CIPP-E Certified Information Privacy Professional/Europe (CIPP/E) Question and Answers

According to the ePrivacy Directive, which regulates direct electronic marketing in the EU, consent is generally required before sending marketing emails or texts. However, there is an exception known as the ‘soft opt-in’, which allows marketing emails or texts to be sent on an opt-out basis if the recipient’s details were collected “in the context of the sale of a product or a service” and the marketing is for “similar products or services” provided by the same organisation12. Therefore, WonderKids can send direct marketing information by email without prior consent of the person booking the childcare, as long as the information is about similar products or services to those purchased from WonderKids, and the person is given a clear and easy way to opt out of receiving such emails. The other options are not allowed under the ePrivacy Directive, unless the person has given explicit consent to receive them. References:

• Free CIPP/E Study Guide, page 33, section 4.1.3
• CIPP/E Certification, page 28, section 4.1.3
• Cipp-e Study guides, Class notes & Summaries, page 39, section 4.1.3
• Direct marketing rules and exceptions under the GDPR, paragraph 5
• Marketing | ICO, section “What does the ‘soft opt-in’ mean?”

According to the GDPR, consent must be freely given, specific, informed and unambiguous1. However, in the context of employment, there is often an imbalance of power between the employer and the employee, which may affect the validity of consent. The employee may feel pressured or coerced to give consent, or may not be able to withdraw it without negative consequences. Therefore, consent is not a reliable or appropriate legal basis for processing employee data in most cases23. The employer should consider other lawful bases, such as contractual necessity, legal obligation, legitimate interests or specific conditions for special category data45. References: 1 Art. 4 (11) GDPR – Definitions - General Data Protection Regulation (GDPR)2 Can my employer require me to give my consent to use my personal data? | European Commission. 3 When is consent appropriate? | ICO. 4 Art. 6 (1) GDPR – Lawfulness of processing - General Data Protection Regulation (GDPR)5 Art. 9 (2) GDPR – Processing of special categories of personal data - General Data Protection Regulation (GDPR).

 According to the CIPP/E study guide, the Court of Justice of the European Union (CJEU) ruled in the case of Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD), Mario Costeja González1 that an Internet search engine operator is responsible for the processing of personal data that appear on web pages published by third parties, and that such operator must comply with the EU data protection law when it has an establishment in the EU. The CJEU held that Google Spain and Google Inc. were inextricably linked in their businesses, since Google Spain promoted and sold advertising space offered by Google Inc., which oriented its activity towards the inhabitants of Spain. Therefore, Google Inc. was subject to the EU data protection law through its subsidiary Google Spain, even though the personal data processing was carried out by Google Inc. outside the EU. This implies that search engines outside the EEA are also likely to be subject to the Regulation’s right to be forgotten if they have an establishment in the EU that is inextricably linked to their parent company. References: 1: CIPP/E study guide, page 16; Google Spain v AEPD and Mario Costeja González

The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not (Article 3(1)). The GDPR also applies to the processing of personal data of data subjects who are in the EU by a controller or a processor not established in the EU, where the processing activities are related to the offering of goods or services to such data subjects in the EU, or the monitoring of their behaviour as far as their behaviour takes place within the EU (Article 3(2)). Therefore, the GDPR would apply to the following entities:

• A South American company that regularly collects European customers’ personal data, as it is offering goods or services to data subjects in the EU.
• A company that stores all customer data in Australia and is headquartered in a European Union (EU) member state, as it has an establishment in the EU.
• A Chinese company that has opened a satellite office in a European Union (EU) member state to service European customers, as it has an establishment in the EU and is offering goods or services to data subjects in the EU.

The GDPR would not apply to the following entity:

• A North American company servicing customers in South Africa that uses a cloud storage system made by a European company, as it does not have an establishment in the EU, nor is it offering goods or services to data subjects in the EU, nor is it monitoring their behaviour within the EU. The fact that it uses a cloud storage system made by a European company does not trigger the application of the GDPR, unless the cloud provider is also processing personal data on behalf of the North American company in the context of its activities in the EU.

References: Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) - version adopted after public consultation, Art. 3 GDPR – Territorial scope - General Data Protection Regulation (GDPR)

According to Article 35 of the GDPR, the controller must carry out a data protection impact assessment (DPIA) prior to processing that is likely to result in a high risk to the rights and freedoms of natural persons. The DPIA is a process for assessing and mitigating the potential impact of the processing on the protection of personal data. The controller must seek the advice of the DPO, where designated, when carrying out a DPIA. The DPO can assist the controller in conducting the DPIA and ensuring its compliance with the GDPR requirements. The DPO can also monitor the performance of the DPIA and act as a contact point for the supervisory authority and the data subjects. References:

• Article 35 of the GDPR
• European Data Protection Law & Practice textbook, Chapter 7: Data Protection Impact Assessment, Section 7.2: When is a DPIA required?, Subsection 7.2.1: The role of the DPO
• Roles and Responsibilities of a Data Protection Officer

The GDPR requires that data subjects are provided with certain information when their personal data are collected, either from the data subject themselves or from another source12. This information includes, among other things, the identity and contact details of the controller (and, where applicable, of the controller’s representative and the data protection officer), and the purposes of the processing for which the personal data are intended as well as the legal basis for the processing34. This information is necessary to ensure fair and transparent processing of personal data, and to enable data subjects to exercise their rights under the GDPR5. Therefore, option C is the correct answer, as it contains two of the essential pieces of information that must be provided to data subjects before collecting their personal data. Options A, B and D are incorrect, as they do not include all the required information or include information that is not mandatory. References: 1: Article 13 of the GDPR 2: Article 14 of the GDPR 3: Article 13(1)(a) and © of the GDPR 4: Article 14(1)(a) and © of the GDPR 5: Recital 60 of the GDPR

According to the UK GDPR, the controller and the processor must support the data protection officer in performing the tasks referred to in Article 39 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge1. The controller and the processor must also ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks and that he or she reports directly to the highest management level of the controller or the processor1. 

 According to the Free CIPP/E Study Guide, page 16, “the GDPR provides for a one-stop-shop mechanism, which means that a controller or processor with establishments in several Member States will have only one supervisory authority as its interlocutor, which will act as the lead authority. However, this does not mean that the lead authority has exclusive competence to supervise all processing activities of the controller or processor throughout the EU. The GDPR also allows for the possibility of a relevant and reasoned objection by a concerned supervisory authority, which may trigger the consistency mechanism and the involvement of the European Data Protection Board (EDPB). Moreover, the GDPR recognizes the right of any supervisory authority to adopt urgent measures on its own territory or to commence legal proceedings before a court in its Member State in order to protect the rights and freedoms of data subjects.” Therefore, the lead regulator should accept the Spanish supervisory authority’s notice that it plans to take action regarding Sofia’s complaint, as the GDPR permits non-lead authorities to take action for such complaints, especially when they involve urgent measures or legal proceedings to protect the data subjects’ rights and freedoms. The other options are incorrect, as they do not reflect the GDPR’s provisions on the one-stop-shop mechanism and the cooperation and consistency mechanisms. References:

• Free CIPP/E Study Guide, page 16
• GDPR, Articles 56, 60, 61, 62, 63, 64, 65 and 66

cloud computing services are defined as the on-demand availability of computing resources (such as storage and infrastructure), as services over the internet. Cloud computing services share certain characteristics, such as on-demand self-service, broad network access, resource pooling, rapid elasticity, measured service, multi-tenancy, virtualization, resilient computing, flexible pricing models, security, automation, and sustainability234.

One of the characteristics that is not recognized as a common characteristic of cloud computing services is that the supplier assumes the vendor’s business risk associated with data processed by the supplier. This is not a characteristic of cloud computing services, but rather a contractual or legal issue that depends on the agreement between the supplier and the vendor. The supplier and the vendor may have different roles and responsibilities regarding the data processed by the supplier, such as controller, processor, or sub-processor, and they may have different obligations and liabilities under the applicable data protection laws, such as the GDPR. Therefore, the supplier does not necessarily assume the vendor’s business risk associated with data processed by the supplier, unless it is explicitly agreed by the parties or required by the law.

When assessing the level of risk created by a data breach, the size of any data processor involved would not have to be taken into consideration. According to the GDPR, a data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” 1. The GDPR requires data controllers and processors to notify the relevant supervisory authority of a data breach within 72 hours, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons 2. The GDPR also requires data controllers to communicate the data breach to the affected data subjects without undue delay, if the breach is likely to result in a high risk to their rights and freedoms 3.

The GDPR does not specify the exact criteria for determining the level of risk, but it provides some guidance in Recital 85, which states that “the likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing” . The recital also mentions some factors that could increase the risk, such as the ease of identification of individuals, the special categories of personal data, the large scale of the processing, or the special characteristics of the data controller . Therefore, these factors should be taken into consideration when assessing the level of risk created by a data breach.

However, the size of any data processor involved is not relevant for the risk assessment, as it does not affect the impact of the breach on the data subjects. The data processor is only responsible for processing the personal data on behalf of the data controller, and has no direct relationship with the data subjects . The data processor’s obligations in case of a data breach are to notify the data controller without undue delay, and to assist the data controller in complying with its obligations under the GDPR . The data processor’s size may affect its ability to fulfill these obligations, but it does not change the level of risk created by the data breach itself. References: 1: Article 4(12) of the GDPR 2: Article 33 of the GDPR 3: Article 34 of the GDPR : Recital 85 of the GDPR : Article 4(8) of the GDPR : Article 28 of the GDPR

I hope this helps. If you have any other questions, please feel free to ask. 😊

 Under the GDPR, email marketing requires explicit and unambiguous consent from the recipients, meaning that they must actively agree to receive marketing communications, and the process for obtaining this consent must be clear and transparent. A prior opt-in consent is the most common and reliable way to demonstrate compliance with this requirement, as it involves a positive action from the data subject, such as ticking a box, clicking a button, or filling a form. A pre-checked box, a notice, or an opt-out option are not sufficient to obtain valid consent, as they do not indicate a clear expression of the data subject’s will. However, there is an exception to the consent rule for existing customers, known as the “soft opt-in”. This means that a company can send email marketing messages to its customers without prior consent, if the following conditions are met:

• The company obtained the customer’s contact details in the course of a sale or negotiations for a sale of a product or service;
• The company only sends marketing messages about its own similar products or services;
• The company gives the customer a clear opportunity to opt out of receiving such messages both when first collecting the details and in every subsequent message.

References: GDPR Article 4(11), GDPR Article 6(1)(a), GDPR Article 7, GDPR Recital 32, GDPR Recital 47, GDPR for Marketing: The Definitive Guide for 2023 - SuperOffice, A Guide to GDPR Compliance for Email Marketers in 2023

Convention 108 was the first legally binding international instrument in the data protection field, adopted by the Council of Europe in 19811. However, it had some limitations that led to the creation of the Data Protection Directive (Directive 95/46/EC) by the European Union in 19952. One of the main failings of Convention 108 was that it was implemented in a fragmented manner by a small number of states, resulting in divergent and inconsistent national laws and practices3. The Data Protection Directive aimed to harmonize the data protection rules within the EU and to ensure a high level of protection for individuals’ rights and freedoms2. Therefore, option C is the correct answer. Option A is incorrect because Convention 108 did account for the rapid growth of the Internet by allowing for amendments and protocols to adapt to technological developments1. Option B is incorrect because Convention 108 did include protections for sensitive personal data, such as those revealing racial origin, political opinions, religious beliefs, health, or sexual life1. Option D is incorrect because Convention 108 did not prescribe specific penalties for violations of data protection rights, but left it to the Parties to adopt appropriate sanctions and remedies1. References:

• Convention 108 and Protocols
• CIPP/E Certification
• Convention 108+ and the Data Protection Framework of the EU

 According to the GDPR, the territorial scope of the regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behavior as far as their behavior takes place within the Union1. In this scenario, Bioface is not established in the Union, but it is collecting photographs of data subjects in the Union and using a facial recognition algorithm to identify them. This constitutes monitoring of their behavior within the Union, and therefore triggers the application of the GDPR. The other options are not correct because: (A) Bioface does not have any establishment in the Union, as it only collects data from web-based services, which does not imply the existence of stable arrangements in the Union2; (B) Bioface is not offering services in the Union, as it only targets government agencies and companies in the US and Canada, and does not intend to provide its service to data subjects in the Union3; © Bioface collects data from subjects and uses it for automated processing, but this is not a sufficient criterion to determine the territorial scope of the GDPR, as it does not relate to the offering of goods or services or the monitoring of behavior in the Union4. References: 1: Article 3(2) of the GDPR; 2: EDPB Guidelines, paragraph 20; 3: EDPB Guidelines, paragraph 38; 4: EDPB Guidelines, paragraph 50.

 This is not a valid set of standard contractual clauses because it does not correspond to any of the decisions adopted by the European Commission under the GDPR or the previous Data Protection Directive 95/46. The correct decision for EU processor to non-EU or EEA controller is Decision 2010/87/EU, which was amended by Decision 2004/915/EC. Decision 2007/72/EC is actually related to the recognition of the adequacy of the protection of personal data in Switzerland. References:

• Free CIPP/E Study Guide, page 18, section 3.4.2
• Standard contractual clauses for international transfers, section 1.1
• Standard Contractual Clauses (SCC), section 2.1
• Decision 2007/72/EC

According to the GDPR, personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes1. This means that data controllers must inform data subjects about the purposes of data processing and obtain their consent or another lawful basis for any new or different purposes2.

In the scenario, Brady transferred his customers’ personal data to Hermes Designs, a third-party contractor, to fulfill a requested service. However, Hermes Designs used the data for a new purpose that was not disclosed to the customers: creating sample customized banner advertisements and conducting direct marketing. This is a violation of the purpose limitation principle and could expose Brady to legal risks and customer complaints.

Therefore, Brady should be concerned with Hermes Designs’ handling of customer personal data and take appropriate measures to ensure compliance with the GDPR.

I hope this helps. If you have any other questions, please feel free to ask. 😊

1: Article 5(1)(b) of the GDPR 2: Article 6(4) of the GDPR

 The Privacy and Electronic Communications Regulations (PECR) are derived from the e-privacy Directive 2002/58/EC, which aims to protect the privacy and confidentiality of users of electronic communications services. The PECR cover various aspects of electronic marketing, such as the use of cookies, unsolicited communications, and traffic and location data. According to the PECR, the following marketing-related activities require the consent of the user or subscriber, unless certain exemptions apply:

• The use of cookies or similar technologies to store or access information on the user’s device (Regulation 6).
• The sending of electronic mail for direct marketing purposes to individual subscribers who have not given their prior consent (Regulation 22).
• The making of unsolicited calls for direct marketing purposes to individual subscribers who have registered their number with the Telephone Preference Service or who have objected to such calls from a specific caller (Regulation 21).
• The sending of unsolicited communications for direct marketing purposes by means of electronic mail, fax, or automated calling systems to corporate subscribers, unless they have indicated that they do not wish to receive such communications (Regulation 23).

Therefore, among the four options, the one that is least likely to be covered by the provisions of the PECR is the advertisements passively displayed on a website, as they do not involve the use of cookies, the sending of unsolicited communications, or the processing of traffic or location data. However, such advertisements may still be subject to other data protection laws, such as the GDPR, if they involve the processing of personal data of the users.

References:

• PECR
• e-privacy Directive
• ICO guide to PECR

The GDPR requires that in the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons1. A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed2. In this scenario, the company ABCD is the controller of the client data, and the loss of the memory stick containing unencrypted and clear text personal data is a personal data breach that may pose a risk to the rights and freedoms of the data subjects, such as identity theft, fraud, financial loss, or reputational damage. Therefore, the company ABCD should notify the data protection supervisory authority as soon as possible, and provide the information specified in Article 33(3) of the GDPR, such as the nature of the breach, the categories and number of data subjects and personal data records concerned, the likely consequences of the breach, and the measures taken or proposed to address the breach1. Option A is the correct answer, as it reflects the obligation of the controller under the GDPR. Options B, C and D are incorrect, as they do not comply with the GDPR requirements. Option B would delay the notification beyond the 72-hour deadline, which could result in administrative fines or other sanctions3. Option C would misuse the “disproportionate effort” exception, which only applies to the communication of the breach to the data subjects, not to the notification to the supervisory authority, and only when the controller has implemented appropriate technical and organisational protection measures, such as encryption, that render the personal data unintelligible to any person who is not authorised to access it4. Option D would prematurely notify the customers of the company without first notifying the supervisory authority, and without assessing the level of risk and the necessity of such communication, which should be done in consultation with the supervisory authority5. References: 1: Article 33(1) of the GDPR 2: Article 4(12) of the GDPR 3: Article 83(4)(a) of the GDPR 4: Article 34(3)(a) of the GDPR 5: Article 34(1) and (2) of the GDPR

This is not a common characteristic of cloud-computing services, as the supplier usually does not assume the vendor’s business risk. In fact, the supplier often limits its liability for data breaches or losses, and the vendor remains responsible for complying with data protection laws and regulations. The other options are common characteristics of cloud-computing services, as they reflect the nature of cloud computing as a flexible, scalable, and cost-effective way of processing data, but also pose challenges for data protection and security. References:

• Free CIPP/E Study Guide, page 17, section 2.3.2
• CIPP/E Certification, page 12, section 2.3.2
• Cipp-e Study guides, Class notes & Summaries, page 23, section 2.3.2

The GDPR does not explicitly regulate background checks, but it does apply to the processing of personal data that may be obtained or used during such checks. Therefore, the company must comply with the GDPR principles, such as lawfulness, fairness, transparency, data minimization, purpose limitation, accuracy, storage limitation, integrity and confidentiality, and accountability. The company must also identify a lawful basis for processing personal data, such as legal obligation, legitimate interest, or consent, and respect the data subject rights, such as the right to information, access, rectification, erasure, restriction, objection, and portability. Moreover, the company must be aware of the specific rules and restrictions regarding the processing of special categories of data (such as biometric, health, or political data) and data relating to criminal convictions and offences, which are subject to Article 10 of the GDPR and the laws of each member state. The company must also consider the national employment laws and the guidelines of the relevant supervisory authorities, which may impose additional conditions or limitations on the scope, methods, and purposes of background checks. For example, some member states may require prior authorization, notification, or consultation with the supervisory authority, the data subject, or the works council before conducting background checks. Some member states may also prohibit or restrict certain types of background checks, such as social media screening, credit checks, or criminal record checks, unless they are necessary, proportionate, and relevant for the specific job position or sector. Therefore, the company must conduct a thorough assessment of the legal framework and the risks and benefits of background checks in each member state where it operates or recruits employees, and ensure that it has a clear and consistent policy and procedure for conducting background checks in a GDPR-compliant manner. References: How to ‘background check’ under the GDPR, How to perform GDPR compliant background checks, GDPR and the processing of criminal conviction data across Europe, Pre-employment vetting: Data protection and criminal records, How GDPR Affects Background Checking

 According to Article 14 of the GDPR, when a controller collects personal data from a source other than the data subject, the controller must provide the data subject with certain information, such as the identity and contact details of the controller, the purposes and legal basis of the processing, the categories of personal data concerned, the recipients or categories of recipients of the personal data, and the rights of the data subject. This information must be provided within a reasonable period after obtaining the personal data, but at the latest within one month, or at the time of the first communication with the data subject, or before disclosing the data to another recipient. The purpose of this provision is to ensure fair and transparent processing of personal data and to respect the right of the data subject to be informed. References:

• Article 14 of the GDPR, which specifies the information to be provided where personal data have not been obtained from the data subject.
• ICO guidance, which explains the requirements and exceptions of Article 14 of the GDPR.
• EDPB guidelines, which provide further guidance on the application of Article 14 of the GDPR.

The GDPR (General Data Protection Regulation) applies to any organisation that processes personal data of EU residents, regardless of where the processing takes place. Therefore, WonderKids, as a data controller based in France, must comply with the GDPR when it transfers personal data to its hosting service provider in Switzerland, which acts as a data processor on behalf of WonderKids.

According to Article 28 of the GDPR, data controllers must only use data processors that provide sufficient guarantees to implement appropriate technical and organisational measures to ensure the protection of the rights of the data subjects and the security of the data. The data controller and the data processor must also enter into a written contract or other legal act that sets out the subject matter, duration, nature, and purpose of the processing, as well as the obligations and rights of the data controller.

The contract must include, among other things, the following provisions:

• The data processor must process the personal data only on documented instructions from the data controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by EU or member state law;
• The data processor must ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
• The data processor must take all measures required pursuant to Article 32 of the GDPR, which relates to the security of the processing;
• The data processor must respect the conditions for engaging another processor, and inform the data controller of any intended changes concerning the addition or replacement of other processors, giving the data controller the opportunity to object to such changes;
• The data processor must assist the data controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, which relate to the security of the processing, the notification of personal data breaches, the communication of personal data breaches to data subjects, the data protection impact assessment, and the prior consultation with the supervisory authority;
• The data processor must, at the choice of the data controller, delete or return all the personal data to the data controller after the end of the provision of services relating to the processing, and delete existing copies unless EU or member state law requires storage of the personal data;
• The data processor must make available to the data controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the data controller or another auditor mandated by the data controller.

Therefore, among the four options, the one that must be included in the contract between WonderKids and the hosting service provider is the requirement to implement technical and organisational measures to protect the data, as this is part of the data processor’s obligations under Article 28 and Article 32 of the GDPR.

The other options are not mandatory under the GDPR, although they may be advisable or desirable depending on the circumstances. Controller-to-controller model contract clauses are used when personal data is transferred from one data controller to another data controller, not from a data controller to a data processor. Audit rights for the data subjects are not explicitly required by the GDPR, although the data controller must ensure that the data processor allows for and contributes to audits conducted by the data controller or another auditor mandated by the data controller. A non-disclosure agreement may be useful to protect the confidentiality of the personal data, but it is not sufficient to ensure the compliance with the GDPR, as it does not cover all the aspects of the data processing relationship.

References:

• GDPR
• Web Hosting and GDPR Compliance - What to Look For
• The GDPR: Why you need to review your third-party service providers’ security
• GDPR Compliance for Third-Party Service Providers: Vendor Management

According to Article 15 of the GDPR, data subjects have the right to access and receive a copy of their personal data, and other supplementary information, from the data controller1. However, this right is not absolute and may be subject to limitations or restrictions. One of the grounds for refusing or limiting a data subject access request (DSAR) is when the request is manifestly unfounded or excessive, in particular because of its repetitive character1. In such cases, the controller may either charge a reasonable fee, taking into account the administrative costs of providing the information, or refuse to act on the request1. The controller must inform the data subject of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority or seeking a judicial remedy1.

In this scenario, Jack’s DSAR is likely to be considered excessive, as he requests a copy of all personal data, including internal emails, that were sent or received by him or where he is directly or indirectly identifiable from the contents. This is a very broad and vague request, which would require the company to search and review a large amount of information, and potentially disclose confidential or sensitive data about other employees or third parties. The company has already contacted Jack, asking him to be more specific about what information he requires, but he refused to narrow the scope of his request. Therefore, the company has a valid reason to decline to provide any information, as the amount of information requested is too excessive to provide in one month, which is the general time limit for responding to a DSAR under the GDPR1. Therefore, option B is the correct answer.

Option A is incorrect because the company’s headquarters location is irrelevant for the purpose of the DSAR, as the GDPR applies to any processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not2. The company has an establishment in Ireland, where Jack worked, and therefore is subject to the GDPR.

Option C is incorrect because the company cannot agree to provide the information requested in Jack’s original DSAR within a period of 3 months, as this would violate the data subject’s right of access and the principle of accountability under the GDPR. The company can only extend the time limit to respond to a DSAR by a further two months if the request is complex or if the controller receives a number of requests from the same data subject1. However, the company must inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay1. In this case, the company has not done so, and has instead asked Jack to be more specific about his request.

Option D is incorrect because the company cannot provide all requested information except for the emails, as this would not comply with the data subject’s right of access and the principle of transparency under the GDPR. The company must provide the data subject with a copy of the personal data undergoing processing, unless this adversely affects the rights and freedoms of others1. The emails are part of the personal data undergoing processing, and the company cannot exclude them from the DSAR without a valid reason. The company must also provide the data subject with the following supplementary information, unless the data subject already has it1:

• the purposes of the processing;
• the categories of personal data concerned;
• the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
• where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
• the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
• the right to lodge a complaint with a supervisory authority;
• where the personal data are not collected from the data subject, any available information as to their source;
• the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

References:

• Right of access
• Territorial scope

The EU Artificial Intelligence Act (AI Act) is a proposed regulation that aims to establish harmonised rules on the development and use of artificial intelligence in the EU. The AI Act classifies AI systems according to their level of risk and imposes various requirements and obligations on providers and users of such systems. The AI Act also provides for the enforcement of its rules by national competent authorities and the European Commission. According to Article 71 of the AI Act, the sanctions for non-compliance with the AI Act depend on the type and severity of the infringement. The maximum fine for the most serious infringements, such as placing on the market or putting into service prohibited AI systems, or failing to comply with the data and data governance requirements for high-risk AI systems, is the higher of up to 30 million Euro or up to 6% of the total worldwide annual turnover of the preceding financial year of the legal entity concerned. This is the same level of fine as for the most serious infringements of the General Data Protection Regulation (GDPR).

References:

•EUR-Lex - 52021PC0206 - EN - EUR-Lex1

•European Parliament Adopts Negotiating Position on the AI Act2

According to Article 37(2) of the GDPR, a group of undertakings may appoint a single data protection officer (DPO) provided that the DPO is easily accessible from each establishment12. This means that the DPO should be able to communicate effectively with the data subjects and the supervisory authorities in the relevant languages and jurisdictions, and to perform the tasks referred to in Article 39 of the GDPR34. The accessibility of the DPO does not necessarily depend on the physical location of the DPO, but rather on the availability of the DPO to the relevant stakeholders via various means of communication34. Therefore, the DPO does not have to be located in the country where the data controller has its main establishment, nor does the group of undertakings have to obtain approval from a supervisory authority or be comprised of organizations of similar sizes and functions to appoint a single DPO. References: CIPP/E Certification - International Association of Privacy Professionals, Free CIPP/E Study Guide - International Association of Privacy Professionals, GDPR - EUR-Lex, What’s different about a group data protection officer?, Data Protection Officers: What US Companies Need to Know - Cooley

Works councils are employee representative bodies that exist in some European countries, such as Germany, France, Spain and Italy. They have various roles and powers depending on the national laws and collective agreements, but generally they aim to protect and promote the interests of the employees in relation to the employer. Some of the common roles of works councils are:

• Determining whether to approve or reject certain decisions of the employer that affect employees, such as transfers, dismissals, redundancies, working hours, health and safety, etc.
• Determining whether employees’ personal data can be processed or not, based on the principle of co-determination, which means that the employer needs the consent of the works council for any data processing that involves employee monitoring, evaluation or control.
• Determining what changes will affect employee working conditions, such as wages, benefits, training, social facilities, etc.

However, works councils do not have the role of determining the monetary fines to be levied against employers for data breach violations of employee data. This is the role of the data protection authorities, which are independent public bodies that supervise, through investigative and corrective powers, the application of the data protection law. Works councils may cooperate with the data protection authorities or file complaints on behalf of the employees, but they do not have the authority to impose sanctions on the employers. References: Free CIPP/E Study Guide, page 27; CIPP/E Certification, page 13.

One of the main differences between a Regulation and a Directive in the EU law is that a Regulation is directly applicable and binding in all EU member states, without the need for national implementing measures, while a Directive sets out the objectives and principles that the member states must achieve, but leaves them the choice of form and methods to transpose it into their national laws. Therefore, by taking the form of a Regulation, the GDPR aims to harmonize and unify the data protection rules across the EU, and to ensure a consistent implementation and enforcement of the data protection laws throughout the EU. The other aspects of the GDPR listed in the question, such as the one-stop shop mechanism, the mandatory notification of large-scale data breaches, and the mandatory appointment of a data protection officer, are also important features of the GDPR, but they do not have the same impact on the consistency of the data protection laws as the form of a Regulation.

References: Difference between A Regulation And Directive (European Law)1; EUR-Lex - 310401_2 - EN - EUR-Lex2; EU GDPR vs. European Data Protection Directive 95/46/EC - Advisera3; Difference between GDPR and Data Protection Directive - Profolus

Article 80(1) of the GDPR states that the data subject shall have the right to mandate a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf, to exercise the rights referred to in Articles 77, 78 and 79 on his or her behalf, and to exercise the right to receive compensation referred to in Article 82 on his or her behalf1. These not-for-profit bodies, organisations or associations are commonly referred to as civil society organizations, as they represent the interests of citizens and groups in the public sphere2. The other options are not correct because: (A) Law firm organizations are not necessarily not-for-profit or active in the field of data protection; © Human rights organizations are a subset of civil society organizations, but not all civil society organizations are focused on human rights; (D) Constitutional rights organizations are also a subset of civil society organizations, but not all civil society organizations are concerned with constitutional rights. References: 1: Article 80(1) of the GDPR; 2: Free CIPP/E Study Guide, page 48.

 According to Article 13 of the GDPR, when personal data are collected from the data subject, the data controller must provide the data subject with the following information, among others1:

• The identity and the contact details of the controller and, where applicable, of the controller’s representative;
• The contact details of the data protection officer, where applicable;
• The purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
• The recipients or categories of recipients of the personal data, if any;
• Where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

In the scenario, Wonderkids provides some of this information in their Privacy Statement, but not all. They do not specify the categories of recipients with whom they will share the personal data of their customers and their children. They only state that they will share the data with businesses that they see as adding real value to the customers, which is vague and ambiguous. This does not comply with the GDPR requirement to inform the data subjects about the recipients or categories of recipients of their personal data, if any. Therefore, Wonderkids must provide this additional information in their Privacy Statement.

References:

• 1: Art. 13 GDPR Information to be provided where personal data are collected from the data subject

According to the definition of direct marketing in the context of data protection law, it is personal data processed to communicate a marketing or advertising message. This includes messages from commercial organisations, as well as from charities and political organisations. Therefore, option D is an example of direct marketing that would be subject to European data protection laws, as it involves sending a marketing message by SMS to an individual. The other options are not examples of direct marketing, as they do not involve marketing or advertising messages, but rather information or service messages that are not intended to promote any product or service. References:

• [IAPP article on direct marketing (EU specific)]
• Lexology article on direct marketing requirements under the GDPR

According to the GDPR, the material scope of the regulation covers the processing of personal data wholly or partly by automated means, or by non-automated means if the data forms part of a filing system or is intended to form part of a filing system (Article 2(1)). Personal data is defined as any information relating to an identified or identifiable natural person (data subject) (Article 4(1)). An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Article 4(1)). Therefore, pseudonymous data, such as blockchain transactions that use public keys or other identifiers, may still fall within the definition of personal data if the data subject can be identified or re-identified by using additional information or means (Recital 26).

The GDPR also applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the European Union, regardless of whether the processing takes place in the European Union or not (Article 3(1)). The GDPR also applies to the processing of personal data of data subjects who are in the European Union by a controller or processor not established in the European Union, where the processing activities are related to the offering of goods or services to such data subjects in the European Union or the monitoring of their behaviour as far as their behaviour takes place within the European Union (Article 3(2)). Therefore, the territorial scope of the GDPR covers both controllers and processors established in the European Union, and controllers and processors not established in the European Union but targeting or monitoring data subjects in the European Union.

In this scenario, blockchain transactions are classified as pseudonymous data, which may still be considered as personal data under the GDPR if the data subjects can be identified or re-identified. Therefore, such transactions are within the material scope of the GDPR, as they involve the processing of personal data by automated means. However, the GDPR only applies to such transactions to the extent that they include data subjects in the European Union, either by having a controller or processor established in the European Union, or by offering goods or services to or monitoring the behaviour of such data subjects. Therefore, the answer is C.

References: GDPR, Articles 2, 3, 4, Recital 261; EDPB Guidelines 05/2020 on consent under Regulation 2016/6792, page 17; Blockchain and the GDPR: Solutions for a responsible use of the blockchain in the context of personal data - CNIL3

 A data protection impact assessment (DPIA) is a process to identify and minimise the data protection risks of a project that is likely to result in a high risk to the rights and freedoms of individuals1. The GDPR requires controllers to conduct a DPIA before starting such processing activities1. In this case, Building Block should have done a DPIA before implementing the SecurityScan measure, as it involves the monitoring of employees’ computers, which could affect their privacy and other fundamental rights2. A DPIA would help Building Block to assess the necessity, proportionality and compliance measures of the SecurityScan measure, as well as to identify and mitigate the risks to the employees and to consult with the relevant stakeholders, such as the data protection officer, the employees themselves, and the supervisory authorities12. The other options are not the first step that Building Block should have done, as they either follow or depend on the outcome of the DPIA. References: Data Protection Impact Assessment (DPIA) - GDPR.eu, Data protection impact assessments | ICO

The GDPR defines profiling as any form of automated processing of personal data to evaluate certain personal aspects relating to a natural person, such as their preferences, behaviour, or interests1. Profiling is subject to the general principles and rules of the GDPR, such as lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, and confidentiality2. The GDPR also provides specific rights for data subjects who are subject to profiling, such as the right to be informed, the right to access, the right to rectify, the right to object, and the right to not be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects on them3.

In the given scenario, the online shop is engaging in profiling by tracking the browsing behaviour of its European customers and predicting future purchases. It is also sharing this information with third parties, which may involve further processing of the personal data. Therefore, the online shop must comply with the GDPR requirements for profiling and ensure that it has a valid legal basis for the processing. According to Article 6 of the GDPR, there are six possible legal bases for processing personal data: consent, contract, legal obligation, vital interests, public interest, or legitimate interests4. However, not all of them are equally applicable or appropriate for profiling activities, especially when they involve sensitive or special categories of data, such as biometric, genetic, or health data, which require additional safeguards under Article 9 of the GDPR5.

In this case, the most relevant and suitable legal basis for the online shop’s profiling is consent, which means that the data subject has given a clear and affirmative indication of their agreement to the processing of their personal data for one or more specific purposes6. Consent must be freely given, specific, informed, and unambiguous, and must be obtained before the processing begins7. The online shop must also inform the data subject about the nature and purpose of the profiling, the logic involved, the consequences, and the rights they have in relation to it. The online shop must also respect the data subject’s right to withdraw their consent at any time and to object to the profiling.

Therefore, the online shop’s primary obligation while engaging in this kind of profiling is to solicit informed consent through a notice on its website, which must be clear, concise, and easily accessible, and must not be bundled with other terms and conditions. The online shop must also provide a simple and effective mechanism for the data subject to give or revoke their consent, such as a checkbox, a slider, or a button. The online shop must also keep records of the consent obtained and be able to demonstrate that it has complied with the GDPR requirements for consent.

The other options (B, C, and D) are not the primary obligation for the online shop, as they are either irrelevant or insufficient for the GDPR compliance. Seeking authorization from the European supervisory authorities is not necessary, unless the online shop is involved in a cross-border processing that requires a prior consultation under Article 36 of the GDPR. Demonstrating a prior business relationship with the customers is not a valid legal basis for the profiling, as it does not imply consent or legitimate interests. Proving that it uses sufficient security safeguards to protect customer data is a general obligation for any processing of personal data, but it does not address the specific issues and risks of profiling, such as discrimination, manipulation, or loss of control. References:

• 1: What is automated individual decision-making and profiling?
• 2: Article 5 of the GDPR
• 3: Rights related to automated decision making including profiling
• 4: [Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)]
• 5: Article 9 of the GDPR
• 6: Article 4 (11) of the GDPR
• 7: Article 7 of the GDPR
• : Article 13 and 14 of the GDPR
• : Article 21 of the GDPR
• : Article 12 of the GDPR
• : [Guidelines on consent under Regulation 2016/679]
• : Article 24 of the GDPR
• : Article 36 of the GDPR
• : [Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679]
• : [https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf]
• : [https://edpb.europa.eu/sites/edpb/files/files/file1/20171104_wp251rev01_en.pdf]

According to the CJEU, the ePrivacy Directive does not define the concept of consent, but refers to the GDPR for its interpretation1. Therefore, the GDPR standard of consent applies to the use of cookies and similar technologies that require consent under the ePrivacy Directive. The GDPR defines consent as any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her2. The CJEU also clarified that the consent requirements apply regardless of whether the cookies constitute personal data or not, as the ePrivacy Directive covers any information stored or accessed on the user’s device1. The other options are incorrect, as the CJEU ruled that pre-checked boxes, implicit consent by scrolling, and insufficient information on the cookies do not meet the GDPR standard of consent1. References:

• Free CIPP/E Study Guide, page 14, section 2.3
• GDPR, Article 4 (11)
• ePrivacy Directive, Article 5 (3)
• Planet49: CJEU Rules on Cookie Consent
• CURIA - List of results

Binding Corporate Rules (BCRs) are a data transfer mechanism under the GDPR that allow multinational companies to transfer personal data within their group entities outside the EU, provided that they comply with the data protection principles and rights of the GDPR. BCRs are internal codes of conduct that must be legally binding and enforced by every member of the group.

According to Article 47 of the GDPR, BCRs must be approved by the competent Data Protection Authority (DPA) in the EU, following the consistency mechanism set out in Article 63 of the GDPR. This means that the DPA that receives the application for approval of the BCRs must communicate its draft decision to the European Data Protection Board (EDPB), which will issue its opinion on the BCRs. The EDPB is an independent body composed of representatives of the national DPAs and the European Data Protection Supervisor. The EDPB ensures the consistent application of the GDPR across the EU and issues guidelines, recommendations, and best practices on various aspects of the GDPR.

Therefore, the data transfer mechanism that Alice drafted violates the GDPR because the company did not first get approval from the Data Protection Authority, which is the supervisory authority responsible for authorising and monitoring the BCRs. The company cannot rely on the BCRs as a valid legal basis for transferring personal data from the EU to the US without the DPA’s approval.

The other options are not correct, as they are not the authorities that approve the BCRs under the GDPR. The Court of Justice of the European Union (CJEU) is the judicial body of the EU that interprets and applies EU law and ensures its uniformity across the EU. The CJEU does not approve the BCRs, but it may rule on the validity or interpretation of the GDPR or other EU laws that affect data protection. The European Data Protection Board (EDPB) is an independent body that ensures the consistent application of the GDPR and issues opinions on the BCRs, but it does not approve them. The EDPB’s opinions are not binding, but they must be taken into account by the DPAs. The European Commission is the executive branch of the EU that proposes and implements EU laws and policies. The European Commission does not approve the BCRs, but it may adopt adequacy decisions that recognise that a third country or an international organisation ensures an adequate level of data protection, which is another data transfer mechanism under the GDPR.

References:

• GDPR
• Binding Corporate Rules (BCR)
• Binding Corporate Rules - PwC
• Binding Corporate Rules - GDPR Summary
• A Guide for Binding Corporate Rules - Hunton Andrews Kurth
• Personal data transfers: binding corporate rules (BCRs) under the GDPR

According to the transparency principle, data controllers must provide clear and transparent information to data subjects about how their personal data is processed. This information must be easily accessible and easy to understand. Providing a hyperlink to the organization’s home page, in a hard copy application form, is not considered a fair processing practice in relation to the transparency principle, because it does not directly inform the data subject about the specific purposes and legal basis of the processing, the data protection rights and obligations, and the contact details of the data controller and the data protection officer. This information should be provided in a concise, intelligible and easily accessible form, using clear and plain language, in a way that is appropriate to the means of communication. Providing a hyperlink to the organization’s home page, in a hard copy application form, does not meet these criteria and may also be inaccessible to some data subjects who do not have internet access or are not familiar with the use of hyperlinks. Therefore, this option is not a fair processing practice in relation to the transparency principle. References: 1234 https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guidance-for-the-use-of-personal-data-in-political-campaigning-1/lawful-fair-and-transparent-processing/ https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guidance-for-the-use-of-personal-data-in-political-campaigning-1/lawful-fair-and-transparent-processing/

According to the GDPR, a data protection impact assessment (DPIA) is a process to help identify and minimize the data protection risks of a project. A DPIA is required when the processing is likely to result in a high risk to the rights and freedoms of natural persons, taking into account the nature, scope, context and purposes of the processing. The GDPR provides a list of examples of processing operations that require a DPIA, such as:

• Systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.
• Processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences.
• Systematic monitoring of a publicly accessible area on a large scale.

Therefore, an example of a scenario where a controller is most likely required to undertake a DPIA is when personal data is being collected and combined with other personal data to profile the creditworthiness of individuals, as this involves a systematic and extensive evaluation of personal aspects based on automated processing and profiling, and may have significant effects on the individuals. The other scenarios are not necessarily indicative of a high risk to the rights and freedoms of natural persons, and do not fall under the examples of processing operations that require a DPIA provided by the GDPR. References: Free CIPP/E Study Guide, page 37; CIPP/E Certification, page 18; GDPR, Article 35, Recital 91.

Directive 2002/58/EC, also known as the ePrivacy Directive, regulates the use of electronic communications services within the European Union. It covers issues such as confidentiality of communications, processing of traffic and location data, spam, cookies, and security breaches. It complements and particularises Directive 95/46/EC, also known as the Data Protection Directive, which sets out the general principles for the protection of personal data in the EU. The ePrivacy Directive was amended by Directive 2009/136/EC, which introduced new provisions on consent, cookies, and breach notification. The ePrivacy Directive is currently under review and will be replaced by a new Regulation on Privacy and Electronic Communications (ePrivacy Regulation), which is still being negotiated by the EU institutions. References: Directive 2002/58/EC, Directive 2009/136/EC, [ePrivacy Regulation]

According to the GDPR, when personal data is collected from the data subject, the controller must provide the data subject with certain information, such as the identity and contact details of the controller, the contact details of the data protection officer, the purposes and legal basis of the processing, the recipients or categories of recipients of the personal data, the data subject’s rights, and any other information necessary to ensure fair and transparent processing1. This information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language2. Therefore, Building Block should have provided its employees with information about who they can contact with any queries regarding the monitoring, such as the data protection officer or the Privacy Office, as part of the information notice before implementing the security measures. This would enable the employees to exercise their rights, such as the right to access, rectify, erase, restrict or object to the processing of their personal data, or the right to lodge a complaint with a supervisory authority3. References: 1 Art. 13 GDPR – Information to be provided where personal data are collected from the data subject - General Data Protection Regulation (GDPR)2 Art. 12 GDPR – Transparent information, communication and modalities for the exercise of the rights of the data subject - General Data Protection Regulation (GDPR)3 Art. 15-22 GDPR – Rights of the data subject - General Data Protection Regulation (GDPR).

The Convention 108+ is the modernized version of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, which was opened for signature on 10 October 20181. The Convention 108+ aims to reinforce the individuals’ protection, strengthen the implementation of the Convention, and promote it as a universal standard for data protection2. The Convention 108+ reflects the same principles as those enshrined in the EU’s General Data Protection Regulation (GDPR), which applies from 25 May 20183. Therefore, the Convention 108+ and the GDPR are largely consistent and coherent in their provisions and objectives.

However, one of the principles of the Convention 108+ that is not consistent with a principle found in the GDPR is the necessity of the bulk collection of personal data by the government. The Convention 108+ allows for the possibility of bulk collection of personal data by the government for national security purposes, subject to certain safeguards and oversight mechanisms. The GDPR, on the other hand, does not regulate the processing of personal data by the government for national security purposes, as this falls outside the scope of EU law. The GDPR also does not explicitly endorse the bulk collection of personal data by the government, but rather requires that any processing of personal data must be based on a legal basis, respect the principles of data protection, and ensure the rights and freedoms of data subjects. Therefore, the correct answer is C.

References:

• Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data
• Convention 108+ and the GDPR
• General Data Protection Regulation
• [Convention 108+: the consultative committee of the convention for the protection of individuals with regard to the processing of personal data (T-PD) publishes its guidelines on artificial intelligence and data protection]
• [Article 3 GDPR – Territorial scope]
• [Article 5 GDPR – Principles relating to processing of personal data]

I hope this helps you understand the Convention 108+ and the GDPR better. If you have any other questions, please feel free to ask me. 😊

According to the GDPR, a record of processing activities (RoPA) is a document that provides an overview of how personal data is processed within an organisation. It must include information on the types of personal data processed, the purposes for which the data is processed, and the measures taken to ensure the security of the data123. A RoPA must be kept up to date and made available to the supervisory authority upon request1.

In this scenario, Anna does not have to include Frank’s performance database in her RoPA, because it does not contain any personal data. Personal data is any information relating to an identified or identifiable natural person4. Frank’s performance database only contains aggregated or anonymised data that cannot identify any individual student. Therefore, it does not fall under the definition of personal data under the GDPR.

However, Anna still has to complete her RoPA for all other types of records that are processed by Granchester University, such as student records, staff and alumni records, and Department for Education records. These records may contain personal data that needs to be minimised and protected in accordance with the GDPR principles4. Anna also has to conduct a risk analysis before processing these records, as required by Article 35(2) of the GDPR4. She also has to report any security incidents involving these records, as required by Article 33(3) of the GDPR4.

References:

• [Art. 30 GDPR – Records of processing activities]
• [How do we document our processing activities?]
• Records of Processing (Article 30) Guidance
• GDPR Records of Processing Activities | Resources
• Records of Processing Activities: A Key GDPR Compliance Requirement

A risk analysis is a process of identifying, assessing and mitigating the potential threats and vulnerabilities that may affect the personal data processing activities of an organization. A risk analysis is not a one-time activity, but a continuous and dynamic process that requires regular monitoring and updating. A risk analysis is also not a substitute for compliance with the GDPR, but a tool to help ensure compliance by identifying and addressing the legal obligations and best practices.

According to the GDPR, an organization must conduct a data protection impact assessment (DPIA) before starting any new or significantly increased processing activity that may pose a high risk to the rights and freedoms of the data subjects. A DPIA is a systematic and documented process that aims to identify, evaluate and mitigate the risks associated with such processing activities. A DPIA must be carried out by or on behalf of the controller (the person or entity that determines the purposes and means of processing) or by another person acting on their behalf.

In this scenario, Frank is conducting a DPIA for his new processing activity of analyzing his students’ performance data in relation to Department for Education expectations. This processing activity poses a high risk to the rights and freedoms of his students, as it involves collecting, storing, using and transferring their personal data without their explicit consent or knowledge. Therefore, Frank must conduct a DPIA before starting this processing activity.

However, there are some exceptions to this requirement. One of them is when the processing activity involves personal data that are no longer relevant for the original purpose for which they were collected or otherwise processed. In this case, Frank can use existing personal data without conducting a DPIA, as long as he ensures that they are adequate, relevant and limited to what is necessary for his new purpose.

Therefore, in this situation, Anna will find that a risk analysis is NOT necessary in this situation as long as the data subjects are no longer current students of Frank’s. This means that Frank can use his existing student records without conducting a DPIA, as long as he ensures that they are adequate, relevant and limited to what is necessary for his new purpose.

References:

• Risks and data protection impact assessments (DPIAs) | ICO
• What Are GDPR Risk Assessments and Why Are They Important?
• GDPR Compliance Risk Assessment Best Practices | Accountable
• Why risk assessments are essential for GDPR compliance

The GDPR applies to all personal data, regardless of whether it exists in physical form or not. The GDPR defines personal data as any information relating to an identified or identifiable natural person, such as names, identification numbers, location data, or online identifiers1. Therefore, any information that can be linked directly or indirectly to a natural person is considered personal data under the GDPR.

However, the GDPR also distinguishes between different types of processing activities and their legal bases. Processing activities are the operations performed on personal data, such as collection, storage, use, disclosure, or deletion. Processing activities can be either automated or manual. Automated processing means using technology to perform processing activities without human intervention. Manual processing means using human intervention to perform processing activities.

The GDPR requires that any processing activity that involves personal data must comply with certain principles and conditions, such as lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality. These principles and conditions apply to both automated and manual processing activities.

Therefore, the GDPR applies to personal data that exists in physical form only when it is processed by an automated means in some way that affects its rights and freedoms. For example, if a company scans paper documents and stores them electronically in a database without deleting them after a certain period of time or when they are no longer needed for the original purpose for which they were collected (Article 6), then this would be considered an automated processing activity that involves personal data in physical form.

However, the GDPR does not apply to personal data that exists in physical form when it is handled in a sufficiently structured manner so as to form part of a filing system. For example, if a company keeps paper documents in folders labeled with names and dates on their office shelves without scanning them or storing them electronically anywhere else (Article 5), then this would not be considered an automated processing activity that involves personal data in physical form.

References:

• Physical Data - GDPR Summary
• What GDPR Means for Your Physical Records - Access
• Personal Data - Data Protection Act 2018

According to Article 13 of the GDPR, when a controller obtains personal data directly from the data subject, the controller must provide the data subject with certain information about the processing of their data, such as the identity and contact details of the controller, the purposes and legal basis of the processing, the recipients or categories of recipients, the period of storage, the rights of the data subject, the right to lodge a complaint, etc. However, the controller does not have to provide the data subject with the categories of personal data concerned, as this information is already known by the data subject, since they provided the data themselves. This is different from Article 14, which applies when the controller obtains personal data from a source other than the data subject, and requires the controller to inform the data subject of the categories of personal data concerned, as well as the source of the data. References:

• Art. 13 GDPR - Information to be provided where personal data are collected from the data subject
• Art. 14 GDPR - Information to be provided where personal data have not been obtained from the data subject
• Article 13: Information to be provided where personal data are collected from the data subject - GDPR

 According to Article 58 of the GDPR, each supervisory authority has the power to notify the controller or the processor of an alleged infringement of the GDPR as part of its investigative powers. This power allows the supervisory authority to alert the controller or the processor of a possible violation of the GDPR and to initiate further actions if necessary. The notification may also include recommendations or instructions on how to remedy the infringement or prevent further violations. References:

• Article 58 of the GDPR
• European Data Protection Law & Practice textbook, Chapter 9: Supervision and Enforcement, Section 9.2: Supervisory Authorities, Subsection 9.2.2: Powers of Supervisory Authorities

The GDPR imposes several obligations on data controllers when they engage data processors to process personal data on their behalf. One of these obligations is to ensure that the contract or other legal act between the controller and the processor stipulates that the processor must assist the controller in complying with its obligations under the GDPR, including the obligation to notify personal data breaches to the competent supervisory authority and, where applicable, to the affected data subjects1. However, this does not mean that the processor can directly notify the supervisory authority without the involvement of the controller. The GDPR clearly states that it is the controller’s responsibility to notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of the breach2. The processor must only notify the controller without undue delay after becoming aware of the breach3. Therefore, requiring that the processor directly notify the appropriate supervisory authority is not an action that a data controller can depend upon to avoid liability in the event of a security breach, as it would be contrary to the GDPR and the controller’s own obligation. Options A, B and D are actions that a data controller can take to reduce the risk of liability, as they demonstrate that the controller has exercised due diligence, assessed the potential impact of outsourcing, and chosen a reliable and compliant processor. References: 1: Article 28(3)(f) of the GDPR 2: Article 33(1) of the GDPR 3: Article 33(2) of the GDPR

According to the GDPR, consent is one of the lawful bases for processing personal data1. Consent means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her2. Therefore, consent must be specific to each purpose of processing and cannot be bundled with other purposes3. If a company wants to use personal data for a new purpose that is not compatible with the original purpose for which consent was given, it must obtain a new consent from the data subjects for the new processing4. Simply informing the data subjects of the new purpose or updating the privacy notice is not sufficient, as it does not imply the data subject’s agreement to the new processing. Proceeding with the new processing without obtaining a new consent would be unlawful and could result in fines and sanctions5. References:

• Free CIPP/E Study Guide, page 23, section 4.1.1
• GDPR, Article 4 (11)
• GDPR, Recital 32
• GDPR, Article 6 (4)
• GDPR, Article 83 (5) (a)

 Under the GDPR, the processing of personal data of a child on the basis of consent requires the consent of the holder of parental responsibility over the child, unless the child is at least 16 years old or the applicable national law provides for a lower age (not below 13 years). However, there are some situations where the processing of personal data of a child without parental consent may be justified by other lawful grounds, such as the performance of a contract, the compliance with a legal obligation, the protection of vital interests, the performance of a task carried out in the public interest, or the legitimate interests of the controller or a third party. One of these situations is when the processing is necessary for providing preventive or counselling services to the child, especially in the context of information society services. This is recognised by Recital 38 of the GDPR, which states that:

“Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child. The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.”

Therefore, the processing of personal data of a child without parental consent may be lawful if it is necessary for providing preventive or counselling services to the child, such as health, education, social or legal services, that are offered directly to the child and that aim to protect the child’s well-being, safety, development or rights. This may include, for example, online counselling platforms, sexual health advice services, anti-bullying or mental health support services, or child protection helplines. In such cases, the controller should ensure that the processing is fair, transparent, proportionate and respectful of the child’s best interests, and that appropriate safeguards are in place to protect the child’s personal data and rights.

The other options are not likely to justify the processing of personal data of a child without parental consent, as they do not meet the criteria of necessity, proportionality or legitimacy. The processing of personal data of a child for market research purposes is not necessary for the performance of a contract, the compliance with a legal obligation, the protection of vital interests, the performance of a task carried out in the public interest, or the legitimate interests of the controller or a third party, and may pose significant risks to the child’s privacy and autonomy. Therefore, such processing requires the consent of the holder of parental responsibility over the child, unless the child is old enough to give their own consent. The provision of materials purely for educational use to a child may not require the processing of personal data of the child at all, or may only require the processing of minimal personal data, such as the child’s name or email address. In such cases, the processing may be based on the consent of the child, if the child is old enough to understand the implications of their consent, or on the legitimate interests of the controller, if the processing is necessary for the provision of the educational materials and does not override the interests or rights of the child. However, the controller should still inform the child and the holder of parental responsibility about the processing and provide them with the opportunity to object or withdraw their consent. The existence of a legitimate business interest does not automatically justify the processing of personal data of a child without parental consent, as the controller must also consider the impact of the processing on the rights and freedoms of the child, and whether the processing is necessary and proportionate for the pursuit of that interest. Moreover, the controller must balance the legitimate business interest against the interests or rights of the child, and ensure that the processing does not cause any harm or disadvantage to the child. If the processing involves the use of personal data of a child for the purposes of marketing or creating personality or user profiles, the controller must obtain the consent of the holder of parental responsibility over the child, unless the child is old enough to give their own consent, as these purposes pose a high risk to the child’s privacy and autonomy. References: GDPR Article 6, GDPR Article 8, GDPR Recital 38, Children and the UK GDPR | ICO, Guidelines on consent under Regulation 2016/679 - European Data Protection Board

The reason why the consent provided by Ms. Iman would not be considered valid in regard to JaphSoft is not because she did not provide her consent for her personal data to be shared with EcoMick, but because she was not told which controller would be processing her personal data. JaphSoft is a controller, as it determines the purpose and means of the processing of personal data, which is to improve its marketing optimization models and to provide better services to its customers. JaphSoft does not act only on the instructions of Liem and EcoMick, who are the original controllers of the personal data, but rather uses the data for its own benefit and interest. Therefore, JaphSoft should have obtained a separate consent from Ms. Iman, or relied on another lawful basis, such as legitimate interest, to process her personal data. Ms. Iman only gave consent to Liem, not to JaphSoft, and she was not informed that her personal data would be shared with or processed by another controller.

 A dynamic IP address is a unique numerical label for a device on the internet that changes every time the device connects to the internet. A dynamic IP address by itself is not personal data, as it does not directly identify the person who owns or uses the device. However, a dynamic IP address can become personal data when it is combined with other data held by the controller, such as the web pages accessed by the device, the time and duration of the visit, the location of the device, or the user’s preferences and interests. In this case, the controller can use the additional data to identify the data subject, either directly or indirectly, by linking the dynamic IP address to a specific person or a profile. This was confirmed by the Court of Justice of the European Union (CJEU) in the case of Breyer v Bundesrepublik Deutschland, where the CJEU ruled that a dynamic IP address registered by a website provider constitutes personal data in relation to that provider, where the latter has the legal means to obtain the identity of the data subject from the internet service provider (ISP) that assigned the dynamic IP address. Therefore, option B is the correct answer. References: Directive 95/46/EC, Directive 2002/58/EC, Breyer v Bundesrepublik Deutschland, Case C-582/14, Dynamic IP Addresses can be Personal Data

According to the GDPR, personal data means any information relating to an identified or identifiable natural person1. Body temperature is a type of personal data that can reveal information about an individual’s health and therefore constitutes special category data under Article 9 of the GDPR2. However, not every activity involving personal data falls within the scope of the GDPR. The GDPR applies only to the processing of personal data wholly or partly by automated means or to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system3.

In this scenario, the organization conducts body temperature checks as a part of COVID-19 monitoring. Body temperature is measured manually and is not followed by registration, documentation or other processing of an individual’s personal data. This means that the organization does not use any automated means to collect, store, or process the body temperature data, nor does it create or intend to create a filing system that contains such data. Therefore, this practice does not involve any processing of personal data within the meaning of the GDPR and is not subject to its rules and obligations.

The other options are incorrect because:

• A. Body temperature is considered personal data, as it can be linked to an identifiable natural person and reveal information about their health2.
• C. Body temperature is not considered pseudonymous data, as it is not processed in a way that the data can no longer be attributed to a specific data subject without the use of additional information4.
• D. The practice is not for the purpose of alleviating extreme risks to public health, as it is not based on any legal obligation, public interest, or vital interest that would justify the processing of special category data under Article 9 of the GDPR5.

References: 1 Article 4(1) of the GDPR2 Policy Brief: Location Data Under Existing Privacy Laws | FPF23 Article 2(1) of the GDPR4 Article 4(5) of the GDPR5 Article 9(2) of the GDPR.

 According to the CIPP/E study guide, the Data Protection Law Enforcement Directive (LED) is a piece of EU legislation that ensures the protection of personal data of individuals involved in criminal proceedings, be it as witnesses, victims or suspects1. The LED applies to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties2. Article 4 of the LED sets out the principles relating to the processing of personal data, which include lawfulness, fairness, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality3. Article 4 (1) (e) of the LED states that personal data shall be processed lawfully, where processing is necessary for the performance of a task carried out by a competent authority for the purposes of the LED, and where processing is based on Union or Member State law which shall meet an objective of general interest, respect the essence of the right to the protection of personal data and be proportionate to the legitimate aim pursued3. Therefore, a government can carry out covert investigations involving personal data, as long as it is set forth by law and constitutes a measure that is both necessary and proportionate to the objective of general interest, such as the prevention or prosecution of criminal offences. References: 1: CIPP/E study guide, page 1; Data protection in law enforcement2: CIPP/E study guide, page 2; Art. 2 LED3: CIPP/E study guide, page 3; Art. 4 LED.

 The General Data Protection Regulation (GDPR) is a data protection law that applies to the processing of personal data of individuals in the European Union (EU) and the European Economic Area (EEA). Personal data is any information relating to an identified or identifiable natural person, such as name, address, email, phone number, etc12. The GDPR does not apply to personal data that is anonymized, meaning that it cannot be linked back to a specific individual12. Anonymization can be achieved by removing or masking any identifying information from the data, such as using pseudonyms, aggregating or generalizing the data, or applying statistical methods12.

Therefore, the type of data that lies beyond the scope of the GDPR is anonymized data.

References: 1: Free CIPP/E Study Guide - International Association of Privacy Professionals 2: CIPP/E Certification - International Association of Privacy Professionals

 According to the Free CIPP/E Study Guide, page 14, “if the DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk, the controller shall consult the supervisory authority prior to the processing.” This means that the controller must seek the advice of the supervisory authority when the DPIA identifies high risks that cannot be sufficiently reduced by the controller’s own measures. The other options are not necessarily cases where the consultation is required, although they may trigger other obligations under the GDPR, such as obtaining a valid legal basis, providing adequate safeguards, or informing the data subjects. References:

• Free CIPP/E Study Guide, page 14
• GDPR, Article 36

Ben’s collection of additional data from customers, especially sensitive data such as philosophical beliefs and political opinions, created several potential issues for the company, such as:

• The risk of violating the data minimization principle, which requires that personal data collected must be adequate, relevant and limited to what is necessary for the purposes of the processing1.
• The risk of infringing the rights and freedoms of the data subjects, who may not be aware of or consent to the secondary use of their data by Ben Knows Best, or the unauthorized access and copying of their data by Sam.
• The risk of non-compliance with the GDPR’s requirements for processing special categories of data, which include data revealing philosophical beliefs and political opinions. Such data can only be processed under certain conditions, such as explicit consent, substantial public interest, or legal claims2.
• The risk of data breaches or losses, as the data is transferred to a separate database, copied by Sam, and stored on the company’s servers in Vermont, which may not have adequate security measures or safeguards.

Therefore, the company would most likely require a data protection impact assessment (DPIA) to identify and mitigate these risks. A DPIA is a process that helps assess the impact of the envisaged processing operations on the protection of personal data, and consult with the supervisory authority if the DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk3. The other options are not necessarily required by the GDPR, although they may be good practices or contractual terms. References:

• Free CIPP/E Study Guide, page 32, section 4.1.2
• CIPP/E Certification, page 27, section 4.1.2
• The Ultimate CIPP/E Study Guide for 2023, page 36, section 4.1.2
• Principles - General Data Protection Regulation (GDPR), Article 5
• Special categories of personal data - General Data Protection Regulation (GDPR), Article 9
• Data protection impact assessment - General Data Protection Regulation (GDPR), Article 35

According to the EDPB Guidelines 8/2022, the lead supervisory authority of a controller is the supervisory authority of the main or single establishment of the controller in the EEA. The main establishment is the place where the controller has its place of central administration in the EEA, unless decisions on the purposes and means of the processing are taken in another establishment in the EEA, and that establishment has the power to implement those decisions. The controller must be able to demonstrate that such an establishment exists. The supervisory authority of the main establishment is the lead supervisory authority, regardless of what the controller has identified as the authority to which data subjects can lodge complaints. Therefore, criterion C is not relevant for identifying the lead supervisory authority of a controller.

References: EDPB Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority123, paragraphs 19-24.

According to the GDPR, a transfer of personal data to a third country or an international organisation may take place only if the conditions laid down in Chapter V of the GDPR are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation1. A third country is any country outside of the European Union (EU) and the European Economic Area (EEA)2. Therefore, a transfer impact assessment is only required when personal data is transferred to a third country or an international organisation that does not provide an adequate level of data protection, as recognised by the European Commission3. HRYourWay is a German based company, and Germany is a member state of the EU and the EEA. Thus, HRYourWay is not located in a third country, and no transfer impact assessment is needed for transferring personal data to it. The other options are incorrect, as they are not relevant to the question of whether a transfer impact assessment is required or not. References:

• GDPR, Chapter V
• GDPR, Article 4 (24)
• GDPR, Article 45

One of the main reasons why the CJEU invalidated the Privacy Shield was that it found that the US surveillance programs were not limited to what is strictly necessary and proportionate, as required by the EU law. The CJEU also criticized the lack of effective judicial remedies for EU data subjects whose data was accessed by US authorities. The Trans-Atlantic Data Privacy Framework is intended to address these issues by introducing new safeguards to ensure that signals intelligence activities are necessary and proportionate in the pursuit of defined national security objectives, and by creating a new mechanism for EU individuals to seek redress if they believe they are unlawfully targeted by signals intelligence activities. The Framework also enhances the oversight and transparency of US surveillance practices.

References: EU–US Data Privacy Framework - Wikipedia; FACT SHEET: United States and European Commission Announce Trans-Atlantic Data Privacy Framework | The White House; United States and European Commission Joint Statement on Trans-Atlantic Data Privacy Framework; European Commission and United States Joint Statement on Trans-Atlantic Data Privacy Framework; A practical approach to the new Trans-Atlantic Data Privacy Framework.

The GDPR allows the transfer of personal data to countries outside of the EEA that do not provide an adequate level of data protection, if appropriate safeguards are provided by the data exporter and the data importer1. One of these safeguards are standard contractual clauses (SCCs) adopted by the European Commission, which are model clauses that impose obligations on both parties to ensure that the transfer complies with the GDPR requirements2. The SCCs also include clauses on the rights of the data subjects, the obligations of the data protection authorities, and the liability and indemnification of the parties3. One of the obligations of the data importer under the SCCs is to warrant that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract, and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the SCCs, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract4. Therefore, option D is the correct answer, as it reflects the obligation of the data importer under the SCCs to ensure that local laws do not impede the company from meeting its contractual obligations. Options A, B and C are incorrect, as they are not obligations of the data importer under the SCCs. Option A is not required by the GDPR or the SCCs, as the data importer does not need to submit the contract to its own government authority, unless the law of the country where the data importer is established requires it to do so prior to the transfer or disclosure of personal data5. Option B is not an obligation of the data importer, but of the data exporter, who must provide the data subjects with the information required by Articles 13 and 14 of the GDPR, including the fact that the data will be transferred to a third country and the appropriate safeguards in place6. Option C is not specific to the SCCs, but a general obligation of any controller or processor under the GDPR, who must cooperate with the supervisory authority and make available all information necessary to demonstrate compliance with their obligations7. References: 1: Article 46(1) of the GDPR 2: Standard Contractual Clauses (SCC) - European Commission 3: EU Standard Contractual Clauses (Word documents) 4: Clause 5(a) of the SCCs for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 5: Clause 5(b) of the SCCs for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 6: Clause 9 of the SCCs for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 7: Article 31 of the GDPR

According to Article 14 of the GDPR, if the controller obtains personal data from other sources, such as third parties or publicly accessible sources, the controller must provide the data subject with the necessary privacy information, such as the identity and contact details of the controller, the purposes and legal basis of the processing, the categories of personal data concerned, the recipients or categories of recipients of the personal data, and the rights of the data subject. The controller must provide this information within a reasonable period after obtaining the personal data, but no later than one month, having regard to the specific circumstances in which the personal data are processed. However, there are some exceptions to this rule, such as if the data subject already has the information, if the provision of the information proves impossible or would involve a disproportionate effort, if the obtaining or disclosure of the data is expressly laid down by EU or member state law, or if the personal data must remain confidential subject to an obligation of professional secrecy12. References:

• GDPR, Article 14
• Free CIPP/E Study Guide, page 19, section 2.5.1
• CIPP/E Certification, page 14, section 1.2.1
• Art. 14 GDPR - Information to be provided where personal data have not been obtained from the data subject
• Article 14 GDPR - GDPRhub

According to Articles 33 and 34 of the GDPR, the Gummy Bear Company potentially violated its breach notification obligations by allowing Sam to copy and use the personal data of its customers in Ireland without their consent or authorization. A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed (Article 4(12)). The Gummy Bear Company, as a data controller, is required to notify the competent supervisory authority of the personal data breach without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons (Article 33(1)). The notification should include the nature of the personal data breach, the categories and approximate number of data subjects and personal data records concerned, the likely consequences of the personal data breach, and the measures taken or proposed to address the personal data breach (Article 33(3)). The Gummy Bear Company is also required to communicate the personal data breach to the affected data subjects without undue delay, if the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons (Article 34(1)). The communication should describe the nature of the personal data breach and the measures taken or proposed to address the personal data breach (Article 34(2)).

Therefore, the Gummy Bear Company should analyze and evaluate all of its breach notification obligations, taking into account the nature and circumstances of the personal data breach, the type and sensitivity of the personal data involved, the potential impact and harm to the data subjects, and the applicable laws and regulations of the jurisdictions where the data subjects reside. The Gummy Bear Company should also document the personal data breach and the remedial actions taken, and cooperate with the supervisory authorities and the data subjects as required by the GDPR.

References: GDPR, Articles 4(12), 33, 341; EDPB Guidelines 01/2021 on Examples regarding Data Breach Notification2

 According to Recital 51 of the GDPR, photographs are not automatically considered as biometric data, unless they are processed by a specific technical means that allows the unique identification or authentication of a natural person1. This means that printing employees’ photographs on building passes does not necessarily involve biometric data, as long as the photographs are not used for facial recognition or other similar purposes. The other options are incorrect, as they do not reflect the definition of biometric data or the conditions for processing special categories of personal data under the GDPR2. References:

• Recital 51 of the GDPR
• ICO guidance on special category data

Reference https://ess.csa.canon.com/rs/206-CLL-191/images/IAPP-Top-10-Operational-Impacts-of- GDPR.pdf?TC=DM &CN=CSA_OMNIA_Partners&CS=CSA&CR=T1_Gov%20GenNonProfit (11)

 According to the UK GDPR, the data subject has the right to object, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions1. The controller must stop the processing unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims1. The WP 29 Guidelines on Automated individual decision-making and Profiling provide some guidance on how to assess the existence of such compelling legitimate grounds2. The controller needs to carry out an exercise that weighs the interests of the controller and the basis for the data subject’s objection, consider the impact of the profiling on the data subject’s interest, rights and freedoms, and consider the importance of the profiling to their particular objective2. However, the controller does not need to demonstrate that the profiling is for the purposes of direct marketing, as this is a separate ground for objection under Article 21(2) of the UK GDPR, which gives the data subject an absolute right to object to such processing13. Therefore, option C is the correct answer, as it is not required by the controller to demonstrate that it has compelling legitimate grounds for profiling. References: 132

https://gdpr.eu/article-21-right-to-object/ https://ico.org.uk/for-organisations-2/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-object/

Article 30 of the GDPR requires controllers and processors to maintain records of their processing activities, which include information such as the purposes of the processing, the categories of personal data, the recipients of the data, the retention periods, and the security measures12. However, Article 30 does not require controllers to keep records of incidents of personal data breaches, whether disclosed or not. This is a separate obligation under Article 33 and Article 34, which require controllers to notify the supervisory authority and the data subjects of any personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons34. References: 1: Article 30 of the GDPR 2: What do we need to document under Article 30 of the UK GDPR? | ICO 3: Article 33 of the GDPR 4: Article 34 of the GDPR

Section: (none)

Explanation