CIPP-E Sample Questions Answers

According to the Free CIPP/E Study Guide, page 12, “the GDPR requires data controllers to implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR. These measures should take into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.” The GDPR also requires data controllers to ensure the security of personal data, to notify data breaches to the supervisory authorities and data subjects, and to cooperate with the supervisory authorities in providing any information necessary for the performance of their tasks. Therefore, the GDPR requirement that data controllers must be in control of the data they hold at all times will present the most significant challenges for organizations with BYOD programs, as they will have to deal with the increased risks of data loss, theft, unauthorized access, or misuse that may arise from the use of personal devices by employees or contractors. The other options are not necessarily more challenging for organizations with BYOD programs, although they may involve other obligations under the GDPR, such as obtaining a valid legal basis, providing adequate safeguards, or informing the data subjects. References:

• Free CIPP/E Study Guide, page 12
• GDPR, Articles 24, 25, 28, 32, 33, 34 and 58

According to Article 21 of the GDPR, the data subject has the right to object at any time to the processing of his or her personal data for direct marketing purposes, which includes profiling related to such marketing. When the data subject exercises this right, the controller must stop processing the personal data for that purpose, unless it can demonstrate compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims. The controller must also inform the data subject of this right before the first communication with him or her, and in a clear and separate manner from other information. The controller must also provide the data subject with a simple and effective way to opt out of receiving direct marketing communications, such as an unsubscribe link or a STOP text message. The controller must respect the data subject’s choice and refrain from sending any further direct marketing messages of the relevant type (e.g., email, phone, post, etc.) to the data subject, unless he or she opts in again. The controller does not need to delete the personal data of the data subject who opts out, unless the data subject also requests the erasure of his or her data under Article 17 of the GDPR, or the data is no longer necessary for the purposes for which it was collected or processed. The controller may also retain some minimal information about the data subject (such as name and email address) to ensure that his or her opt-out request is honored and that he or she is not contacted again for direct marketing purposes. The controller must also ensure that any third parties to whom it has disclosed the personal data of the data subject for direct marketing purposes are informed of the opt-out request and comply with it, unless this proves impossible or involves disproportionate effort. References: Direct marketing rules and exceptions under the GDPR, Direct marketing and privacy and electronic communications, Marketing and advertising: the law: Direct marketing, Direct Marketing - What you need to know about direct marketing

According to the UK GDPR, a processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller1. A processor must act only on the documented instructions of the controller and must not process the data for its own purposes or in a way that is incompatible with the controller’s purposes1. If a processor makes an independent decision regarding the purposes and means of processing it carries out on behalf of a controller, it will be considered to be a controller in respect of that processing and will be subject to the same obligations and liabilities as a controller under the UK GDPR1. This means that the processor will have to comply with the data protection principles, ensure the rights of data subjects, implement appropriate technical and organisational measures, report data breaches, conduct data protection impact assessments, appoint a data protection officer if required, and cooperate with the supervisory authority1. The processor will also be exposed to the risk of administrative fines, compensation claims, and reputational damage1. References: 1

https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/controllers-and-processors/controllers-and-processors/what-are-controllers-and-processors/

According to Article 36 of the GDPR, when a controller intends to process personal data that would result in a high risk to the rights and freedoms of data subjects, and a data protection impact assessment under Article 35 indicates that the risk cannot be mitigated by the controller, the controller must consult the supervisory authority before processing. The purpose of this prior consultation is to seek the advice of the supervisory authority on whether the processing complies with the GDPR and what measures can be taken to ensure compliance. During the prior consultation, the controller must provide the supervisory authority with the following information:

• the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings;
• the purposes and means of the intended processing;
• the measures and safeguards provided to protect the rights and freedoms of data subjects pursuant to the GDPR;
• the contact details of the data protection officer, if any;
• the data protection impact assessment provided for in Article 35; and
• any other information requested by the supervisory authority.

Therefore, the correct answer is B. An explanation of the purposes and means of the intended processing. This information is essential for the supervisory authority to understand the nature and scope of the processing and to assess its compliance with the GDPR. The other options are not required by Article 36, although they may be relevant for other aspects of the GDPR, such as the data protection by design and by default principle (A), the lawfulness of processing ©, or the designation of the data protection officer (D). References:

• Article 36 of the GDPR, which regulates the prior consultation with the supervisory authority.
• ICO guidance, which explains the process and requirements of the prior consultation.
• EDPB guidelines, which provide further guidance on the criteria and procedure of the prior consultation.

 The GDPR applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system1. However, the GDPR does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity2. This means that individuals can process personal data without being subject to the GDPR, as long as the processing is not related to a professional or commercial activity. For example, the GDPR does not apply to an individual who keeps a personal address book or who posts photos of their family and friends on a social media platform, as long as the platform is not used for business purposes3. References: 1: Article 2(1) of the GDPR 2: Article 2(2)© of the GDPR 3: Recital 18 of the GDPR

Under the GDPR, using CCTV on business premises involves the processing of personal data, which requires compliance with the data protection principles and obligations. However, notifying the appropriate data protection authority (DPA) is not one of the steps that a company should take before using CCTV, unless the DPA has specifically requested it or the CCTV involves high-risk processing that requires prior consultation. The other steps are necessary to ensure GDPR compliance, as explained below:

• Performing a data protection impact assessment (DPIA) is a mandatory requirement for any type of processing that is likely to result in a high risk to the rights and freedoms of individuals, such as large-scale or systematic monitoring of public areas. A DPIA is a process that helps identify and mitigate the potential privacy risks of using CCTV, and document the measures taken to address them. A DPIA should include a description of the processing, its purpose and necessity, its risks and benefits, the safeguards and security measures, and the consultation with stakeholders. A DPIA should be carried out before the CCTV system is installed or upgraded, and reviewed regularly or whenever there is a significant change in the processing.
• Creating an information retention policy for those who operate the system is a good practice to ensure that the personal data collected by CCTV is not kept longer than necessary for the purpose for which it was collected, and that it is securely deleted or anonymised when no longer needed. The retention period should be determined by the specific purpose and context of using CCTV, and take into account any legal or contractual obligations, as well as the expectations and rights of the data subjects. The retention policy should also specify who is responsible for managing and deleting the CCTV footage, and how the deletion process is verified and documented.
• Ensuring that safeguards are in place to prevent unauthorized access to the footage is an essential requirement to comply with the GDPR principle of integrity and confidentiality, which states that personal data must be processed in a manner that ensures appropriate security of the data, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage. The safeguards may include technical and organisational measures, such as encryption, access control, logging, audit, training, policies and procedures, that aim to protect the CCTV footage from unauthorized or unlawful access, disclosure, alteration, or destruction, both during transmission and storage. References: GDPR Article 35, GDPR Article 36, GDPR Article 5, CCTV and video surveillance | ICO, 5 Step Guide to Check if Your CCTV is GDPR Compliant

The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not. The GDPR also applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to the offering of goods or services to such data subjects in the EU or the monitoring of their behaviour as far as their behaviour takes place within the EU1. Therefore, after leaving the EU under the terms of Brexit, the UK became a third country for the purposes of the GDPR, meaning that personal data transfers from the EU to the UK are subject to the rules on international data transfers under Chapter V of the GDPR2. In order to ensure the continuity and stability of data flows between the EU and the UK, the UK sought an adequacy decision from the European Commission, which is a formal recognition that a third country provides an equivalent level of data protection to that of the EU3. On 28 June 2021, the European Commission adopted two adequacy decisions in respect of the UK: one for transfers under the GDPR and the other for transfers under the Law Enforcement Directive (LED)4. These decisions allow personal data to flow freely from the EU to the UK without any further safeguard being necessary, and are expected to last until 27 June 2025, unless they are amended, suspended or repealed earlier5. References:

• GDPR, Article 3
• GDPR, Chapter V
• Data protection adequacy for non-EU countries, section “Adequacy decisions”
• UK government welcomes the European Commission’s draft data adequacy decisions
• Adequacy, section “What does the EU GDPR adequacy decision say?”

According to the CIPP/E study guide1, the European Commission is the EU institution that has the power to propose new data protection legislation on its own initiative, as well as amend or repeal existing laws. The European Commission is also responsible for implementing and enforcing the EU data protection framework, in cooperation with other institutions and national authorities.

References: 1: Free CIPP/E Study Guide - International Association of Privacy Professionals

 According to the UK GDPR, the processing of personal data must be lawful, fair and transparent1. Lawfulness means that there must be a valid legal basis for processing personal data, such as consent, contract, legal obligation, vital interests, public task or legitimate interests1. Fairness means that the processing must not be detrimental, unexpected or misleading to the individuals concerned1. Transparency means that the individuals must be informed about how their data is used, who it is shared with, what rights they have and how they can exercise them1. Therefore, the sentence that best summarizes these concepts is option A, which states that fairness and transparency refer to the communication of key information before collecting data; lawfulness refers to compliance with government regulations. References: 1 https://ico.org.uk/for-organisations-2/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/lawfulness-fairness-and-transparency/

 A layered notice is a privacy notice designed to respond to problems with excessively long notices1. A short notice — the top layer — provides a user with the key elements of the privacy notice, such as the identity of the organisation, the purposes of the processing, and the rights of the data subjects2. The full notice — the bottom layer — covers all the intricacies in full, such as the lawful basis, the retention periods, and the recipients of the personal data2. The ICO recommends using a layered approach to deliver privacy information in a concise, transparent, intelligible, and easily accessible way, as required by the UK GDPR3. A layered notice allows data subjects to access the information they need at the appropriate level of detail and helps organisations to comply with the right to be informed23. References: 2

The “soft opt-in” rule is an exception to the general requirement of obtaining consent before sending electronic mail marketing to individuals. It applies when the following conditions are met12:

• the sender has obtained the contact details of the recipient in the context of the sale or negotiations for the sale of a product or service to that recipient;
• the sender only sends direct marketing relating to its own similar products or services; and
• the recipient has been given a simple opportunity to refuse or opt out of the marketing, both when the details were initially collected and in every subsequent message.

The option B matches these conditions, as it implies that the individual has shown an interest in buying a product from the sender, and that the sender can use the individual’s details to send marketing about similar products, as long as the individual can easily opt out. The other options do not qualify for the “soft opt-in” rule, as they either involve no consent, no prior relationship, or no opt-out mechanism. References: Electronic mail marketing | ICO, Direct marketing rules and exceptions under the GDPR

According to Article 35 of the GDPR, the controller must carry out a data protection impact assessment (DPIA) prior to processing that is likely to result in a high risk to the rights and freedoms of natural persons. The DPIA is a process for assessing and mitigating the potential impact of the processing on the protection of personal data. The controller must seek the advice of the DPO, where designated, when carrying out a DPIA. The DPO can assist the controller in conducting the DPIA and ensuring its compliance with the GDPR requirements. The DPO can also monitor the performance of the DPIA and act as a contact point for the supervisory authority and the data subjects. References:

• Article 35 of the GDPR
• European Data Protection Law & Practice textbook, Chapter 7: Data Protection Impact Assessment, Section 7.2: When is a DPIA required?, Subsection 7.2.1: The role of the DPO
• Roles and Responsibilities of a Data Protection Officer

According to the GDPR, the right to be forgotten, also known as the right to erasure, is not an absolute right and only applies in certain circumstances1. One of the exceptions to this right is when the processing of personal data is necessary for the establishment, exercise or defence of legal claims2. In this scenario, the company may need to retain the personal data of Jack, such as his employment records, performance reviews, and internal emails, in order to defend itself against a possible legal action of unfair dismissal. Therefore, the company should not erase the data at this time, unless it is confident that it has no legal basis to keep it. The company should also inform Jack of the reasons for not complying with his request and of his right to lodge a complaint with a supervisory authority or a judicial remedy3. References: 1: Everything you need to know about the “Right to be forgotten”2: Article 17(3)(e) of the GDPR3: Article 12(4) of the GDPR.

Consent is one of the legal bases for processing personal data under the GDPR, but it must meet certain conditions to be valid. According to Article 4(11) of the GDPR, consent means “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” In this scenario, consent would not be considered an adequate legal basis for accessing the party zone, because it is not freely given. Freely given consent means that the data subject has a genuine and free choice to agree or disagree to the processing, and that there is no detriment, coercion, or significant negative consequences if the data subject does not consent. However, in this case, the consent is conditional on accessing the party zone, which is the main purpose of the event. Therefore, the data subject does not have a real choice, and may feel pressured or obliged to consent in order to participate in the event. This violates the principle of free consent, and could invalidate the consent as a legal basis.

References:

•GDPR Article 4 - Definitions1

•GDPR Article 7 - Conditions for consent2

•Guidelines 05/2020 on consent under Regulation 2016/6793

The Universal Declaration of Human Rights (UDHR) was adopted by the United Nations General Assembly in 1948 as a response to the atrocities of World War II. It is considered the first global expression of human rights and fundamental freedoms. Article 12 of the UDHR states that “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.” This article is the origin of privacy as a fundamental human right that has influenced many subsequent international and regional instruments, such as the European Convention of Human Rights (ECHR), the OECD Guidelines on the Protection of Privacy, and the Charter of Fundamental Rights of the European Union (CFREU). References:

• IAPP CIPP/E Study Guide, page 7
• [Universal Declaration of Human Rights]
• [Article 12 of the UDHR]

The GDPR allows for derogations for specific situations when a transfer of personal data to a third country or an international organization cannot be based on an adequacy decision, appropriate safeguards, or binding corporate rules1. However, these derogations are exceptions to the general rule and should not become the norm. The EDPB confirmed that derogations should only be used as a last resort and when interpreted restrictively, taking into account the nature of the data, the purpose and duration of the processing, the country of origin and destination, and the rights and freedoms of data subjects23. The EDPB also stressed that the data exporter must assess the level of protection in the third country and ensure that the transfer does not undermine the essence of the fundamental rights and freedoms of data subjects23. References: 1: Article 49 of the GDPR 2: Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679 3: A guide to international transfers | ICO

The ePrivacy Directive, also known as the Cookie Law, is the EU legislation that regulates the use of cookies and other tracking technologies on websites and mobile applications. The ePrivacy Directive states that the use of cookies on websites and mobile applications is conditioned upon the prior consent of users, unless the cookies are strictly necessary for the provision of the service. Users must also be given clear and comprehensive information about the purposes of the cookies and the means to refuse them. The ePrivacy Directive complements the GDPR, which also applies to the processing of personal data through cookies, but does not specifically address the consent requirement for cookies. The other answer choices are not relevant to the consent requirement for cookies, as they regulate different aspects of the digital economy and society. The E-Commerce Directive establishes the legal framework for online services in the EU, such as information society services, electronic contracts, and liability of intermediaries. The Data Retention Directive requires telecommunication providers to retain certain data for a period of time for the purpose of law enforcement and national security. The EU Cybersecurity Directive aims to enhance the security of network and information systems across the EU, by setting common standards and obligations for operators of essential services and digital service providers. References:

• Cookies, the GDPR, and the ePrivacy Directive - GDPR.eu
• What is the EU Cookie Law (ePrivacy Directive)? - Cookie Script
• EU Cookie Law - Data Protection and Cookies - Cookiebot™
• ePrivacy Directive - Regulations - Learn how CookiePro Helps

Article 9 of the GDPR prohibits the processing of special category data, which includes biometric data for the purpose of uniquely identifying a natural person1. However, there are 10 exceptions to this general prohibition, usually referred to as ‘conditions for processing special category data’2. These are:

• (a) Explicit consent
• (b) Employment, social security and social protection (if authorised by law)
• © Vital interests
• (d) Not-for-profit bodies
• (e) Made public by the data subject
• (f) Legal claims and judicial acts
• (g) Substantial public interest conditions
• (h) Health or social care
• (i) Public health
• (j) Archiving, research and statistics

Option A is not one of these exceptions, and therefore it is not a valid reason to process biometric data under Article 9. Option B, C and D are all valid exceptions, as they correspond to conditions ©, (f) and (a) respectively. Therefore, the correct answer is A.

References:

• 4: Art. 9 GDPR Processing of special categories of personal data
• 6: What are the rules on special category data? | ICO

Article 58 of the GDPR lists the powers of supervisory authorities in EU member states. Among these powers are the investigative powers, which include the right to access data and information from controllers and processors, as well as to access their premises and equipment. This power enables the supervisory authorities to perform their tasks of monitoring and enforcing the GDPR. The other options are not powers of supervisory authorities under Article 58 of the GDPR. References: Art. 58 GDPR – Powers, Article 58 Powers - GDPR, Article 58 GDPR - GDPRhub

One of the main reasons why the CJEU invalidated the Privacy Shield was that it found that the US surveillance programs were not limited to what is strictly necessary and proportionate, as required by the EU law. The CJEU also criticized the lack of effective judicial remedies for EU data subjects whose data was accessed by US authorities. The Trans-Atlantic Data Privacy Framework is intended to address these issues by introducing new safeguards to ensure that signals intelligence activities are necessary and proportionate in the pursuit of defined national security objectives, and by creating a new mechanism for EU individuals to seek redress if they believe they are unlawfully targeted by signals intelligence activities. The Framework also enhances the oversight and transparency of US surveillance practices.

References: EU–US Data Privacy Framework - Wikipedia; FACT SHEET: United States and European Commission Announce Trans-Atlantic Data Privacy Framework | The White House; United States and European Commission Joint Statement on Trans-Atlantic Data Privacy Framework; European Commission and United States Joint Statement on Trans-Atlantic Data Privacy Framework; A practical approach to the new Trans-Atlantic Data Privacy Framework.

Section: (none)

Explanation

 The European Council and the Council of the European Union are two different EU institutions that have similar names but distinct roles and memberships. The European Council is the body of leaders (heads of state or government) of the 27 EU member states that defines the EU’s general political direction and priorities1. The European Council does not adopt EU legislation, but rather sets the agenda and gives guidance to the other EU institutions1. The Council of the European Union, informally known as the Council, is composed of national ministers from each EU member state, grouped by policy area1. The Council is one of the two legislative bodies of the EU, along with the European Parliament, and negotiates and adopts EU laws, coordinates member states’ policies, and develops the EU’s common foreign and security policy1. The key difference between the two institutions is that the European Council is comprised of the heads of each EU member state, while the Council of the European Union is comprised of the ministers of each EU member state12. References: European Council | Council of the European Union, What is the difference between EU Council, Council of the European Union, and Council of Europe?

The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not1. This means that the GDPR applies to any controller or processor that has a branch, office, subsidiary, or other stable arrangement in the EU, even if the data processing occurs outside the EU. However, the GDPR also applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union1. This means that the GDPR applies to any controller or processor that targets or tracks EU data subjects, even if they do not have a presence in the EU. In this case, the website operator is not required to comply with the GDPR because it does not have an establishment in the EU (option B), and it does not offer goods or services or monitor the behaviour of EU data subjects. The website operator reports primarily on North American events, does not block connections from outside the U.S., and only accepts payments in U.S. dollars, which indicate that it does not intend to target or track EU data subjects. Therefore, option B is the correct answer. References: Art. 3 GDPR – Territorial scope, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), [What does territorial scope mean under the GDPR?]

The GDPR requires that the information provided to data subjects about the processing of their personal data must be concise, transparent, intelligible and easily accessible, using clear and plain language1. However, this can be challenging when the processing activities are complex, diverse or voluminous. Therefore, a good practice is to use a layered privacy notice, which consists of providing a short notice with the key elements of the privacy information, such as the identity of the controller, the purposes and legal basis of the processing, the recipients of the data, the data subject’s rights, and the contact details of the data protection officer or the supervisory authority. The short notice can then contain links to more detailed information, either by expanding each section or by directing the user to a separate page or document. This way, the user can easily access the information that is most relevant or important to them, without being overwhelmed by a long and complex notice23. A layered privacy notice can be used on websites, in emails, in mobile apps, or in any other medium where space or attention span is limited4. References: 1 Art. 12 GDPR – Transparent information, communication and modalities for the exercise of the rights of the data subject - General Data Protection Regulation (GDPR)2 Layered Notice - International Association of Privacy Professionals3 What methods can we use to provide privacy information? | ICO. 4 Layered Notice - West Virginia.

The aim of the European Data Protection Directive 95/46/EC was to establish a common legal framework for the protection of personal data within the European Union, and to ensure the free movement of such data within the internal market. The Directive was based on the recognition that the processing of personal data affects the fundamental rights and freedoms of individuals, especially their right to privacy, and that these rights need to be respected and safeguarded. At the same time, the Directive acknowledged that the free flow of personal data is essential for the economic and social development of the EU, and that the harmonization of data protection laws would facilitate the exchange of information and the provision of services across the member states. Therefore, the Directive aimed to strike a balance between the protection of individuals’ rights and the promotion of the internal market, by laying down the key principles, obligations and rights for the processing of personal data, and by providing mechanisms for cooperation and coordination among the national data protection authorities. References: Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Data Protection Directive - Wikipedia

 The GDPR aims to harmonize the data protection rules across the EU and to ensure consistent and effective enforcement of those rules. However, the GDPR also recognizes that there may be some differences in the interpretation and application of the law among the member states, depending on their national legislation, culture and practices. Therefore, the GDPR introduces the concept of the “main establishment” of a controller or processor, which is the place where the decisions on the purposes and means of the processing of personal data are taken in the EU1. The main establishment determines which national supervisory authority will act as the lead authority for the cross-border processing activities of that controller or processor, and which national law will apply in case of a dispute or a complaint2. The Article 29 Working Party, which is an advisory body composed of representatives of the national supervisory authorities, the European Data Protection Supervisor and the European Commission, has issued guidelines on how to identify the main establishment of a controller or processor under the GDPR3. The guidelines emphasize that the main establishment must reflect the reality of the processing activities and the effective and real exercise of management power over those activities. The guidelines also warn against the practice of “forum shopping”, which occurs when a controller or processor designates its main establishment in a member state with the most flexible or lenient data protection regime, regardless of the actual location of the decision-making or the data processing. The guidelines state that such a practice is forbidden under the GDPR, and that the supervisory authorities will closely monitor and verify the criteria used by the controllers or processors to determine their main establishment. If the supervisory authorities find that the main establishment does not correspond to the factual situation, they may challenge the designation and apply the relevant corrective measures4. References: 1 Art. 4 (16) GDPR – Definitions - General Data Protection Regulation (GDPR)2 Art. 56-58 GDPR – Cooperation and consistency - General Data Protection Regulation (GDPR)3 Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) - European Data Protection Board4 Ibid, p. 14-15.

 This is not a valid set of standard contractual clauses because it does not correspond to any of the decisions adopted by the European Commission under the GDPR or the previous Data Protection Directive 95/46. The correct decision for EU processor to non-EU or EEA controller is Decision 2010/87/EU, which was amended by Decision 2004/915/EC. Decision 2007/72/EC is actually related to the recognition of the adequacy of the protection of personal data in Switzerland. References:

• Free CIPP/E Study Guide, page 18, section 3.4.2
• Standard contractual clauses for international transfers, section 1.1
• Standard Contractual Clauses (SCC), section 2.1
• Decision 2007/72/EC

 According to Article 5 of the GDPR, personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)1. The company’s decision to install cameras in the entrance of the building, hallways and offices may violate this principle, as it may expose the personal data of the employees and visitors to unnecessary risks, such as hacking, misuse or disclosure. Moreover, the company must also comply with the other principles of data processing, such as lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy and storage limitation1. The company must have a legitimate and specific purpose for installing the cameras, and must inform the data subjects about the processing of their personal data. The company must also ensure that the cameras collect only the minimum amount of data necessary for the purpose, and that the data are accurate and kept for no longer than necessary. The company must also respect the rights and freedoms of the data subjects, and provide them with the means to exercise their rights, such as the right to access, rectify, erase, restrict, object or port2.

The most realistic step the company could take to address their security concerns and comply with the personal data processing principles set out in Article 5 of the GDPR is to restrict the camera placement to building entrances only. This would limit the scope and impact of the data processing, and reduce the risks to the personal data of the employees and visitors. The company would still need to inform the data subjects about the processing, and ensure that the footage is securely stored and transferred, especially if it is monitored by the home office in the United States, which is a third country that may not offer adequate protection for personal data3. The company would also need to consider the possibility of obtaining the consent of the data subjects, or relying on another legal basis for the processing, such as the legitimate interests of the company or the performance of a contract4. References:

• Article 5 of the GDPR
• [Article 12-23 of the GDPR]
• [Article 44-50 of the GDPR]
• [Article 6 of the GDPR]

According to the CJEU, the ePrivacy Directive does not define the concept of consent, but refers to the GDPR for its interpretation1. Therefore, the GDPR standard of consent applies to the use of cookies and similar technologies that require consent under the ePrivacy Directive. The GDPR defines consent as any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her2. The CJEU also clarified that the consent requirements apply regardless of whether the cookies constitute personal data or not, as the ePrivacy Directive covers any information stored or accessed on the user’s device1. The other options are incorrect, as the CJEU ruled that pre-checked boxes, implicit consent by scrolling, and insufficient information on the cookies do not meet the GDPR standard of consent1. References:

• Free CIPP/E Study Guide, page 14, section 2.3
• GDPR, Article 4 (11)
• ePrivacy Directive, Article 5 (3)
• Planet49: CJEU Rules on Cookie Consent
• CURIA - List of results

While Company B made several mistakes in handling Company A's employee data, not all of them would likely trigger a potential enforcement action under the GDPR. Here's an analysis of each option:

A. Omission of data protection provisions in the contract with Company C: This is a clear violation of the GDPR. Company B, as the data controller, is responsible for ensuring that any third-party processors comply with data protection requirements. By omitting data protection provisions in the contract, Company B failed to take appropriate steps to ensure the security and privacy of the personal data. This would be a likely trigger for an enforcement action.

B. Failure to provide sufficient security safeguards to Company A's data: This is another violation of the GDPR. Company B has a legal obligation to implement appropriate technical and organizational security measures to protect personal data from unauthorized access, use, disclosure, alteration, or destruction. The outdated IT security system at Company C's U.S. server demonstrates a failure to meet this obligation. This would also be a likely trigger for an enforcement action.

C. Engagement of Company C to improve their payroll service: While outsourcing certain aspects of data processing is permitted under the GDPR, the data controller remains ultimately responsible for compliance. However, simply engaging another company to improve a service itself isn't necessarily a violation. As long as the proper safeguards are in place and the data processing is carried out in accordance with the GDPR, this action alone would not likely trigger an enforcement action.

D. Decision to operate without a data protection officer: The GDPR requires certain organizations to appoint a data protection officer (DPO). While Company B may be required to have a DPO depending on its size and activities, the absence of a DPO wouldn't automatically trigger an enforcement action. However, it could indicate a lack of compliance culture and contribute to other violations, increasing the likelihood of an enforcement action.

Therefore, while Company B made several mistakes, only the ones that directly violate specific data protection requirements, such as omitting data protection provisions in contracts or failing to implement appropriate security measures, are likely to trigger an enforcement action. Engaging a third-party to improve a service, as long as it's done in a compliant manner, isn't a violation in itself.

The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not (Article 3(1)). The GDPR also applies to the processing of personal data of data subjects who are in the EU by a controller or a processor not established in the EU, where the processing activities are related to the offering of goods or services to such data subjects in the EU, or the monitoring of their behaviour as far as their behaviour takes place within the EU (Article 3(2)). Therefore, the GDPR would apply to the following entities:

• A South American company that regularly collects European customers’ personal data, as it is offering goods or services to data subjects in the EU.
• A company that stores all customer data in Australia and is headquartered in a European Union (EU) member state, as it has an establishment in the EU.
• A Chinese company that has opened a satellite office in a European Union (EU) member state to service European customers, as it has an establishment in the EU and is offering goods or services to data subjects in the EU.

The GDPR would not apply to the following entity:

• A North American company servicing customers in South Africa that uses a cloud storage system made by a European company, as it does not have an establishment in the EU, nor is it offering goods or services to data subjects in the EU, nor is it monitoring their behaviour within the EU. The fact that it uses a cloud storage system made by a European company does not trigger the application of the GDPR, unless the cloud provider is also processing personal data on behalf of the North American company in the context of its activities in the EU.

References: Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) - version adopted after public consultation, Art. 3 GDPR – Territorial scope - General Data Protection Regulation (GDPR)

According to Article 46 of the GDPR, in the absence of an adequacy decision by the European Commission, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. One of the possible appropriate safeguards is the use of standard data protection clauses adopted by the Commission or by a supervisory authority. However, Article 46(5) states that the possibility for the controller or processor to use standard data protection clauses adopted by the Commission or by a supervisory authority shall not affect the possibility for the controller or processor to rely upon other appropriate safeguards provided for in paragraph 2 of this Article, provided that they ensure that data subjects have enforceable and effective rights as regards the processing of their data. Therefore, in this case, Jackie’s recommendation of requiring UpFinance to notify ProStorage if it receives a government request for personal data UpFinance processes on its behalf prior to disclosing such data is an additional measure that could be considered as an appropriate safeguard, especially since UpFinance implements several data protection measures, including end-to-end encryption, with encryption keys held by the customer, which would ensure a high level of security and confidentiality of the personal data transferred. References:

• Article 46 of the GDPR
• IAPP CIPP/E Study Guide, page 67

Directive 2002/58/EC, also known as the ePrivacy Directive, regulates the use of electronic communications services within the European Union. It covers issues such as confidentiality of communications, processing of traffic and location data, spam, cookies, and security breaches. It complements and particularises Directive 95/46/EC, also known as the Data Protection Directive, which sets out the general principles for the protection of personal data in the EU. The ePrivacy Directive was amended by Directive 2009/136/EC, which introduced new provisions on consent, cookies, and breach notification. The ePrivacy Directive is currently under review and will be replaced by a new Regulation on Privacy and Electronic Communications (ePrivacy Regulation), which is still being negotiated by the EU institutions. References: Directive 2002/58/EC, Directive 2009/136/EC, [ePrivacy Regulation]

According to Article 32 of the GDPR, the controller and the processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing1. The GDPR does not prescribe specific security measures, but rather provides a list of factors to consider when determining the appropriate level of security, such as:

• The state of the art and the costs of implementation;
• The nature, scope, context and purposes of processing;
• The risk of varying likelihood and severity for the rights and freedoms of natural persons.

Therefore, the level of security required by the GDPR is not absolute, but relative to the specific circumstances of each processing activity. The GDPR also encourages the use of codes of conduct and certification mechanisms to demonstrate compliance with the security requirements1.

In the scenario, Natural Insight is a processor who receives customer information from BHealthy, a controller, for the purpose of providing pricing services. Natural Insight has a contractual obligation to implement technical and organisational measures to ensure the security of the data, as well as to comply with the GDPR. Natural Insight’s security obligations are not limited to the measures assessed by BHealthy prior to entering into the contract, nor to the level of security that a reasonable data subject would expect. Rather, Natural Insight must take into account the industry practices for protecting customer contact information and purchase history, as well as the potential risks that may arise from the processing, such as data breaches, identity theft, fraud, or discrimination. Natural Insight must also keep up with the state of the art and the costs of implementation, and adjust its security measures accordingly.

References:

• 4: Art. 32 GDPR Security of processing

 According to the UK GDPR, the data subject has the right to object, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions1. The controller must stop the processing unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims1. The WP 29 Guidelines on Automated individual decision-making and Profiling provide some guidance on how to assess the existence of such compelling legitimate grounds2. The controller needs to carry out an exercise that weighs the interests of the controller and the basis for the data subject’s objection, consider the impact of the profiling on the data subject’s interest, rights and freedoms, and consider the importance of the profiling to their particular objective2. However, the controller does not need to demonstrate that the profiling is for the purposes of direct marketing, as this is a separate ground for objection under Article 21(2) of the UK GDPR, which gives the data subject an absolute right to object to such processing13. Therefore, option C is the correct answer, as it is not required by the controller to demonstrate that it has compelling legitimate grounds for profiling. References: 132

https://gdpr.eu/article-21-right-to-object/ https://ico.org.uk/for-organisations-2/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-object/

 This is not an explicit right granted to data subjects under the GDPR, as the GDPR does not specifically address the sale of personal data. However, the GDPR does require that data subjects give their consent to any processing of their personal data that is not based on another legal basis, such as a contract or a legal obligation1. Therefore, data subjects have the right to withdraw their consent at any time, and the controller must inform them of this right before obtaining their consent2. The other options are explicit rights granted to data subjects under the GDPR, as they are listed in Chapter 3 of the regulation3. References:

• Free CIPP/E Study Guide, page 23, section 3.1
• CIPP/E Certification, page 18, section 3.1
• The Ultimate CIPP/E Study Guide for 2023, page 16, section 3.1
• GDPR data subject rights - 8 fundamental & additional rights, paragraph 4
• Rights of the data subject - General Data Protection Regulation (GDPR), Article 7
• Rights of the data subject - General Data Protection Regulation (GDPR), Chapter 3

 According to the UK GDPR, employees have the right to access and receive a copy of their personal data, and other supplementary information, from their employer. This is known as a data subject access request (DSAR). Employers must respond to a DSAR without delay and within one month of receipt of the request, unless the request is complex or excessive. Employers should perform a reasonable search for the requested information and provide it in an accessible, concise and intelligible format. Employers can only refuse to provide the information if an exemption or restriction applies, or if the request is manifestly unfounded or excessive. Some of the exemptions that may apply in the employment context are: legal privilege, management forecasting, confidential references, negotiations, regulatory functions, and criminal convictions and offences. Employers should disclose the information securely and inform the employee of their rights and the source of the data. References:

• Right of access | ICO
• Subject access request Q and As for employers | ICO
• Data Subject Access Request (Employers’ Guide) | DavidsonMorris

The e-Privacy Directive 2002/58/EC, also known as the Directive on privacy and electronic communications, is a specific directive that complements and particularises the GDPR for the electronic communications sector. It was amended in 2009 by the Directive 2009/136/EC, which introduced several changes to enhance the protection of personal data and privacy in the electronic communications sector. One of these changes was the introduction of a mandatory notification for personal data breaches applicable to providers of publicly available electronic communications services, such as telecom providers and internet service providers. According to Article 4 of the amended e-Privacy Directive, these providers must notify the competent national authority of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Community. The notification must be made without undue delay and, where feasible, not later than 24 hours after the provider has become aware of the breach. The notification must include information such as the nature and content of the personal data concerned, the circumstances and consequences of the breach, and the measures taken or proposed by the provider to address the breach. The provider must also notify the affected data subjects of the breach, unless the provider has demonstrated to the satisfaction of the competent authority that it has implemented appropriate technological protection measures that render the data unintelligible to any person who is not authorised to access it. The notification to the data subjects must describe the nature of the breach and the contact points where more information can be obtained, and must recommend measures to mitigate the possible adverse effects of the breach. The purpose of this mandatory notification is to ensure that the authorities and the data subjects are informed of the risks and the remedies related to the breach, and to encourage the providers to improve their security measures and prevent further breaches. References: e-Privacy Directive, Changes to e-Privacy Directive Approved by European Parliament, Article 2 Amendments to Directive 2002/58/EC (Directive on privacy and electronic communications), Personal data breaches

The steps listed in the question are part of a best practice framework for implementing a secure BYOD program, which allows employees to use their personal devices to access organizational data and applications. A BYOD program poses significant privacy and security risks, such as data leakage, unauthorized access, malware infection, and compliance violations. Therefore, an organization should follow a comprehensive approach to discover, monitor, manage, and secure the devices, apps, and data involved in a BYOD program. This approach can help the organization meet the GDPR requirements for data protection by design and by default, data security, accountability, and data breach notification. References:

• Free CIPP/E Study Guide, page 15, section 2.3.3
• CIPP/E Certification, page 10, section 1.1.2
• Cipp-e Study guides, Class notes & Summaries, document “CIPP/E Exam Summary 2023”, page 42, section 2.3.3

According to the GDPR, consent must be freely given, specific, informed and unambiguous1. However, in the context of employment, there is often an imbalance of power between the employer and the employee, which may affect the validity of consent. The employee may feel pressured or coerced to give consent, or may not be able to withdraw it without negative consequences. Therefore, consent is not a reliable or appropriate legal basis for processing employee data in most cases23. The employer should consider other lawful bases, such as contractual necessity, legal obligation, legitimate interests or specific conditions for special category data45. References: 1 Art. 4 (11) GDPR – Definitions - General Data Protection Regulation (GDPR)2 Can my employer require me to give my consent to use my personal data? | European Commission. 3 When is consent appropriate? | ICO. 4 Art. 6 (1) GDPR – Lawfulness of processing - General Data Protection Regulation (GDPR)5 Art. 9 (2) GDPR – Processing of special categories of personal data - General Data Protection Regulation (GDPR).

 According to the GDPR, the territorial scope of the regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behavior as far as their behavior takes place within the Union1. In this scenario, Bioface is not established in the Union, but it is collecting photographs of data subjects in the Union and using a facial recognition algorithm to identify them. This constitutes monitoring of their behavior within the Union, and therefore triggers the application of the GDPR. The other options are not correct because: (A) Bioface does not have any establishment in the Union, as it only collects data from web-based services, which does not imply the existence of stable arrangements in the Union2; (B) Bioface is not offering services in the Union, as it only targets government agencies and companies in the US and Canada, and does not intend to provide its service to data subjects in the Union3; © Bioface collects data from subjects and uses it for automated processing, but this is not a sufficient criterion to determine the territorial scope of the GDPR, as it does not relate to the offering of goods or services or the monitoring of behavior in the Union4. References: 1: Article 3(2) of the GDPR; 2: EDPB Guidelines, paragraph 20; 3: EDPB Guidelines, paragraph 38; 4: EDPB Guidelines, paragraph 50.

The GDPR defines profiling as any form of automated processing of personal data to evaluate certain personal aspects relating to a natural person, such as their preferences, behaviour, or interests1. Profiling is subject to the general principles and rules of the GDPR, such as lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, and confidentiality2. The GDPR also provides specific rights for data subjects who are subject to profiling, such as the right to be informed, the right to access, the right to rectify, the right to object, and the right to not be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects on them3.

In the given scenario, the online shop is engaging in profiling by tracking the browsing behaviour of its European customers and predicting future purchases. It is also sharing this information with third parties, which may involve further processing of the personal data. Therefore, the online shop must comply with the GDPR requirements for profiling and ensure that it has a valid legal basis for the processing. According to Article 6 of the GDPR, there are six possible legal bases for processing personal data: consent, contract, legal obligation, vital interests, public interest, or legitimate interests4. However, not all of them are equally applicable or appropriate for profiling activities, especially when they involve sensitive or special categories of data, such as biometric, genetic, or health data, which require additional safeguards under Article 9 of the GDPR5.

In this case, the most relevant and suitable legal basis for the online shop’s profiling is consent, which means that the data subject has given a clear and affirmative indication of their agreement to the processing of their personal data for one or more specific purposes6. Consent must be freely given, specific, informed, and unambiguous, and must be obtained before the processing begins7. The online shop must also inform the data subject about the nature and purpose of the profiling, the logic involved, the consequences, and the rights they have in relation to it. The online shop must also respect the data subject’s right to withdraw their consent at any time and to object to the profiling.

Therefore, the online shop’s primary obligation while engaging in this kind of profiling is to solicit informed consent through a notice on its website, which must be clear, concise, and easily accessible, and must not be bundled with other terms and conditions. The online shop must also provide a simple and effective mechanism for the data subject to give or revoke their consent, such as a checkbox, a slider, or a button. The online shop must also keep records of the consent obtained and be able to demonstrate that it has complied with the GDPR requirements for consent.

The other options (B, C, and D) are not the primary obligation for the online shop, as they are either irrelevant or insufficient for the GDPR compliance. Seeking authorization from the European supervisory authorities is not necessary, unless the online shop is involved in a cross-border processing that requires a prior consultation under Article 36 of the GDPR. Demonstrating a prior business relationship with the customers is not a valid legal basis for the profiling, as it does not imply consent or legitimate interests. Proving that it uses sufficient security safeguards to protect customer data is a general obligation for any processing of personal data, but it does not address the specific issues and risks of profiling, such as discrimination, manipulation, or loss of control. References:

• 1: What is automated individual decision-making and profiling?
• 2: Article 5 of the GDPR
• 3: Rights related to automated decision making including profiling
• 4: [Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)]
• 5: Article 9 of the GDPR
• 6: Article 4 (11) of the GDPR
• 7: Article 7 of the GDPR
• : Article 13 and 14 of the GDPR
• : Article 21 of the GDPR
• : Article 12 of the GDPR
• : [Guidelines on consent under Regulation 2016/679]
• : Article 24 of the GDPR
• : Article 36 of the GDPR
• : [Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679]
• : [https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf]
• : [https://edpb.europa.eu/sites/edpb/files/files/file1/20171104_wp251rev01_en.pdf]

 According to Recital 51 of the GDPR, photographs are not automatically considered as biometric data, unless they are processed by a specific technical means that allows the unique identification or authentication of a natural person1. This means that printing employees’ photographs on building passes does not necessarily involve biometric data, as long as the photographs are not used for facial recognition or other similar purposes. The other options are incorrect, as they do not reflect the definition of biometric data or the conditions for processing special categories of personal data under the GDPR2. References:

• Recital 51 of the GDPR
• ICO guidance on special category data

Reference https://ess.csa.canon.com/rs/206-CLL-191/images/IAPP-Top-10-Operational-Impacts-of- GDPR.pdf?TC=DM &CN=CSA_OMNIA_Partners&CS=CSA&CR=T1_Gov%20GenNonProfit (11)

The CJEU ruled that the consent required by the ePrivacy Directive for the use of cookies must comply with the conditions laid down in the GDPR, which means that it must be specific, informed, unambiguous, and freely given. Therefore, pre-checked boxes or implied consent by scrolling are not valid forms of consent for cookies. The CJEU also clarified that the ePrivacy Directive applies to any information stored or accessed on a user’s device, regardless of whether it is personal data or not. Furthermore, the CJEU stated that the information provided to users about cookies must include the duration of the operation of cookies and the possibility of third parties accessing them.

References: CIPP/E Study Guide, page 29; CIPP/E Textbook, page 137; Planet49 case

The territorial scope of the GDPR is determined by Article 3 of the Regulation, which sets out two main criteria for applying the GDPR to the processing of personal data: the establishment criterion and the targeting criterion. The establishment criterion applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not. The targeting criterion applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to the offering of goods or services to such data subjects in the EU or the monitoring of their behaviour as far as their behaviour takes place within the EU. In addition, the GDPR applies to the processing of personal data by a controller not established in the EU, but in a place where Member State law applies by virtue of public international law.

Therefore, the territorial scope of the GDPR does not depend on the membership of a country to a particular international agreement or organisation, but on the location and activities of the controller or processor and the data subjects involved in the processing. The Paris Agreement is an international treaty on climate change that aims to limit global warming and reduce greenhouse gas emissions. It does not have any direct or indirect relevance to the GDPR or the protection of personal data. Hence, being a party to the Paris Agreement does not affect the applicability of the GDPR to a country or a controller or processor established in that country.

The other options are incorrect because they are either directly or indirectly related to the GDPR or the protection of personal data. The European Economic Area (EEA) consists of all EU member states plus Iceland, Liechtenstein and Norway. The EEA Agreement allows these three countries to participate in the EU’s internal market and to adopt most of the EU legislation, including the GDPR. Therefore, the GDPR applies to all EEA countries as if they were EU member states. The Treaty of Lisbon is an international agreement that amends the two treaties which form the constitutional basis of the EU. The Treaty of Lisbon introduces several changes to the EU’s institutional structure, decision-making process, and policy areas, including the recognition of the Charter of Fundamental Rights of the EU as legally binding. The Charter of Fundamental Rights of the EU includes the right to the protection of personal data as a fundamental right, and provides the legal basis for the GDPR. Therefore, the GDPR applies to all EU member states that are parties to the Treaty of Lisbon. The European Union (EU) is a political and economic union of 27 member states that are located primarily in Europe. The EU has developed an internal single market through a standardised system of laws that apply in all member states, including the GDPR. Therefore, the GDPR applies to all EU member states by virtue of their membership to the EU. References: Art. 3 GDPR – Territorial scope, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) - version adopted after public consultation, Paris Agreement - Wikipedia, European Economic Area - Wikipedia, Treaty of Lisbon - Wikipedia, European Union - Wikipedia

Binding Corporate Rules (BCRs) are a data transfer mechanism under the GDPR that allow multinational companies to transfer personal data within their group entities outside the EU, provided that they comply with the data protection principles and rights of the GDPR. BCRs are internal codes of conduct that must be legally binding and enforced by every member of the group.

According to Article 47 of the GDPR, BCRs must be approved by the competent Data Protection Authority (DPA) in the EU, following the consistency mechanism set out in Article 63 of the GDPR. This means that the DPA that receives the application for approval of the BCRs must communicate its draft decision to the European Data Protection Board (EDPB), which will issue its opinion on the BCRs. The EDPB is an independent body composed of representatives of the national DPAs and the European Data Protection Supervisor. The EDPB ensures the consistent application of the GDPR across the EU and issues guidelines, recommendations, and best practices on various aspects of the GDPR.

Therefore, the data transfer mechanism that Alice drafted violates the GDPR because the company did not first get approval from the Data Protection Authority, which is the supervisory authority responsible for authorising and monitoring the BCRs. The company cannot rely on the BCRs as a valid legal basis for transferring personal data from the EU to the US without the DPA’s approval.

The other options are not correct, as they are not the authorities that approve the BCRs under the GDPR. The Court of Justice of the European Union (CJEU) is the judicial body of the EU that interprets and applies EU law and ensures its uniformity across the EU. The CJEU does not approve the BCRs, but it may rule on the validity or interpretation of the GDPR or other EU laws that affect data protection. The European Data Protection Board (EDPB) is an independent body that ensures the consistent application of the GDPR and issues opinions on the BCRs, but it does not approve them. The EDPB’s opinions are not binding, but they must be taken into account by the DPAs. The European Commission is the executive branch of the EU that proposes and implements EU laws and policies. The European Commission does not approve the BCRs, but it may adopt adequacy decisions that recognise that a third country or an international organisation ensures an adequate level of data protection, which is another data transfer mechanism under the GDPR.

References:

• GDPR
• Binding Corporate Rules (BCR)
• Binding Corporate Rules - PwC
• Binding Corporate Rules - GDPR Summary
• A Guide for Binding Corporate Rules - Hunton Andrews Kurth
• Personal data transfers: binding corporate rules (BCRs) under the GDPR

According to Article 23 of the GDPR, the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, may be restricted by a legislative measure of a Member State or the Union, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard certain public interests or the rights and freedoms of others1. However, Article 23 does not include Article 77, which grants the data subject the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to him or her infringes the GDPR2. Therefore, this right cannot be restricted by any legislative measure, as it is essential for the effective judicial protection of the data subject and the enforcement of the GDPR3. References:

• Free CIPP/E Study Guide, page 14, section 2.3
• GDPR, Article 77
• GDPR, Article 23
• Guidelines on restrictions of data subject rights under Art. 23 of the GDPR, page 4, section 2
• Statement on restrictions on data subject rights in connection to the COVID-19 pandemic, page 2, section 2

 The Individual Participation Principle is one of the Fair Information Practice Principles (FIPPs) that are not part of any legal framework, but are widely adopted by many data privacy regulations in force today1. The FIPPs are a set of guidelines for fair information practices that aim to protect the privacy and security of personal information. The Individual Participation Principle holds that individuals have a number of rights, including the right to have their personal data corrected or erased, the right to access and obtain confirmation of their personal data, the right to be informed about how their personal data is used and who it is shared with, and the right to object or withdraw consent for certain purposes2.

The General Data Protection Regulation (GDPR) is a legal framework that implements the European Union’s (EU) Data Protection Directive and provides comprehensive protection for all individuals within the EU regarding their personal data. The GDPR grants individuals a number of rights, such as the right to access, rectify, erase, restrict, port, object, or not be subject to automated decision-making based on their personal data. These rights are similar to those under the FIPPs and can be found in Articles 12 to 22 of the GDPR.

Therefore, the parts of the GDPR that provide the closest equivalent to the Individual Participation Principle are Articles 12 to 22.

References:

• OECD Privacy Principles
• What are the 7 main principles of GDPR?
• Fair Information Practice Principles (FIPPs)
• Individual Participation - International Association of Privacy Professionals
• What is the right to be forgotten? | Right to erasure | Cloudflare
• General Data Protection Regulation - Wikipedia

 The definition of personal data under the GDPR is broad and covers any information that relates to an identified or identifiable natural person. This means that personal data can include information such as name, email, phone number, address, date of birth, race, gender, political opinions and more. The GDPR protects personal data on all levels, platforms and technologies, and requires organizations to process it only for a specific purpose and keep it for a limited time.

The unlinked aggregated data used for statistical purposes by an Italian company would most likely NOT be covered by the definition of personal data under the GDPR. Aggregated data is data that has been processed in such a way that individual records are no longer identifiable. For example, if a company collects the names and email addresses of its customers and then calculates the average age of its customers, the resulting data is aggregated and not personal. Therefore, this type of data would not be subject to the GDPR.

However, this does not mean that the Italian company can use this type of data without any restrictions or obligations. The GDPR still applies to any processing activity that involves personal data in any form or manner. For example, if the Italian company uses this type of data to create a profile or a segment of its customers based on their characteristics or preferences, it may still need to comply with certain principles and conditions under the GDPR. For instance, it may need to obtain consent from its customers before using their aggregated data for marketing purposes; it may need to ensure that its aggregated data is accurate and up-to-date; it may need to limit the retention period of its aggregated data; and it may need to respect the rights of its customers regarding their personal data.

References:

• What is personal data? | ICO
• What is considered personal data under the EU GDPR?
• [GDPR personal data – what information does this cover?]

 According to the GDPR, the right of access by the data subject is one of the rights granted to individuals to obtain information about the processing of their personal data by a data controller1. The data controller must provide a copy of the personal data undergoing processing and additional information, such as the purposes, the categories, the recipients, the retention period, the rights, the source, and the automated decision-making of the processing1. The data controller must also inform the data subject of the existence of the right to access and the means to exercise it2.

The GDPR also specifies the time limit for responding to a data subject access request. The data controller must provide the information without undue delay and in any event within one month of receipt of the request1. This period may be extended by two further months where necessary, taking into account the complexity and number of the requests, but the data controller must inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay1. The data controller must also verify the identity of the data subject before providing the information, but this verification should not extend the time limit for responding to the request3.

In this scenario, Mike is an EU resident who has booked travel itineraries through XYZ Travel Agency and stayed at ABC Hotel Chain’s locations. Both companies are U.S.-based multinational companies that use a common platform for collecting and sharing their customer data. Mike has signed the agreement to be a rewards program member of XYZ Travel Agency. Mike wants to know what personal information the company holds about him and sends an email requesting access to his data.

Assuming that both companies are subject to the GDPR, either because they offer goods or services to individuals in the EU or because they monitor the behavior of individuals in the EU4, they must comply with the right of access by the data subject and provide Mike with the information he requests. The time period in which Mike should receive a response to his request is not more than one month of receipt of his request, unless there are grounds for extending the period by two further months. The companies must also verify Mike’s identity before providing the information, but this verification should not affect the time limit for responding to the request.

Therefore, the correct answer is A. Not more than one month of receipt of Mike’s request.

References: 1 Article 15 of the GDPR2 Article 13 and 14 of the GDPR3 Guidelines on the right to data portability | European Data Protection Board34 Article 3 of the GDPR.

According to Article 13 of the GDPR, when a controller obtains personal data directly from the data subject, the controller must provide the data subject with certain information about the processing of their data, such as the identity and contact details of the controller, the purposes and legal basis of the processing, the recipients or categories of recipients, the period of storage, the rights of the data subject, the right to lodge a complaint, etc. However, the controller does not have to provide the data subject with the categories of personal data concerned, as this information is already known by the data subject, since they provided the data themselves. This is different from Article 14, which applies when the controller obtains personal data from a source other than the data subject, and requires the controller to inform the data subject of the categories of personal data concerned, as well as the source of the data. References:

• Art. 13 GDPR - Information to be provided where personal data are collected from the data subject
• Art. 14 GDPR - Information to be provided where personal data have not been obtained from the data subject
• Article 13: Information to be provided where personal data are collected from the data subject - GDPR

The GDPR requires that personal data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures1. This principle is known as integrity and confidentiality, or sometimes as security2. Encryption is one of the possible technical measures that can be used to protect personal data at rest, as it makes the data unintelligible to anyone who does not have the key to decrypt it3. By recommending that the company encrypts all personal data at rest, Tanya is following the principle of integrity and confidentiality, as she is ensuring that the personal data is secure and protected from unauthorised access or accidental damage. References: 1: Article 5(1)(f) of the GDPR 2: A guide to the data protection principles | ICO 3: Encryption | ICO

According to the EU glossary1, a directive is a legal act that sets out a goal that EU countries must achieve, but leaves them the choice of form and methods to reach it. A directive is binding on the EU countries to which it is addressed, but it does not apply directly at the national level. Instead, it has to be transposed into national law by the national authorities, usually within a specified time limit. This allows for some flexibility and adaptation to the specific circumstances of each country. A directive is different from a regulation, which is a legal act that applies automatically and uniformly to all EU countries as soon as it enters into force, without needing to be transposed into national law. References:

• Free CIPP/E Study Guide, page 14, section 2.3
• Types of legislation, section 2
• What are EU directives?

 According to the ICO guidance on the use of cookies and similar technologies1, browser settings and other control mechanisms can be relied upon for the lawful application of cookies only if they meet the following conditions:

• They are designed to protect users’ privacy and provide them with control over the use of cookies and similar technologies;
• They are prominent and easy to use, and do not require users to take unnecessary steps or provide unnecessary information;
• They are specific and granular enough to allow users to express their preferences for different types and purposes of cookies and similar technologies;
• They are sufficiently informed and clear about the cookies and similar technologies that will be set or accessed, and the purposes for which they will be used;
• They are regularly reviewed and updated to reflect any changes in the cookies and similar technologies that are used or the purposes for which they are used;
• They are not overridden or circumvented by other software or settings that may interfere with users’ choices;
• They provide an effective means of withdrawing consent at any time.

Therefore, browser settings and other control mechanisms can be a valid way of obtaining consent for cookies and similar technologies, but only if they meet these high standards and ensure that users have a real and meaningful choice over the use of cookies and similar technologies on their devices. References: 1 How do we comply with the cookie rules? | ICO. Available at: 4 (Accessed: 11 December 2023).

The material scope of the GDPR is outlined in Article 21. The Regulation applies to ‘processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.’1 However, the Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity1. This exemption is meant to protect the privacy of individuals in their private sphere and to exclude activities that have no connection with a professional or commercial activity2. The exemption covers activities such as correspondence, social networking, online publication of photos or videos, and the use of online services for personal purposes2. However, the exemption does not apply if the processing of personal data affects the rights and freedoms of others, such as when the data is made accessible to an indefinite number of people3. Therefore, the processing of personal data by a natural person in the course of a large-scale but purely personal or household activity is not exempt from the material scope of the GDPR, as it may have an impact on the privacy of other individuals. The other options are exempt from the material scope of the GDPR, as they involve small-scale, purely personal or household activities that do not affect the rights and freedoms of others. References: 1: Article 2 of the GDPR2: Recital 18 of the GDPR3: CJEU, Case C-101/01, Lindqvist, 2003.

The GDPR and the Convention 108 are two important data protection instruments that aim to protect the rights and freedoms of individuals with regard to their personal data. They both have some similarities and some differences, but one common feature is that they both require notification of processing activities to a supervisory authority.

A supervisory authority is an independent public body that monitors and enforces compliance with data protection laws. In the EU, there are 47 national data protection authorities (DPAs) that have the power to impose administrative fines, issue guidelines, conduct investigations, and cooperate with other authorities1. In the Council of Europe, there are 54 parties to the Convention 108 that have established their own supervisory authorities or have agreed to be supervised by an external authority2.

Notification of processing activities is a requirement for any controller or processor of personal data that falls under the scope of the GDPR or the Convention 108. A controller is a natural or legal person who determines the purposes and means of the processing of personal data3. A processor is a natural or legal person who processes personal data on behalf of a controller3. Notification means informing the supervisory authority about certain aspects of the processing, such as:

• The identity and contact details of the controller and processor
• The categories and sources of personal data
• The purposes and legal basis for processing
• The recipients or categories of recipients of personal data
• The retention period or criteria for determining it
• The existence of any automated decision-making or profiling
• The rights of data subjects and how they can exercise them

Notification can be done in various ways, such as:

• Submitting a written notification form
• Publishing a notice on a website or other platform
• Sending an email or other electronic message
• Using an online system or portal

Notification should be done as soon as possible after becoming aware of any relevant information about the processing. It should also be updated whenever there are significant changes in relation to the processing4.

Therefore, both the GDPR and the Convention 108 require notification of processing activities to a supervisory authority. This is one way to ensure transparency, accountability, and compliance with data protection laws.

Cross-border processing is defined in Article 4(23) of the GDPR as either:

•processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or

•processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

Therefore, the factors that are relevant for identifying whether the processing could be considered a cross-border processing are:

•the location and number of establishments of the controller or processor in the EU;

•the connection between the processing and the activities of the establishments;

•the substantial effect or likelihood of substantial effect on data subjects in more than one Member State.

The total number of the data subjects interested is not necessarily a factor, as the processing could affect only a few data subjects but still have a substantial impact on them. For example, a processing that involves the disclosure of sensitive personal data of a small group of data subjects in different Member States could be considered a cross-border processing.

References:

•GDPR Article 4 - Definitions1

•Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority2

 According to the GDPR, the lead supervisory authority is the supervisory authority with the primary responsibility for dealing with a cross-border processing activity, for example when a data subject makes a complaint about the processing of his or her personal data. The lead supervisory authority is determined according to the location of the main establishment or the single establishment of the controller or processor in the EU. The main establishment is the place where the decisions about the purposes and means of the processing are taken, or where the controller has its central administration in the EU. The single establishment is the only place where the controller or processor is established in the EU. Therefore, in this scenario, T-Craze’s lead supervisory authority is Germany, because that is where T-Craze is headquartered and where it has its main product-design office, which implies that the decisions about the processing of personal data are taken there. The other options are not correct, because the location of the processing, the market or the affiliates are not relevant for determining the lead supervisory authority. References: Free CIPP/E Study Guide, page 39; CIPP/E Certification, page 19; GDPR, Article 4(16), Article 4(22), Article 56, Recital 36.

The GDPR defines personal data as “any information relating to an identified or identifiable natural person” (Article 4(1)). This includes names, quotations, and any other data that can be linked to a specific individual. The GDPR also requires that personal data be processed lawfully, fairly, and transparently, and that it be collected for specified, explicit, and legitimate purposes (Article 5(1)). Furthermore, the GDPR grants data subjects the right to object to the processing of their personal data for direct marketing purposes or for the purposes of the legitimate interests of the controller or a third party (Article 21).

In this scenario, Serge may have grounds to object to the use of his quotation on Brady Box’s home webpage, as it constitutes the processing of his personal data outside of the original purpose for which it was collected. Serge posted the quotation on Brady Box’s SNS, which is a separate service from Brady Box’s web page design service. By using the quotation on the home webpage, Brady Box is processing Serge’s personal data for a different purpose than the one for which Serge provided it, and without his consent or a legitimate interest. This may violate the principles of purpose limitation and lawfulness under the GDPR. Moreover, Serge may object to the use of his quotation as it implies his endorsement of Brady Box’s service, which may affect his reputation or interests.

The other options are less likely to be valid grounds for objection, as they are not directly related to the GDPR’s provisions on personal data protection. The misrepresentation of personal data as an endorsement may be a matter of contract law or consumer protection law, but not necessarily a GDPR issue. The juxtaposition of the quotation with others’ quotations may not affect Serge’s rights or interests, unless it creates a false or misleading impression of his views or opinions. The misapplication of the household exception in relation to a SNS may not apply in this case, as the household exception only covers the processing of personal data by a natural person in the course of a purely personal or household activity (Article 2(2)©). Serge’s posting of the quotation on a SNS may not qualify as a purely personal or household activity, as it involves the disclosure of personal data to a wider audience.

References:

• GDPR
• GDPR and social media
• How does GDPR affect social media marketing?
• Data Protection & Social Media: How GDPR Influences Today’s Social Media Marketing

According to Article 83 of the GDPR, the less severe administrative fines of up to 10 million euros or 2% of the annual worldwide turnover apply to infringements of the articles governing controllers and processors, certification bodies, and monitoring bodies. These include Articles 8, 11, 25-39, 42, and 43. Among the answer choices, only option B falls under this category, as Article 25 requires controllers to implement data protection by design and by default. Option A is related to Article 7, which governs the conditions for consent. Option C is related to Article 5, which sets out the principles for processing personal data. Option D is related to Article 16, which grants the right to rectification to data subjects. These articles are subject to the more severe administrative fines of up to 20 million euros or 4% of the annual worldwide turnover. References:

• GDPR Article 83
• GDPR Article 25
• GDPR Article 7
• GDPR Article 5
• GDPR Article 16

According to the WP29’s “Guidelines on Personal data breach notification under Regulation 2016/679’’, the communication of a personal data breach to the data subjects should be clear, concise, transparent, easily accessible and understandable, and use clear and plain language. The communication should also be made as soon as reasonably feasible and in close cooperation with the supervisory authority. The guidelines provide some examples of methods that may be effective for communicating a breach to data subjects, such as a direct electronic message (e.g. email, SMS, direct message), a postal notification, a prominent advertisement in print media, or a notice on the homepage of the affected website. However, the guidelines also state that a notice on a corporate blog or social media would not be an effective method of communication, as it would not reach all the affected data subjects and would not allow them to take immediate action to protect themselves. Therefore, the correct answer is C. A notice on a corporate blog. References:

• WP29’s “Guidelines on Personal data breach notification under Regulation 2016/679’’, pages 20-211

Article 30 of the GDPR requires controllers and processors to maintain records of their processing activities, which include information such as the purposes of the processing, the categories of personal data, the recipients of the data, the retention periods, and the security measures12. However, Article 30 does not require controllers to keep records of incidents of personal data breaches, whether disclosed or not. This is a separate obligation under Article 33 and Article 34, which require controllers to notify the supervisory authority and the data subjects of any personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons34. References: 1: Article 30 of the GDPR 2: What do we need to document under Article 30 of the UK GDPR? | ICO 3: Article 33 of the GDPR 4: Article 34 of the GDPR

Section: (none)

Explanation

Pseudonymisation is a method that allows you to switch the original data set (for example, e-mail or a name) with an alias or pseudonym, or, in other words, a value which does not allow the individual to be directly identified1. It is a reversible process that de-identifies data but allows the re-identification later on if necessary1. This is a well-known data management technique highly recommended by the General Data Protection Regulation (GDPR) as one of the data protection methods2. To make personal data pseudonymous, a data controller must separately hold any information that would allow linking the data to the data subject, such as a key or a code, and ensure that this information is kept securely and subject to technical and organisational measures to prevent unauthorised access or re-identification23. The other options are not correct, as they either describe other data protection methods, such as encryption or anonymisation, or do not meet the definition of pseudonymisation under the GDPR. References: Pseudonymization according to the GDPR, Pseudonymisation - Wikipedia, Anonymisation and pseudonymisation | Data Protection Commissioner

Works councils are employee representative bodies that exist in some European countries, such as Germany, France, Spain and Italy. They have various roles and powers depending on the national laws and collective agreements, but generally they aim to protect and promote the interests of the employees in relation to the employer. Some of the common roles of works councils are:

• Determining whether to approve or reject certain decisions of the employer that affect employees, such as transfers, dismissals, redundancies, working hours, health and safety, etc.
• Determining whether employees’ personal data can be processed or not, based on the principle of co-determination, which means that the employer needs the consent of the works council for any data processing that involves employee monitoring, evaluation or control.
• Determining what changes will affect employee working conditions, such as wages, benefits, training, social facilities, etc.

However, works councils do not have the role of determining the monetary fines to be levied against employers for data breach violations of employee data. This is the role of the data protection authorities, which are independent public bodies that supervise, through investigative and corrective powers, the application of the data protection law. Works councils may cooperate with the data protection authorities or file complaints on behalf of the employees, but they do not have the authority to impose sanctions on the employers. References: Free CIPP/E Study Guide, page 27; CIPP/E Certification, page 13.

You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company’s revenue is due to international sales.

The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: The figures can answer children’s Questions: on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience.

When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure’s integrated speakers, making it appear as though that the toy is actually responding to the child’s question. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.

In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures’ abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of home and have the character’s abilities remain intact.

Why is this company obligated to comply with the GDPR?

A. The company has offices in the EU. B. The company employs staff in the EU. C. The company’s data center is located in a country outside the EU. D. The company’s products are marketed directly to EU customers.

Answer:

Verified Answer: D. The company’s products are marketed directly to EU customers.

Comprehensive Explanation: According to section 6(1)© of the GDPR1, personal data shall be processed by organisations, which offer goods or services or otherwise carry out activities, in relation to which processing of personal data may be regarded as relevant for their legitimate interests. The legitimate interests referred to are those arising from the performance of a task carried out in their name or on their behalf, or for their own purposes. The legitimate interests referred to are those arising from the performance of a task carried out in their name or on their behalf, or for their own purposes. The legitimate interests referred to are those arising from the performance of a task carried out in their name or on their behalf, or for their own purposes. The legitimate interests referred to are those arising from the performance of a task carried out in their name or on their behalf, or for their own purposes. The legitimate interests referred to are those arising from the performance of a task carried out in their name or on their behalf, or for their own purposes. The legitimate interests referred to are those arising from the performance of a task carried out in their name or on their behalf, or for their own purposes. The legitimate interests referred to are those arising from the performance

The GDPR requires that data subjects are provided with certain information when their personal data are collected, either from the data subject themselves or from another source12. This information includes, among other things, the identity and contact details of the controller (and, where applicable, of the controller’s representative and the data protection officer), and the purposes of the processing for which the personal data are intended as well as the legal basis for the processing34. This information is necessary to ensure fair and transparent processing of personal data, and to enable data subjects to exercise their rights under the GDPR5. Therefore, option C is the correct answer, as it contains two of the essential pieces of information that must be provided to data subjects before collecting their personal data. Options A, B and D are incorrect, as they do not include all the required information or include information that is not mandatory. References: 1: Article 13 of the GDPR 2: Article 14 of the GDPR 3: Article 13(1)(a) and © of the GDPR 4: Article 14(1)(a) and © of the GDPR 5: Recital 60 of the GDPR

According to Article 14 of the GDPR, where personal data is not obtained directly from the data subject, the controller must provide the data subject with certain information about the processing, such as the identity of the controller, the purposes and legal basis of the processing, the categories of personal data concerned, the recipients or categories of recipients of the personal data, and the rights of the data subject12. However, there are some exceptions to this obligation, as specified in Article 14(5). One of them is when the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) or in so far as the obligation is likely to render impossible or seriously impair the achievement of the objectives of that processing12. In such cases, the controller must take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available12. References: CIPP/E Certification - International Association of Privacy Professionals, Free CIPP/E Study Guide - International Association of Privacy Professionals, GDPR - EUR-Lex, Right to be Informed - General Data Protection Regulation (GDPR)

According to Article 37(2) of the GDPR, a group of undertakings may appoint a single data protection officer (DPO) provided that the DPO is easily accessible from each establishment12. This means that the DPO should be able to communicate effectively with the data subjects and the supervisory authorities in the relevant languages and jurisdictions, and to perform the tasks referred to in Article 39 of the GDPR34. The accessibility of the DPO does not necessarily depend on the physical location of the DPO, but rather on the availability of the DPO to the relevant stakeholders via various means of communication34. Therefore, the DPO does not have to be located in the country where the data controller has its main establishment, nor does the group of undertakings have to obtain approval from a supervisory authority or be comprised of organizations of similar sizes and functions to appoint a single DPO. References: CIPP/E Certification - International Association of Privacy Professionals, Free CIPP/E Study Guide - International Association of Privacy Professionals, GDPR - EUR-Lex, What’s different about a group data protection officer?, Data Protection Officers: What US Companies Need to Know - Cooley