CIPP-E Certified Information Privacy Professional/Europe (CIPP/E) Questions and Answers

The GDPR does not explicitly regulate background checks, but it does apply to the processing of personal data that may be obtained or used during such checks. Therefore, the company must comply with the GDPR principles, such as lawfulness, fairness, transparency, data minimization, purpose limitation, accuracy, storage limitation, integrity and confidentiality, and accountability. The company must also identify a lawful basis for processing personal data, such as legal obligation, legitimate interest, or consent, and respect the data subject rights, such as the right to information, access, rectification, erasure, restriction, objection, and portability. Moreover, the company must be aware of the specific rules and restrictions regarding the processing of special categories of data (such as biometric, health, or political data) and data relating to criminal convictions and offences, which are subject to Article 10 of the GDPR and the laws of each member state. The company must also consider the national employment laws and the guidelines of the relevant supervisory authorities, which may impose additional conditions or limitations on the scope, methods, and purposes of background checks. For example, some member states may require prior authorization, notification, or consultation with the supervisory authority, the data subject, or the works council before conducting background checks. Some member states may also prohibit or restrict certain types of background checks, such as social media screening, credit checks, or criminal record checks, unless they are necessary, proportionate, and relevant for the specific job position or sector. Therefore, the company must conduct a thorough assessment of the legal framework and the risks and benefits of background checks in each member state where it operates or recruits employees, and ensure that it has a clear and consistent policy and procedure for conducting background checks in a GDPR-compliant manner. References: How to ‘background check’ under the GDPR, How to perform GDPR compliant background checks, GDPR and the processing of criminal conviction data across Europe, Pre-employment vetting: Data protection and criminal records, How GDPR Affects Background Checking

According to the CIPP/E study guide, data controllers should use the least intrusive means of verifying the identity of data subjects who make requests under the GDPR. Asking for a copy of an ID document or a bank account statement may be disproportionate and excessive, as they contain more personal data than necessary for authentication. Asking for the bank account number may not be sufficient, as it may be easily obtained by third parties. Therefore, the most appropriate way to confirm the identity of the customer is to ask additional security questions that only the customer would know, such as the date of the last transaction, the amount of the last deposit, or the name of the beneficiary of a recurring payment.

References: CIPP/E Study Guide, page 28; CIPP/E Textbook, page 136.

The GDPR applies to all personal data, regardless of whether it exists in physical form or not. The GDPR defines personal data as any information relating to an identified or identifiable natural person, such as names, identification numbers, location data, or online identifiers1. Therefore, any information that can be linked directly or indirectly to a natural person is considered personal data under the GDPR.

However, the GDPR also distinguishes between different types of processing activities and their legal bases. Processing activities are the operations performed on personal data, such as collection, storage, use, disclosure, or deletion. Processing activities can be either automated or manual. Automated processing means using technology to perform processing activities without human intervention. Manual processing means using human intervention to perform processing activities.

The GDPR requires that any processing activity that involves personal data must comply with certain principles and conditions, such as lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality. These principles and conditions apply to both automated and manual processing activities.

Therefore, the GDPR applies to personal data that exists in physical form only when it is processed by an automated means in some way that affects its rights and freedoms. For example, if a company scans paper documents and stores them electronically in a database without deleting them after a certain period of time or when they are no longer needed for the original purpose for which they were collected (Article 6), then this would be considered an automated processing activity that involves personal data in physical form.

However, the GDPR does not apply to personal data that exists in physical form when it is handled in a sufficiently structured manner so as to form part of a filing system. For example, if a company keeps paper documents in folders labeled with names and dates on their office shelves without scanning them or storing them electronically anywhere else (Article 5), then this would not be considered an automated processing activity that involves personal data in physical form.

References:

Physical Data - GDPR Summary

What GDPR Means for Your Physical Records - Access

Personal Data - Data Protection Act 2018

According to the transparency principle, data controllers must provide clear and transparent information to data subjects about how their personal data is processed. This information must be easily accessible and easy to understand. Providing a hyperlink to the organization’s home page, in a hard copy application form, is not considered a fair processing practice in relation to the transparency principle, because it does not directly inform the data subject about the specific purposes and legal basis of the processing, the data protection rights and obligations, and the contact details of the data controller and the data protection officer. This information should be provided in a concise, intelligible and easily accessible form, using clear and plain language, in a way that is appropriate to the means of communication. Providing a hyperlink to the organization’s home page, in a hard copy application form, does not meet these criteria and may also be inaccessible to some data subjects who do not have internet access or are not familiar with the use of hyperlinks. Therefore, this option is not a fair processing practice in relation to the transparency principle. References: 1234 https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guidance-for-the-use-of-personal-data-in-political-campaigning-1/lawful-fair-and-transparent- processing/ https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guidance-for-the-use-of-personal-data-in-political-campaigning-1/lawful-fair-and-transparent-processing/

 According to the European Data Protection Board, the principles relating to the processing of personal data under EU data protection law are: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability1. These principles imply certain concepts or practices that data controllers and processors should follow, such as access control management, frequent pseudonymization key rotation, and error propagation avoidance along the processing chain2. However, data ownership allocation is not a concept or practice that follows from these principles, as the GDPR does not recognize the notion of data ownership by either the data subject or the data controller3. Therefore, option A is the correct answer. References:

Data protection basics

Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects

CIPP/E Study Guide, page 11

Under the GDPR, the lead supervisory authority is determined by where the main establishment related to the processing activity is located.

In this case, even though the company's headquarters is in Germany, the SaaS application was specifically defined and implemented by the Polish establishment. This indicates that the Polish establishment has the primary role in determining the purposes and means of processing personal data related to that SaaS service. Therefore, the supervisory authority of Poland would be the lead supervisory authority for this specific processing activity.

References:

GDPR Article 56 - Competence of the lead supervisory authority

IAPP CIPP/E textbook, Chapter 3: EU General Data Protection Regulation (specifically, sections on One-Stop Shop mechanism and lead supervisory authority)

According to the Free CIPP/E Study Guide, page 12, “the GDPR requires data controllers to implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR. These measures should take into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.” The GDPR also requires data controllers to ensure the security of personal data, to notify data breaches to the supervisory authorities and data subjects, and to cooperate with the supervisory authorities in providing any information necessary for the performance of their tasks. Therefore, the GDPR requirement that data controllers must be in control of the data they hold at all times will present the most significant challenges for organizations with BYOD programs, as they will have to deal with the increased risks of data loss, theft, unauthorized access, or misuse that may arise from the use of personal devices by employees or contractors. The other options are not necessarily more challenging for organizations with BYOD programs, although they may involve other obligations under the GDPR, such as obtaining a valid legal basis, providing adequate safeguards, or informing the data subjects. References:

Free CIPP/E Study Guide, page 12

GDPR, Articles 24, 25, 28, 32, 33, 34 and 58

According to Article 46 of the GDPR, in the absence of an adequacy decision by the European Commission, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. One of the possible appropriate safeguards is the use of standard data protection clauses adopted by the Commission or by a supervisory authority. However, Article 46(5) states that the possibility for the controller or processor to use standard data protection clauses adopted by the Commission or by a supervisory authority shall not affect the possibility for the controller or processor to rely upon other appropriate safeguards provided for in paragraph 2 of this Article, provided that they ensure that data subjects have enforceable and effective rights as regards the processing of their data. Therefore, in this case, Jackie’s recommendation of requiring UpFinance to notify ProStorage if it receives a government request for personal data UpFinance processes on its behalf prior to disclosing such data is an additional measure that could be considered as an appropriate safeguard, especially since UpFinance implements several data protection measures, including end-to-end encryption, with encryption keys held by the customer, which would ensure a high level of security and confidentiality of the personal data transferred. References:

Article 46 of the GDPR

IAPP CIPP/E Study Guide, page 67

 According to Article 13 of the GDPR, when personal data are collected from the data subject, the controller shall provide the data subject with certain information, such as the purposes and legal basis of the processing, the recipients or categories of recipients of the personal data, and the existence of the data subject’s rights. This information shall be provided at the time when personal data are obtained. The purpose of this requirement is to ensure that the data subject is informed and aware of how their personal data will be used and shared, and to enable them to exercise their rights accordingly. Therefore, customers shall receive a clear and conspicuous notice about such data sharing before submitting their data during the registration process. References:

Article 13 of the GDPR

IAPP CIPP/E Study Guide, page 32

 According to the GDPR, the lead supervisory authority is the supervisory authority with the primary responsibility for dealing with a cross-border processing activity, for example when a data subject makes a complaint about the processing of his or her personal data. The lead supervisory authority is determined according to the location of the main establishment or the single establishment of the controller or processor in the EU. The main establishment is the place where the decisions about the purposes and means of the processing are taken, or where the controller has its central administration in the EU. The single establishment is the only place where the controller or processor is established in the EU. Therefore, in this scenario, T-Craze’s lead supervisory authority is Germany, because that is where T-Craze is headquartered and where it has its main product-design office, which implies that the decisions about the processing of personal data are taken there. The other options are not correct, because the location of the processing, the market or the affiliates are not relevant for determining the lead supervisory authority. References: Free CIPP/E Study Guide, page 39; CIPP/E Certification, page 19; GDPR, Article 4(16), Article 4(22), Article 56, Recital 36.

The GDPR establishes a two-tier system of administrative fines for infringements of its provisions, depending on the nature, gravity, and duration of the infringement, as well as other factors such as the intentional or negligent character of the infringement, the actions taken to mitigate the damage, the degree of co-operation with the supervisory authority, and any previous infringements1. The lower tier of fines can be up to 10 million euros or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher1. The lower tier of fines applies to infringements of the GDPR relating to the following aspects1:

The obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, and 42 and 43;

The obligations of the certification body pursuant to Articles 42 and 43;

The obligations of the monitoring body pursuant to Article 41 (4). The higher tier of fines can be up to 20 million euros or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher1. The higher tier of fines applies to infringements of the GDPR relating to the following aspects1:

The basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7, and 9;

The data subjects’ rights pursuant to Articles 12 to 22;

The transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49;

Any obligations pursuant to Member State law adopted under Chapter IX;

Non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58 (2) or failure to provide access in violation of Article 58 (1). Therefore, higher fines are assessed for GDPR violations due to violations of a data subject’s rights, as these are among the infringements that fall under the higher tier of fines. Data subjects’ rights are the rights granted to individuals whose personal data are processed by controllers or processors, such as the right to access, rectify, erase, restrict, object, or port their data, as well as the right to be informed, to withdraw consent, and to lodge a complaint1. Violations of these rights can cause significant harm to the data subjects and undermine the objectives of the GDPR. Therefore, option D is the correct answer. References: Art. 83 GDPR – General conditions for imposing administrative fines, Article 83 GDPR - GDPRhub

 A lead supervisory authority (LSA) is the main point of contact for organisations that process personal data across multiple EU member states. The LSA is responsible for coordinating cross-border investigations, issuing binding decisions, and enforcing GDPR compliance1. Cross-border processing is the main concern of the LSA, as it involves data processing activities that affect data subjects in more than one member state, or that take place in more than one member state2. The other options are not the main concern of the LSA, as they are either covered by the national supervisory authorities of each member state, or are not specific to cross-border processing. References: Is it possible to choose your lead supervisory authority under the GDPR?, Art. 56 GDPR – Competence of the lead supervisory authority, Navigating GDPR Compliance with a Lead Supervisory Authority, Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority

Article 82 of the GDPR1234 regulates the right to compensation and liability for any person who has suffered material or non-material damage as a result of an infringement of the GDPR.

Paragraph 4 of Article 821234 states that a controller or processor shall be exempt from liability under paragraph 2 (which holds them liable for the damage caused by processing which infringes the GDPR) if it proves that it is not in any way responsible for the event giving rise to the damage.

Therefore, the right to compensation and liability under the GDPR provides for an exemption from liability if the data controller (or data processor) proves that it is not in any way responsible for the event giving rise to the damage.

References:

1: Art. 82 GDPR – Right to compensation and liability - General Data Protection Regulation (GDPR)

2: Art. 82 GDPR - Right to compensation and liability - GDPR.eu

3: GDPR Article 82: Right to compensation and liability - Advisera

4: Article 82 GDPR | Right to compensation and liability

 According to the UK GDPR, employees have the right to access and receive a copy of their personal data, and other supplementary information, from their employer. This is known as a data subject access request (DSAR). Employers must respond to a DSAR without delay and within one month of receipt of the request, unless the request is complex or excessive. Employers should perform a reasonable search for the requested information and provide it in an accessible, concise and intelligible format. Employers can only refuse to provide the information if an exemption or restriction applies, or if the request is manifestly unfounded or excessive. Some of the exemptions that may apply in the employment context are: legal privilege, management forecasting, confidential references, negotiations, regulatory functions, and criminal convictions and offences. Employers should disclose the information securely and inform the employee of their rights and the source of the data. References:

Right of access | ICO

Subject access request Q and As for employers | ICO

Data Subject Access Request (Employers’ Guide) | DavidsonMorris

 The GDPR applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system1. However, the GDPR does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity2. This means that individuals can process personal data without being subject to the GDPR, as long as the processing is not related to a professional or commercial activity. For example, the GDPR does not apply to an individual who keeps a personal address book or who posts photos of their family and friends on a social media platform, as long as the platform is not used for business purposes3. References: 1: Article 2(1) of the GDPR 2: Article 2(2)© of the GDPR 3: Recital 18 of the GDPR

 The GDPR requires that consent must be freely given, specific, informed and unambiguous1. This means that app developers must provide clear and transparent information about the purposes and legal basis of the data processing, and allow users to choose which types of processing they agree to and which they do not. For example, users should be able to consent separately to different types of cookies, such as functional, analytical or marketing cookies2. Users should also be able to withdraw their consent at any time as easily as they gave it1. Therefore, app design and implementation must take into account these requirements and provide users with granular and user-friendly consent options, rather than relying on pre-ticked boxes, implied consent or default settings3. References: 1 Art. 4 (11) and Art. 7 GDPR – Definitions and Conditions for consent - General Data Protection Regulation (GDPR)2 Guidelines 05/2020 on consent under Regulation 2016/679 - European Data Protection Board3 How To Make Compliant GDPR Consent Forms (With Examples) - Termly.

The GDPR is the EU’s general data protection regulation that applies to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not. The GDPR also applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to the offering of goods or services to data subjects in the EU or the monitoring of their behaviour as far as their behaviour takes place within the EU. The GDPR sets out the principles, rights and obligations for the protection of personal data, as well as the enforcement and cooperation mechanisms among the data protection authorities and the European Data Protection Board.

The Digital Services Act (DSA), the Data Governance Act (DGA) and the Digital Markets Act (DMA) are part of the EU’s digital strategy that aims to create a single market for data and digital services, by supporting responsible access, sharing and re-use of data, while respecting the values of the EU and in particular the protection of personal data. These legal acts do not change or replace the GDPR, but rather complement and reinforce it, by addressing specific issues and challenges related to the digital economy and society. The DSA, the DGA and the DMA explicitly state that they apply without prejudice to the GDPR and that they respect and uphold the fundamental rights and freedoms of individuals, including the right to the protection of personal data.

The DSA is a proposal for a regulation that seeks to harmonise the rules and responsibilities of online intermediaries, such as platforms, hosting services, cloud providers and online marketplaces, in order to ensure a safe and trustworthy online environment for users and businesses. The DSA introduces a set of obligations for online intermediaries, such as transparency, accountability, due diligence, cooperation and reporting, depending on their size, role and impact. The DSA also establishes a new governance and cooperation system among the national authorities and the European Commission, as well as a mechanism for out-of-court dispute resolution.

The DGA is a proposal for a regulation that aims to foster the availability of data for use by increasing trust in data intermediaries and by strengthening data-sharing mechanisms across the EU. The DGA introduces a new legal framework for data sharing services, such as data brokers, data marketplaces, data trusts and data cooperatives, that facilitate data exchange between data holders and data users. The DGA also sets out rules and requirements for data altruism, which is the voluntary consent of individuals or organisations to share data for the common good. The DGA also establishes a new governance model for data sharing in the EU, involving the European Data Innovation Board, the national competent authorities and the European Commission.

The DMA is a proposal for a regulation that intends to limit the power of large online platforms that act as gatekeepers in the digital market, by imposing a set of obligations and prohibitions to prevent unfair practices and ensure fair and open competition. The DMA defines the criteria and the procedure for identifying the gatekeepers, such as search engines, social networks, online marketplaces, app stores and cloud services, that have a significant impact and influence in the digital economy. The DMA also provides for the supervision and enforcement of the rules by the European Commission, as well as the possibility of imposing fines and sanctions for non-compliance.

References:

GDPR, Articles 1, 2, 3, 4, 5, 6, 7, 8, and 9.

DSA, Articles 1, 2, 3, 4, 5, 6, 7, 8, 9, and 10.

DGA, Articles 1, 2, 3, 4, 5, 6, 7, 8, 9, and 10.

DMA, Articles 1, 2, 3, 4, 5, 6, 7, 8, 9, and 10.

According to the CJEU, the ePrivacy Directive does not define the concept of consent, but refers to the GDPR for its interpretation1. Therefore, the GDPR standard of consent applies to the use of cookies and similar technologies that require consent under the ePrivacy Directive. The GDPR defines consent as any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her2. The CJEU also clarified that the consent requirements apply regardless of whether the cookies constitute personal data or not, as the ePrivacy Directive covers any information stored or accessed on the user’s device1. The other options are incorrect, as the CJEU ruled that pre-checked boxes, implicit consent by scrolling, and insufficient information on the cookies do not meet the GDPR standard of consent1. References:

Free CIPP/E Study Guide, page 14, section 2.3

GDPR, Article 4 (11)

ePrivacy Directive, Article 5 (3)

Planet49: CJEU Rules on Cookie Consent

CURIA - List of results

 A data sharing agreement is a contract that documents what data is being shared and how it can be used. It can be used to make data sharing lawful and to demonstrate compliance with the accountability principle under the GDPR. A data sharing agreement is most likely to be needed when personal data is being shared between commercial organizations acting as joint data controllers, because they have to determine and agree on their respective roles and responsibilities, such as the purpose and legal basis of the data sharing, the rights of the data subjects, the security measures, and the liability for any breaches. A data sharing agreement is not mandatory, but it is good practice and can help to avoid disputes and confusion. A data sharing agreement may not be needed or may be less detailed in the other scenarios, depending on the circumstances and the nature of the data. For example, anonymized data is not personal data under the GDPR and does not require a data sharing agreement, although it may still be subject to other contractual or ethical obligations. Personal data that is proactively shared by a controller to support a police investigation may be covered by a legal obligation or a public interest, and the controller may not have much control over how the data is used by the police. Personal data that is shared with a public authority with powers to require the personal data to be disclosed may also be subject to a legal obligation or a public interest, and the controller may have to comply with the authority’s request without a data sharing agreement. References:

Data sharing agreements | ICO, which provides guidance on the benefits and contents of a data sharing agreement.

Data Sharing Agreement - the Definition - GDPR Summary, which explains what a data sharing agreement is and when it can be used.

The role of data sharing and the GDPR | Data Republic, which discusses the impact of the GDPR on data sharing practices.

An adequacy decision is a decision adopted by the European Commission, which determines that a third country, a territory or one or more specified sectors within a third country, or an international organisation ensures an adequate level of protection of personal data1. This means that the third country or organisation provides a level of protection that is essentially equivalent to that guaranteed within the European Union (EU), taking into account its domestic law and international commitments, as well as the respect for the rule of law, human rights and fundamental freedoms, relevant legislation, and the existence and effective functioning of independent supervisory authorities1. An adequacy decision is one of the transfer tools that can be used to transfer personal data to a third country or organisation without requiring any further authorisation1. However, an adequacy decision is not permanent and can be amended, suspended or repealed by the Commission at any time, if the conditions are no longer met1. Therefore, according to the recommendations of the European Data Protection Board (EDPB), the additional action that should be taken when a transfer to a third country is based upon an adequacy decision is to monitor changes in the law or practice of the third country that would lower the level of protection of personal data2. This means that the data exporter should stay informed of any developments in the third country or organisation that could affect the validity of the adequacy decision, and take appropriate measures if the level of protection is no longer adequate2. The data exporter should also cooperate with the competent supervisory authority and inform it of any issues that may affect the compliance with the adequacy decision2. Therefore, option D is the correct answer. References: Art. 45 GDPR – Transfers on the basis of an adequacy decision, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data

According to the General Data Protection Regulation (GDPR), a data processor is a natural or legal person, agency, public authority, or any other body who processes personal data on behalf of a data controller. A data controller is a natural or legal person, agency, public authority, or any other body who, alone or jointly with others, determines the purposes and means of the processing of personal data. The GDPR imposes specific obligations and responsibilities on both data controllers and data processors, and requires them to enter into a written contract or other legal act that sets out the subject matter, duration, nature, and purpose of the processing, as well as the obligations and rights of the data controller.

In this scenario, BHealthy is the data controller, as it determines the purpose and means of collecting and sharing its customer information with Natural Insight. Natural Insight is the data processor, as it processes the customer information on behalf of BHealthy for the purpose of determining the price point for BHealthy’s new sunscreens. However, Natural Insight also intends to use the customer information for its own purpose of improving its algorithms, which may not be aligned with BHealthy’s purpose or instructions. This may constitute a breach of the data processing contract and the GDPR, as the data processor must only process the personal data on documented instructions from the data controller, unless required to do so by EU or member state law (Article 28(3)(a) of the GDPR).

Therefore, the only case in which Natural Insight’s use of BHealthy’s data for improvement of its algorithms would be considered data processor activity is if Natural Insight receives express contractual instructions from BHealthy to use its data for improving its algorithms. This would mean that BHealthy has given its consent and authorization for Natural Insight to process the data for that specific purpose, and that Natural Insight is acting in accordance with BHealthy’s instructions. In this case, Natural Insight would still be bound by the data processing contract and the GDPR, and would have to comply with the other obligations and requirements of a data processor, such as ensuring the security of the data, respecting the conditions for engaging another processor, assisting the data controller in ensuring compliance with the GDPR, and deleting or returning the data to the data controller after the end of the service.

The other options are not valid cases for data processor activity, as they do not involve the data controller’s instructions or consent. If Natural Insight uses BHealthy’s data for improving price point predictions only for BHealthy, it may still be processing the data for a different purpose than the one for which it was collected and shared, and without BHealthy’s knowledge or approval. If Natural Insight agrees to be fully liable for its use of BHealthy’s customer information in its product improvement activities, it may still be violating the data processing contract and the GDPR, as it is not acting on behalf of the data controller, but for its own benefit. If Natural Insight satisfies the transparency requirement by notifying BHealthy’s customers of its plans to use their information for its product improvement activities, it may still be infringing the data controller’s rights and obligations, as it is not the data controller’s role to inform the data subjects of the processing activities, and it may not have a lawful basis for processing the data for its own purpose.

References:

GDPR

Data Controllers and Processors - GDPR EU

Who does the UK GDPR apply to? | ICO

What Activities Count as Processing Under the GDPR?

What constitutes data processing? - European Commission

 According to Article 32 of the GDPR, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the pseudonymisation and encryption of personal data. Encryption is a key security measure to protect the confidentiality, integrity and availability of personal data, especially when it is transferred between different entities or locations. Encryption ensures that only authorised parties can access and modify the data, and prevents unauthorised or unlawful access, disclosure, alteration or destruction. Encryption also reduces the risk of data breaches and the potential harm to the data subjects. Therefore, encrypting the transferred data in transit and at rest would be the most important security measure to apply to the health data transmission. References:

Article 32 of the GDPR

IAPP CIPP/E Study Guide, page 58

The Universal Declaration of Human Rights (UDHR) was adopted by the United Nations General Assembly in 1948 as a response to the atrocities of World War II. It is considered the first global expression of human rights and fundamental freedoms. Article 12 of the UDHR states that “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.” This article is the origin of privacy as a fundamental human right that has influenced many subsequent international and regional instruments, such as the European Convention of Human Rights (ECHR), the OECD Guidelines on the Protection of Privacy, and the Charter of Fundamental Rights of the European Union (CFREU). References:

IAPP CIPP/E Study Guide, page 7

[Universal Declaration of Human Rights]

[Article 12 of the UDHR]

According to the WP29’s “Guidelines on Personal data breach notification under Regulation 2016/679’’, the communication of a personal data breach to the data subjects should be clear, concise, transparent, easily accessible and understandable, and use clear and plain language. The communication should also be made as soon as reasonably feasible and in close cooperation with the supervisory authority. The guidelines provide some examples of methods that may be effective for communicating a breach to data subjects, such as a direct electronic message (e.g. email, SMS, direct message), a postal notification, a prominent advertisement in print media, or a notice on the homepage of the affected website. However, the guidelines also state that a notice on a corporate blog or social media would not be an effective method of communication, as it would not reach all the affected data subjects and would not allow them to take immediate action to protect themselves. Therefore, the correct answer is C. A notice on a corporate blog. References:

WP29’s “Guidelines on Personal data breach notification under Regulation 2016/679’’, pages 20-211

A DPIA is not a one-time activity. While it's crucial to conduct a DPIA before implementing a new system that processes personal data (like the fingerprint system), the GDPR requires organizations to review and update their DPIAs periodically, especially when there are changes that might affect the risk to data subjects.

Here's why the other options are incorrect:

A. After the complaint of the supporter: While a complaint might trigger a review of the processing, the DPIA should have been done proactively before any issues arose.

C. At the end of every match of the season: This frequency is excessive and doesn't align with the idea of assessing risks when changes occur.

D. After the AEPD notification of the investigation: Similar to option A, this is reactive rather than proactive.

References:

GDPR Article 35 - Data protection impact assessment

IAPP CIPP/E textbook, Chapter 4: Accountability and Data Governance (specifically, sections on DPIAs and ongoing review)

WP29 Guidelines on Data Protection Impact Assessment (DPIA)

After determining the scope of a ransomware attack, the organization should assess the risks associated with the breach. This risk assessment will help determine whether notification of affected individuals and regulatory bodies is required. If notification is required, it should be done within the relevant timeframes.

References:

IAPP CIPP/E textbook, Chapter 5: Data Breach Notification

IAPP CIPP/E Study Guide, Domain 3: Incident Response

According to Article 28(3)(f) of the GDPR, the written agreement between the controller and the processor must include an obligation on the processor to assist the controller in ensuring compliance with the controller’s obligations pursuant to Articles 32 to 36 of the GDPR. These obligations include notifying the supervisory authority and the data subjects about personal data breaches, as well as conducting data protection impact assessments and consulting with the supervisory authority when required. The processor must assist the controller by taking appropriate technical and organisational measures, insofar as this is possible, and considering the nature of the processing and the information available to the processor. References:

GDPR Article 28(3)(f)

CIPP/E Textbook, Chapter 6, Section 6.2.2, page 154

Free CIPP/E Study Guide, page 18

 According to Article 13 of the GDPR, when personal data are collected from the data subject, the data controller must provide the data subject with the following information, among others1:

The identity and the contact details of the controller and, where applicable, of the controller’s representative;

The contact details of the data protection officer, where applicable;

The purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

The recipients or categories of recipients of the personal data, if any;

Where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

In the scenario, Wonderkids provides some of this information in their Privacy Statement, but not all. They do not specify the categories of recipients with whom they will share the personal data of their customers and their children. They only state that they will share the data with businesses that they see as adding real value to the customers, which is vague and ambiguous. This does not comply with the GDPR requirement to inform the data subjects about the recipients or categories of recipients of their personal data, if any. Therefore, Wonderkids must provide this additional information in their Privacy Statement.

References:

1: Art. 13 GDPR Information to be provided where personal data are collected from the data subject

The European model for data protection is best described as comprehensive, because it covers all sectors and types of data processing, and applies to any organization that targets or collects data related to people in the EU. The GDPR is the main legal instrument of this model, and it establishes a set of principles, rights, and obligations for data protection, as well as a harmonized framework for enforcement and cooperation among EU member states and data protection authorities. The GDPR also aims to ensure consistency with other EU laws and policies, such as the ePrivacy Directive, the Charter of Fundamental Rights, and the European Data Strategy. The European model for data protection is based on the recognition of data protection as a fundamental right and a public interest, and it reflects the EU’s values and objectives of promoting human dignity, democracy, and the rule of law. References:

Data protection in the EU, section “Legislation”

What is GDPR, the EU’s new data protection law?, section “What is the GDPR?”

European Data Protection, Third Edition, page 1, section “Introduction”

European Data Protection: Law and Practice, page 1, section “Introduction”

The GDPR allows the transfer of personal data to countries outside of the EEA that do not provide an adequate level of data protection, if appropriate safeguards are provided by the data exporter and the data importer1. One of these safeguards are standard contractual clauses (SCCs) adopted by the European Commission, which are model clauses that impose obligations on both parties to ensure that the transfer complies with the GDPR requirements2. The SCCs also include clauses on the rights of the data subjects, the obligations of the data protection authorities, and the liability and indemnification of the parties3. One of the obligations of the data importer under the SCCs is to warrant that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract, and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the SCCs, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract4. Therefore, option D is the correct answer, as it reflects the obligation of the data importer under the SCCs to ensure that local laws do not impede the company from meeting its contractual obligations. Options A, B and C are incorrect, as they are not obligations of the data importer under the SCCs. Option A is not required by the GDPR or the SCCs, as the data importer does not need to submit the contract to its own government authority, unless the law of the country where the data importer is established requires it to do so prior to the transfer or disclosure of personal data5. Option B is not an obligation of the data importer, but of the data exporter, who must provide the data subjects with the information required by Articles 13 and 14 of the GDPR, including the fact that the data will be transferred to a third country and the appropriate safeguards in place6. Option C is not specific to the SCCs, but a general obligation of any controller or processor under the GDPR, who must cooperate with the supervisory authority and make available all information necessary to demonstrate compliance with their obligations7. References: 1: Article 46(1) of the GDPR 2: Standard Contractual Clauses (SCC) - European Commission 3: EU Standard Contractual Clauses (Word documents) 4: Clause 5(a) of the SCCs for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 5: Clause 5(b) of the SCCs for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 6: Clause 9 of the SCCs for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 7: Article 31 of the GDPR

According to the GDPR, consent must be freely given, specific, informed and unambiguous1. However, in the context of employment, there is often an imbalance of power between the employer and the employee, which may affect the validity of consent. The employee may feel pressured or coerced to give consent, or may not be able to withdraw it without negative consequences. Therefore, consent is not a reliable or appropriate legal basis for processing employee data in most cases23. The employer should consider other lawful bases, such as contractual necessity, legal obligation, legitimate interests or specific conditions for special category data45. References: 1 Art. 4 (11) GDPR – Definitions - General Data Protection Regulation (GDPR)2 Can my employer require me to give my consent to use my personal data? | European Commission. 3 When is consent appropriate? | ICO. 4 Art. 6 (1) GDPR – Lawfulness of processing - General Data Protection Regulation (GDPR)5 Art. 9 (2) GDPR – Processing of special categories of personal data - General Data Protection Regulation (GDPR).

The GDPR and the Convention 108 are two important data protection instruments that aim to protect the rights and freedoms of individuals with regard to their personal data. They both have some similarities and some differences, but one common feature is that they both require notification of processing activities to a supervisory authority.

A supervisory authority is an independent public body that monitors and enforces compliance with data protection laws. In the EU, there are 47 national data protection authorities (DPAs) that have the power to impose administrative fines, issue guidelines, conduct investigations, and cooperate with other authorities1. In the Council of Europe, there are 54 parties to the Convention 108 that have established their own supervisory authorities or have agreed to be supervised by an external authority2.

Notification of processing activities is a requirement for any controller or processor of personal data that falls under the scope of the GDPR or the Convention 108. A controller is a natural or legal person who determines the purposes and means of the processing of personal data3. A processor is a natural or legal person who processes personal data on behalf of a controller3. Notification means informing the supervisory authority about certain aspects of the processing, such as:

The identity and contact details of the controller and processor

The categories and sources of personal data

The purposes and legal basis for processing

The recipients or categories of recipients of personal data

The retention period or criteria for determining it

The existence of any automated decision-making or profiling

The rights of data subjects and how they can exercise them

Notification can be done in various ways, such as:

Submitting a written notification form

Publishing a notice on a website or other platform

Sending an email or other electronic message

Using an online system or portal

Notification should be done as soon as possible after becoming aware of any relevant information about the processing. It should also be updated whenever there are significant changes in relation to the processing4.

Therefore, both the GDPR and the Convention 108 require notification of processing activities to a supervisory authority. This is one way to ensure transparency, accountability, and compliance with data protection laws.

According to the GDPR, a data protection impact assessment (DPIA) is a process to help identify and minimize the data protection risks of a project. A DPIA is required when the processing is likely to result in a high risk to the rights and freedoms of natural persons, taking into account the nature, scope, context and purposes of the processing. The GDPR provides a list of examples of processing operations that require a DPIA, such as:

Systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.

Processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences.

Systematic monitoring of a publicly accessible area on a large scale.

Therefore, an example of a scenario where a controller is most likely required to undertake a DPIA is when personal data is being collected and combined with other personal data to profile the creditworthiness of individuals, as this involves a systematic and extensive evaluation of personal aspects based on automated processing and profiling, and may have significant effects on the individuals. The other scenarios are not necessarily indicative of a high risk to the rights and freedoms of natural persons, and do not fall under the examples of processing operations that require a DPIA provided by the GDPR. References: Free CIPP/E Study Guide, page 37; CIPP/E Certification, page 18; GDPR, Article 35, Recital 91.

According to the GDPR, legitimate interest is one of the possible legal bases for processing personal data, which means that the data controller has a valid reason to process the data that is not overridden by the interests or rights of the data subject1. The GDPR specifically mentions fraud prevention as a potential legitimate interest of the data controller, as it serves both the interests of the online shop and the data subjects who may be victims of fraud1. However, the data controller must conduct a balancing test to ensure that the legitimate interest is not outweighed by the potential harm or intrusion to the data subject’s privacy1. The data controller must also provide clear and transparent information to the data subject about the processing of their data for fraud prevention purposes, and respect their right to object to such processing1.

The other options are incorrect because:

A. Protection of the interests of the data subjects is not a legal basis for processing personal data, but rather a condition for processing special categories of personal data under Article 9 of the GDPR2. Moreover, fraud prevention does not necessarily protect the interests of the data subjects, but rather the interests of the online shop and the general public.

B. Performance of a contract is a legal basis for processing personal data that is necessary for the execution or fulfilment of a contract between the data controller and the data subject2. However, fraud prevention is not strictly necessary for the performance of a contract, as it is not directly related to the delivery of goods or services that the data subject has purchased from the online shop.

D. Consent is a legal basis for processing personal data that requires the data subject to give their informed, specific, and freely given agreement to the processing of their data for one or more purposes2. However, consent is not the most appropriate legal basis for fraud prevention, as it may not be freely given by the data subject, who may feel pressured to agree to the processing of their data in order to complete their purchase. Moreover, consent may not be reliable or effective for fraud prevention, as it can be withdrawn by the data subject at any time, or may be given by a fraudster who is not the legitimate owner of the data.

References: 2 Article 6 and 9 of the GDPR1 Legitimate interests | ICO1.

 According to the UK GDPR, the processing of personal data must be lawful, fair and transparent1. Lawfulness means that there must be a valid legal basis for processing personal data, such as consent, contract, legal obligation, vital interests, public task or legitimate interests1. Fairness means that the processing must not be detrimental, unexpected or misleading to the individuals concerned1. Transparency means that the individuals must be informed about how their data is used, who it is shared with, what rights they have and how they can exercise them1. Therefore, the sentence that best summarizes these concepts is option A, which states that fairness and transparency refer to the communication of key information before collecting data; lawfulness refers to compliance with government regulations. References: 1 https://ico.org.uk/for-organisations-2/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/lawfulness-fairness-and-transparency/

The purpose limitation principle requires that personal data be collected for specified, explicit and legitimate purposes and not be further processed in a manner that is incompatible with those purposes. However, the GDPR does not provide a clear definition of what constitutes an incompatible purpose. Instead, it leaves room for interpretation by the member states, taking into account the context and circumstances of the processing. This means that the degree of flexibility a controller has in using personal data for a new purpose may vary depending on the member state’s law and guidance. Some factors that may affect the compatibility assessment include the link between the original and the new purpose, the expectations of the data subject, the nature of the data, the impact of the further processing, and the safeguards applied by the controller. References:

GDPR Article 5(1)(b), which states the purpose limitation principle.

GDPR Article 6(4), which lists the criteria for assessing the compatibility of a new purpose.

ICO guidance, which explains the purpose limitation principle and provides examples of compatible and incompatible purposes.

[EDPB guidelines], which provide further guidance on the application of the purpose limitation principle.

The transparency principle, as stated in Article 5(1)(a) of the GDPR, requires that personal data be processed lawfully, fairly and in a transparent manner in relation to the data subject. This principle is closely linked to the right to be informed, as specified in Articles 13 and 14 of the GDPR, which oblige the controller to provide the data subject with certain information about the processing of their personal data, such as the identity and contact details of the controller, the purposes and legal basis of the processing, the recipients or categories of recipients of the personal data, the existence of the data subject’s rights, and the retention period or criteria for the personal data. The right to be informed aims to ensure that the data subject is aware of and can verify the lawfulness of the processing, and to enable them to exercise their rights effectively. Therefore, the transparency principle is most directly related to the right to be informed. References:

Article 5(1)(a) of the GDPR

Article 13 of the GDPR

Article 14 of the GDPR

IAPP CIPP/E Study Guide, page 31

The GDPR defines processors as entities that process personal data on behalf of controllers, typically under a contract or other legal act that sets out the subject matter, duration, nature, purpose, type and categories of personal data, and the obligations and rights of the controller. Processors must act only on the documented instructions of the controller, unless required by law to act otherwise. Processors must also comply with the GDPR’s requirements regarding the security, confidentiality, transfer, sub-processing, notification, assistance, cooperation, and documentation of the personal data processing.

However, the GDPR does not prescribe the exact technical and organisational measures that processors must implement to ensure the security of the personal data processing. Instead, the GDPR requires that processors take into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the risks for the rights and freedoms of data subjects. Therefore, processors have some discretion to determine their own type of hardware or software and the specific security measures for the processing, as long as they provide a level of security appropriate to the risk and comply with the controller’s instructions. Processors may also adhere to approved codes of conduct or certification mechanisms to demonstrate their compliance with the GDPR’s security requirements.

The other options listed in the question are not aspects of processing that the GDPR allows processors to determine for themselves. According to the GDPR:

Processors must inform the controller of any intended changes concerning the addition or replacement of other processors, and give the controller the opportunity to object to such changes. Processors must also impose the same data protection obligations on any sub-processors as those agreed with the controller.

Processors must not process the personal data for their own purposes, unless they have a legal basis to do so and inform the data subjects accordingly. Processors must only process the personal data for the purposes determined by the controller, and in accordance with the controller’s instructions.

Processors must not use the personal data relating to the controller’s customers for their own marketing campaigns, unless they have obtained the consent of the data subjects or have another legitimate interest to do so. Processors must respect the data subjects’ rights to object to direct marketing and to withdraw their consent at any time.

References:

GDPR, Articles 4, 28, 29, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42 and 43.

EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, pages 19, 20, 21, 22, 23, 24, 25, 26, 27 and 28.

Pseudonymisation is a method that allows you to switch the original data set (for example, e-mail or a name) with an alias or pseudonym, or, in other words, a value which does not allow the individual to be directly identified1. It is a reversible process that de-identifies data but allows the re-identification later on if necessary1. This is a well-known data management technique highly recommended by the General Data Protection Regulation (GDPR) as one of the data protection methods2. To make personal data pseudonymous, a data controller must separately hold any information that would allow linking the data to the data subject, such as a key or a code, and ensure that this information is kept securely and subject to technical and organisational measures to prevent unauthorised access or re-identification23. The other options are not correct, as they either describe other data protection methods, such as encryption or anonymisation, or do not meet the definition of pseudonymisation under the GDPR. References: Pseudonymization according to the GDPR, Pseudonymisation - Wikipedia, Anonymisation and pseudonymisation | Data Protection Commissioner

According to the GDPR, personal data means any information relating to an identified or identifiable natural person1. Body temperature is a type of personal data that can reveal information about an individual’s health and therefore constitutes special category data under Article 9 of the GDPR2. However, not every activity involving personal data falls within the scope of the GDPR. The GDPR applies only to the processing of personal data wholly or partly by automated means or to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system3.

In this scenario, the organization conducts body temperature checks as a part of COVID-19 monitoring. Body temperature is measured manually and is not followed by registration, documentation or other processing of an individual’s personal data. This means that the organization does not use any automated means to collect, store, or process the body temperature data, nor does it create or intend to create a filing system that contains such data. Therefore, this practice does not involve any processing of personal data within the meaning of the GDPR and is not subject to its rules and obligations.

The other options are incorrect because:

A. Body temperature is considered personal data, as it can be linked to an identifiable natural person and reveal information about their health2.

C. Body temperature is not considered pseudonymous data, as it is not processed in a way that the data can no longer be attributed to a specific data subject without the use of additional information4.

D. The practice is not for the purpose of alleviating extreme risks to public health, as it is not based on any legal obligation, public interest, or vital interest that would justify the processing of special category data under Article 9 of the GDPR5.

References: 1 Article 4(1) of the GDPR2 Policy Brief: Location Data Under Existing Privacy Laws | FPF23 Article 2(1) of the GDPR4 Article 4(5) of the GDPR5 Article 9(2) of the GDPR.

ABC Hotel Chain and XYZ Travel Agency are joint controllers in this relationship, because they jointly determine the purposes and means of the processing of personal data of their customers. According to Article 26 of the GDPR, joint controllers are two or more controllers who jointly participate in the decision-making process regarding the processing of personal data 1. In this scenario, ABC Hotel Chain and XYZ Travel Agency use a common platform for collecting and sharing customer data, and they agree on the data to be stored, how reservations will be booked and confirmed, and who has access to the stored data. Therefore, they have a common influence on the processing of personal data and share a common objective of integrating their marketing efforts. Moreover, they offer a rewards program that allows customers to sign up to accumulate points that can be redeemed for free travel, which implies a joint benefit from the processing of personal data.

The other options are not correct because they do not reflect the actual roles of ABC Hotel Chain and XYZ Travel Agency in this relationship. A controller is a natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data 2. A processor is a natural or legal person who processes personal data on behalf of the controller 3. In this scenario, neither ABC Hotel Chain nor XYZ Travel Agency act solely or on behalf of the other in processing the personal data of their customers. Rather, they act together in a collaborative manner and share the responsibility and accountability for the processing of personal data. Therefore, they are joint controllers, not independent controllers or controller and processor. References: 1: Article 26 of the GDPR 2: Article 4(7) of the GDPR 3: Article 4(8) of the GDPR

 According to the GDPR, personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes1. This means that data controllers must inform data subjects about the purposes of data processing and obtain their consent or rely on another lawful basis for processing. Data controllers must also respect the principle of data minimisation, which means that they should only collect and process personal data that is adequate, relevant and limited to what is necessary for the purposes for which they are processed2.

In the scenario, Brady transfers his customers’ personal data to Hermes Designs, a third-party contractor, for the purpose of providing web page design services. However, Hermes Designs uses the data for a new purpose, which is creating sample customized banner advertisements and conducting direct marketing to the customers. This new purpose is not compatible with the original purpose for which the data was collected and transferred, and it is not likely that the customers have consented to it or that there is another lawful basis for it. Moreover, Hermes Designs may be processing more personal data than what is necessary for the original purpose, such as the customers’ business plans and preferences. Therefore, Brady should be concerned with Hermes Designs’ handling of customer personal data, as it may violate the GDPR and expose him to legal risks and reputational damages.

References:

1: Art. 5(1)(b) GDPR Principles relating to processing of personal data

2: Art. 5(1)© GDPR Principles relating to processing of personal data

 The GDPR requires that personal data be kept for no longer than is necessary for the purposes for which the personal data are processed1. However, the GDPR also allows member states to provide for more specific rules on the processing of employees’ personal data in the employment context, including the retention periods for erasure and deletion of categories of personal data2. Therefore, the employer should securely store the data that is required to be kept under local law, such as tax records, pension records, or health and safety records34. The employer should also ensure that the data is protected from unauthorized or unlawful access, accidental loss, destruction, or damage1. The employer should not store the data for longer than necessary or for purposes other than those for which the data was collected, unless the employee has given consent or there is another legal basis for doing so13. References: 1: Article 5 of the GDPR 2: Article 88 of the GDPR 3: Data Protection and GDPR in the Workplace | Factsheets | CIPD 4: How to Manage the Retention of Employee Data | GDPR Blog

 This is not a valid set of standard contractual clauses because it does not correspond to any of the decisions adopted by the European Commission under the GDPR or the previous Data Protection Directive 95/46. The correct decision for EU processor to non-EU or EEA controller is Decision 2010/87/EU, which was amended by Decision 2004/915/EC. Decision 2007/72/EC is actually related to the recognition of the adequacy of the protection of personal data in Switzerland. References:

Free CIPP/E Study Guide, page 18, section 3.4.2

Standard contractual clauses for international transfers, section 1.1

Standard Contractual Clauses (SCC), section 2.1

Decision 2007/72/EC

One of the main differences between a Regulation and a Directive in the EU law is that a Regulation is directly applicable and binding in all EU member states, without the need for national implementing measures, while a Directive sets out the objectives and principles that the member states must achieve, but leaves them the choice of form and methods to transpose it into their national laws. Therefore, by taking the form of a Regulation, the GDPR aims to harmonize and unify the data protection rules across the EU, and to ensure a consistent implementation and enforcement of the data protection laws throughout the EU. The other aspects of the GDPR listed in the question, such as the one-stop shop mechanism, the mandatory notification of large-scale data breaches, and the mandatory appointment of a data protection officer, are also important features of the GDPR, but they do not have the same impact on the consistency of the data protection laws as the form of a Regulation.

References: Difference between A Regulation And Directive (European Law)1; EUR-Lex - 310401_2 - EN - EUR-Lex2; EU GDPR vs. European Data Protection Directive 95/46/EC - Advisera3; Difference between GDPR and Data Protection Directive - Profolus

According to Article 13 of the GDPR, when a controller obtains personal data directly from the data subject, the controller must provide the data subject with certain information about the processing of their data, such as the identity and contact details of the controller, the purposes and legal basis of the processing, the recipients or categories of recipients, the period of storage, the rights of the data subject, the right to lodge a complaint, etc. However, the controller does not have to provide the data subject with the categories of personal data concerned, as this information is already known by the data subject, since they provided the data themselves. This is different from Article 14, which applies when the controller obtains personal data from a source other than the data subject, and requires the controller to inform the data subject of the categories of personal data concerned, as well as the source of the data. References:

Art. 13 GDPR - Information to be provided where personal data are collected from the data subject

Art. 14 GDPR - Information to be provided where personal data have not been obtained from the data subject

Article 13: Information to be provided where personal data are collected from the data subject - GDPR

 According to the CIPP/E study guide, the Data Protection Law Enforcement Directive (LED) is a piece of EU legislation that ensures the protection of personal data of individuals involved in criminal proceedings, be it as witnesses, victims or suspects1. The LED applies to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties2. Article 4 of the LED sets out the principles relating to the processing of personal data, which include lawfulness, fairness, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality3. Article 4 (1) (e) of the LED states that personal data shall be processed lawfully, where processing is necessary for the performance of a task carried out by a competent authority for the purposes of the LED, and where processing is based on Union or Member State law which shall meet an objective of general interest, respect the essence of the right to the protection of personal data and be proportionate to the legitimate aim pursued3. Therefore, a government can carry out covert investigations involving personal data, as long as it is set forth by law and constitutes a measure that is both necessary and proportionate to the objective of general interest, such as the prevention or prosecution of criminal offences. References: 1: CIPP/E study guide, page 1; Data protection in law enforcement2: CIPP/E study guide, page 2; Art. 2 LED3: CIPP/E study guide, page 3; Art. 4 LED.

According to Article 3(1) of the GDPR1, personal data shall be processed in any member state only on the basis of a decision taken at a Union level that is binding for that member state, unless it is derogated from by national law. This means that the GDPR applies to any processing of personal data within the EU, regardless of where the controller or processor is located, as long as it is based on a decision made at a Union level that is binding for that member state.

Therefore, option B would most likely trigger the extraterritorial effect of the GDPR, as it involves personal data of EU citizens being processed by a controller or processor based outside the EU, which may be subject to a decision made at a Union level that is binding for that member state.

Option A would not trigger the extraterritorial effect of the GDPR, as it involves monitoring suspected terrorists, which is not considered processing under Article 4(1) and (2) of the GDPR1. Monitoring may fall under other legal frameworks, such as national security or counter-terrorism laws.

Option C would not trigger the extraterritorial effect of the GDPR, as it involves monitoring EU citizens outside the EU by non-EU law enforcement bodies, which may not be subject to any decision made at a Union level that is binding for that member state.

Option D would not trigger the extraterritorial effect of the GDPR, as it involves processing personal data of EU residents by a non-EU business that targets EU customers, which may not be subject to any decision made at a Union level that is binding for that member state.

References: 1: Free CIPP/E Study Guide - International Association of Privacy Professionals.

According to the Treaty on European Union (TEU), the European Parliament shall, jointly with the Council, exercise legislative and budgetary functions. It shall also exercise functions of political control and consultation as laid down in the Treaties1. The Council of the European Union, also known as the Council, is the institution that represents the governments of the Member States. Together with the European Parliament, it adopts European legislation and coordinates the policies of the Member States2. The other options are not correct because: (A) The European Commission is the institution that proposes and implements EU policies, ensures the application of EU law, and represents the Union in international affairs3; (B) The Article 29 Working Party was an advisory body composed of representatives of the national data protection authorities, the European Data Protection Supervisor and the European Commission. It was replaced by the European Data Protection Board in 20184; (D) The European Data Protection Board is an independent body that ensures the consistent application of the General Data Protection Regulation and promotes cooperation among the national data protection authorities5. References: 1: Article 14(1) of the TEU; 2: The Council of the European Union; 3: The European Commission; 4: Article 29 Working Party; 5: [European Data Protection Board].

According to the CIPP/E study guide, Article 33 of the GDPR requires data controllers to notify the supervisory authority of a personal data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons1. Article 34 of the GDPR requires data controllers to communicate the personal data breach to the data subject without undue delay when the breach is likely to result in a high risk to the rights and freedoms of natural persons2. Both articles specify the minimum information that the data controller must provide to the supervisory authority and the data subject, which includes: the nature of the breach, the categories and approximate number of data subjects and personal data records concerned, the name and contact details of the data protection officer or other contact point, the likely consequences of the breach, and the measures taken or proposed to address the breach and mitigate its possible adverse effects12. However, neither article requires the data controller to disclose the type of security safeguards used to protect the data, as this information is not relevant for the purposes of notification and may even compromise the security of the data further3. References: 1: CIPP/E study guide, page 84; Art. 33 GDPR; Guidelines 01/2021 on Examples regarding Data Breach Notification2: CIPP/E study guide, page 85; [Art. 34 GDPR]; Guidelines 01/2021 on Examples regarding Data Breach Notification3: Personal Data Breach | European Data Protection Supervisor; What is a data breach and what do we have to do … - European Commission.

While all of the options present potential privacy issues, the lack of transparency about data processing poses the biggest risk for several reasons:

Uninformed Consent: Without clear information about data collection and usage, children and parents cannot make informed decisions about using the toys. This violates the principle of informed consent, which is a cornerstone of data protection laws.

Hidden Features: The packaging and privacy policy do not disclose the hidden functionality of the toys, including the connection to the cloud and data processing in South Africa. This lack of transparency creates distrust and raises concerns about potential misuse of data.

Unclear Data Flow: The explanation provided about the data flow is vague and incomplete. It is unclear what data is collected, how it is stored, for what purposes it is used, and who has access to it. This lack of clarity creates uncertainty and raises concerns about potential data breaches or leaks.

Limited Control: Without detailed information about data practices, users have limited control over their information. They cannot opt out of data collection or request deletion of their data, further hindering their privacy rights.

 According to the GDPR, the territorial scope of the regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behavior as far as their behavior takes place within the Union1. In this scenario, Bioface is not established in the Union, but it is collecting photographs of data subjects in the Union and using a facial recognition algorithm to identify them. This constitutes monitoring of their behavior within the Union, and therefore triggers the application of the GDPR. The other options are not correct because: (A) Bioface does not have any establishment in the Union, as it only collects data from web-based services, which does not imply the existence of stable arrangements in the Union2; (B) Bioface is not offering services in the Union, as it only targets government agencies and companies in the US and Canada, and does not intend to provide its service to data subjects in the Union3; © Bioface collects data from subjects and uses it for automated processing, but this is not a sufficient criterion to determine the territorial scope of the GDPR, as it does not relate to the offering of goods or services or the monitoring of behavior in the Union4. References: 1: Article 3(2) of the GDPR; 2: EDPB Guidelines, paragraph 20; 3: EDPB Guidelines, paragraph 38; 4: EDPB Guidelines, paragraph 50.

The GDPR requires that personal data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures1. This principle is known as integrity and confidentiality, or sometimes as security2. Encryption is one of the possible technical measures that can be used to protect personal data at rest, as it makes the data unintelligible to anyone who does not have the key to decrypt it3. By recommending that the company encrypts all personal data at rest, Tanya is following the principle of integrity and confidentiality, as she is ensuring that the personal data is secure and protected from unauthorised access or accidental damage. References: 1: Article 5(1)(f) of the GDPR 2: A guide to the data protection principles | ICO 3: Encryption | ICO

According to the GDPR, the processing of personal data obtained through monitoring software must be lawful, fair, and transparent. This means that the employer must inform the employees about the nature, extent, and reasons for monitoring, and the possible consequences of non-compliance with the company’s policies. The employer must also have a legitimate interest or another lawful basis for processing the employees’ data, and respect their rights and freedoms. The employer must also comply with the national laws and guidelines of each member state where it operates, which may impose additional conditions or limitations on employee monitoring. In this case, Building Block did not inform the employee from Italy that the security software would also monitor his computer activity and location, and did not specify the purpose and scope of such monitoring. Therefore, the employee could not reasonably expect that his personal data would be processed in this way, and could not exercise his rights under the GDPR, such as the right to access, rectify, or object to the processing. Moreover, the employer did not conduct a proper assessment of the necessity and proportionality of the monitoring, and did not consider less intrusive alternatives to achieve its security goals. Therefore, the employer could face legal challenges from the employee, the Italian supervisory authority, or the labor courts, if it decides to apply disciplinary measures based on the data obtained through the monitoring software. The employer could also face fines or sanctions for violating the GDPR and the Italian data protection law. References: GDPR requirements for employee monitoring: rules to follow, Can Your Organisation Monitor Employees’ Personal Communications?, ICO publishes guidance to ensure lawful monitoring in the workplace, [Guidelines on processing personal data in the context of connected vehicles and mobility related applications]

According to the EDPB Guidelines 05/2020 on consent under Regulation 2016/6791, valid consent for the use of cookies must meet the following conditions:

•It must be freely given, which means that the data subject must have a genuine choice and the ability to refuse or withdraw consent without detriment.

•It must be specific, which means that the data subject must give consent for each distinct purpose of the processing and for each type of cookie.

•It must be informed, which means that the data subject must receive clear and comprehensive information about the identity of the controller, the purposes of the processing, the types of cookies used, the duration of the cookies, and the possibility of withdrawing consent.

•It must be unambiguous, which means that the data subject must express their consent by a clear affirmative action, such as clicking on an “I agree” button or selecting specific settings in a cookie banner.

•It must be granular, which means that the data subject must be able to consent to different types of cookies separately, such as essential, functional, performance, or marketing cookies.

Therefore, a “Cookies Settings” button is not a necessary element to collect valid consent for the use of cookies, as long as the data subject can exercise their choice and preference through other means, such as a cookie banner with different options. However, a “Cookies Settings” button may be a good practice to enhance transparency and user control, as it allows the data subject to access and modify their consent settings at any time.

On the other hand, a “Reject All” cookies button is a necessary element to collect valid consent for the use of cookies, as it ensures that the data subject can freely refuse consent without detriment. A list of cookies that may be placed and information on the purpose of the cookies are also necessary elements to collect valid consent for the use of cookies, as they ensure that the data subject is informed and can give specific consent for each type of cookie.

References: EDPB Guidelines 05/2020 on consent under Regulation 2016/6791, pages 17-23.

 According to the EDPB guidelines on the concepts of controller and processor in the GDPR1, joint controllers are entities that jointly determine the purposes and means of the processing of personal data. Joint controllership can result from a common decision or from converging decisions that are necessary for the processing to take place. Joint controllers must have a transparent arrangement that sets out their respective roles and responsibilities, and must ensure that individuals can exercise their rights against each controller. In this scenario, Gellcoat and Freifish are joint controllers with respect to the personal data related to the event, because they both decided to share data from their client databases, to come up with a list of people to invite, to agree on the content of the invitations, and to build an app to gather feedback. These decisions are joint and inseparable, and they have a tangible impact on the determination of the purposes and means of the processing. However, Gellcoat and Freifish are separate controllers for their other purposes, such as maintaining their own client databases, marketing their own products, or complying with their own legal obligations. These purposes are independent and separate from the joint purpose of organizing the event. Therefore, option A is the correct answer. Option B is incorrect because joint controllership does not depend on the merging of databases or the ownership of data, but on the joint determination of purposes and means. Option C is incorrect because joint controllership does not require a written designation in a contract, but can be inferred from the factual circumstances. Option D is incorrect because separate controllers and processors have different roles and responsibilities under the GDPR, and Gellcoat and Freifish do not act as processors for each other. References:

Guidelines 07/2020 on the concepts of controller and processor in the GDPR

What does it mean if you are joint controllers?

What’s New in the EDPB’s Draft Guidelines on Controllers and Processors under the GDPR

This is not a common characteristic of cloud-computing services, as the supplier usually does not assume the vendor’s business risk. In fact, the supplier often limits its liability for data breaches or losses, and the vendor remains responsible for complying with data protection laws and regulations. The other options are common characteristics of cloud-computing services, as they reflect the nature of cloud computing as a flexible, scalable, and cost-effective way of processing data, but also pose challenges for data protection and security. References:

Free CIPP/E Study Guide, page 17, section 2.3.2

CIPP/E Certification, page 12, section 2.3.2

Cipp-e Study guides, Class notes & Summaries, page 23, section 2.3.2

 Article 9 of the GDPR prohibits the processing of special categories of personal data, which are data that reveal sensitive information about the data subject and may pose a high risk to their rights and freedoms. The GDPR defines 10 types of personal data as special categories, which are:

personal data revealing racial or ethnic origin;

personal data revealing political opinions;

personal data revealing religious or philosophical beliefs;

personal data revealing trade union membership;

genetic data;

biometric data (where used for identification purposes);

data concerning health;

data concerning a person’s sex life; and

data concerning a person’s sexual orientation.

Among the answer choices, only option C is not one of these categories, as financial data is not considered to reveal any sensitive information about the data subject. However, financial data is still subject to the general principles and rules of the GDPR, such as lawfulness, fairness, transparency, accuracy, security, etc. References:

Special category data | ICO

Art. 9 GDPR Processing of special categories of personal data

Special Categories of Data - International Association of Privacy Professionals

The GDPR allows for derogations for specific situations when a transfer of personal data to a third country or an international organization cannot be based on an adequacy decision, appropriate safeguards, or binding corporate rules1. However, these derogations are exceptions to the general rule and should not become the norm. The EDPB confirmed that derogations should only be used as a last resort and when interpreted restrictively, taking into account the nature of the data, the purpose and duration of the processing, the country of origin and destination, and the rights and freedoms of data subjects23. The EDPB also stressed that the data exporter must assess the level of protection in the third country and ensure that the transfer does not undermine the essence of the fundamental rights and freedoms of data subjects23. References: 1: Article 49 of the GDPR 2: Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679 3: A guide to international transfers | ICO

According to Article 83 of the GDPR, the less severe administrative fines of up to 10 million euros or 2% of the annual worldwide turnover apply to infringements of the articles governing controllers and processors, certification bodies, and monitoring bodies. These include Articles 8, 11, 25-39, 42, and 43. Among the answer choices, only option B falls under this category, as Article 25 requires controllers to implement data protection by design and by default. Option A is related to Article 7, which governs the conditions for consent. Option C is related to Article 5, which sets out the principles for processing personal data. Option D is related to Article 16, which grants the right to rectification to data subjects. These articles are subject to the more severe administrative fines of up to 20 million euros or 4% of the annual worldwide turnover. References:

GDPR Article 83

GDPR Article 25

GDPR Article 7

GDPR Article 5

GDPR Article 16

Convention 108+ is the modernised version of Convention 108, which was the first legally binding international instrument on data protection. The main purpose of Convention 108+ is to update and enhance the protection of personal data in light of the technological developments and the new challenges posed by the globalisation of data processing. Convention 108+ also aims to ensure the effective implementation and enforcement of data protection principles and rules, as well as to facilitate the free flow of data between the parties to the Convention.

References:

•Convention 108+ : the modernised version of a landmark instrument1

•Convention 108 and Protocols - Data Protection - The Council of Europe2

•Convention 108 - Council of Europe3

According to Article 37 of the GDPR, the designation of a data protection officer (DPO) is mandatory for controllers and processors in three cases1:

When the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;

When the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or

When the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

The GDPR does not define what constitutes “regular and systematic monitoring” or “large scale”, but the Article 29 Working Party (now replaced by the European Data Protection Board) has provided some guidance on these concepts2. According to the guidance, “regular and systematic monitoring” includes all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising, but also offline activities such as CCTV or health data monitoring. The guidance also suggests some criteria to assess whether the processing is carried out on a large scale, such as the number of data subjects concerned, the volume of data or the range of data items processed, the duration or permanence of the processing activity, and the geographical extent of the processing.

In the given scenario, option D is the only one that clearly falls under the second case of mandatory DPO designation, as it implies that the controller or processor is engaged in regular and systematic monitoring of data subjects on a large scale as part of their core activities. This could include, for example, online behavioural advertising, location tracking, loyalty programs, or health data analytics. The other options are not sufficient to trigger the obligation to appoint a DPO, unless they are combined with other factors that indicate a large scale or a high risk of the processing. For instance, option A is not relevant, as the GDPR does not set a threshold based on the size or number of employees of the organisation. Option B is also not decisive, as the GDPR does not distinguish between for-profit or non-profit purposes of the processing. Option C may require a DPO if the processing of financial information or information relating to children is done on a large scale and involves special categories of data, but it is not a general rule. References:

1: Article 37 of the GDPR

2: Guidelines on Data Protection Officers (‘DPOs’)

3: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

4: https://edpb.europa.eu/sites/edpb/files/files/file1/wp243rev01_en.pdf

5: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679

6: [https://edpb.europa.eu/sites/edpb/files/files/file1/wp243rev01_en.pdf]

7: [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679]

 According to the UK GDPR, the data subject has the right to object, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions1. The controller must stop the processing unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims1. The WP 29 Guidelines on Automated individual decision-making and Profiling provide some guidance on how to assess the existence of such compelling legitimate grounds2. The controller needs to carry out an exercise that weighs the interests of the controller and the basis for the data subject’s objection, consider the impact of the profiling on the data subject’s interest, rights and freedoms, and consider the importance of the profiling to their particular objective2. However, the controller does not need to demonstrate that the profiling is for the purposes of direct marketing, as this is a separate ground for objection under Article 21(2) of the UK GDPR, which gives the data subject an absolute right to object to such processing13. Therefore, option C is the correct answer, as it is not required by the controller to demonstrate that it has compelling legitimate grounds for profiling. References: 132

https://gdpr.eu/article-21-right-to-object/ https://ico.org.uk/for-organisations-2/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-object/

 According to Article 47(2)(a) of the GDPR, binding corporate rules (BCRs) must be legally binding and apply to and be enforced by every member concerned of the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees1. This means that all employees within the group must comply with the BCRs, irrespective of their location or the jurisdiction where they operate. The other options are incorrect, as they do not reflect the requirements of the GDPR or the guidance of the European Data Protection Board (EDPB) on BCRs23. References:

GDPR Article 47(2)(a)

EDPB Guidelines 3/2018 on the territorial scope of the GDPR

EDPB Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679

According to the GDPR, the material scope of the regulation covers the processing of personal data wholly or partly by automated means, or by non-automated means if the data forms part of a filing system or is intended to form part of a filing system (Article 2(1)). Personal data is defined as any information relating to an identified or identifiable natural person (data subject) (Article 4(1)). An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Article 4(1)). Therefore, pseudonymous data, such as blockchain transactions that use public keys or other identifiers, may still fall within the definition of personal data if the data subject can be identified or re-identified by using additional information or means (Recital 26).

The GDPR also applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the European Union, regardless of whether the processing takes place in the European Union or not (Article 3(1)). The GDPR also applies to the processing of personal data of data subjects who are in the European Union by a controller or processor not established in the European Union, where the processing activities are related to the offering of goods or services to such data subjects in the European Union or the monitoring of their behaviour as far as their behaviour takes place within the European Union (Article 3(2)). Therefore, the territorial scope of the GDPR covers both controllers and processors established in the European Union, and controllers and processors not established in the European Union but targeting or monitoring data subjects in the European Union.

In this scenario, blockchain transactions are classified as pseudonymous data, which may still be considered as personal data under the GDPR if the data subjects can be identified or re-identified. Therefore, such transactions are within the material scope of the GDPR, as they involve the processing of personal data by automated means. However, the GDPR only applies to such transactions to the extent that they include data subjects in the European Union, either by having a controller or processor established in the European Union, or by offering goods or services to or monitoring the behaviour of such data subjects. Therefore, the answer is C.

References: GDPR, Articles 2, 3, 4, Recital 261; EDPB Guidelines 05/2020 on consent under Regulation 2016/6792, page 17; Blockchain and the GDPR: Solutions for a responsible use of the blockchain in the context of personal data - CNIL3

 This is not an explicit right granted to data subjects under the GDPR, as the GDPR does not specifically address the sale of personal data. However, the GDPR does require that data subjects give their consent to any processing of their personal data that is not based on another legal basis, such as a contract or a legal obligation1. Therefore, data subjects have the right to withdraw their consent at any time, and the controller must inform them of this right before obtaining their consent2. The other options are explicit rights granted to data subjects under the GDPR, as they are listed in Chapter 3 of the regulation3. References:

Free CIPP/E Study Guide, page 23, section 3.1

CIPP/E Certification, page 18, section 3.1

The Ultimate CIPP/E Study Guide for 2023, page 16, section 3.1

GDPR data subject rights - 8 fundamental & additional rights, paragraph 4

Rights of the data subject - General Data Protection Regulation (GDPR), Article 7

Rights of the data subject - General Data Protection Regulation (GDPR), Chapter 3

 The definition of personal data under the GDPR is broad and covers any information that relates to an identified or identifiable natural person. This means that personal data can include information such as name, email, phone number, address, date of birth, race, gender, political opinions and more. The GDPR protects personal data on all levels, platforms and technologies, and requires organizations to process it only for a specific purpose and keep it for a limited time.

The unlinked aggregated data used for statistical purposes by an Italian company would most likely NOT be covered by the definition of personal data under the GDPR. Aggregated data is data that has been processed in such a way that individual records are no longer identifiable. For example, if a company collects the names and email addresses of its customers and then calculates the average age of its customers, the resulting data is aggregated and not personal. Therefore, this type of data would not be subject to the GDPR.

However, this does not mean that the Italian company can use this type of data without any restrictions or obligations. The GDPR still applies to any processing activity that involves personal data in any form or manner. For example, if the Italian company uses this type of data to create a profile or a segment of its customers based on their characteristics or preferences, it may still need to comply with certain principles and conditions under the GDPR. For instance, it may need to obtain consent from its customers before using their aggregated data for marketing purposes; it may need to ensure that its aggregated data is accurate and up-to-date; it may need to limit the retention period of its aggregated data; and it may need to respect the rights of its customers regarding their personal data.

References:

What is personal data? | ICO

What is considered personal data under the EU GDPR?

[GDPR personal data – what information does this cover?]

 According to the GDPR, data controllers must respond to a data access request (also known as a subject access request or SAR) without undue delay and in any event within one month of receipt of the request. This time limit can be extended by a further two months if the request is complex or if the controller receives a number of requests from the same individual. However, the controller must still inform the individual within one month of receipt of the request and explain why the extension is necessary. The time limit is calculated from the day after the request is received (whether it is a working day or not) until the corresponding calendar date in the next month. If there is no corresponding calendar date, the deadline is the last day of the next month. If the deadline falls on a weekend or public holiday, the response must be provided on the next working day. References:

GDPR, Article 12(3)

ICO, Right of access1

ICO, Time limits for responding to data protection rights requests2

The e-Privacy Directive 2002/58/EC, also known as the Directive on privacy and electronic communications, is a specific directive that complements and particularises the GDPR for the electronic communications sector. It was amended in 2009 by the Directive 2009/136/EC, which introduced several changes to enhance the protection of personal data and privacy in the electronic communications sector. One of these changes was the introduction of a mandatory notification for personal data breaches applicable to providers of publicly available electronic communications services, such as telecom providers and internet service providers. According to Article 4 of the amended e-Privacy Directive, these providers must notify the competent national authority of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Community. The notification must be made without undue delay and, where feasible, not later than 24 hours after the provider has become aware of the breach. The notification must include information such as the nature and content of the personal data concerned, the circumstances and consequences of the breach, and the measures taken or proposed by the provider to address the breach. The provider must also notify the affected data subjects of the breach, unless the provider has demonstrated to the satisfaction of the competent authority that it has implemented appropriate technological protection measures that render the data unintelligible to any person who is not authorised to access it. The notification to the data subjects must describe the nature of the breach and the contact points where more information can be obtained, and must recommend measures to mitigate the possible adverse effects of the breach. The purpose of this mandatory notification is to ensure that the authorities and the data subjects are informed of the risks and the remedies related to the breach, and to encourage the providers to improve their security measures and prevent further breaches. References: e-Privacy Directive, Changes to e-Privacy Directive Approved by European Parliament, Article 2 Amendments to Directive 2002/58/EC (Directive on privacy and electronic communications), Personal data breaches

According to the GDPR, a transfer of personal data to a third country or an international organisation may take place only if the conditions laid down in Chapter V of the GDPR are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation1. A third country is any country outside of the European Union (EU) and the European Economic Area (EEA)2. Therefore, a transfer impact assessment is only required when personal data is transferred to a third country or an international organisation that does not provide an adequate level of data protection, as recognised by the European Commission3. HRYourWay is a German based company, and Germany is a member state of the EU and the EEA. Thus, HRYourWay is not located in a third country, and no transfer impact assessment is needed for transferring personal data to it. The other options are incorrect, as they are not relevant to the question of whether a transfer impact assessment is required or not. References:

GDPR, Chapter V

GDPR, Article 4 (24)

GDPR, Article 45