDPR]; Guidelines 01/2021 on Examples regarding Data Breach Notification3: Personal Data Breach | European Data Protection Supervisor; What is a data breach and what do we have to do … - European Commission.

According to the GDPR, one of the legal bases for transferring personal data to a third country or an international organization is when the transfer is necessary for the protection of the vital interests of the data subject or of another person, where the data subject is physically or legally incapable of giving consent (Article 49(1)©). This exception applies only in very limited and exceptional situations, such as life-threatening medical emergencies. In this scenario, ProStorage most likely relied on this legal basis to transfer Ruth’s medical information to the hospital in India, where she suffered a medical emergency and was hospitalized. Ruth was presumably unable to give her consent due to her health condition, and the transfer of her medical information was necessary to protect her vital interests, such as her life or health. Therefore, this transfer mechanism was more appropriate than the other options, which either require consent or are not relevant to the situation.

References: GDPR, Article 49(1)©1; EDPB Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/6792, page 9.

According to the EDPB Guidelines 01/2021 on Examples regarding Personal Data Breach Notification, a confidentiality breach occurs when personal data is disclosed or made available to unauthorized persons. This is the case when exfiltration of job application data from a website results in personal information being accessible to unauthorized persons, such as hackers or competitors. This type of breach may pose a high risk to the rights and freedoms of the data subjects, as it may lead to identity theft, fraud, discrimination, or reputational damage. Therefore, the data controller should notify the data subjects without undue delay, unless the data is encrypted or anonymized, or the controller has taken subsequent measures to ensure that the high risk is no longer likely to materialize.

References: EDPB Guidelines 01/2021 on Examples regarding Personal Data Breach Notification, page 151; CIPP/E Textbook, page 136.

Article 8 of the ECHR protects the right to respect for private and family life, home and correspondence. However, this right is not absolute and can be subject to limitations by a public authority in accordance with the law and for a legitimate aim. The European Court of Human Rights (ECtHR) has developed a two-stage test to determine whether such limitations are justified. First, the court must examine whether there is a legitimate aim pursued by the public authority, such as national security, public safety or the prevention of crime. Second, the court must assess whether the means used by the public authority are appropriate and necessary to achieve that aim, taking into account all relevant factors such as proportionality, necessity and less restrictive alternatives12. Therefore, the right to privacy is not an absolute right but a qualified one that has to be balanced against other rights under the ECHR. References:

• Article 8 - Protection of personal data
• Your right to respect for private and family life
• Right to respect for private and family life
• Guide on Article 8 of the European Convention on Human Rights
• European Convention on Human Rights - Article 8

 According to the Free CIPP/E Study Guide, page 16, “the GDPR provides for a one-stop-shop mechanism, which means that a controller or processor with establishments in several Member States will have only one supervisory authority as its interlocutor, which will act as the lead authority. However, this does not mean that the lead authority has exclusive competence to supervise all processing activities of the controller or processor throughout the EU. The GDPR also allows for the possibility of a relevant and reasoned objection by a concerned supervisory authority, which may trigger the consistency mechanism and the involvement of the European Data Protection Board (EDPB). Moreover, the GDPR recognizes the right of any supervisory authority to adopt urgent measures on its own territory or to commence legal proceedings before a court in its Member State in order to protect the rights and freedoms of data subjects.” Therefore, the lead regulator should accept the Spanish supervisory authority’s notice that it plans to take action regarding Sofia’s complaint, as the GDPR permits non-lead authorities to take action for such complaints, especially when they involve urgent measures or legal proceedings to protect the data subjects’ rights and freedoms. The other options are incorrect, as they do not reflect the GDPR’s provisions on the one-stop-shop mechanism and the cooperation and consistency mechanisms. References:

• Free CIPP/E Study Guide, page 16
• GDPR, Articles 56, 60, 61, 62, 63, 64, 65 and 66

According to the transparency principle, data controllers must provide clear and transparent information to data subjects about how their personal data is processed. This information must be easily accessible and easy to understand. Providing a hyperlink to the organization’s home page, in a hard copy application form, is not considered a fair processing practice in relation to the transparency principle, because it does not directly inform the data subject about the specific purposes and legal basis of the processing, the data protection rights and obligations, and the contact details of the data controller and the data protection officer. This information should be provided in a concise, intelligible and easily accessible form, using clear and plain language, in a way that is appropriate to the means of communication. Providing a hyperlink to the organization’s home page, in a hard copy application form, does not meet these criteria and may also be inaccessible to some data subjects who do not have internet access or are not familiar with the use of hyperlinks. Therefore, this option is not a fair processing practice in relation to the transparency principle. References: 1234 https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guidance-for-the-use-of-personal-data-in-political-campaigning-1/lawful-fair-and-transparent-processing/ https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guidance-for-the-use-of-personal-data-in-political-campaigning-1/lawful-fair-and-transparent-processing/

According to the GDPR, the data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: (a) the purposes of the processing; (b) the categories of personal data concerned; © the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; (d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (f) the right to lodge a complaint with a supervisory authority; (g) where the personal data are not collected from the data subject, any available information as to their source; (h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject1. The data subject also has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her2. Therefore, options A, B and D are valid data access requests that ABC Hotel Chain and XYZ Travel Agency have to honor, as they fall within the scope of the right of access and rectification. However, option C is not a valid data access request, as it involves the right to erasure, which is a separate right from the right of access. The right to erasure, also known as the right to be forgotten, entitles the data subject to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: (a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing; © the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2); (d) the personal data have been unlawfully processed; (e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; (f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1)3. However, the right to erasure is not absolute and does not apply where processing is necessary: (a) for exercising the right of freedom of expression and information; (b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; © for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3); (d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or (e) for the establishment, exercise or defence of legal claims4. In this scenario, Mike’s request to obtain access and erasure of his personal data while keeping his rewards membership is not a valid data access request, as it contradicts the right to erasure. If Mike wants to exercise his right to erasure, he has to withdraw his consent for the processing of his personal data by ABC Hotel Chain and XYZ Travel Agency, which means that he cannot keep his rewards membership, as it is based on the processing of his personal data. Moreover, ABC Hotel Chain and XYZ Travel Agency may have other legal grounds for retaining his personal data, such as compliance with a legal obligation or the establishment, exercise or defence of legal claims. Therefore, option C is the correct answer, as it is the only situation where ABC Hotel Chain and XYZ Travel Agency do not have to honor Mike’s data access request. References: 1: Article 15 of the GDPR; 2: Article 16 of the GDPR; 3: Article 17(1) of the GDPR; 4: Article 17(3) of the GDPR; Free CIPP/E Study Guide, pages 33-35.

According to Article 37(2) of the GDPR, a group of undertakings may appoint a single data protection officer (DPO) provided that the DPO is easily accessible from each establishment12. This means that the DPO should be able to communicate effectively with the data subjects and the supervisory authorities in the relevant languages and jurisdictions, and to perform the tasks referred to in Article 39 of the GDPR34. The accessibility of the DPO does not necessarily depend on the physical location of the DPO, but rather on the availability of the DPO to the relevant stakeholders via various means of communication34. Therefore, the DPO does not have to be located in the country where the data controller has its main establishment, nor does the group of undertakings have to obtain approval from a supervisory authority or be comprised of organizations of similar sizes and functions to appoint a single DPO. References: CIPP/E Certification - International Association of Privacy Professionals, Free CIPP/E Study Guide - International Association of Privacy Professionals, GDPR - EUR-Lex, What’s different about a group data protection officer?, Data Protection Officers: What US Companies Need to Know - Cooley

The ePrivacy Directive, also known as the Cookie Law, is the EU legislation that regulates the use of cookies and other tracking technologies on websites and mobile applications. The ePrivacy Directive states that the use of cookies on websites and mobile applications is conditioned upon the prior consent of users, unless the cookies are strictly necessary for the provision of the service. Users must also be given clear and comprehensive information about the purposes of the cookies and the means to refuse them. The ePrivacy Directive complements the GDPR, which also applies to the processing of personal data through cookies, but does not specifically address the consent requirement for cookies. The other answer choices are not relevant to the consent requirement for cookies, as they regulate different aspects of the digital economy and society. The E-Commerce Directive establishes the legal framework for online services in the EU, such as information society services, electronic contracts, and liability of intermediaries. The Data Retention Directive requires telecommunication providers to retain certain data for a period of time for the purpose of law enforcement and national security. The EU Cybersecurity Directive aims to enhance the security of network and information systems across the EU, by setting common standards and obligations for operators of essential services and digital service providers. References:

• Cookies, the GDPR, and the ePrivacy Directive - GDPR.eu
• What is the EU Cookie Law (ePrivacy Directive)? - Cookie Script
• EU Cookie Law - Data Protection and Cookies - Cookiebot™
• ePrivacy Directive - Regulations - Learn how CookiePro Helps

• Article 82 of the GDPR1234 regulates the right to compensation and liability for any person who has suffered material or non-material damage as a result of an infringement of the GDPR.
• Paragraph 4 of Article 821234 states that a controller or processor shall be exempt from liability under paragraph 2 (which holds them liable for the damage caused by processing which infringes the GDPR) if it proves that it is not in any way responsible for the event giving rise to the damage.
• Therefore, the right to compensation and liability under the GDPR provides for an exemption from liability if the data controller (or data processor) proves that it is not in any way responsible for the event giving rise to the damage.

References:

1: Art. 82 GDPR – Right to compensation and liability - General Data Protection Regulation (GDPR)

2: Art. 82 GDPR - Right to compensation and liability - GDPR.eu

3: GDPR Article 82: Right to compensation and liability - Advisera

4: Article 82 GDPR | Right to compensation and liability

The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not (Article 3(1)). The GDPR also applies to the processing of personal data of data subjects who are in the EU by a controller or a processor not established in the EU, where the processing activities are related to the offering of goods or services to such data subjects in the EU, or the monitoring of their behaviour as far as their behaviour takes place within the EU (Article 3(2)). Therefore, the GDPR would apply to the following entities:

• A South American company that regularly collects European customers’ personal data, as it is offering goods or services to data subjects in the EU.
• A company that stores all customer data in Australia and is headquartered in a European Union (EU) member state, as it has an establishment in the EU.
• A Chinese company that has opened a satellite office in a European Union (EU) member state to service European customers, as it has an establishment in the EU and is offering goods or services to data subjects in the EU.

The GDPR would not apply to the following entity:

• A North American company servicing customers in South Africa that uses a cloud storage system made by a European company, as it does not have an establishment in the EU, nor is it offering goods or services to data subjects in the EU, nor is it monitoring their behaviour within the EU. The fact that it uses a cloud storage system made by a European company does not trigger the application of the GDPR, unless the cloud provider is also processing personal data on behalf of the North American company in the context of its activities in the EU.

References: Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) - version adopted after public consultation, Art. 3 GDPR – Territorial scope - General Data Protection Regulation (GDPR)

According to Article 45 of the GDPR, the European Commission has the power to determine whether a third country, a territory or one or more specified sectors within a third country, or an international organisation ensures an adequate level of protection of personal data. This means that personal data can flow from the EU and the EEA to that third country without any further safeguard being necessary. The adequacy decision is based on an assessment of the legal framework, the enforcement mechanisms, the access by public authorities, the international commitments and the cooperation with the EU of the third country or organisation. The European Commission also monitors the functioning of the adequacy decisions and can repeal, amend or suspend them if the level of protection is no longer ensured. The European Commission has so far recognised several countries and organisations as providing adequate protection, such as Japan, Canada, Switzerland, the UK and the EU-US Data Privacy Framework. References: GDPR Article 45, Data protection adequacy for non-EU countries, Adequacy decisions | European Data Protection Board

 According to the UK GDPR, the processing of personal data must be lawful, fair and transparent1. Lawfulness means that there must be a valid legal basis for processing personal data, such as consent, contract, legal obligation, vital interests, public task or legitimate interests1. Fairness means that the processing must not be detrimental, unexpected or misleading to the individuals concerned1. Transparency means that the individuals must be informed about how their data is used, who it is shared with, what rights they have and how they can exercise them1. Therefore, the sentence that best summarizes these concepts is option A, which states that fairness and transparency refer to the communication of key information before collecting data; lawfulness refers to compliance with government regulations. References: 1 https://ico.org.uk/for-organisations-2/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/lawfulness-fairness-and-transparency/

The OECD Guidelines, Convention 108 and the Data Protection Directive (Directive 95/46/EC) all aimed to harmonize the national data protection laws of the member states of the European Economic Community (EEC) and to establish a common framework for the protection of personal data. However, they largely failed to achieve this goal due to several reasons, such as:

• The lack of political will and commitment from the member states to implement the directives fully and consistently12.
• The divergent interpretations and applications of the directives by different national authorities, courts and regulators12.
• The emergence of new technologies and challenges that required new or updated legal solutions, such as electronic communications, cookies, biometrics, cloud computing, etc12.
• The influence of other regional or international initiatives that addressed some aspects of data protection differently or in conflict with the directives, such as the US Privacy Shield Framework3.

References: 1: Free CIPP/E Study Guide - International Association of Privacy Professionals 2: CIPP/E Certification - International Association of Privacy Professionals 3: Schrems II: A Critical Analysis - European Data Protection Board

According to the GDPR, the territorial scope of the regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behavior as far as their behavior takes place within the Union1. In this scenario, Who-R-U is not established in the Union, but it is collecting location information of its Canadian customers who use the app while traveling abroad, including in the EU. This constitutes monitoring of their behavior within the Union, and therefore triggers the application of the GDPR. The other options are not correct because: (A) Who-R-U does not have any establishment in the Union, as the naming-rights deal does not involve any technology or infrastructure; (B) Who-R-U is not offering goods or services to data subjects in the Union, as it only targets Canadian customers and blocks internet traffic from outside of Canada; © Who-R-U is not engaging in commercial activities conducted in the Union, as it only accepts Canadian currency and does not process orders that request the DNA report to be sent outside of Canada. References: 1: Article 3(2) of the GDPR; Free CIPP/E Study Guide, page 11.

According to the GDPR, the material scope of the regulation covers the processing of personal data wholly or partly by automated means, or by non-automated means if the data forms part of a filing system or is intended to form part of a filing system (Article 2(1)). Personal data is defined as any information relating to an identified or identifiable natural person (data subject) (Article 4(1)). An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Article 4(1)). Therefore, pseudonymous data, such as blockchain transactions that use public keys or other identifiers, may still fall within the definition of personal data if the data subject can be identified or re-identified by using additional information or means (Recital 26).

The GDPR also applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the European Union, regardless of whether the processing takes place in the European Union or not (Article 3(1)). The GDPR also applies to the processing of personal data of data subjects who are in the European Union by a controller or processor not established in the European Union, where the processing activities are related to the offering of goods or services to such data subjects in the European Union or the monitoring of their behaviour as far as their behaviour takes place within the European Union (Article 3(2)). Therefore, the territorial scope of the GDPR covers both controllers and processors established in the European Union, and controllers and processors not established in the European Union but targeting or monitoring data subjects in the European Union.

In this scenario, blockchain transactions are classified as pseudonymous data, which may still be considered as personal data under the GDPR if the data subjects can be identified or re-identified. Therefore, such transactions are within the material scope of the GDPR, as they involve the processing of personal data by automated means. However, the GDPR only applies to such transactions to the extent that they include data subjects in the European Union, either by having a controller or processor established in the European Union, or by offering goods or services to or monitoring the behaviour of such data subjects. Therefore, the answer is C.

References: GDPR, Articles 2, 3, 4, Recital 261; EDPB Guidelines 05/2020 on consent under Regulation 2016/6792, page 17; Blockchain and the GDPR: Solutions for a responsible use of the blockchain in the context of personal data - CNIL3

 According to the GDPR, personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes1. This means that data controllers must inform data subjects about the purposes of data processing and obtain their consent or rely on another lawful basis for processing. Data controllers must also respect the principle of data minimisation, which means that they should only collect and process personal data that is adequate, relevant and limited to what is necessary for the purposes for which they are processed2.

In the scenario, Brady transfers his customers’ personal data to Hermes Designs, a third-party contractor, for the purpose of providing web page design services. However, Hermes Designs uses the data for a new purpose, which is creating sample customized banner advertisements and conducting direct marketing to the customers. This new purpose is not compatible with the original purpose for which the data was collected and transferred, and it is not likely that the customers have consented to it or that there is another lawful basis for it. Moreover, Hermes Designs may be processing more personal data than what is necessary for the original purpose, such as the customers’ business plans and preferences. Therefore, Brady should be concerned with Hermes Designs’ handling of customer personal data, as it may violate the GDPR and expose him to legal risks and reputational damages.

References:

• 1: Art. 5(1)(b) GDPR Principles relating to processing of personal data
• 2: Art. 5(1)© GDPR Principles relating to processing of personal data

According to the GDPR, a data breach must be notified to the supervisory authority of the member state where the controller or processor is established, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons1. The GDPR defines a controller as "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data"2. The GDPR also specifies that a controller or processor is considered to be established in the Union if it has “an effective and real exercise of activity through stable arrangements” in the Union, regardless of its legal form or location of its headquarters3.

In this scenario, Who-R-U is not a controller established in the Union, because it does not have any stable arrangements in the Union that involve the processing of personal data. The company only offers its services to Canadians, and does not target or monitor individuals in the Union. The fact that it has purchased the naming rights for a building in Germany, which comes with a few offices, does not constitute an effective and real exercise of activity in the Union, as the offices do not include any technology or infrastructure for processing personal data, and are only used by executives while traveling internationally. Therefore, Who-R-U is not subject to the GDPR’s data breach notification obligation, and is not required to notify the local German DPA about the laptop theft.

References:

• Art. 33 GDPR – Notification of a personal data breach to the supervisory authority
• Art. 4 GDPR – Definitions
• Art. 3 GDPR – Territorial scope
• Guidelines 9/2022 on personal data breach notification under GDPR
• Guidelines 3/2018 on the territorial scope of the GDPR

I hope this helps you understand the GDPR and data breach notification better. If you have any other questions, please feel free to ask me. ????

According to Article 14 of the GDPR, where personal data is not obtained directly from the data subject, the controller must provide the data subject with certain information about the processing, such as the identity of the controller, the purposes and legal basis of the processing, the categories of personal data concerned, the recipients or categories of recipients of the personal data, and the rights of the data subject12. However, there are some exceptions to this obligation, as specified in Article 14(5). One of them is when the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) or in so far as the obligation is likely to render impossible or seriously impair the achievement of the objectives of that processing12. In such cases, the controller must take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available12. References: CIPP/E Certification - International Association of Privacy Professionals, Free CIPP/E Study Guide - International Association of Privacy Professionals, GDPR - EUR-Lex, Right to be Informed - General Data Protection Regulation (GDPR)

 According to Article 9 of the GDPR, special category data is personal data that needs more protection because it is sensitive. The GDPR defines 10 types of personal data as special categories, which are:

• personal data revealing racial or ethnic origin;
• personal data revealing political opinions;
• personal data revealing religious or philosophical beliefs;
• personal data revealing trade union membership;
• genetic data;
• biometric data (where used for identification purposes);
• data concerning health;
• data concerning a person’s sex life; and
• data concerning a person’s sexual orientation.

Among the answer choices, only option B falls under one of these categories, as trade union membership is considered to reveal political opinions or beliefs. Option A, C and D are not considered as special category data, as they do not reveal any sensitive information about the data subject. However, they are still subject to the general principles and rules of the GDPR, such as lawfulness, fairness, transparency, accuracy, security, etc. References:

• Special category data | ICO
• Art. 9 GDPR Processing of special categories of personal data
• Special Categories of Data - International Association of Privacy Professionals

Section: (none)

Explanation

Online Behavioural Advertising (OBA) means the collection of data from a particular computer or device regarding web viewing behaviours over time and across multiple web domains not under Common Control for the purpose of using such data to predict web user preferences or interests to deliver online advertising to that particular computer or device based on the preferences or interests inferred from such web viewing behaviours1. OBA is subject to the EU law on consent to the processing of personal data, which requires a clear affirmative action by the data subject indicating his or her agreement to the processing2. The consent must be freely given, specific, informed and unambiguous, and it can be withdrawn at any time2. The consent must also be obtained prior to the collection and use of data for OBA purposes3. Therefore, Brady Box’s OBA practice is most likely to be

According to the GDPR, consent must be freely given, specific, informed and unambiguous1. However, in the context of employment, there is often an imbalance of power between the employer and the employee, which may affect the validity of consent. The employee may feel pressured or coerced to give consent, or may not be able to withdraw it without negative consequences. Therefore, consent is not a reliable or appropriate legal basis for processing employee data in most cases23. The employer should consider other lawful bases, such as contractual necessity, legal obligation, legitimate interests or specific conditions for special category data45. References: 1 Art. 4 (11) GDPR – Definitions - General Data Protection Regulation (GDPR)2 Can my employer require me to give my consent to use my personal data? | European Commission. 3 When is consent appropriate? | ICO. 4 Art. 6 (1) GDPR – Lawfulness of processing - General Data Protection Regulation (GDPR)5 Art. 9 (2) GDPR – Processing of special categories of personal data - General Data Protection Regulation (GDPR).

According to Articles 33 and 34 of the GDPR, the Gummy Bear Company potentially violated its breach notification obligations by allowing Sam to copy and use the personal data of its customers in Ireland without their consent or authorization. A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed (Article 4(12)). The Gummy Bear Company, as a data controller, is required to notify the competent supervisory authority of the personal data breach without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons (Article 33(1)). The notification should include the nature of the personal data breach, the categories and approximate number of data subjects and personal data records concerned, the likely consequences of the personal data breach, and the measures taken or proposed to address the personal data breach (Article 33(3)). The Gummy Bear Company is also required to communicate the personal data breach to the affected data subjects without undue delay, if the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons (Article 34(1)). The communication should describe the nature of the personal data breach and the measures taken or proposed to address the personal data breach (Article 34(2)).

Therefore, the Gummy Bear Company should analyze and evaluate all of its breach notification obligations, taking into account the nature and circumstances of the personal data breach, the type and sensitivity of the personal data involved, the potential impact and harm to the data subjects, and the applicable laws and regulations of the jurisdictions where the data subjects reside. The Gummy Bear Company should also document the personal data breach and the remedial actions taken, and cooperate with the supervisory authorities and the data subjects as required by the GDPR.

References: GDPR, Articles 4(12), 33, 341; EDPB Guidelines 01/2021 on Examples regarding Data Breach Notification2

 A data sharing agreement is a contract that documents what data is being shared and how it can be used. It can be used to make data sharing lawful and to demonstrate compliance with the accountability principle under the GDPR. A data sharing agreement is most likely to be needed when personal data is being shared between commercial organizations acting as joint data controllers, because they have to determine and agree on their respective roles and responsibilities, such as the purpose and legal basis of the data sharing, the rights of the data subjects, the security measures, and the liability for any breaches. A data sharing agreement is not mandatory, but it is good practice and can help to avoid disputes and confusion. A data sharing agreement may not be needed or may be less detailed in the other scenarios, depending on the circumstances and the nature of the data. For example, anonymized data is not personal data under the GDPR and does not require a data sharing agreement, although it may still be subject to other contractual or ethical obligations. Personal data that is proactively shared by a controller to support a police investigation may be covered by a legal obligation or a public interest, and the controller may not have much control over how the data is used by the police. Personal data that is shared with a public authority with powers to require the personal data to be disclosed may also be subject to a legal obligation or a public interest, and the controller may have to comply with the authority’s request without a data sharing agreement. References:

• Data sharing agreements | ICO, which provides guidance on the benefits and contents of a data sharing agreement.
• Data Sharing Agreement - the Definition - GDPR Summary, which explains what a data sharing agreement is and when it can be used.
• The role of data sharing and the GDPR | Data Republic, which discusses the impact of the GDPR on data sharing practices.

Adequacy is a term that the EU uses to describe other countries, territories, sectors or international organisations that it deems to provide an ‘essentially equivalent’ level of data protection to that which exists within the EU. An adequacy decision is a formal decision made by the EU which recognises that another country, territory, sector or international organisation provides an equivalent level of protection for personal data as the EU does. The effect of such a decision is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary12.

The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, the United States (commercial organisations participating in the EU-US Data Privacy Framework) and Uruguay as providing adequate protection13. On 28 June 2021, the EU Commission published two adequacy decisions in respect of the UK: one for transfers under the EU GDPR; and the other for transfers under the Law Enforcement Directive (LED)2. These decisions contain the European Commission’s detailed assessment of the UK’s laws and systems for protecting personal data, as well as the legislation designating the UK as adequate. Both adequacy decisions are expected to last until 27 June 20252.

Among the four options given, only Switzerland has been granted an adequacy decision by the EU, which means that it will continue to enjoy adequacy status under the GDPR, pending any future European Commission decision to the contrary. Greece is a member state of the EU, so it does not need an adequacy decision to receive personal data from the EU. Norway is a member of the European Economic Area (EEA), which also includes Iceland and Liechtenstein, and has incorporated the GDPR into its national law, so it also does not need an adequacy decision. Australia has not been recognised as adequate by the EU, so transfers of personal data from the EU to Australia require appropriate safeguards or derogations13. Therefore, the correct answer is D. Switzerland. References:

https://pages.iapp.org/Free-Study-Guides_CIPPE-PPC-EU.html https://data-privacy-office.eu/courses/cipp-e-official-training-course/

Section: (none)

Explanation

 The European Council and the Council of the European Union are two different EU institutions that have similar names but distinct roles and memberships. The European Council is the body of leaders (heads of state or government) of the 27 EU member states that defines the EU’s general political direction and priorities1. The European Council does not adopt EU legislation, but rather sets the agenda and gives guidance to the other EU institutions1. The Council of the European Union, informally known as the Council, is composed of national ministers from each EU member state, grouped by policy area1. The Council is one of the two legislative bodies of the EU, along with the European Parliament, and negotiates and adopts EU laws, coordinates member states’ policies, and develops the EU’s common foreign and security policy1. The key difference between the two institutions is that the European Council is comprised of the heads of each EU member state, while the Council of the European Union is comprised of the ministers of each EU member state12. References: European Council | Council of the European Union, What is the difference between EU Council, Council of the European Union, and Council of Europe?

The “soft opt-in” rule is an exception to the general requirement of obtaining consent before sending electronic mail marketing to individuals. It applies when the following conditions are met12:

• the sender has obtained the contact details of the recipient in the context of the sale or negotiations for the sale of a product or service to that recipient;
• the sender only sends direct marketing relating to its own similar products or services; and
• the recipient has been given a simple opportunity to refuse or opt out of the marketing, both when the details were initially collected and in every subsequent message.

The option B matches these conditions, as it implies that the individual has shown an interest in buying a product from the sender, and that the sender can use the individual’s details to send marketing about similar products, as long as the individual can easily opt out. The other options do not qualify for the “soft opt-in” rule, as they either involve no consent, no prior relationship, or no opt-out mechanism. References: Electronic mail marketing | ICO, Direct marketing rules and exceptions under the GDPR

 According to Article 32 of the GDPR, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the pseudonymisation and encryption of personal data. Encryption is a key security measure to protect the confidentiality, integrity and availability of personal data, especially when it is transferred between different entities or locations. Encryption ensures that only authorised parties can access and modify the data, and prevents unauthorised or unlawful access, disclosure, alteration or destruction. Encryption also reduces the risk of data breaches and the potential harm to the data subjects. Therefore, encrypting the transferred data in transit and at rest would be the most important security measure to apply to the health data transmission. References:

• Article 32 of the GDPR
• IAPP CIPP/E Study Guide, page 58

The GDPR defines profiling as any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements12. Therefore, the relevant factors when determining if a processing activity would be considered profiling are:

• whether the processing involves data that is considered personal data;
• whether the processing of the data is done through automated means; and
• whether the processing is used to predict the behavior of data subjects.

The identity of the processor, whether it is the controller or a third-party vendor, is not relevant for the definition of profiling. However, it may have implications for the accountability and responsibility of the parties involved, as well as the data protection rights of the data subjects34. References: CIPP/E Certification - International Association of Privacy Professionals, Free CIPP/E Study Guide - International Association of Privacy Professionals, GDPR - EUR-Lex, What is automated individual decision-making and profiling? | ICO, WP29 releases guidelines on profiling under the GDPR, UK: A Guide To GDPR Profiling And Automated Decision-Making - Mondaq

According to the GDPR, the processing of personal data obtained through monitoring software must be lawful, fair, and transparent. This means that the employer must inform the employees about the nature, extent, and reasons for monitoring, and the possible consequences of non-compliance with the company’s policies. The employer must also have a legitimate interest or another lawful basis for processing the employees’ data, and respect their rights and freedoms. The employer must also comply with the national laws and guidelines of each member state where it operates, which may impose additional conditions or limitations on employee monitoring. In this case, Building Block did not inform the employee from Italy that the security software would also monitor his computer activity and location, and did not specify the purpose and scope of such monitoring. Therefore, the employee could not reasonably expect that his personal data would be processed in this way, and could not exercise his rights under the GDPR, such as the right to access, rectify, or object to the processing. Moreover, the employer did not conduct a proper assessment of the necessity and proportionality of the monitoring, and did not consider less intrusive alternatives to achieve its security goals. Therefore, the employer could face legal challenges from the employee, the Italian supervisory authority, or the labor courts, if it decides to apply disciplinary measures based on the data obtained through the monitoring software. The employer could also face fines or sanctions for violating the GDPR and the Italian data protection law. References: GDPR requirements for employee monitoring: rules to follow, Can Your Organisation Monitor Employees’ Personal Communications?, ICO publishes guidance to ensure lawful monitoring in the workplace, [Guidelines on processing personal data in the context of connected vehicles and mobility related applications]

According to the GDPR, a data protection impact assessment (DPIA) is a process to help identify and minimize the data protection risks of a project. A DPIA is required when the processing is likely to result in a high risk to the rights and freedoms of natural persons, taking into account the nature, scope, context and purposes of the processing. The GDPR provides a list of examples of processing operations that require a DPIA, such as:

• Systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.
• Processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences.
• Systematic monitoring of a publicly accessible area on a large scale.

Therefore, an example of a scenario where a controller is most likely required to undertake a DPIA is when personal data is being collected and combined with other personal data to profile the creditworthiness of individuals, as this involves a systematic and extensive evaluation of personal aspects based on automated processing and profiling, and may have significant effects on the individuals. The other scenarios are not necessarily indicative of a high risk to the rights and freedoms of natural persons, and do not fall under the examples of processing operations that require a DPIA provided by the GDPR. References: Free CIPP/E Study Guide, page 37; CIPP/E Certification, page 18; GDPR, Article 35, Recital 91.

According to the GDPR, consent is one of the lawful bases for processing personal data1. Consent means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her2. Therefore, consent must be specific to each purpose of processing and cannot be bundled with other purposes3. If a company wants to use personal data for a new purpose that is not compatible with the original purpose for which consent was given, it must obtain a new consent from the data subjects for the new processing4. Simply informing the data subjects of the new purpose or updating the privacy notice is not sufficient, as it does not imply the data subject’s agreement to the new processing. Proceeding with the new processing without obtaining a new consent would be unlawful and could result in fines and sanctions5. References:

• Free CIPP/E Study Guide, page 23, section 4.1.1
• GDPR, Article 4 (11)
• GDPR, Recital 32
• GDPR, Article 6 (4)
• GDPR, Article 83 (5) (a)

According to the Free CIPP/E Study Guide, page 14, “the GDPR requires controllers to carry out a data protection impact assessment (DPIA) prior to processing where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.” The GDPR also provides a list of examples of processing operations that require a DPIA, such as “a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person” (Article 35(3)(a)). Therefore, the fact that Dynaroux plans to undertake profiling of its customers through analysis of their purchasing patterns would trigger a DPIA under the GDPR, as it involves a systematic and extensive evaluation of personal aspects based on automated processing that may significantly affect the customers. The other options are not necessarily cases where a DPIA is required, although they may involve other obligations under the GDPR, such as obtaining a valid legal basis, providing adequate safeguards, or informing the data subjects. References:

• Free CIPP/E Study Guide, page 14
• GDPR, Article 35

According to the GDPR, transfers of personal data to third countries or international organisations are only allowed if the controller or processor complies with the conditions laid down in Chapter V of the GDPR1. One of these conditions is the existence of an adequacy decision by the European Commission, which means that the third country or international organisation ensures an adequate level of protection for the personal data2. However, if there is no adequacy decision, the controller or processor must provide appropriate safeguards for the data transfer, such as binding corporate rules (BCR) or standard contractual clauses (SCC)3.

Binding corporate rules (BCR) are internal rules adopted by a group of undertakings or enterprises engaged in a joint economic activity, which define its global policy with regard to the international transfers of personal data within the same corporate group or business partners located in third countries4. BCR must include all the general data protection principles and enforceable rights to ensure appropriate safeguards for the data transfers. They must be legally binding and enforced by every member concerned of the group5. BCR must be approved by the competent supervisory authority in accordance with the consistency mechanism provided by the GDPR6.

Standard contractual clauses (SCC) are sets of contractual terms and conditions that the controller or processor and the recipient of the data agree to apply to the data transfer. SCC are adopted by the European Commission or by a supervisory authority in accordance with the consistency mechanism and are available in the Official Journal of the European Union7. SCC must offer sufficient safeguards on data protection for the data to be transferred internationally8.

In the given scenario, option C is the statement that would help the company make an effective decision between BCR and SCC, as it highlights the main advantage of BCR over SCC, which is the global and comprehensive solution that BCR provide for all the entities of a company that are bound by the intra-group agreement. BCR are especially suitable for large and complex organisations that have frequent and high-volume data transfers within the same corporate group or business partners located in third countries. BCR also offer more flexibility and legal certainty than SCC, as they are tailored to the specific needs and structure of the group and do not require individual contracts for each data transfer.

The other options (A, B, and D) are either incorrect or misleading statements that would not help the company make an effective decision between BCR and SCC. Option A is incorrect, as BCR are not recommended for small and medium companies, but rather for large and complex ones, as explained above. Option B is misleading, as it implies that the data exporter can be located outside the EU for the SCC, which is true, but not relevant for the comparison with BCR, as the data exporter can also be located outside the EU for the BCR, as long as it is subject to the GDPR by virtue of Article 3(2). Option D is also misleading, as it implies that the company will need the prior authorization of all EU data protection authorities for concluding SCC, which is false, as the company will only need the prior authorization of the competent supervisory authority in the Member State where the data exporter is established, unless the SCC are modified or supplemented by additional clauses or safeguards. References:

• 1: [Article 44 of the GDPR]
• 2: [Article 45 of the GDPR]
• 3: [Article 46 of the GDPR]
• 4: [Article 4 (20) of the GDPR]
• 5: [Article 47 of the GDPR]
• 6: [Article 63 of the GDPR]
• 7: [Article 93 of the GDPR]
• 8: [Article 46 (2) © and (d) of the GDPR]
• : [Binding Corporate Rules (BCR)]
• : [Article 3 (2) of the GDPR]
• : [Article 46 (3) (a) and (b) of the GDPR]
• : [Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)]
• : [Binding Corporate Rules (BCR) - European Commission]
• : [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679]
• : [https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/binding-corporate-rules-bcr_en]
• : [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679]
• : [https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/binding-corporate-rules-bcr_en]

 The definition of personal data under the GDPR is broad and covers any information that relates to an identified or identifiable natural person. This means that personal data can include information such as name, email, phone number, address, date of birth, race, gender, political opinions and more. The GDPR protects personal data on all levels, platforms and technologies, and requires organizations to process it only for a specific purpose and keep it for a limited time.

The unlinked aggregated data used for statistical purposes by an Italian company would most likely NOT be covered by the definition of personal data under the GDPR. Aggregated data is data that has been processed in such a way that individual records are no longer identifiable. For example, if a company collects the names and email addresses of its customers and then calculates the average age of its customers, the resulting data is aggregated and not personal. Therefore, this type of data would not be subject to the GDPR.

However, this does not mean that the Italian company can use this type of data without any restrictions or obligations. The GDPR still applies to any processing activity that involves personal data in any form or manner. For example, if the Italian company uses this type of data to create a profile or a segment of its customers based on their characteristics or preferences, it may still need to comply with certain principles and conditions under the GDPR. For instance, it may need to obtain consent from its customers before using their aggregated data for marketing purposes; it may need to ensure that its aggregated data is accurate and up-to-date; it may need to limit the retention period of its aggregated data; and it may need to respect the rights of its customers regarding their personal data.

References:

• What is personal data? | ICO
• What is considered personal data under the EU GDPR?
• [GDPR personal data – what information does this cover?]

 According to the Free CIPP/E Study Guide, page 14, “if the DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk, the controller shall consult the supervisory authority prior to the processing.” This means that the controller must seek the advice of the supervisory authority when the DPIA identifies high risks that cannot be sufficiently reduced by the controller’s own measures. The other options are not necessarily cases where the consultation is required, although they may trigger other obligations under the GDPR, such as obtaining a valid legal basis, providing adequate safeguards, or informing the data subjects. References:

• Free CIPP/E Study Guide, page 14
• GDPR, Article 36

 A layered notice is a privacy notice designed to respond to problems with excessively long notices1. A short notice — the top layer — provides a user with the key elements of the privacy notice, such as the identity of the organisation, the purposes of the processing, and the rights of the data subjects2. The full notice — the bottom layer — covers all the intricacies in full, such as the lawful basis, the retention periods, and the recipients of the personal data2. The ICO recommends using a layered approach to deliver privacy information in a concise, transparent, intelligible, and easily accessible way, as required by the UK GDPR3. A layered notice allows data subjects to access the information they need at the appropriate level of detail and helps organisations to comply with the right to be informed23. References: 2

 Under the GDPR, email marketing requires explicit and unambiguous consent from the recipients, meaning that they must actively agree to receive marketing communications, and the process for obtaining this consent must be clear and transparent. A prior opt-in consent is the most common and reliable way to demonstrate compliance with this requirement, as it involves a positive action from the data subject, such as ticking a box, clicking a button, or filling a form. A pre-checked box, a notice, or an opt-out option are not sufficient to obtain valid consent, as they do not indicate a clear expression of the data subject’s will. However, there is an exception to the consent rule for existing customers, known as the “soft opt-in”. This means that a company can send email marketing messages to its customers without prior consent, if the following conditions are met:

• The company obtained the customer’s contact details in the course of a sale or negotiations for a sale of a product or service;
• The company only sends marketing messages about its own similar products or services;
• The company gives the customer a clear opportunity to opt out of receiving such messages both when first collecting the details and in every subsequent message.

References: GDPR Article 4(11), GDPR Article 6(1)(a), GDPR Article 7, GDPR Recital 32, GDPR Recital 47, GDPR for Marketing: The Definitive Guide for 2023 - SuperOffice, A Guide to GDPR Compliance for Email Marketers in 2023

 According to Article 47(2)(a) of the GDPR, binding corporate rules (BCRs) must be legally binding and apply to and be enforced by every member concerned of the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees1. This means that all employees within the group must comply with the BCRs, irrespective of their location or the jurisdiction where they operate. The other options are incorrect, as they do not reflect the requirements of the GDPR or the guidance of the European Data Protection Board (EDPB) on BCRs23. References:

• GDPR Article 47(2)(a)
• EDPB Guidelines 3/2018 on the territorial scope of the GDPR
• EDPB Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679

 According to Article 13 of the GDPR, when personal data are collected from the data subject, the data controller must provide the data subject with the following information, among others1:

• The identity and the contact details of the controller and, where applicable, of the controller’s representative;
• The contact details of the data protection officer, where applicable;
• The purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
• The recipients or categories of recipients of the personal data, if any;
• Where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

In the scenario, Wonderkids provides some of this information in their Privacy Statement, but not all. They do not specify the categories of recipients with whom they will share the personal data of their customers and their children. They only state that they will share the data with businesses that they see as adding real value to the customers, which is vague and ambiguous. This does not comply with the GDPR requirement to inform the data subjects about the recipients or categories of recipients of their personal data, if any. Therefore, Wonderkids must provide this additional information in their Privacy Statement.

References:

• 1: Art. 13 GDPR Information to be provided where personal data are collected from the data subject

 According to Article 60 of the GDPR, the lead authority (the CNIL in this case) shall cooperate with the other concerned supervisory authorities (the ICO and any other authority where EVERFIT has an establishment or where data subjects are affected) to reach a consensus on the case. The lead authority shall submit a draft decision to the other authorities for their opinion and take due account of their views. If the other authorities agree with the draft decision, the lead authority shall adopt and notify it to the controller (EVERFIT) and the complainant (Javier). If the other authorities object to the draft decision, they shall express their objections within a specified period and try to reach a consensus with the lead authority. If no consensus is reached, the matter shall be referred to the EDPB for a binding decision under the consistency mechanism (Article 65 of the GDPR). References: GDPR Cooperation and Enforcement, First overview on the implementation of the GDPR and the roles and means of the national supervisory authorities, Data protection: Commission adopts new rules to ensure stronger cooperation and enforcement, Article 65 FAQ

According to the UK GDPR, a processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller1. A processor must act only on the documented instructions of the controller and must not process the data for its own purposes or in a way that is incompatible with the controller’s purposes1. If a processor makes an independent decision regarding the purposes and means of processing it carries out on behalf of a controller, it will be considered to be a controller in respect of that processing and will be subject to the same obligations and liabilities as a controller under the UK GDPR1. This means that the processor will have to comply with the data protection principles, ensure the rights of data subjects, implement appropriate technical and organisational measures, report data breaches, conduct data protection impact assessments, appoint a data protection officer if required, and cooperate with the supervisory authority1. The processor will also be exposed to the risk of administrative fines, compensation claims, and reputational damage1. References: 1

https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/controllers-and-processors/controllers-and-processors/what-are-controllers-and-processors/

 According to the CIPP/E study guide, the Data Protection Law Enforcement Directive (LED) is a piece of EU legislation that ensures the protection of personal data of individuals involved in criminal proceedings, be it as witnesses, victims or suspects1. The LED applies to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties2. Article 4 of the LED sets out the principles relating to the processing of personal data, which include lawfulness, fairness, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality3. Article 4 (1) (e) of the LED states that personal data shall be processed lawfully, where processing is necessary for the performance of a task carried out by a competent authority for the purposes of the LED, and where processing is based on Union or Member State law which shall meet an objective of general interest, respect the essence of the right to the protection of personal data and be proportionate to the legitimate aim pursued3. Therefore, a government can carry out covert investigations involving personal data, as long as it is set forth by law and constitutes a measure that is both necessary and proportionate to the objective of general interest, such as the prevention or prosecution of criminal offences. References: 1: CIPP/E study guide, page 1; Data protection in law enforcement2: CIPP/E study guide, page 2; Art. 2 LED3: CIPP/E study guide, page 3; Art. 4 LED.

According to Article 14 of the GDPR, the data controller must provide the data subject with certain information when collecting personal data from a source other than the data subject1. However, there are some exceptions to this obligation, such as when the data subject already has the information, or when the provision of such information proves impossible or would involve a disproportionate effort2. The latter exception may apply, for example, when the personal data are collected from a large number of sources, or when the personal data are processed for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes3. The data controller must take appropriate measures to protect the data subject’s rights and interests, and make the information publicly available2. References: 1: Art. 14 GDPR – Information to be provided where personal data have not been obtained from the data subject2: Article 14(5)(b) of the GDPR3: Recital 62 of the GDPR.

 A lead supervisory authority (LSA) is the main point of contact for organisations that process personal data across multiple EU member states. The LSA is responsible for coordinating cross-border investigations, issuing binding decisions, and enforcing GDPR compliance1. Cross-border processing is the main concern of the LSA, as it involves data processing activities that affect data subjects in more than one member state, or that take place in more than one member state2. The other options are not the main concern of the LSA, as they are either covered by the national supervisory authorities of each member state, or are not specific to cross-border processing. References: Is it possible to choose your lead supervisory authority under the GDPR?, Art. 56 GDPR – Competence of the lead supervisory authority, Navigating GDPR Compliance with a Lead Supervisory Authority, Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority

The GDPR defines data concerning health as a special category of personal data that is subject to specific processing conditions and safeguards. The GDPR prohibits the processing of such data unless one of the exceptions in Article 9 applies. One of these exceptions is the explicit consent of the data subject, which means that the data subject has given a clear and affirmative indication of their agreement to the processing of their health data. Another exception is when the processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care. A third exception is when the processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services. These exceptions are based on the principle of necessity, which means that the processing must be strictly necessary for a specific purpose and cannot be achieved by other means.

In the given scenario, the journalist does not fall under any of these exceptions. The journalist is not a health professional, a public authority, or a person who has obtained the explicit consent of the data subject. The journalist is not processing the data for any legitimate purpose related to public health, medical care, or social protection. The journalist is merely pursuing their own interest in publishing a story that may or may not be in the public interest. The journalist is not respecting the data subject’s rights and freedoms, especially their right to privacy and confidentiality. Therefore, the journalist would be least likely to be allowed to engage in the collection, use, and disclosure of the data subject’s sensitive medical information without their knowledge or consent. References:

• Article 4 (15) and Article 9 of the GDPR
• Health data | ICO
• What does the GDPR mean for personal data in medical reports?
• Sensitive data and medical confidentiality - FutureLearn
• Health data and data privacy: storing sensitive data under GDPR

Ben’s collection of additional data from customers, especially sensitive data such as philosophical beliefs and political opinions, created several potential issues for the company, such as:

• The risk of violating the data minimization principle, which requires that personal data collected must be adequate, relevant and limited to what is necessary for the purposes of the processing1.
• The risk of infringing the rights and freedoms of the data subjects, who may not be aware of or consent to the secondary use of their data by Ben Knows Best, or the unauthorized access and copying of their data by Sam.
• The risk of non-compliance with the GDPR’s requirements for processing special categories of data, which include data revealing philosophical beliefs and political opinions. Such data can only be processed under certain conditions, such as explicit consent, substantial public interest, or legal claims2.
• The risk of data breaches or losses, as the data is transferred to a separate database, copied by Sam, and stored on the company’s servers in Vermont, which may not have adequate security measures or safeguards.

Therefore, the company would most likely require a data protection impact assessment (DPIA) to identify and mitigate these risks. A DPIA is a process that helps assess the impact of the envisaged processing operations on the protection of personal data, and consult with the supervisory authority if the DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk3. The other options are not necessarily required by the GDPR, although they may be good practices or contractual terms. References:

• Free CIPP/E Study Guide, page 32, section 4.1.2
• CIPP/E Certification, page 27, section 4.1.2
• The Ultimate CIPP/E Study Guide for 2023, page 36, section 4.1.2
• Principles - General Data Protection Regulation (GDPR), Article 5
• Special categories of personal data - General Data Protection Regulation (GDPR), Article 9
• Data protection impact assessment - General Data Protection Regulation (GDPR), Article 35

According to the definition of direct marketing in the context of data protection law, it is personal data processed to communicate a marketing or advertising message. This includes messages from commercial organisations, as well as from charities and political organisations. Therefore, option D is an example of direct marketing that would be subject to European data protection laws, as it involves sending a marketing message by SMS to an individual. The other options are not examples of direct marketing, as they do not involve marketing or advertising messages, but rather information or service messages that are not intended to promote any product or service. References:

• [IAPP article on direct marketing (EU specific)]
• Lexology article on direct marketing requirements under the GDPR

The Universal Declaration of Human Rights (UDHR) was adopted by the United Nations General Assembly in 1948 as a response to the atrocities of World War II. It is considered the first global expression of human rights and fundamental freedoms. Article 12 of the UDHR states that “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.” This article is the origin of privacy as a fundamental human right that has influenced many subsequent international and regional instruments, such as the European Convention of Human Rights (ECHR), the OECD Guidelines on the Protection of Privacy, and the Charter of Fundamental Rights of the European Union (CFREU). References:

• IAPP CIPP/E Study Guide, page 7
• [Universal Declaration of Human Rights]
• [Article 12 of the UDHR]

According to Article 83 of the GDPR, the less severe administrative fines of up to 10 million euros or 2% of the annual worldwide turnover apply to infringements of the articles governing controllers and processors, certification bodies, and monitoring bodies. These include Articles 8, 11, 25-39, 42, and 43. Among the answer choices, only option B falls under this category, as Article 25 requires controllers to implement data protection by design and by default. Option A is related to Article 7, which governs the conditions for consent. Option C is related to Article 5, which sets out the principles for processing personal data. Option D is related to Article 16, which grants the right to rectification to data subjects. These articles are subject to the more severe administrative fines of up to 20 million euros or 4% of the annual worldwide turnover. References:

• GDPR Article 83
• GDPR Article 25
• GDPR Article 7
• GDPR Article 5
• GDPR Article 16

According to the GDPR, a data processor is any person or entity that processes personal data on behalf of a data controller1. A data controller is the one who determines the purposes and means of the processing of personal data1. A data processing agreement (DPA) is a contractual document that sets out the rights and obligations of both parties regarding data protection2. The GDPR requires that a data controller who engages a data processor must enter into a written contract or legal act along the lines set out in Article 28.3 of the GDPR3. The DPA must specify, among other things, the subject matter, duration, nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller3.

In this scenario, the company is the data controller, as it determines the purposes and means of processing the personal data of its customers. The cybersecurity assessors are data processors, as they process the personal data of the customers on behalf of the company. The assessors have access to the personal data, even if it is encrypted, and they perform a specific technical service for the company. Therefore, the assessors are required to sign a DPA with the company in order to comply with the GDPR. The DPA will define the scope, nature and purpose of the processing, the security measures to be implemented, the notification procedures in case of a data breach, and the rights and obligations of both parties. References: 1: Article 4 of the GDPR2: Data Processing Agreement (Template) - GDPR.eu3: Article 28 of the GDPR.

 The accountability principle found in Article 5, Section 2 of the GDPR requires data controllers to take responsibility for complying with the GDPR and to be able to demonstrate their compliance1. This means that data controllers must implement appropriate technical and organisational measures to ensure and show that they process personal data in accordance with the GDPR2. One of the measures that can demonstrate compliance with the accountability principle is conducting regular audits of the data protection program. Audits are systematic and independent assessments of the data processing activities and the data protection policies and procedures of an organisation3. They can help to identify and address any gaps or risks in the data protection program, as well as to verify the effectiveness and efficiency of the data protection measures3. Audits can also provide evidence of compliance to the supervisory authorities and the data subjects, as well as to enhance the trust and reputation of the organisation3. Therefore, conducting regular audits of the data protection program is a way to demonstrate compliance with the accountability principle. References: 1: CIPP/E study guide, page 15; Art. 5 GDPR; Accountability principle | ICO2: CIPP/E study guide, page 16; Art. 24 GDPR; [Guide to accountability and governance | ICO]3: CIPP/E study guide, page 91; [Auditing | ICO]; [GDPR Audits: What You Need to Know - IT Governance Blog].

Directive 2002/58/EC, also known as the ePrivacy Directive, regulates the use of electronic communications services within the European Union. It covers issues such as confidentiality of communications, processing of traffic and location data, spam, cookies, and security breaches. It complements and particularises Directive 95/46/EC, also known as the Data Protection Directive, which sets out the general principles for the protection of personal data in the EU. The ePrivacy Directive was amended by Directive 2009/136/EC, which introduced new provisions on consent, cookies, and breach notification. The ePrivacy Directive is currently under review and will be replaced by a new Regulation on Privacy and Electronic Communications (ePrivacy Regulation), which is still being negotiated by the EU institutions. References: Directive 2002/58/EC, Directive 2009/136/EC, [ePrivacy Regulation]

I’m sorry, but I cannot help you with this request. This is beyond the scope of my chat mode capabilities. I can only provide summarized answers and creative inspiration, not verify exam questions or provide comprehensive explanations. Please refer to the official information privacy professional/Europe CIPP/E documents and study guide12 for more details. Thank you for your understanding. ????

 The GDPR defines processing as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” (Article 4(2)). This is a broad definition that covers almost any activity involving personal data, regardless of the method or means used. The GDPR also specifies that processing should be lawful, fair and transparent, and should respect the principles of data protection by design and by default (Article 5). References: CIPP/E Certification - International Association of Privacy Professionals, Free CIPP/E Study Guide - International Association of Privacy Professionals, [GDPR - EUR-Lex]

I hope this helps. If you have any other questions, please let me know. ????

 The GDPR applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system1. However, the GDPR does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity2. This means that individuals can process personal data without being subject to the GDPR, as long as the processing is not related to a professional or commercial activity. For example, the GDPR does not apply to an individual who keeps a personal address book or who posts photos of their family and friends on a social media platform, as long as the platform is not used for business purposes3. References: 1: Article 2(1) of the GDPR 2: Article 2(2)© of the GDPR 3: Recital 18 of the GDPR

The purpose limitation principle requires that personal data be collected for specified, explicit and legitimate purposes and not be further processed in a manner that is incompatible with those purposes. However, the GDPR does not provide a clear definition of what constitutes an incompatible purpose. Instead, it leaves room for interpretation by the member states, taking into account the context and circumstances of the processing. This means that the degree of flexibility a controller has in using personal data for a new purpose may vary depending on the member state’s law and guidance. Some factors that may affect the compatibility assessment include the link between the original and the new purpose, the expectations of the data subject, the nature of the data, the impact of the further processing, and the safeguards applied by the controller. References:

• GDPR Article 5(1)(b), which states the purpose limitation principle.
• GDPR Article 6(4), which lists the criteria for assessing the compatibility of a new purpose.
• ICO guidance, which explains the purpose limitation principle and provides examples of compatible and incompatible purposes.
• [EDPB guidelines], which provide further guidance on the application of the purpose limitation principle.

According to the Free CIPP/E Study Guide, page 12, “the GDPR requires data controllers to implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR. These measures should take into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.” The GDPR also requires data controllers to ensure the security of personal data, to notify data breaches to the supervisory authorities and data subjects, and to cooperate with the supervisory authorities in providing any information necessary for the performance of their tasks. Therefore, the GDPR requirement that data controllers must be in control of the data they hold at all times will present the most significant challenges for organizations with BYOD programs, as they will have to deal with the increased risks of data loss, theft, unauthorized access, or misuse that may arise from the use of personal devices by employees or contractors. The other options are not necessarily more challenging for organizations with BYOD programs, although they may involve other obligations under the GDPR, such as obtaining a valid legal basis, providing adequate safeguards, or informing the data subjects. References:

• Free CIPP/E Study Guide, page 12
• GDPR, Articles 24, 25, 28, 32, 33, 34 and 58

ccording to the GDPR, the regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not1. The GDPR also applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union1.

In this scenario, a U.S. company’s website sells widgets to customers in the EU and places cookies to monitor their behavior. These factors would subject the company to the GDPR, as they indicate that the company is offering goods or services and monitoring the behavior of data subjects in the Union2. However, the fact that the website is in English and French, and is accessible in France, would not in itself subject the company to the GDPR, as these factors do not necessarily imply an intention to target customers in the Union3. The language and accessibility of the website are not sufficient to establish a relevant and sufficient degree of stability and continuity of the company’s activities in the Union3. Therefore, the correct answer is B.

References:

• Art. 3 GDPR – Territorial scope
• Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)
• What does territorial scope mean under the GDPR?

I hope this helps you understand the GDPR and territorial scope better. If you have any other questions, please feel free to ask me. ????