IAPP CIPP-E Certified Information Privacy Professional/Europe (CIPP/E) Exam Practice Test

Article 82 of the GDPR introduces a right to compensation for damage caused as a result of an infringement of the GDPR1. Article 82 (1) states that any person who has suffered material or non-material damage as a result of an infringement of the GDPR shall have the right to receive compensation from the controller or processor for the damage suffered1. Article 82 (2) states that any controller involved in processing shall be liable for the damage caused by processing which infringes the GDPR1. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller1. Article 82 (3) states that a controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage1. In this case, Jack is liable for the damage caused by the data breach, as he violated the GDPR by posting the patient’s name and health information, along with disparaging comments, on a social media website. This constitutes an infringement of the GDPR, as it violates the principles of lawfulness, fairness, and transparency (Article 5 (1) (a)), purpose limitation (Article 5 (1) (b)), data minimisation (Article 5 (1) ©), accuracy (Article 5 (1) (d)), integrity and confidentiality (Article 5 (1) (f)), and the rights of the data subject (Articles 12-23)1. The pharmaceutical company is not liable for the damage caused by the data breach, as it can prove that it is not in any way responsible for the event giving rise to the damage. The company provided privacy training to Jack, informed him of the privacy policy, obtained his consent, and dismissed him as soon as the breach was discovered. Therefore, the company complied with the obligations of the GDPR, such as the accountability principle (Article 5 (2)), the data protection by design and by default principle (Article 25), the security of processing principle (Article 32), and the notification of a personal data breach to the supervisory authority principle (Article 33)1. Therefore, option D is the correct answer. References: Art. 82 GDPR – Right to compensation and liability, Article 82 GDPR - GDPRhub

The GDPR and the Convention 108 are two important data protection instruments that aim to protect the rights and freedoms of individuals with regard to their personal data. They both have some similarities and some differences, but one common feature is that they both require notification of processing activities to a supervisory authority.

A supervisory authority is an independent public body that monitors and enforces compliance with data protection laws. In the EU, there are 47 national data protection authorities (DPAs) that have the power to impose administrative fines, issue guidelines, conduct investigations, and cooperate with other authorities1. In the Council of Europe, there are 54 parties to the Convention 108 that have established their own supervisory authorities or have agreed to be supervised by an external authority2.

Notification of processing activities is a requirement for any controller or processor of personal data that falls under the scope of the GDPR or the Convention 108. A controller is a natural or legal person who determines the purposes and means of the processing of personal data3. A processor is a natural or legal person who processes personal data on behalf of a controller3. Notification means informing the supervisory authority about certain aspects of the processing, such as:

The identity and contact details of the controller and processor

The categories and sources of personal data

The purposes and legal basis for processing

The recipients or categories of recipients of personal data

The retention period or criteria for determining it

The existence of any automated decision-making or profiling

The rights of data subjects and how they can exercise them

Notification can be done in various ways, such as:

Submitting a written notification form

Publishing a notice on a website or other platform

Sending an email or other electronic message

Using an online system or portal

Notification should be done as soon as possible after becoming aware of any relevant information about the processing. It should also be updated whenever there are significant changes in relation to the processing4.

Therefore, both the GDPR and the Convention 108 require notification of processing activities to a supervisory authority. This is one way to ensure transparency, accountability, and compliance with data protection laws.

 According to the Free CIPP/E Study Guide, page 14, “if the DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk, the controller shall consult the supervisory authority prior to the processing.” This means that the controller must seek the advice of the supervisory authority when the DPIA identifies high risks that cannot be sufficiently reduced by the controller’s own measures. The other options are not necessarily cases where the consultation is required, although they may trigger other obligations under the GDPR, such as obtaining a valid legal basis, providing adequate safeguards, or informing the data subjects. References:

Free CIPP/E Study Guide, page 14

GDPR, Article 36

Article 80(1) of the GDPR states that the data subject shall have the right to mandate a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf, to exercise the rights referred to in Articles 77, 78 and 79 on his or her behalf, and to exercise the right to receive compensation referred to in Article 82 on his or her behalf1. These not-for-profit bodies, organisations or associations are commonly referred to as civil society organizations, as they represent the interests of citizens and groups in the public sphere2. The other options are not correct because: (A) Law firm organizations are not necessarily not-for-profit or active in the field of data protection; © Human rights organizations are a subset of civil society organizations, but not all civil society organizations are focused on human rights; (D) Constitutional rights organizations are also a subset of civil society organizations, but not all civil society organizations are concerned with constitutional rights. References: 1: Article 80(1) of the GDPR; 2: Free CIPP/E Study Guide, page 48.

Section: (none)

Explanation

The GDPR provides more latitude for a company to process data beyond its original collection purpose when the data has been pseudonymized, which means that the data can no longer be attributed to a specific data subject without the use of additional information. Pseudonymization is a technique that reduces the linkability of personal data with the data subject, and enhances the security and privacy of the data processing. According to the GDPR, pseudonymization is one of the measures that can help the company to implement the principles of data protection by design and by default, and to demonstrate compliance with the GDPR obligations. Moreover, the GDPR states that the further processing of pseudonymized data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is not considered to be incompatible with the initial purposes, provided that appropriate safeguards are in place to protect the rights and freedoms of the data subjects. Therefore, pseudonymization can enable the company to use the data for other purposes that are beneficial for society or for innovation, without compromising the privacy of the individuals. References:

GDPR, Article 4 (5), Article 5 (1) (b), Article 6 (4) (e), Article 25, Article 32 (1) (a), Article 40 (2) (d), Article 89

Free CIPP/E Study Guide, page 17, section 2.4.1

CIPP/E Certification, page 12, section 1.1.3

Cipp-e Study guides, Class notes & Summaries, document “CIPP/E Exam Summary 2023”, page 45, section 2.4.1

[Pseudonymisation techniques and best practices]

According to Article 35 of the GDPR, the controller must carry out a data protection impact assessment (DPIA) prior to processing that is likely to result in a high risk to the rights and freedoms of natural persons. The DPIA is a process for assessing and mitigating the potential impact of the processing on the protection of personal data. The controller must seek the advice of the DPO, where designated, when carrying out a DPIA. The DPO can assist the controller in conducting the DPIA and ensuring its compliance with the GDPR requirements. The DPO can also monitor the performance of the DPIA and act as a contact point for the supervisory authority and the data subjects. References:

Article 35 of the GDPR

European Data Protection Law & Practice textbook, Chapter 7: Data Protection Impact Assessment, Section 7.2: When is a DPIA required?, Subsection 7.2.1: The role of the DPO

Roles and Responsibilities of a Data Protection Officer

Pseudonymisation is a method that allows you to switch the original data set (for example, e-mail or a name) with an alias or pseudonym, or, in other words, a value which does not allow the individual to be directly identified1. It is a reversible process that de-identifies data but allows the re-identification later on if necessary1. This is a well-known data management technique highly recommended by the General Data Protection Regulation (GDPR) as one of the data protection methods2. To make personal data pseudonymous, a data controller must separately hold any information that would allow linking the data to the data subject, such as a key or a code, and ensure that this information is kept securely and subject to technical and organisational measures to prevent unauthorised access or re-identification23. The other options are not correct, as they either describe other data protection methods, such as encryption or anonymisation, or do not meet the definition of pseudonymisation under the GDPR. References: Pseudonymization according to the GDPR, Pseudonymisation - Wikipedia, Anonymisation and pseudonymisation | Data Protection Commissioner

According to the WP29’s “Guidelines on Personal data breach notification under Regulation 2016/679’’, the communication of a personal data breach to the data subjects should be clear, concise, transparent, easily accessible and understandable, and use clear and plain language. The communication should also be made as soon as reasonably feasible and in close cooperation with the supervisory authority. The guidelines provide some examples of methods that may be effective for communicating a breach to data subjects, such as a direct electronic message (e.g. email, SMS, direct message), a postal notification, a prominent advertisement in print media, or a notice on the homepage of the affected website. However, the guidelines also state that a notice on a corporate blog or social media would not be an effective method of communication, as it would not reach all the affected data subjects and would not allow them to take immediate action to protect themselves. Therefore, the correct answer is C. A notice on a corporate blog. References:

WP29’s “Guidelines on Personal data breach notification under Regulation 2016/679’’, pages 20-211

Binding Corporate Rules (BCRs) are a data transfer mechanism under the GDPR that allow multinational companies to transfer personal data within their group entities outside the EU, provided that they comply with the data protection principles and rights of the GDPR. BCRs are internal codes of conduct that must be legally binding and enforced by every member of the group.

According to Article 47 of the GDPR, BCRs must be approved by the competent Data Protection Authority (DPA) in the EU, following the consistency mechanism set out in Article 63 of the GDPR. This means that the DPA that receives the application for approval of the BCRs must communicate its draft decision to the European Data Protection Board (EDPB), which will issue its opinion on the BCRs. The EDPB is an independent body composed of representatives of the national DPAs and the European Data Protection Supervisor. The EDPB ensures the consistent application of the GDPR across the EU and issues guidelines, recommendations, and best practices on various aspects of the GDPR.

Therefore, the data transfer mechanism that Alice drafted violates the GDPR because the company did not first get approval from the Data Protection Authority, which is the supervisory authority responsible for authorising and monitoring the BCRs. The company cannot rely on the BCRs as a valid legal basis for transferring personal data from the EU to the US without the DPA’s approval.

The other options are not correct, as they are not the authorities that approve the BCRs under the GDPR. The Court of Justice of the European Union (CJEU) is the judicial body of the EU that interprets and applies EU law and ensures its uniformity across the EU. The CJEU does not approve the BCRs, but it may rule on the validity or interpretation of the GDPR or other EU laws that affect data protection. The European Data Protection Board (EDPB) is an independent body that ensures the consistent application of the GDPR and issues opinions on the BCRs, but it does not approve them. The EDPB’s opinions are not binding, but they must be taken into account by the DPAs. The European Commission is the executive branch of the EU that proposes and implements EU laws and policies. The European Commission does not approve the BCRs, but it may adopt adequacy decisions that recognise that a third country or an international organisation ensures an adequate level of data protection, which is another data transfer mechanism under the GDPR.

References:

GDPR

Binding Corporate Rules (BCR)

Binding Corporate Rules - PwC

Binding Corporate Rules - GDPR Summary

A Guide for Binding Corporate Rules - Hunton Andrews Kurth

Personal data transfers: binding corporate rules (BCRs) under the GDPR

According to the GDPR, personal data means any information relating to an identified or identifiable natural person1. Body temperature is a type of personal data that can reveal information about an individual’s health and therefore constitutes special category data under Article 9 of the GDPR2. However, not every activity involving personal data falls within the scope of the GDPR. The GDPR applies only to the processing of personal data wholly or partly by automated means or to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system3.

In this scenario, the organization conducts body temperature checks as a part of COVID-19 monitoring. Body temperature is measured manually and is not followed by registration, documentation or other processing of an individual’s personal data. This means that the organization does not use any automated means to collect, store, or process the body temperature data, nor does it create or intend to create a filing system that contains such data. Therefore, this practice does not involve any processing of personal data within the meaning of the GDPR and is not subject to its rules and obligations.

The other options are incorrect because:

A. Body temperature is considered personal data, as it can be linked to an identifiable natural person and reveal information about their health2.

C. Body temperature is not considered pseudonymous data, as it is not processed in a way that the data can no longer be attributed to a specific data subject without the use of additional information4.

D. The practice is not for the purpose of alleviating extreme risks to public health, as it is not based on any legal obligation, public interest, or vital interest that would justify the processing of special category data under Article 9 of the GDPR5.

References: 1 Article 4(1) of the GDPR2 Policy Brief: Location Data Under Existing Privacy Laws | FPF23 Article 2(1) of the GDPR4 Article 4(5) of the GDPR5 Article 9(2) of the GDPR.

According to Article 14 of the GDPR, if the controller obtains personal data from other sources, such as third parties or publicly accessible sources, the controller must provide the data subject with the necessary privacy information, such as the identity and contact details of the controller, the purposes and legal basis of the processing, the categories of personal data concerned, the recipients or categories of recipients of the personal data, and the rights of the data subject. The controller must provide this information within a reasonable period after obtaining the personal data, but no later than one month, having regard to the specific circumstances in which the personal data are processed. However, there are some exceptions to this rule, such as if the data subject already has the information, if the provision of the information proves impossible or would involve a disproportionate effort, if the obtaining or disclosure of the data is expressly laid down by EU or member state law, or if the personal data must remain confidential subject to an obligation of professional secrecy12. References:

GDPR, Article 14

Free CIPP/E Study Guide, page 19, section 2.5.1

CIPP/E Certification, page 14, section 1.2.1

Art. 14 GDPR - Information to be provided where personal data have not been obtained from the data subject

Article 14 GDPR - GDPRhub

Convention 108+ is the modernised version of Convention 108, which was the first legally binding international instrument on data protection. The main purpose of Convention 108+ is to update and enhance the protection of personal data in light of the technological developments and the new challenges posed by the globalisation of data processing. Convention 108+ also aims to ensure the effective implementation and enforcement of data protection principles and rules, as well as to facilitate the free flow of data between the parties to the Convention.

References:

•Convention 108+ : the modernised version of a landmark instrument1

•Convention 108 and Protocols - Data Protection - The Council of Europe2

•Convention 108 - Council of Europe3

The e-Privacy Directive 2002/58/EC, also known as the Directive on privacy and electronic communications, is a specific directive that complements and particularises the GDPR for the electronic communications sector. It was amended in 2009 by the Directive 2009/136/EC, which introduced several changes to enhance the protection of personal data and privacy in the electronic communications sector. One of these changes was the introduction of a mandatory notification for personal data breaches applicable to providers of publicly available electronic communications services, such as telecom providers and internet service providers. According to Article 4 of the amended e-Privacy Directive, these providers must notify the competent national authority of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Community. The notification must be made without undue delay and, where feasible, not later than 24 hours after the provider has become aware of the breach. The notification must include information such as the nature and content of the personal data concerned, the circumstances and consequences of the breach, and the measures taken or proposed by the provider to address the breach. The provider must also notify the affected data subjects of the breach, unless the provider has demonstrated to the satisfaction of the competent authority that it has implemented appropriate technological protection measures that render the data unintelligible to any person who is not authorised to access it. The notification to the data subjects must describe the nature of the breach and the contact points where more information can be obtained, and must recommend measures to mitigate the possible adverse effects of the breach. The purpose of this mandatory notification is to ensure that the authorities and the data subjects are informed of the risks and the remedies related to the breach, and to encourage the providers to improve their security measures and prevent further breaches. References: e-Privacy Directive, Changes to e-Privacy Directive Approved by European Parliament, Article 2 Amendments to Directive 2002/58/EC (Directive on privacy and electronic communications), Personal data breaches

 According to Article 42 of the GDPR, the Commission may approve certification mechanisms, seals and marks for the purpose of demonstrating the existence of appropriate safeguards for personal data transfers to third countries or international organisations. These certification mechanisms, seals and marks are voluntary and transparent, and are issued by accredited certification bodies or by the competent supervisory authorities. They are subject to the general provisions on certification in Articles 42 and 43 of the GDPR. They are intended to enhance the trust of data subjects and facilitate the free flow of personal data within the Union and beyond. They are also subject to periodic review and withdrawal or suspension if the conditions for certification are not or are no longer met. References:

Article 42 of the GDPR

European Data Protection Law & Practice textbook, Chapter 8: Transfers of Personal Data to Third Countries, Section 8.3: Appropriate Safeguards, Subsection 8.3.4: Certification Mechanisms, Seals and Marks

Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation

 Under the GDPR, email marketing requires explicit and unambiguous consent from the recipients, meaning that they must actively agree to receive marketing communications, and the process for obtaining this consent must be clear and transparent. A prior opt-in consent is the most common and reliable way to demonstrate compliance with this requirement, as it involves a positive action from the data subject, such as ticking a box, clicking a button, or filling a form. A pre-checked box, a notice, or an opt-out option are not sufficient to obtain valid consent, as they do not indicate a clear expression of the data subject’s will. However, there is an exception to the consent rule for existing customers, known as the “soft opt-in”. This means that a company can send email marketing messages to its customers without prior consent, if the following conditions are met:

The company obtained the customer’s contact details in the course of a sale or negotiations for a sale of a product or service;

The company only sends marketing messages about its own similar products or services;

The company gives the customer a clear opportunity to opt out of receiving such messages both when first collecting the details and in every subsequent message.

References: GDPR Article 4(11), GDPR Article 6(1)(a), GDPR Article 7, GDPR Recital 32, GDPR Recital 47, GDPR for Marketing: The Definitive Guide for 2023 - SuperOffice, A Guide to GDPR Compliance for Email Marketers in 2023

 The Individual Participation Principle is one of the Fair Information Practice Principles (FIPPs) that are not part of any legal framework, but are widely adopted by many data privacy regulations in force today1. The FIPPs are a set of guidelines for fair information practices that aim to protect the privacy and security of personal information. The Individual Participation Principle holds that individuals have a number of rights, including the right to have their personal data corrected or erased, the right to access and obtain confirmation of their personal data, the right to be informed about how their personal data is used and who it is shared with, and the right to object or withdraw consent for certain purposes2.

The General Data Protection Regulation (GDPR) is a legal framework that implements the European Union’s (EU) Data Protection Directive and provides comprehensive protection for all individuals within the EU regarding their personal data. The GDPR grants individuals a number of rights, such as the right to access, rectify, erase, restrict, port, object, or not be subject to automated decision-making based on their personal data. These rights are similar to those under the FIPPs and can be found in Articles 12 to 22 of the GDPR.

Therefore, the parts of the GDPR that provide the closest equivalent to the Individual Participation Principle are Articles 12 to 22.

References:

OECD Privacy Principles

What are the 7 main principles of GDPR?

Fair Information Practice Principles (FIPPs)

Individual Participation - International Association of Privacy Professionals

What is the right to be forgotten? | Right to erasure | Cloudflare

General Data Protection Regulation - Wikipedia

According to Article 32 of the GDPR, the controller and the processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing, including the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident1. A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed2. Therefore, a power outage that results in the loss of availability of customer data for six hours is considered a personal data breach under the GDPR.

Based on the WP 29’s February, 2018 guidance, which was endorsed by the European Data Protection Board, company Z should document the loss of availability to demonstrate accountability3. The guidance states that controllers must document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken, regardless of whether the breach needs to be notified to the supervisory authority or the data subjects. This documentation must enable the supervisory authority to verify compliance with the GDPR and must be made available to the supervisory authority on request4.

The other options (A, C, and D) are not required by the GDPR or the guidance, although they may be advisable or beneficial depending on the circumstances. Option A is not mandatory, as the GDPR only requires the controller to communicate the personal data breach to the data subject when the breach is likely to result in a high risk to the rights and freedoms of natural persons5. A temporary loss of availability may not pose such a high risk, unless it affects the data subject’s essential services or activities. Option C is also not obligatory, as the GDPR only requires the controller to notify the supervisory authority of the personal data breach within 72 hours unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons6. A short-term loss of availability may not entail such a risk, unless it affects a large number of data subjects or sensitive data. Option D is not specified by the GDPR or the guidance, although it may be a good practice to conduct a thorough audit of all security systems after a personal data breach to identify and address any vulnerabilities or weaknesses that may have contributed to the incident or may lead to future incidents. References:

1: Article 32 of the GDPR

2: Article 4 (12) of the GDPR

3: Endorsed WP29 Guidelines

4: Article 33 (5) of the GDPR

5: Article 34 (1) of the GDPR

6: Article 33 (1) of the GDPR

7: Guidelines on Personal data breach notification under Regulation 2016/679, WP250 rev.01

8: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

9: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679

According to the WP29 guidance on DPIA1, conducting a single DPIA to address multiple processing operations is allowed when the following conditions are met:

The processing operations present similar high risks, which would result in very similar mitigating measures;

The DPIA is reviewed and updated regularly to take into account any changes or new risks;

The DPIA is complemented by ad hoc assessments where necessary to address more specific issues.

The WP29 guidance cites the example of a railway operator who plans to evaluate the same video surveillance in all the train stations of his company as a case where a single DPIA would be sufficient, provided that the above conditions are met2. The other options do not meet these conditions, as they involve different types of processing operations, different purposes, different data subjects, or different technologies. References:

WP29 guidance on DPIA

WP29 guidance on DPIA, page 16

According to the definition of direct marketing in the context of data protection law, it is personal data processed to communicate a marketing or advertising message. This includes messages from commercial organisations, as well as from charities and political organisations. Therefore, option D is an example of direct marketing that would be subject to European data protection laws, as it involves sending a marketing message by SMS to an individual. The other options are not examples of direct marketing, as they do not involve marketing or advertising messages, but rather information or service messages that are not intended to promote any product or service. References:

[IAPP article on direct marketing (EU specific)]

Lexology article on direct marketing requirements under the GDPR

According to the GDPR, the processing of personal data obtained through monitoring software must be lawful, fair, and transparent. This means that the employer must inform the employees about the nature, extent, and reasons for monitoring, and the possible consequences of non-compliance with the company’s policies. The employer must also have a legitimate interest or another lawful basis for processing the employees’ data, and respect their rights and freedoms. The employer must also comply with the national laws and guidelines of each member state where it operates, which may impose additional conditions or limitations on employee monitoring. In this case, Building Block did not inform the employee from Italy that the security software would also monitor his computer activity and location, and did not specify the purpose and scope of such monitoring. Therefore, the employee could not reasonably expect that his personal data would be processed in this way, and could not exercise his rights under the GDPR, such as the right to access, rectify, or object to the processing. Moreover, the employer did not conduct a proper assessment of the necessity and proportionality of the monitoring, and did not consider less intrusive alternatives to achieve its security goals. Therefore, the employer could face legal challenges from the employee, the Italian supervisory authority, or the labor courts, if it decides to apply disciplinary measures based on the data obtained through the monitoring software. The employer could also face fines or sanctions for violating the GDPR and the Italian data protection law. References: GDPR requirements for employee monitoring: rules to follow, Can Your Organisation Monitor Employees’ Personal Communications?, ICO publishes guidance to ensure lawful monitoring in the workplace, [Guidelines on processing personal data in the context of connected vehicles and mobility related applications]

The GDPR requires that data subjects are provided with certain information when their personal data are collected, either from the data subject themselves or from another source12. This information includes, among other things, the identity and contact details of the controller (and, where applicable, of the controller’s representative and the data protection officer), and the purposes of the processing for which the personal data are intended as well as the legal basis for the processing34. This information is necessary to ensure fair and transparent processing of personal data, and to enable data subjects to exercise their rights under the GDPR5. Therefore, option C is the correct answer, as it contains two of the essential pieces of information that must be provided to data subjects before collecting their personal data. Options A, B and D are incorrect, as they do not include all the required information or include information that is not mandatory. References: 1: Article 13 of the GDPR 2: Article 14 of the GDPR 3: Article 13(1)(a) and © of the GDPR 4: Article 14(1)(a) and © of the GDPR 5: Recital 60 of the GDPR

 According to the GDPR, consent is one of the six lawful bases for processing personal data. Consent means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Consent can be withdrawn at any time, and the withdrawal of consent must be as easy as giving it. Therefore, an individual can withdraw her consent for processing when she no longer wishes to be sent marketing materials from an organization, as this is a clear indication of her wishes and does not affect the lawfulness of the processing based on consent before its withdrawal. The other situations are not related to consent, but to other lawful bases such as contract, legitimate interest or legal obligation. References: Free CIPP/E Study Guide, page 9; CIPP/E Certification, page 3; GDPR, Article 4(11), Article 6(1)(a), Article 7(3).

According to Articles 33 and 34 of the GDPR, the Gummy Bear Company potentially violated its breach notification obligations by allowing Sam to copy and use the personal data of its customers in Ireland without their consent or authorization. A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed (Article 4(12)). The Gummy Bear Company, as a data controller, is required to notify the competent supervisory authority of the personal data breach without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons (Article 33(1)). The notification should include the nature of the personal data breach, the categories and approximate number of data subjects and personal data records concerned, the likely consequences of the personal data breach, and the measures taken or proposed to address the personal data breach (Article 33(3)). The Gummy Bear Company is also required to communicate the personal data breach to the affected data subjects without undue delay, if the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons (Article 34(1)). The communication should describe the nature of the personal data breach and the measures taken or proposed to address the personal data breach (Article 34(2)).

Therefore, the Gummy Bear Company should analyze and evaluate all of its breach notification obligations, taking into account the nature and circumstances of the personal data breach, the type and sensitivity of the personal data involved, the potential impact and harm to the data subjects, and the applicable laws and regulations of the jurisdictions where the data subjects reside. The Gummy Bear Company should also document the personal data breach and the remedial actions taken, and cooperate with the supervisory authorities and the data subjects as required by the GDPR.

References: GDPR, Articles 4(12), 33, 341; EDPB Guidelines 01/2021 on Examples regarding Data Breach Notification2

The GDPR imposes several obligations on data controllers when they engage data processors to process personal data on their behalf. One of these obligations is to ensure that the contract or other legal act between the controller and the processor stipulates that the processor must assist the controller in complying with its obligations under the GDPR, including the obligation to notify personal data breaches to the competent supervisory authority and, where applicable, to the affected data subjects1. However, this does not mean that the processor can directly notify the supervisory authority without the involvement of the controller. The GDPR clearly states that it is the controller’s responsibility to notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of the breach2. The processor must only notify the controller without undue delay after becoming aware of the breach3. Therefore, requiring that the processor directly notify the appropriate supervisory authority is not an action that a data controller can depend upon to avoid liability in the event of a security breach, as it would be contrary to the GDPR and the controller’s own obligation. Options A, B and D are actions that a data controller can take to reduce the risk of liability, as they demonstrate that the controller has exercised due diligence, assessed the potential impact of outsourcing, and chosen a reliable and compliant processor. References: 1: Article 28(3)(f) of the GDPR 2: Article 33(1) of the GDPR 3: Article 33(2) of the GDPR

Convention 108 was the first legally binding international instrument in the data protection field, adopted by the Council of Europe in 19811. However, it had some limitations that led to the creation of the Data Protection Directive (Directive 95/46/EC) by the European Union in 19952. One of the main failings of Convention 108 was that it was implemented in a fragmented manner by a small number of states, resulting in divergent and inconsistent national laws and practices3. The Data Protection Directive aimed to harmonize the data protection rules within the EU and to ensure a high level of protection for individuals’ rights and freedoms2. Therefore, option C is the correct answer. Option A is incorrect because Convention 108 did account for the rapid growth of the Internet by allowing for amendments and protocols to adapt to technological developments1. Option B is incorrect because Convention 108 did include protections for sensitive personal data, such as those revealing racial origin, political opinions, religious beliefs, health, or sexual life1. Option D is incorrect because Convention 108 did not prescribe specific penalties for violations of data protection rights, but left it to the Parties to adopt appropriate sanctions and remedies1. References:

Convention 108 and Protocols

CIPP/E Certification

Convention 108+ and the Data Protection Framework of the EU

The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not1. This means that the GDPR applies to any controller or processor that has a branch, office, subsidiary, or other stable arrangement in the EU, even if the data processing occurs outside the EU. However, the GDPR also applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union1. This means that the GDPR applies to any controller or processor that targets or tracks EU data subjects, even if they do not have a presence in the EU. In this case, the website operator is not required to comply with the GDPR because it does not have an establishment in the EU (option B), and it does not offer goods or services or monitor the behaviour of EU data subjects. The website operator reports primarily on North American events, does not block connections from outside the U.S., and only accepts payments in U.S. dollars, which indicate that it does not intend to target or track EU data subjects. Therefore, option B is the correct answer. References: Art. 3 GDPR – Territorial scope, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), [What does territorial scope mean under the GDPR?]

Directive 2002/58/EC, also known as the ePrivacy Directive, regulates the use of electronic communications services within the European Union. It covers issues such as confidentiality of communications, processing of traffic and location data, spam, cookies, and security breaches. It complements and particularises Directive 95/46/EC, also known as the Data Protection Directive, which sets out the general principles for the protection of personal data in the EU. The ePrivacy Directive was amended by Directive 2009/136/EC, which introduced new provisions on consent, cookies, and breach notification. The ePrivacy Directive is currently under review and will be replaced by a new Regulation on Privacy and Electronic Communications (ePrivacy Regulation), which is still being negotiated by the EU institutions. References: Directive 2002/58/EC, Directive 2009/136/EC, [ePrivacy Regulation]

 According to Article 14 of the GDPR, when a controller collects personal data from a source other than the data subject, the controller must provide the data subject with certain information, such as the identity and contact details of the controller, the purposes and legal basis of the processing, the categories of personal data concerned, the recipients or categories of recipients of the personal data, and the rights of the data subject. This information must be provided within a reasonable period after obtaining the personal data, but at the latest within one month, or at the time of the first communication with the data subject, or before disclosing the data to another recipient. The purpose of this provision is to ensure fair and transparent processing of personal data and to respect the right of the data subject to be informed. References:

Article 14 of the GDPR, which specifies the information to be provided where personal data have not been obtained from the data subject.

ICO guidance, which explains the requirements and exceptions of Article 14 of the GDPR.

EDPB guidelines, which provide further guidance on the application of Article 14 of the GDPR.

 The definition of personal data under the GDPR is broad and covers any information that relates to an identified or identifiable natural person. This means that personal data can include information such as name, email, phone number, address, date of birth, race, gender, political opinions and more. The GDPR protects personal data on all levels, platforms and technologies, and requires organizations to process it only for a specific purpose and keep it for a limited time.

The unlinked aggregated data used for statistical purposes by an Italian company would most likely NOT be covered by the definition of personal data under the GDPR. Aggregated data is data that has been processed in such a way that individual records are no longer identifiable. For example, if a company collects the names and email addresses of its customers and then calculates the average age of its customers, the resulting data is aggregated and not personal. Therefore, this type of data would not be subject to the GDPR.

However, this does not mean that the Italian company can use this type of data without any restrictions or obligations. The GDPR still applies to any processing activity that involves personal data in any form or manner. For example, if the Italian company uses this type of data to create a profile or a segment of its customers based on their characteristics or preferences, it may still need to comply with certain principles and conditions under the GDPR. For instance, it may need to obtain consent from its customers before using their aggregated data for marketing purposes; it may need to ensure that its aggregated data is accurate and up-to-date; it may need to limit the retention period of its aggregated data; and it may need to respect the rights of its customers regarding their personal data.

References:

What is personal data? | ICO

What is considered personal data under the EU GDPR?

[GDPR personal data – what information does this cover?]

 A data protection impact assessment (DPIA) is a process to help identify and minimise the data protection risks of a project that involves personal data, especially when using new technologies or processing that is likely to result in a high risk to individuals1. The UK GDPR requires data controllers to carry out a DPIA before starting such processing and to consult the supervisory authority if the DPIA indicates a high risk that cannot be mitigated1. The UK GDPR also provides some general guidance on the content and methodology of a DPIA, but it does not prescribe a specific format or procedure1. Therefore, to effectively assist Zandelay in conducting their DPIA, it would be helpful to refer to existing DPIA guides published by local supervisory authorities, such as the ICO in the UK or the DPC in Ireland23. These guides offer more detailed and practical advice on how to conduct a DPIA, what to include in it, how to assess and mitigate the risks, and when to consult the authority23. They also provide templates, checklists, examples, and case studies to illustrate the DPIA process23. By following these guides, Zandelay can ensure that their DPIA is comprehensive, consistent, and compliant with the UK GDPR and the relevant national laws.

The other options are not as effective as option C, because:

Option A: Information about DPIAs found in Articles 38 through 40 of the UK GDPR is too general and vague to assist Zandelay in conducting their DPIA. These articles only outline the basic requirements and principles of a DPIA, but do not provide any specific guidance on how to conduct one, what to include in it, or how to assess and mitigate the risks1. Zandelay would need more detailed and practical advice to effectively perform a DPIA.

Option B: Data breach documentation that data controllers are required to maintain is not relevant to conducting a DPIA. A data breach is a security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data1. A data controller must document any data breaches, including the facts, effects, and remedial actions taken, and notify the supervisory authority and the affected individuals without undue delay1. However, a data breach is not the same as a data protection risk, which is the potential for adverse effects on individuals as a result of the processing of their personal data2. A DPIA is a proactive and preventive measure to identify and minimise the data protection risks of a project, not a reactive and corrective measure to deal with the consequences of a data breach2.

Option D: Records of processing activities that data controllers are required to maintain are not sufficient to assist Zandelay in conducting their DPIA. A record of processing activities is a document that contains information about the purposes, categories, recipients, transfers, retention periods, and security measures of the processing of personal data by a data controller or a data processor1. A data controller must maintain a record of processing activities under its responsibility and make it available to the supervisory authority upon request1. However, a record of processing activities is not the same as a DPIA, which is a more in-depth and systematic analysis of the data protection risks and the measures to address them2. A record of processing activities may provide some useful information for a DPIA, such as the nature, scope, context, and purposes of the processing, but it does not cover other aspects, such as the necessity, proportionality, compliance, and impact of the processing2.

https://blog.netwrix.com/2021/02/17/data-protection-impact-assessment/

https://ico.org.uk/for-organisations-2/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/

Under the GDPR (Article 4(12)), a personal data breach is defined as:

"A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed"​.

Why Answer Choice D is Correct

Loss of Encryption Key = Loss of Data Availability

The loss of the decryption key means that the bank can no longer access customer transaction data.

Availability is a fundamental aspect of data security (Article 32). Loss of availability constitutes a breach under GDPR​.

Loss of Confidentiality & Integrity

If the encryption key is lost, data cannot be decrypted, meaning it is effectively destroyed or altered.

This qualifies as a data breach under GDPR since data integrity and confidentiality are compromised​.

Why Other Answer Choices Are Incorrect:

A (No Breach Because No Hacking):

GDPR does not require hacking for a breach to occur. A loss of access alone can qualify​.

B (No Breach Because No Unauthorized Access):

Unauthorized disclosure is one type of breach, but GDPR also covers loss and destruction of personal data​.

C (Data Breach Due to Inaccessibility):

Partially correct but does not fully explain the GDPR criteria. GDPR defines breaches in terms of confidentiality, integrity, and availability—all of which are affected​.

Conclusion:

This incident is a data breach under GDPR, as it impacts data confidentiality, integrity, and availability.

The correct answer is D, because losing the decryption key compromises data integrity and availability, qualifying as a data breach under GDPR Article 4(12)​.

The GDPR allows for derogations for specific situations when a transfer of personal data to a third country or an international organization cannot be based on an adequacy decision, appropriate safeguards, or binding corporate rules1. However, these derogations are exceptions to the general rule and should not become the norm. The EDPB confirmed that derogations should only be used as a last resort and when interpreted restrictively, taking into account the nature of the data, the purpose and duration of the processing, the country of origin and destination, and the rights and freedoms of data subjects23. The EDPB also stressed that the data exporter must assess the level of protection in the third country and ensure that the transfer does not undermine the essence of the fundamental rights and freedoms of data subjects23. References: 1: Article 49 of the GDPR 2: Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679 3: A guide to international transfers | ICO

The General Data Protection Regulation (GDPR) does not prohibit surveillance of employees in the workplace. Still, it requires employers to follow special rules to ensure that the rights and freedoms of employees are protected when processing their personal data. The GDPR applies to any processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not. The GDPR also applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to the offering of goods or services to data subjects in the EU or the monitoring of their behaviour as far as their behaviour takes place within the EU.

The GDPR requires that any processing of personal data must be lawful, fair and transparent, and based on one of the six legal grounds specified in the regulation. The most relevant legal grounds for employee surveillance are the legitimate interests of the employer, the performance of a contract with the employee, or the compliance with a legal obligation. The GDPR also requires that any processing of personal data must be limited to what is necessary for the purposes for which they are processed, and that the data subjects must be informed of the purposes and the legal basis of the processing, as well as their rights and the safeguards in place to protect their data.

The GDPR also imposes specific obligations and restrictions on the processing of special categories of personal data, such as biometric data, which reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or which are processed for the purpose of uniquely identifying a natural person. The processing of such data is prohibited, unless one of the ten exceptions listed in the regulation applies. The most relevant exceptions for employee surveillance are the explicit consent of the data subject, the necessity for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, or the necessity for reasons of substantial public interest.

The GDPR also sets out the rules and requirements for the transfer of personal data to third countries or international organisations, which do not ensure an adequate level of data protection. The transfer of such data is only allowed if the controller or processor has provided appropriate safeguards, such as binding corporate rules, standard contractual clauses, codes of conduct or certification mechanisms, and if the data subjects have enforceable rights and effective legal remedies.

Based on the scenario, the main problem with the 24/7 camera monitoring is that it has no valid legal basis to be implemented in the context of Gentle Hedgehog’s business. This option is the most consistent with the GDPR’s principles and requirements, as it:

Is not based on a valid legal ground for the processing of personal data, as it does not rely on the legitimate interests of the employer, the performance of a contract with the employee, or the compliance with a legal obligation. The legitimate interests of the employer to ensure the productivity, quality and security of the work performed by the employees must be balanced with the rights and freedoms of the employees, and the 24/7 camera monitoring is likely to be disproportionate and intrusive, especially if it covers non-work-related activities and communications. The performance of a contract with the employee does not justify the 24/7 camera monitoring, as it is not necessary for the fulfilment of the contractual obligations of the employee or the employer. The compliance with a legal obligation does not apply to the 24/7 camera monitoring, as there is no specific law or regulation that requires such a measure in the context of Gentle Hedgehog’s business.

Is not limited to what is necessary for the purposes of the monitoring, as it involves the collection and processing of excessive and irrelevant personal data, such as camera and microphone monitoring, which go beyond the scope of the work performed by the employees, and intrude into their private or personal sphere. The 24/7 camera monitoring is also likely to capture personal data of third parties, such as customers, suppliers or visitors, whose consent is required for the monitoring, and whose rights and freedoms may be affected by the processing.

Is not transparent to the employees, as it does not inform them of the monitoring and its precise scope, and does not give them the opportunity to object or opt out of the monitoring. The monitoring is invisible by default, which means that the employees are not aware of when and how they are being monitored, and what personal data are being collected and processed. The so-called Transparent Mode, which regularly and conspicuously notifies all users about the monitoring and its precise scope, is also insufficient, as it does not provide the employees with a clear and comprehensive information notice, nor with a valid and specific consent form, as required by the GDPR.

Involves the processing of special categories of personal data, such as biometric data or data revealing political opinions or trade union membership, which are not necessary or proportionate for the purposes of the monitoring, and which do not fall under any of the exceptions listed in the regulation. The facial recognition technology used by the monitoring system is a form of biometric data processing, which is prohibited by the GDPR, unless the data subject has given explicit consent, or the processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, or the processing is necessary for reasons of substantial public interest. None of these exceptions apply to the scenario, as the facial recognition technology is not used for any of these purposes, but rather for verifying the identity of the employees each time they log in. The camera and microphone monitoring may also capture personal data revealing political opinions or trade union membership, which are also special categories of personal data, and which are not relevant or proportionate for the purposes of the monitoring.

Involves the transfer of personal data to a third country, such as China, which does not provide an adequate level of data protection, and which may pose additional risks for the rights and freedoms of the employees. The monitoring data, including the facial recognition data, are securely stored in Microsoft Azure cloud servers operated by Sauron Eye, which are physically located in France. However, Sauron Eye is a Chinese vendor of employee surveillance software, whose European headquarters is in Germany. This means that the monitoring data may be accessed or transferred by Sauron Eye to its parent company or other affiliates in China, which is a third country that does not ensure an adequate level of data protection, according to the European Commission. The transfer of personal data to China is only allowed if the controller or processor has provided appropriate safeguards, such as binding corporate rules, standard contractual clauses, codes of conduct or certification mechanisms, and if the data subjects have enforceable rights and effective legal remedies. However, the scenario does not indicate that any of these safeguards or remedies are in place, and therefore the transfer of personal data to China may violate the GDPR.

The other options listed in the question are not the main problem with the 24/7 camera monitoring, as they:

Are not directly related to the GDPR’s principles and requirements, but rather to the national laws and regulations of the member states, which may vary depending on the specific context and circumstances of the monitoring. The GDPR does not specify a precise time limit for the operation of the camera monitoring, but leaves it to the national laws and regulations of the member states to determine the appropriate conditions and safeguards for the monitoring, taking into account the nature, scope, context and purposes of the processing, as well as the risks for the rights and freedoms of data subjects. The GDPR also does not require the approval of the trade union or the license from the national DPA for the camera monitoring, but leaves it to the national laws and regulations of the member states to establish the appropriate procedures and mechanisms for the consultation and involvement of the relevant stakeholders, such as the employees, the trade unions, the works councils, the DPAs or the courts.

Are not the main problem with the 24/7 camera monitoring, but rather the consequences or the implications of the main problem, which is the lack of a valid legal basis for the monitoring. The operation of the camera monitoring during non-business hours and employee holidays, or the accidental filming of third parties whose consent is required for the monitoring, are not the main problem, but rather the result of the main problem, which is the excessive and disproportionate collection and processing of personal data, which go beyond the scope of the work performed by the employees, and intrude into their private or personal sphere. The approval of the trade union or the license from the national DPA are not the main problem, but rather the potential solutions or remedies for the main problem, which is the absence of transparency and accountability for the monitoring, which do not inform the employees of the monitoring and its precise scope, and do not give them the opportunity to object or opt out of the monitoring.

References:

GDPR, Articles 5, 6, 7, 8, 9, 10, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 44, 45, 46, 47, 48, and 49.

EDPB Guidelines 3/2019 on processing of personal data through video devices, pages 5, 6, 7, 8, 9, 10, 11, 12, 13, and 14.

[EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR]

 The GDPR aims to harmonize the data protection rules across the EU and to ensure consistent and effective enforcement of those rules. However, the GDPR also recognizes that there may be some differences in the interpretation and application of the law among the member states, depending on their national legislation, culture and practices. Therefore, the GDPR introduces the concept of the “main establishment” of a controller or processor, which is the place where the decisions on the purposes and means of the processing of personal data are taken in the EU1. The main establishment determines which national supervisory authority will act as the lead authority for the cross-border processing activities of that controller or processor, and which national law will apply in case of a dispute or a complaint2. The Article 29 Working Party, which is an advisory body composed of representatives of the national supervisory authorities, the European Data Protection Supervisor and the European Commission, has issued guidelines on how to identify the main establishment of a controller or processor under the GDPR3. The guidelines emphasize that the main establishment must reflect the reality of the processing activities and the effective and real exercise of management power over those activities. The guidelines also warn against the practice of “forum shopping”, which occurs when a controller or processor designates its main establishment in a member state with the most flexible or lenient data protection regime, regardless of the actual location of the decision-making or the data processing. The guidelines state that such a practice is forbidden under the GDPR, and that the supervisory authorities will closely monitor and verify the criteria used by the controllers or processors to determine their main establishment. If the supervisory authorities find that the main establishment does not correspond to the factual situation, they may challenge the designation and apply the relevant corrective measures4. References: 1 Art. 4 (16) GDPR – Definitions - General Data Protection Regulation (GDPR)2 Art. 56-58 GDPR – Cooperation and consistency - General Data Protection Regulation (GDPR)3 Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) - European Data Protection Board4 Ibid, p. 14-15.

According to Article 8 of the GDPR, where the processing of personal data is based on consent and the offer of an information society service (ISS) is directly made to a child, the processing is lawful only if the child is at least 16 years old, or if the consent is given or authorised by the holder of parental responsibility over the child. The GDPR allows EU member states to lower the age threshold to a minimum of 13 years. The data controller must make reasonable efforts to verify that the consent is given or authorised by the holder of parental responsibility, taking into account available technology. An ISS is any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services. Examples of ISS include online marketplaces, social media platforms, and online games.

In this scenario, the company is offering an ISS to children, as the connected toys can talk and interact with children via the internet. The company is also processing personal data of the children, such as their voice, questions, preferences, and location. Therefore, the company must obtain parental consent for the use of the action figures before any data can be collected, unless the child is above the age threshold set by the relevant EU member state. The company must also inform the parents and the children about the nature and purpose of the data processing, the data transfers to South Africa, and the rights of the data subjects. The company must also ensure that the data processing is fair, lawful, transparent, and in accordance with the data protection principles and the children’s best interests.

The other options are incorrect because:

A. The child cannot provide consent himself, regardless of the purpose of the data processing, unless he is above the age threshold set by the relevant EU member state. The GDPR does not make any distinction between data processing for marketing or non-marketing purposes when it comes to children’s consent.

B. The company does not need to obtain written authorization from the supervisory authority to process children’s data, as long as it complies with the GDPR requirements and obtains parental consent. The supervisory authority is the independent public authority responsible for monitoring the application of the GDPR in each EU member state, and it can intervene only in cases of non-compliance or complaints.

C. Consent for data collection cannot be implied through the parent’s purchase of the action figure for the child. The GDPR requires that consent must be freely given, specific, informed, and unambiguous, and that it must be expressed by a clear affirmative action. The purchase of a product does not meet these criteria, and it does not indicate the parent’s agreement to the data processing. Moreover, the packaging of the toy does not provide sufficient information about the data processing, nor does it mention that an internet connection is required.

References: Article 8 and Recitals (38) and (58) of the GDPR, Can personal data about children be collected?, Children and the UK GDPR, CIPP/E Certification

The General Data Protection Regulation (GDPR) does not prohibit surveillance of employees in the workplace. Still, it requires employers to follow special rules to ensure that the rights and freedoms of employees are protected when processing their personal data. The GDPR applies to any processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not. The GDPR also applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to the offering of goods or services to data subjects in the EU or the monitoring of their behaviour as far as their behaviour takes place within the EU.

The GDPR requires that any processing of personal data must be lawful, fair and transparent, and based on one of the six legal grounds specified in the regulation. The most relevant legal grounds for employee surveillance are the legitimate interests of the employer, the performance of a contract with the employee, or the compliance with a legal obligation. The GDPR also requires that any processing of personal data must be limited to what is necessary for the purposes for which they are processed, and that the data subjects must be informed of the purposes and the legal basis of the processing, as well as their rights and the safeguards in place to protect their data.

The GDPR also imposes specific obligations and restrictions on the processing of special categories of personal data, such as biometric data, which reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or which are processed for the purpose of uniquely identifying a natural person. The processing of such data is prohibited, unless one of the ten exceptions listed in the regulation applies. The most relevant exceptions for employee surveillance are the explicit consent of the data subject, the necessity for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, or the necessity for reasons of substantial public interest.

The GDPR also sets out the rules and requirements for the transfer of personal data to third countries or international organisations, which do not ensure an adequate level of data protection. The transfer of such data is only allowed if the controller or processor has provided appropriate safeguards, such as binding corporate rules, standard contractual clauses, codes of conduct or certification mechanisms, and if the data subjects have enforceable rights and effective legal remedies.

Based on the scenario, the only monitoring that may be lawfully performed within the scope of Gentle Hedgehog’s business is the monitoring of emails, website browsing history and camera for internal video calls that are expressly marked as monitored. This option is the most consistent with the GDPR’s principles and requirements, as it:

Is based on the legitimate interests of the employer to ensure the productivity, quality and security of the work performed by the employees, as well as the performance of a contract with the employees and the compliance with a legal obligation to prevent fraud and protect confidential information.

Is limited to what is necessary for the purposes of the monitoring, as it only covers the work-related activities and communications of the employees, and excludes the private or personal ones.

Is transparent to the employees, as it informs them of the monitoring and its precise scope, and gives them the opportunity to object or opt out of the monitoring.

Does not involve the processing of special categories of personal data, such as biometric data or data revealing political opinions or trade union membership, which are not necessary or proportionate for the purposes of the monitoring.

Does not involve the transfer of personal data to a third country, such as China, which does not provide an adequate level of data protection, and which may pose additional risks for the rights and freedoms of the employees.

The other options listed in the question are not lawful monitoring within the scope of Gentle Hedgehog’s business, as they:

Are not based on a valid legal ground for the processing of personal data, as they either rely on the consent of the employees, which is not freely given, informed and specific, or on the legitimate interests of the employer, which are not balanced with the rights and freedoms of the employees.

Are not limited to what is necessary for the purposes of the monitoring, as they involve the collection and processing of excessive and irrelevant personal data, such as camera and microphone monitoring, screen captures, keystrokes, and facial recognition data, which go beyond the scope of the work performed by the employees, and intrude into their private or personal sphere.

Are not transparent to the employees, as they do not inform them of the monitoring and its precise scope, and do not give them the opportunity to object or opt out of the monitoring.

Involve the processing of special categories of personal data, such as biometric data or data revealing political opinions or trade union membership, which are not necessary or proportionate for the purposes of the monitoring, and which do not fall under any of the exceptions listed in the regulation.

Involve the transfer of personal data to a third country, such as China, which does not provide an adequate level of data protection, and which may pose additional risks for the rights and freedoms of the employees.

References:

GDPR, Articles 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 44, 45, 46, 47, 48, and 49.

EDPB Guidelines 3/2019 on processing of personal data through video devices, pages 5, 6, 7, 8, 9, 10, 11, 12, 13, and 14.

EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, pages 19, 20, 21, 22, 23, 24, 25, 26, 27, and 28.

EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, pages 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, and 28.

EDPB Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679, pages 4, 5, 6, 7, 8, 9, 10, 11, and 12.

Data protection: GDPR and employee surveilance | Feature | Law Gazette, paragraphs 1, 2, 3, 4, 5, 6, 7, and 8.

The General Data Protection Regulation (GDPR) does not prohibit surveillance of employees in the workplace. Still, it requires employers to follow special rules to ensure that the rights and freedoms of employees are protected when processing their personal data. The GDPR applies to any processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not. The GDPR also applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to the offering of goods or services to data subjects in the EU or the monitoring of their behaviour as far as their behaviour takes place within the EU.

The GDPR requires that any processing of personal data must be lawful, fair and transparent, and based on one of the six legal grounds specified in the regulation. The most relevant legal grounds for employee surveillance are the legitimate interests of the employer, the performance of a contract with the employee, or the compliance with a legal obligation. The GDPR also requires that any processing of personal data must be limited to what is necessary for the purposes for which they are processed, and that the data subjects must be informed of the purposes and the legal basis of the processing, as well as their rights and the safeguards in place to protect their data.

The GDPR also imposes specific obligations and restrictions on the processing of special categories of personal data, such as biometric data, which reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or which are processed for the purpose of uniquely identifying a natural person. The processing of such data is prohibited, unless one of the ten exceptions listed in the regulation applies. The most relevant exceptions for employee surveillance are the explicit consent of the data subject, the necessity for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, or the necessity for reasons of substantial public interest.

The GDPR also sets out the rules and requirements for the transfer of personal data to third countries or international organisations, which do not ensure an adequate level of data protection. The transfer of such data is only allowed if the controller or processor has provided appropriate safeguards, such as binding corporate rules, standard contractual clauses, codes of conduct or certification mechanisms, and if the data subjects have enforceable rights and effective legal remedies.

Based on the scenario, the only condition under which the surveillance system could be used on the personal devices of employees is if the employees give valid consent and the monitoring is narrowly limited to their professional tasks. This option is the most consistent with the GDPR’s principles and requirements, as it:

Is based on a valid legal ground for the processing of personal data, namely the consent of the data subject, which must be freely given, specific, informed and unambiguous, and which can be withdrawn at any time.

Is limited to what is necessary for the purposes of the monitoring, as it only covers the work-related activities and communications of the employees, and excludes the private or personal ones.

Is transparent to the employees, as it informs them of the monitoring and its precise scope, and gives them the opportunity to object or opt out of the monitoring.

Does not involve the processing of special categories of personal data, such as biometric data or data revealing political opinions or trade union membership, which are not necessary or proportionate for the purposes of the monitoring, and which do not fall under any of the exceptions listed in the regulation.

Does not involve the transfer of personal data to a third country, such as China, which does not provide an adequate level of data protection, and which may pose additional risks for the rights and freedoms of the employees.

The other options listed in the question are not valid conditions for using the surveillance system on the personal devices of employees, as they:

Are not based on a valid legal ground for the processing of personal data, as they either rely on the legitimate interests of the employer, which are not balanced with the rights and freedoms of the employees, or on the compliance with a legal obligation, which does not apply to the use of personal devices.

Are not limited to what is necessary for the purposes of the monitoring, as they involve the collection and processing of excessive and irrelevant personal data, such as camera and microphone monitoring, screen captures, keystrokes, and facial recognition data, which go beyond the scope of the work performed by the employees, and intrude into their private or personal sphere.

Are not transparent to the employees, as they do not inform them of the monitoring and its precise scope, and do not give them the opportunity to object or opt out of the monitoring.

Involve the processing of special categories of personal data, such as biometric data or data revealing political opinions or trade union membership, which are not necessary or proportionate for the purposes of the monitoring, and which do not fall under any of the exceptions listed in the regulation.

Involve the transfer of personal data to a third country, such as China, which does not provide an adequate level of data protection, and which may pose additional risks for the rights and freedoms of the employees.

References:

GDPR, Articles 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 44, 45, 46, 47, 48, and 49.

EDPB Guidelines 3/2019 on processing of personal data through video devices, pages 5, 6, 7, 8, 9, 10, 11, 12, 13, and 14.

EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, pages 19, 20, 21, 22, 23, 24, 25, 26, 27, and 28.

EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, pages 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, and 28.

EDPB Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679, pages 4, 5, 6, 7, 8, 9, 10, 11, and 12.

Data protection: GDPR and employee surveilance | Feature | Law Gazette, paragraphs 1, 2, 3, 4, 5, 6, 7, and 8.

The “soft opt-in” rule is an exception to the general requirement of obtaining consent before sending electronic mail marketing to individuals. It applies when the following conditions are met12:

the sender has obtained the contact details of the recipient in the context of the sale or negotiations for the sale of a product or service to that recipient;

the sender only sends direct marketing relating to its own similar products or services; and

the recipient has been given a simple opportunity to refuse or opt out of the marketing, both when the details were initially collected and in every subsequent message.

The option B matches these conditions, as it implies that the individual has shown an interest in buying a product from the sender, and that the sender can use the individual’s details to send marketing about similar products, as long as the individual can easily opt out. The other options do not qualify for the “soft opt-in” rule, as they either involve no consent, no prior relationship, or no opt-out mechanism. References: Electronic mail marketing | ICO, Direct marketing rules and exceptions under the GDPR

According to the CIPP/E study guide, Article 56 of the GDPR establishes the concept of the lead supervisory authority, which is the supervisory authority of the main or single establishment of the data controller or processor in the EU1. The lead supervisory authority has the primary responsibility for dealing with cross-border data processing, in cooperation with other concerned supervisory authorities1. Article 60 of the GDPR requires the lead supervisory authority to cooperate with the other supervisory authorities concerned in an endeavour to reach consensus2. The other supervisory authorities concerned are those that are established in a Member State where the data controller or processor has an establishment or where data subjects are substantially affected or likely to be substantially affected by the processing2. In the scenario, T-Craze is a German-headquartered company that has a French affiliate responsible for all marketing and sales activities. Therefore, the French supervisory authority is the lead supervisory authority for the processing of personal data related to the marketing and sales activities of T-Craze, as it is the supervisory authority of the main establishment of the data controller in the EU. The Spanish supervisory authority is a concerned supervisory authority, as it is the supervisory authority of the Member State where data subjects are likely to be substantially affected by the processing, such as Sofia who filed a complaint. Therefore, the Spanish supervisory authority notifies the French supervisory authority when it opens an investigation into T-Craze based on Sofia’s complaint, in order to cooperate with the lead supervisory authority and seek consensus on the action to be taken2. References: 1: CIPP/E study guide, page 87; Art. 56 GDPR; Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)2: CIPP/E study guide, page 88; Art. 60 GDPR; Guidelines 3/2018 on the territorial scope of the GDPR (Article 3).

The steps listed in the question are part of a best practice framework for implementing a secure BYOD program, which allows employees to use their personal devices to access organizational data and applications. A BYOD program poses significant privacy and security risks, such as data leakage, unauthorized access, malware infection, and compliance violations. Therefore, an organization should follow a comprehensive approach to discover, monitor, manage, and secure the devices, apps, and data involved in a BYOD program. This approach can help the organization meet the GDPR requirements for data protection by design and by default, data security, accountability, and data breach notification. References:

Free CIPP/E Study Guide, page 15, section 2.3.3

CIPP/E Certification, page 10, section 1.1.2

Cipp-e Study guides, Class notes & Summaries, document “CIPP/E Exam Summary 2023”, page 42, section 2.3.3

Article 9 of the GDPR outlines strict conditions for processing special categories of personal data, which includes data revealing racial or ethnic origin. While options B, C, and D might seem relevant, they don't fully align with the core purpose of MagicAI's data collection.

Here's why option A is the most appropriate:

Scientific Research: MagicAI aims to improve the accuracy and fairness of its AI system by understanding how it performs across different ethnicities, nationalities, and genders. This directly ties into scientific research aimed at improving healthcare and reducing bias in medical technology.

It's important to note that even with "scientific research" as the legal basis, MagicAI must still adhere to strict safeguards, such as:

Data Minimization: Collecting only the data absolutely necessary for the research.

Purpose Limitation: Using the data solely for the defined scientific purpose.

Appropriate Security Measures: Protecting the data against unauthorized access or disclosure.

Ethical Review: Ideally, obtaining ethical approval for the research project.

References:

GDPR Article 9 - Processing of special categories of personal data

GDPR Recital 159 - Conditions for processing special categories of data for scientific research purposes

IAPP CIPP/E textbook, Chapter 2: Key Data Protection Principles (specifically, sections on special categories of data)

Ben’s collection of additional data from customers, especially sensitive data such as philosophical beliefs and political opinions, created several potential issues for the company, such as:

The risk of violating the data minimization principle, which requires that personal data collected must be adequate, relevant and limited to what is necessary for the purposes of the processing1.

The risk of infringing the rights and freedoms of the data subjects, who may not be aware of or consent to the secondary use of their data by Ben Knows Best, or the unauthorized access and copying of their data by Sam.

The risk of non-compliance with the GDPR’s requirements for processing special categories of data, which include data revealing philosophical beliefs and political opinions. Such data can only be processed under certain conditions, such as explicit consent, substantial public interest, or legal claims2.

The risk of data breaches or losses, as the data is transferred to a separate database, copied by Sam, and stored on the company’s servers in Vermont, which may not have adequate security measures or safeguards.

Therefore, the company would most likely require a data protection impact assessment (DPIA) to identify and mitigate these risks. A DPIA is a process that helps assess the impact of the envisaged processing operations on the protection of personal data, and consult with the supervisory authority if the DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk3. The other options are not necessarily required by the GDPR, although they may be good practices or contractual terms. References:

Free CIPP/E Study Guide, page 32, section 4.1.2

CIPP/E Certification, page 27, section 4.1.2

The Ultimate CIPP/E Study Guide for 2023, page 36, section 4.1.2

Principles - General Data Protection Regulation (GDPR), Article 5

Special categories of personal data - General Data Protection Regulation (GDPR), Article 9

Data protection impact assessment - General Data Protection Regulation (GDPR), Article 35

 According to Recital 51 of the GDPR, photographs are not automatically considered as biometric data, unless they are processed by a specific technical means that allows the unique identification or authentication of a natural person1. This means that printing employees’ photographs on building passes does not necessarily involve biometric data, as long as the photographs are not used for facial recognition or other similar purposes. The other options are incorrect, as they do not reflect the definition of biometric data or the conditions for processing special categories of personal data under the GDPR2. References:

Recital 51 of the GDPR

ICO guidance on special category data

Reference https://ess.csa.canon.com/rs/206-CLL-191/images/IAPP-Top-10-Operational-Impacts-of- GDPR.pdf?TC=DM &CN=CSA_OMNIA_Partners&CS=CSA&CR=T1_Gov%20GenNonProfit (11)

 According to the CIPP/E study guide, the Court of Justice of the European Union (CJEU) ruled in the case of Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD), Mario Costeja González1 that an Internet search engine operator is responsible for the processing of personal data that appear on web pages published by third parties, and that such operator must comply with the EU data protection law when it has an establishment in the EU. The CJEU held that Google Spain and Google Inc. were inextricably linked in their businesses, since Google Spain promoted and sold advertising space offered by Google Inc., which oriented its activity towards the inhabitants of Spain. Therefore, Google Inc. was subject to the EU data protection law through its subsidiary Google Spain, even though the personal data processing was carried out by Google Inc. outside the EU. This implies that search engines outside the EEA are also likely to be subject to the Regulation’s right to be forgotten if they have an establishment in the EU that is inextricably linked to their parent company. References: 1: CIPP/E study guide, page 16; Google Spain v AEPD and Mario Costeja González

The territorial scope of the GDPR is determined by Article 3 of the Regulation, which sets out two main criteria for applying the GDPR to the processing of personal data: the establishment criterion and the targeting criterion. The establishment criterion applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not. The targeting criterion applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to the offering of goods or services to such data subjects in the EU or the monitoring of their behaviour as far as their behaviour takes place within the EU. In addition, the GDPR applies to the processing of personal data by a controller not established in the EU, but in a place where Member State law applies by virtue of public international law.

Therefore, the territorial scope of the GDPR does not depend on the membership of a country to a particular international agreement or organisation, but on the location and activities of the controller or processor and the data subjects involved in the processing. The Paris Agreement is an international treaty on climate change that aims to limit global warming and reduce greenhouse gas emissions. It does not have any direct or indirect relevance to the GDPR or the protection of personal data. Hence, being a party to the Paris Agreement does not affect the applicability of the GDPR to a country or a controller or processor established in that country.

The other options are incorrect because they are either directly or indirectly related to the GDPR or the protection of personal data. The European Economic Area (EEA) consists of all EU member states plus Iceland, Liechtenstein and Norway. The EEA Agreement allows these three countries to participate in the EU’s internal market and to adopt most of the EU legislation, including the GDPR. Therefore, the GDPR applies to all EEA countries as if they were EU member states. The Treaty of Lisbon is an international agreement that amends the two treaties which form the constitutional basis of the EU. The Treaty of Lisbon introduces several changes to the EU’s institutional structure, decision-making process, and policy areas, including the recognition of the Charter of Fundamental Rights of the EU as legally binding. The Charter of Fundamental Rights of the EU includes the right to the protection of personal data as a fundamental right, and provides the legal basis for the GDPR. Therefore, the GDPR applies to all EU member states that are parties to the Treaty of Lisbon. The European Union (EU) is a political and economic union of 27 member states that are located primarily in Europe. The EU has developed an internal single market through a standardised system of laws that apply in all member states, including the GDPR. Therefore, the GDPR applies to all EU member states by virtue of their membership to the EU. References: Art. 3 GDPR – Territorial scope, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) - version adopted after public consultation, Paris Agreement - Wikipedia, European Economic Area - Wikipedia, Treaty of Lisbon - Wikipedia, European Union - Wikipedia

ISO 31700 is an international standard that provides high-level requirements and recommendations for organizations that use privacy by design (PbD) in the development, maintenance and operation of consumer goods and services. PbD is a concept that aims to integrate privacy into products, services and systems by default, following seven main principles: proactive not reactive, privacy as the default, privacy embedded into design, full functionality, end-to-end security, visibility and transparency, and respect for user privacy. PbD is also a legal requirement under many prominent privacy regulations across the world, such as the GDPR. ISO 31700 is based on a consumer-centric approach, where the consumer’s privacy rights and preferences are placed at the center of product development and operation.

References: Meet the new ISO 31700 standard for Privacy by Design (PbD); 7 Steps to Comply with ISO 31700-1:2023; Privacy by Design: Embracing ISO 31700-1:2023’s Consumer Protection Guidelines.

 The Privacy and Electronic Communications Regulations (PECR) are derived from the e-privacy Directive 2002/58/EC, which aims to protect the privacy and confidentiality of users of electronic communications services. The PECR cover various aspects of electronic marketing, such as the use of cookies, unsolicited communications, and traffic and location data. According to the PECR, the following marketing-related activities require the consent of the user or subscriber, unless certain exemptions apply:

The use of cookies or similar technologies to store or access information on the user’s device (Regulation 6).

The sending of electronic mail for direct marketing purposes to individual subscribers who have not given their prior consent (Regulation 22).

The making of unsolicited calls for direct marketing purposes to individual subscribers who have registered their number with the Telephone Preference Service or who have objected to such calls from a specific caller (Regulation 21).

The sending of unsolicited communications for direct marketing purposes by means of electronic mail, fax, or automated calling systems to corporate subscribers, unless they have indicated that they do not wish to receive such communications (Regulation 23).

Therefore, among the four options, the one that is least likely to be covered by the provisions of the PECR is the advertisements passively displayed on a website, as they do not involve the use of cookies, the sending of unsolicited communications, or the processing of traffic or location data. However, such advertisements may still be subject to other data protection laws, such as the GDPR, if they involve the processing of personal data of the users.

References:

PECR

e-privacy Directive

ICO guide to PECR

Cross-border processing is defined in Article 4(23) of the GDPR as either:

•processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or

•processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

Therefore, the factors that are relevant for identifying whether the processing could be considered a cross-border processing are:

•the location and number of establishments of the controller or processor in the EU;

•the connection between the processing and the activities of the establishments;

•the substantial effect or likelihood of substantial effect on data subjects in more than one Member State.

The total number of the data subjects interested is not necessarily a factor, as the processing could affect only a few data subjects but still have a substantial impact on them. For example, a processing that involves the disclosure of sensitive personal data of a small group of data subjects in different Member States could be considered a cross-border processing.

References:

•GDPR Article 4 - Definitions1

•Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority2

According to the Free CIPP/E Study Guide, page 12, “the GDPR requires data controllers to implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR. These measures should take into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.” The GDPR also requires data controllers to ensure the security of personal data, to notify data breaches to the supervisory authorities and data subjects, and to cooperate with the supervisory authorities in providing any information necessary for the performance of their tasks. Therefore, the GDPR requirement that data controllers must be in control of the data they hold at all times will present the most significant challenges for organizations with BYOD programs, as they will have to deal with the increased risks of data loss, theft, unauthorized access, or misuse that may arise from the use of personal devices by employees or contractors. The other options are not necessarily more challenging for organizations with BYOD programs, although they may involve other obligations under the GDPR, such as obtaining a valid legal basis, providing adequate safeguards, or informing the data subjects. References:

Free CIPP/E Study Guide, page 12

GDPR, Articles 24, 25, 28, 32, 33, 34 and 58

cloud computing services are defined as the on-demand availability of computing resources (such as storage and infrastructure), as services over the internet. Cloud computing services share certain characteristics, such as on-demand self-service, broad network access, resource pooling, rapid elasticity, measured service, multi-tenancy, virtualization, resilient computing, flexible pricing models, security, automation, and sustainability234.

One of the characteristics that is not recognized as a common characteristic of cloud computing services is that the supplier assumes the vendor’s business risk associated with data processed by the supplier. This is not a characteristic of cloud computing services, but rather a contractual or legal issue that depends on the agreement between the supplier and the vendor. The supplier and the vendor may have different roles and responsibilities regarding the data processed by the supplier, such as controller, processor, or sub-processor, and they may have different obligations and liabilities under the applicable data protection laws, such as the GDPR. Therefore, the supplier does not necessarily assume the vendor’s business risk associated with data processed by the supplier, unless it is explicitly agreed by the parties or required by the law.

 According to Article 32 of the GDPR, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the pseudonymisation and encryption of personal data. Encryption is a key security measure to protect the confidentiality, integrity and availability of personal data, especially when it is transferred between different entities or locations. Encryption ensures that only authorised parties can access and modify the data, and prevents unauthorised or unlawful access, disclosure, alteration or destruction. Encryption also reduces the risk of data breaches and the potential harm to the data subjects. Therefore, encrypting the transferred data in transit and at rest would be the most important security measure to apply to the health data transmission. References:

Article 32 of the GDPR

IAPP CIPP/E Study Guide, page 58

According to Article 28(2) of the GDPR, the processor may not engage another processor (sub-processor) without the prior specific or general written authorization of the controller. In the case of general written authorization, the processor must inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes. Furthermore, Article 28(4) of the GDPR states that where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR. Therefore, the processor must ensure that the sub-processor complies with data processing obligations that are equivalent to those that apply to the processor. References:

Article 28 of the GDPR

European Data Protection Law & Practice textbook, Chapter 6: Data Processing Obligations, Section 6.3: Processor Obligations, Subsection 6.3.2: Sub-processors

Section: (none)

Explanation

Online Behavioural Advertising (OBA) means the collection of data from a particular computer or device regarding web viewing behaviours over time and across multiple web domains not under Common Control for the purpose of using such data to predict web user preferences or interests to deliver online advertising to that particular computer or device based on the preferences or interests inferred from such web viewing behaviours1. OBA is subject to the EU law on consent to the processing of personal data, which requires a clear affirmative action by the data subject indicating his or her agreement to the processing2. The consent must be freely given, specific, informed and unambiguous, and it can be withdrawn at any time2. The consent must also be obtained prior to the collection and use of data for OBA purposes3. Therefore, Brady Box’s OBA practice is most likely to be

Article 9 of the GDPR prohibits the processing of special category data, which includes biometric data for the purpose of uniquely identifying a natural person1. However, there are 10 exceptions to this general prohibition, usually referred to as ‘conditions for processing special category data’2. These are:

(a) Explicit consent

(b) Employment, social security and social protection (if authorised by law)

© Vital interests

(d) Not-for-profit bodies

(e) Made public by the data subject

(f) Legal claims and judicial acts

(g) Substantial public interest conditions

(h) Health or social care

(i) Public health

(j) Archiving, research and statistics

Option A is not one of these exceptions, and therefore it is not a valid reason to process biometric data under Article 9. Option B, C and D are all valid exceptions, as they correspond to conditions ©, (f) and (a) respectively. Therefore, the correct answer is A.

References:

4: Art. 9 GDPR Processing of special categories of personal data

6: What are the rules on special category data? | ICO

The General Data Protection Regulation (GDPR) introduces a duty for controllers to notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. The GDPR also requires controllers to communicate the personal data breach to the affected data subjects without undue delay, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.

The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not. The GDPR also applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to the offering of goods or services to data subjects in the EU or the monitoring of their behaviour as far as their behaviour takes place within the EU.

The GDPR provides that where a controller or a processor is not established in the EU, but is subject to the GDPR, the controller or the processor shall designate in writing a representative in the EU. The representative shall be established in one of the member states where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are. The representative shall act on behalf of the controller or the processor and may be addressed by any supervisory authority or data subject on any issues related to the processing of personal data under the GDPR.

The GDPR also establishes a one-stop shop mechanism, which aims to ensure the consistent and effective application of the GDPR across the EU. The one-stop shop mechanism allows a controller or a processor with establishments in several member states to have a single supervisory authority as its interlocutor, which is the supervisory authority of the main establishment or of the single establishment of the controller or processor. The one-stop shop mechanism also enables a controller or a processor that is not established in the EU, but is subject to the GDPR, to deal with a single lead supervisory authority, which is the supervisory authority of the member state where the representative of the controller or processor is established.

Based on the GDPR and the guidelines of the European Data Protection Board (EDPB), if a controller that is not established in the EU but still subject to the GDPR becomes aware of a personal data breach, the controller must notify the supervisory authority of the EU member state in which the controller’s EU representative (pursuant to Article 27) is established. This is the only supervisory authority that the controller must notify, as the controller benefits from the one-stop shop mechanism and has a single lead supervisory authority. The controller does not need to notify every supervisory authority of the EU member states where the controller is offering goods or services or where the affected data subjects reside, as this would be contrary to the principle of consistency and the aim of simplification of the one-stop shop mechanism.

References:

GDPR, Articles 3, 4, 27, 28, 29, 33, 34, 51, 55, 56, 57, 58, 60, 61, 62, 63, 64, 65, 66, 67, and 68.

EDPB Guidelines 9/2022 on personal data breach notification under GDPR, pages 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, and 16.

EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, pages 19, 20, 21, 22, 23, 24, 25, 26, 27, and 28.

EDPB Guidelines 3/2018 on the territorial scope of the GDPR, pages 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, and 15.

According to the GDPR, one of the legal bases for transferring personal data to a third country or an international organization is when the transfer is necessary for the protection of the vital interests of the data subject or of another person, where the data subject is physically or legally incapable of giving consent (Article 49(1)©). This exception applies only in very limited and exceptional situations, such as life-threatening medical emergencies. In this scenario, ProStorage most likely relied on this legal basis to transfer Ruth’s medical information to the hospital in India, where she suffered a medical emergency and was hospitalized. Ruth was presumably unable to give her consent due to her health condition, and the transfer of her medical information was necessary to protect her vital interests, such as her life or health. Therefore, this transfer mechanism was more appropriate than the other options, which either require consent or are not relevant to the situation.

References: GDPR, Article 49(1)©1; EDPB Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/6792, page 9.

While all of the options present potential privacy issues, the lack of transparency about data processing poses the biggest risk for several reasons:

Uninformed Consent: Without clear information about data collection and usage, children and parents cannot make informed decisions about using the toys. This violates the principle of informed consent, which is a cornerstone of data protection laws.

Hidden Features: The packaging and privacy policy do not disclose the hidden functionality of the toys, including the connection to the cloud and data processing in South Africa. This lack of transparency creates distrust and raises concerns about potential misuse of data.

Unclear Data Flow: The explanation provided about the data flow is vague and incomplete. It is unclear what data is collected, how it is stored, for what purposes it is used, and who has access to it. This lack of clarity creates uncertainty and raises concerns about potential data breaches or leaks.

Limited Control: Without detailed information about data practices, users have limited control over their information. They cannot opt out of data collection or request deletion of their data, further hindering their privacy rights.

Article 8 of the ECHR protects the right to respect for private and family life, home and correspondence. However, this right is not absolute and can be subject to limitations by a public authority in accordance with the law and for a legitimate aim. The European Court of Human Rights (ECtHR) has developed a two-stage test to determine whether such limitations are justified. First, the court must examine whether there is a legitimate aim pursued by the public authority, such as national security, public safety or the prevention of crime. Second, the court must assess whether the means used by the public authority are appropriate and necessary to achieve that aim, taking into account all relevant factors such as proportionality, necessity and less restrictive alternatives12. Therefore, the right to privacy is not an absolute right but a qualified one that has to be balanced against other rights under the ECHR. References:

Article 8 - Protection of personal data

Your right to respect for private and family life

Right to respect for private and family life

Guide on Article 8 of the European Convention on Human Rights

European Convention on Human Rights - Article 8

The right to data portability only applies when the processing is based on the data subject’s consent or on a contract with the data subject12. Therefore, if the processing is necessary for a task carried out in the public interest or in the exercise of official authority vested in the controller, the right to data portability does not apply12. This is because the data subject does not have a direct influence on the purpose or the means of the processing in such cases3. References: 1: Article 20 of the GDPR 2: Right to data portability | ICO 3: The right to data portability (Article 20 of the GDPR)

According to the Article 29 Working Party, a just-in-time notice is a type of privacy notice that provides processing information at specific points of data collection, such as when the user clicks on a certain feature or enters personal data1. This kind of notice is commonly recommended for AI-based technologies because it allows the user to receive relevant and timely information about the processing of their data, without being overwhelmed by lengthy and complex privacy statements1. A just-in-time notice can also be combined with other types of notices, such as layered notices or privacy dashboards, to provide a more comprehensive and user-friendly transparency framework1. Therefore, option C is the correct answer. Option A is incorrect because a privacy dashboard notice is a type of notice that provides the user with a centralised and interactive overview of the processing of their data, and allows them to manage their privacy settings and preferences1. Option B is incorrect because a visualization notice is a type of notice that uses graphical elements, such as icons, symbols, colours, or animations, to convey the processing information in a more intuitive and engaging way1. Option D is incorrect because a layered notice is a type of notice that provides the processing information in a hierarchical and modular way, starting with the most essential information and allowing the user to access more details if they wish1. References:

What’s new in WP29’s final guidelines on transparency?

According to Article 15 of the GDPR, data subjects have the right to access and receive a copy of their personal data, and other supplementary information, from the data controller1. However, this right is not absolute and may be subject to limitations or restrictions. One of the grounds for refusing or limiting a data subject access request (DSAR) is when the request is manifestly unfounded or excessive, in particular because of its repetitive character1. In such cases, the controller may either charge a reasonable fee, taking into account the administrative costs of providing the information, or refuse to act on the request1. The controller must inform the data subject of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority or seeking a judicial remedy1.

In this scenario, Jack’s DSAR is likely to be considered excessive, as he requests a copy of all personal data, including internal emails, that were sent or received by him or where he is directly or indirectly identifiable from the contents. This is a very broad and vague request, which would require the company to search and review a large amount of information, and potentially disclose confidential or sensitive data about other employees or third parties. The company has already contacted Jack, asking him to be more specific about what information he requires, but he refused to narrow the scope of his request. Therefore, the company has a valid reason to decline to provide any information, as the amount of information requested is too excessive to provide in one month, which is the general time limit for responding to a DSAR under the GDPR1. Therefore, option B is the correct answer.

Option A is incorrect because the company’s headquarters location is irrelevant for the purpose of the DSAR, as the GDPR applies to any processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not2. The company has an establishment in Ireland, where Jack worked, and therefore is subject to the GDPR.

Option C is incorrect because the company cannot agree to provide the information requested in Jack’s original DSAR within a period of 3 months, as this would violate the data subject’s right of access and the principle of accountability under the GDPR. The company can only extend the time limit to respond to a DSAR by a further two months if the request is complex or if the controller receives a number of requests from the same data subject1. However, the company must inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay1. In this case, the company has not done so, and has instead asked Jack to be more specific about his request.

Option D is incorrect because the company cannot provide all requested information except for the emails, as this would not comply with the data subject’s right of access and the principle of transparency under the GDPR. The company must provide the data subject with a copy of the personal data undergoing processing, unless this adversely affects the rights and freedoms of others1. The emails are part of the personal data undergoing processing, and the company cannot exclude them from the DSAR without a valid reason. The company must also provide the data subject with the following supplementary information, unless the data subject already has it1:

the purposes of the processing;

the categories of personal data concerned;

the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

the right to lodge a complaint with a supervisory authority;

where the personal data are not collected from the data subject, any available information as to their source;

the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

References:

Right of access

Territorial scope

 The GDPR requires that consent must be freely given, specific, informed and unambiguous1. This means that app developers must provide clear and transparent information about the purposes and legal basis of the data processing, and allow users to choose which types of processing they agree to and which they do not. For example, users should be able to consent separately to different types of cookies, such as functional, analytical or marketing cookies2. Users should also be able to withdraw their consent at any time as easily as they gave it1. Therefore, app design and implementation must take into account these requirements and provide users with granular and user-friendly consent options, rather than relying on pre-ticked boxes, implied consent or default settings3. References: 1 Art. 4 (11) and Art. 7 GDPR – Definitions and Conditions for consent - General Data Protection Regulation (GDPR)2 Guidelines 05/2020 on consent under Regulation 2016/679 - European Data Protection Board3 How To Make Compliant GDPR Consent Forms (With Examples) - Termly.

The ePrivacy Directive, also known as the Cookie Law, is the EU legislation that regulates the use of cookies and other tracking technologies on websites and mobile applications. The ePrivacy Directive states that the use of cookies on websites and mobile applications is conditioned upon the prior consent of users, unless the cookies are strictly necessary for the provision of the service. Users must also be given clear and comprehensive information about the purposes of the cookies and the means to refuse them. The ePrivacy Directive complements the GDPR, which also applies to the processing of personal data through cookies, but does not specifically address the consent requirement for cookies. The other answer choices are not relevant to the consent requirement for cookies, as they regulate different aspects of the digital economy and society. The E-Commerce Directive establishes the legal framework for online services in the EU, such as information society services, electronic contracts, and liability of intermediaries. The Data Retention Directive requires telecommunication providers to retain certain data for a period of time for the purpose of law enforcement and national security. The EU Cybersecurity Directive aims to enhance the security of network and information systems across the EU, by setting common standards and obligations for operators of essential services and digital service providers. References:

Cookies, the GDPR, and the ePrivacy Directive - GDPR.eu

What is the EU Cookie Law (ePrivacy Directive)? - Cookie Script

EU Cookie Law - Data Protection and Cookies - Cookiebot™

ePrivacy Directive - Regulations - Learn how CookiePro Helps

 According to the GDPR, processors must maintain records of all categories of processing activities carried out on behalf of each controller, containing the following information12:

the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer;

the categories of processing carried out on behalf of each controller;

where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;

where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

The records must be in writing, including in electronic form, and must be made available to the supervisory authority on request. The obligation to maintain records does not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data or personal data relating to criminal convictions and offences.

The GDPR does not require processors to include details of any data protection impact assessment (DPIA) conducted in relation to any processing activities carried out by the processor on behalf of each controller for which the processor is acting. A DPIA is a process to help identify and minimise the data protection risks of a project. It is the responsibility of the controller to carry out a DPIA where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons. The processor may assist the controller in carrying out the DPIA, but the processor does not have to document it in its records of processing activities. Therefore, the correct answer is D. References:

GDPR, Article 30(2)

GDPR, Article 35

ICO, Documentation1

ICO, Data protection impact assessments1

 The ePrivacy Directive is a European Union (EU) directive that aims to protect the confidentiality of electronic communications and prevent their indiscriminate interception or monitoring. It was adopted in 2002 and amended in 2009. It applies to all providers of electronic communication services, such as internet service providers, mobile network operators, and online platforms12.

One of the main objectives of the ePrivacy Directive is to ensure that the retention of communications traffic data for law enforcement purposes is subject to strict conditions and safeguards. Communications traffic data refers to any information relating to the transmission or routing of electronic communications, such as IP addresses, timestamps, and metadata3. Such data can be used by competent national authorities for the prevention, investigation, detection or prosecution of criminal offences and safeguarding national security4.

However, the ePrivacy Directive does not allow individual EU member states to engage in such data retention without harmonizing their rules. Article 6(1)(b) of the directive states that “Member States shall ensure that any measures taken by them in relation to the retention of traffic data are consistent with this Directive”. Therefore, each EU member state must adopt a national law that complies with the requirements and limitations set by the directive12.

The Data Retention Directive (DRD) was a previous EU directive that aimed to establish a common framework for the retention of communications traffic data for law enforcement purposes across all EU member states. It was adopted in 2006 and amended in 2010. However, it was annulled by the Court of Justice of the European Union (CJEU) in 2014 on procedural grounds. The CJEU found that some provisions of the DRD were inconsistent with other EU directives and principles, such as Article 8(2) of the Charter of Fundamental Rights (CFR), which protects individuals from arbitrary interference with their privacy56.

The GDPR is a new EU regulation that implements some aspects of the DRD into national law through its provisions on processing personal data. However, it does not address directly the issue of communications traffic data retention for law enforcement purposes. Instead, it requires providers to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk involved in processing personal data. These measures include encryption, pseudonymisation, access control, and accountability7 . The GDPR also grants individuals certain rights regarding their personal data, such as access, rectification, erasure, portability, and objection7 .

Therefore, under current EU law, there is no single legal basis for retaining communications traffic data for law enforcement purposes across all EU member states. Each member state must adopt its own national law that respects the principles and limitations established by the ePrivacy Directive.

References:

ePrivacy Directive

ePrivacy Regulation

What is Communications Traffic Data?

How is Communications Traffic Data Retained?

Data Retention Directive

Data Retention Directive annulled by CJEU

General Data Protection Regulation

What are your rights regarding your personal data?

The GDPR defines data concerning health as a special category of personal data that is subject to specific processing conditions and safeguards. The GDPR prohibits the processing of such data unless one of the exceptions in Article 9 applies. One of these exceptions is the explicit consent of the data subject, which means that the data subject has given a clear and affirmative indication of their agreement to the processing of their health data. Another exception is when the processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care. A third exception is when the processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services. These exceptions are based on the principle of necessity, which means that the processing must be strictly necessary for a specific purpose and cannot be achieved by other means.

In the given scenario, the journalist does not fall under any of these exceptions. The journalist is not a health professional, a public authority, or a person who has obtained the explicit consent of the data subject. The journalist is not processing the data for any legitimate purpose related to public health, medical care, or social protection. The journalist is merely pursuing their own interest in publishing a story that may or may not be in the public interest. The journalist is not respecting the data subject’s rights and freedoms, especially their right to privacy and confidentiality. Therefore, the journalist would be least likely to be allowed to engage in the collection, use, and disclosure of the data subject’s sensitive medical information without their knowledge or consent. References:

Article 4 (15) and Article 9 of the GDPR

Health data | ICO

What does the GDPR mean for personal data in medical reports?

Sensitive data and medical confidentiality - FutureLearn

Health data and data privacy: storing sensitive data under GDPR

According to the European Data Protection Law & Practice textbook, page 326, “the CJEU held that the search engine operator is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.” However, the CJEU also stated that “the operator of the search engine as the person responsible for that processing must, at the latest on the occasion of the erasure from its list of results, disclose to the operator of the web page containing that information the fact that that web page will no longer appear in the search engine’s results following a search made on the basis of the data subject’s name.” Therefore, SearchCo must notify the newspaper that it is delisting the article, as part of its obligation to respect the data subject’s right to be forgotten. References:

European Data Protection Law & Practice, page 326

CJEU Judgment in Case C-131/12 Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González, paragraphs 88 and 93

According to Article 21 of the GDPR, the data subject has the right to object at any time to the processing of his or her personal data for direct marketing purposes, which includes profiling related to such marketing. When the data subject exercises this right, the controller must stop processing the personal data for that purpose, unless it can demonstrate compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims. The controller must also inform the data subject of this right before the first communication with him or her, and in a clear and separate manner from other information. The controller must also provide the data subject with a simple and effective way to opt out of receiving direct marketing communications, such as an unsubscribe link or a STOP text message. The controller must respect the data subject’s choice and refrain from sending any further direct marketing messages of the relevant type (e.g., email, phone, post, etc.) to the data subject, unless he or she opts in again. The controller does not need to delete the personal data of the data subject who opts out, unless the data subject also requests the erasure of his or her data under Article 17 of the GDPR, or the data is no longer necessary for the purposes for which it was collected or processed. The controller may also retain some minimal information about the data subject (such as name and email address) to ensure that his or her opt-out request is honored and that he or she is not contacted again for direct marketing purposes. The controller must also ensure that any third parties to whom it has disclosed the personal data of the data subject for direct marketing purposes are informed of the opt-out request and comply with it, unless this proves impossible or involves disproportionate effort. References: Direct marketing rules and exceptions under the GDPR, Direct marketing and privacy and electronic communications, Marketing and advertising: the law: Direct marketing, Direct Marketing - What you need to know about direct marketing

The EU Data Act aims to increase access to data generated by connected devices (IoT devices), ensuring fair use and promoting data-driven innovation across the EU.

Key purposes of the EU Data Act:

Granting users access to data generated by their devices (Answer Choice B – Correct Answer)

One of the Act’s primary objectives is to allow users of smart devices, IoT systems, and connected industrial tools to access and control data generated by their devices​.

Improving non-personal data sharing (Answer Choice A – Incorrect)

While the Act does facilitate the transfer of non-personal data, its primary focus is on device-generated data access, rather than simply allowing free movement of non-personal data​.

Encouraging data-sharing frameworks (Answer Choice C – Incorrect)

The Act does promote data-sharing between businesses, but this is not its main goal. It primarily ensures that users retain control over data produced by their devices​.

Not primarily about personal data protection (Answer Choice D – Incorrect)

The GDPR (General Data Protection Regulation) is the primary regulation that deals with personal data protection. The Data Act does not introduce new privacy rules but instead focuses on non-personal data management​.

According to the CIPP/E study guide1, the European Commission is the EU institution that has the power to propose new data protection legislation on its own initiative, as well as amend or repeal existing laws. The European Commission is also responsible for implementing and enforcing the EU data protection framework, in cooperation with other institutions and national authorities.

References: 1: Free CIPP/E Study Guide - International Association of Privacy Professionals

According to the GDPR, data controllers must report personal data breaches to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it (Art 33 of GDPR). However, the notification is not required if the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons (Art 33(1) of GDPR). In this case, TripBliss Inc. could argue that the stolen data was securely erased by Leon before it could be disclosed to anyone else, and therefore the risk of harm to the data subjects was minimal. TripBliss Inc. would have to provide evidence of the secure deletion of the data and the absence of any copies or backups. Alternatively, TripBliss Inc. could also invoke the exception of disproportionate effort to avoid notifying the data subjects directly, but only if they have made a public communication or similar measure to inform them in an equally effective manner (Art 34(3)(b) of GDPR). The other options are not valid defenses, as they do not affect the likelihood of risk to the data subjects. The incident was not caused by a third-party, but by an employee of Techiva, who was acting as a data processor on behalf of TripBliss Inc. As the data controller, TripBliss Inc. is responsible for ensuring that the data processor provides sufficient guarantees to implement appropriate technical and organisational measures to comply with the GDPR (Art 28 of GDPR). The sensitivity of the data categories is not relevant for the notification obligation, as any personal data breach could pose a risk to the data subjects, depending on the circumstances. The GDPR does not provide a threshold for the sensitivity of the data, but rather requires a case-by-case assessment of the potential impact of the breach. References:

GDPR, Art 33, Art 34, Art 28

Free CIPP/E Study Guide, p. 15

European Data Protection Law & Practice, p. 123-124

Personal data breach notification under the GDPR

 Article 9 of the GDPR prohibits the processing of special categories of personal data, which are data that reveal sensitive information about the data subject and may pose a high risk to their rights and freedoms. The GDPR defines 10 types of personal data as special categories, which are:

personal data revealing racial or ethnic origin;

personal data revealing political opinions;

personal data revealing religious or philosophical beliefs;

personal data revealing trade union membership;

genetic data;

biometric data (where used for identification purposes);

data concerning health;

data concerning a person’s sex life; and

data concerning a person’s sexual orientation.

Among the answer choices, only option C is not one of these categories, as financial data is not considered to reveal any sensitive information about the data subject. However, financial data is still subject to the general principles and rules of the GDPR, such as lawfulness, fairness, transparency, accuracy, security, etc. References:

Special category data | ICO

Art. 9 GDPR Processing of special categories of personal data

Special Categories of Data - International Association of Privacy Professionals