According to the GDPR, pseudonymization is a technique that reduces the linkability of personal data to a specific data subject by replacing identifying attributes with pseudonyms1. Pseudonymization is not a sufficient measure to anonymize personal data, which means that the data cannot be attributed to an identifiable person without additional information2. Pseudonymization can help data controllers and processors to comply with the GDPR principles of data minimization, purpose limitation, and storage limitation, as well as to enhance the security and confidentiality of personal data3.

In this scenario, JaphSoft’s use of pseudonymization is not in compliance with the GDPR because of option C: JaphSoft was in possession of information that could be used to identify data subjects. This is because JaphSoft did not keep the additional information (the contact information) separately from the pseudonymized data (the identifying information), and did not apply technical and organizational measures to prevent the re-identification of the data subjects4. This means that JaphSoft could potentially link the personal data to the individuals, and therefore, the data was not effectively pseudonymized. Moreover, JaphSoft did not have a deletion process for the data it received from clients, which could violate the principle of storage limitation that requires personal data to be kept no longer than necessary for the purposes for which they are processed.

The GDPR defines profiling as any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements12. Therefore, the relevant factors when determining if a processing activity would be considered profiling are:

whether the processing involves data that is considered personal data;

whether the processing of the data is done through automated means; and

whether the processing is used to predict the behavior of data subjects.

The identity of the processor, whether it is the controller or a third-party vendor, is not relevant for the definition of profiling. However, it may have implications for the accountability and responsibility of the parties involved, as well as the data protection rights of the data subjects34. References: CIPP/E Certification - International Association of Privacy Professionals, Free CIPP/E Study Guide - International Association of Privacy Professionals, GDPR - EUR-Lex, What is automated individual decision-making and profiling? | ICO, WP29 releases guidelines on profiling under the GDPR, UK: A Guide To GDPR Profiling And Automated Decision-Making - Mondaq

 According to the GDPR, consent is one of the six lawful bases for processing personal data. Consent means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Consent can be withdrawn at any time, and the withdrawal of consent must be as easy as giving it. Therefore, an individual can withdraw her consent for processing when she no longer wishes to be sent marketing materials from an organization, as this is a clear indication of her wishes and does not affect the lawfulness of the processing based on consent before its withdrawal. The other situations are not related to consent, but to other lawful bases such as contract, legitimate interest or legal obligation. References: Free CIPP/E Study Guide, page 9; CIPP/E Certification, page 3; GDPR, Article 4(11), Article 6(1)(a), Article 7(3).

According to Articles 33 and 34 of the GDPR, the Gummy Bear Company potentially violated its breach notification obligations by allowing Sam to copy and use the personal data of its customers in Ireland without their consent or authorization. A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed (Article 4(12)). The Gummy Bear Company, as a data controller, is required to notify the competent supervisory authority of the personal data breach without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons (Article 33(1)). The notification should include the nature of the personal data breach, the categories and approximate number of data subjects and personal data records concerned, the likely consequences of the personal data breach, and the measures taken or proposed to address the personal data breach (Article 33(3)). The Gummy Bear Company is also required to communicate the personal data breach to the affected data subjects without undue delay, if the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons (Article 34(1)). The communication should describe the nature of the personal data breach and the measures taken or proposed to address the personal data breach (Article 34(2)).

Therefore, the Gummy Bear Company should analyze and evaluate all of its breach notification obligations, taking into account the nature and circumstances of the personal data breach, the type and sensitivity of the personal data involved, the potential impact and harm to the data subjects, and the applicable laws and regulations of the jurisdictions where the data subjects reside. The Gummy Bear Company should also document the personal data breach and the remedial actions taken, and cooperate with the supervisory authorities and the data subjects as required by the GDPR.

References: GDPR, Articles 4(12), 33, 341; EDPB Guidelines 01/2021 on Examples regarding Data Breach Notification2

The right to data portability only applies when the processing is based on the data subject’s consent or on a contract with the data subject12. Therefore, if the processing is necessary for a task carried out in the public interest or in the exercise of official authority vested in the controller, the right to data portability does not apply12. This is because the data subject does not have a direct influence on the purpose or the means of the processing in such cases3. References: 1: Article 20 of the GDPR 2: Right to data portability | ICO 3: The right to data portability (Article 20 of the GDPR)

According to Article 3(1) of the GDPR1, personal data shall be processed in any member state only on the basis of a decision taken at a Union level that is binding for that member state, unless it is derogated from by national law. This means that the GDPR applies to any processing of personal data within the EU, regardless of where the controller or processor is located, as long as it is based on a decision made at a Union level that is binding for that member state.

Therefore, option B would most likely trigger the extraterritorial effect of the GDPR, as it involves personal data of EU citizens being processed by a controller or processor based outside the EU, which may be subject to a decision made at a Union level that is binding for that member state.

Option A would not trigger the extraterritorial effect of the GDPR, as it involves monitoring suspected terrorists, which is not considered processing under Article 4(1) and (2) of the GDPR1. Monitoring may fall under other legal frameworks, such as national security or counter-terrorism laws.

Option C would not trigger the extraterritorial effect of the GDPR, as it involves monitoring EU citizens outside the EU by non-EU law enforcement bodies, which may not be subject to any decision made at a Union level that is binding for that member state.

Option D would not trigger the extraterritorial effect of the GDPR, as it involves processing personal data of EU residents by a non-EU business that targets EU customers, which may not be subject to any decision made at a Union level that is binding for that member state.

References: 1: Free CIPP/E Study Guide - International Association of Privacy Professionals.

According to Article 14 of the GDPR, the data controller must provide the data subject with certain information when collecting personal data from a source other than the data subject1. However, there are some exceptions to this obligation, such as when the data subject already has the information, or when the provision of such information proves impossible or would involve a disproportionate effort2. The latter exception may apply, for example, when the personal data are collected from a large number of sources, or when the personal data are processed for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes3. The data controller must take appropriate measures to protect the data subject’s rights and interests, and make the information publicly available2. References: 1: Art. 14 GDPR – Information to be provided where personal data have not been obtained from the data subject2: Article 14(5)(b) of the GDPR3: Recital 62 of the GDPR.

According to the GDPR, when personal data is collected from the data subject, the controller must provide the data subject with certain information, such as the identity and contact details of the controller, the contact details of the data protection officer, the purposes and legal basis of the processing, the recipients or categories of recipients of the personal data, the data subject’s rights, and any other information necessary to ensure fair and transparent processing1. This information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language2. Therefore, Building Block should have provided its employees with information about who they can contact with any queries regarding the monitoring, such as the data protection officer or the Privacy Office, as part of the information notice before implementing the security measures. This would enable the employees to exercise their rights, such as the right to access, rectify, erase, restrict or object to the processing of their personal data, or the right to lodge a complaint with a supervisory authority3. References: 1 Art. 13 GDPR – Information to be provided where personal data are collected from the data subject - General Data Protection Regulation (GDPR)2 Art. 12 GDPR – Transparent information, communication and modalities for the exercise of the rights of the data subject - General Data Protection Regulation (GDPR)3 Art. 15-22 GDPR – Rights of the data subject - General Data Protection Regulation (GDPR).

The GDPR does not explicitly regulate background checks, but it does apply to the processing of personal data that may be obtained or used during such checks. Therefore, the company must comply with the GDPR principles, such as lawfulness, fairness, transparency, data minimization, purpose limitation, accuracy, storage limitation, integrity and confidentiality, and accountability. The company must also identify a lawful basis for processing personal data, such as legal obligation, legitimate interest, or consent, and respect the data subject rights, such as the right to information, access, rectification, erasure, restriction, objection, and portability. Moreover, the company must be aware of the specific rules and restrictions regarding the processing of special categories of data (such as biometric, health, or political data) and data relating to criminal convictions and offences, which are subject to Article 10 of the GDPR and the laws of each member state. The company must also consider the national employment laws and the guidelines of the relevant supervisory authorities, which may impose additional conditions or limitations on the scope, methods, and purposes of background checks. For example, some member states may require prior authorization, notification, or consultation with the supervisory authority, the data subject, or the works council before conducting background checks. Some member states may also prohibit or restrict certain types of background checks, such as social media screening, credit checks, or criminal record checks, unless they are necessary, proportionate, and relevant for the specific job position or sector. Therefore, the company must conduct a thorough assessment of the legal framework and the risks and benefits of background checks in each member state where it operates or recruits employees, and ensure that it has a clear and consistent policy and procedure for conducting background checks in a GDPR-compliant manner. References: How to ‘background check’ under the GDPR, How to perform GDPR compliant background checks, GDPR and the processing of criminal conviction data across Europe, Pre-employment vetting: Data protection and criminal records, How GDPR Affects Background Checking

Convention 108+ is the modernised version of Convention 108, which was the first legally binding international instrument on data protection. The main purpose of Convention 108+ is to update and enhance the protection of personal data in light of the technological developments and the new challenges posed by the globalisation of data processing. Convention 108+ also aims to ensure the effective implementation and enforcement of data protection principles and rules, as well as to facilitate the free flow of data between the parties to the Convention.

References:

•Convention 108+ : the modernised version of a landmark instrument1

•Convention 108 and Protocols - Data Protection - The Council of Europe2

•Convention 108 - Council of Europe3

The GDPR requires that in the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons1. A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed2. In this scenario, the company ABCD is the controller of the client data, and the loss of the memory stick containing unencrypted and clear text personal data is a personal data breach that may pose a risk to the rights and freedoms of the data subjects, such as identity theft, fraud, financial loss, or reputational damage. Therefore, the company ABCD should notify the data protection supervisory authority as soon as possible, and provide the information specified in Article 33(3) of the GDPR, such as the nature of the breach, the categories and number of data subjects and personal data records concerned, the likely consequences of the breach, and the measures taken or proposed to address the breach1. Option A is the correct answer, as it reflects the obligation of the controller under the GDPR. Options B, C and D are incorrect, as they do not comply with the GDPR requirements. Option B would delay the notification beyond the 72-hour deadline, which could result in administrative fines or other sanctions3. Option C would misuse the “disproportionate effort” exception, which only applies to the communication of the breach to the data subjects, not to the notification to the supervisory authority, and only when the controller has implemented appropriate technical and organisational protection measures, such as encryption, that render the personal data unintelligible to any person who is not authorised to access it4. Option D would prematurely notify the customers of the company without first notifying the supervisory authority, and without assessing the level of risk and the necessity of such communication, which should be done in consultation with the supervisory authority5. References: 1: Article 33(1) of the GDPR 2: Article 4(12) of the GDPR 3: Article 83(4)(a) of the GDPR 4: Article 34(3)(a) of the GDPR 5: Article 34(1) and (2) of the GDPR

Under the GDPR, using CCTV on business premises involves the processing of personal data, which requires compliance with the data protection principles and obligations. However, notifying the appropriate data protection authority (DPA) is not one of the steps that a company should take before using CCTV, unless the DPA has specifically requested it or the CCTV involves high-risk processing that requires prior consultation. The other steps are necessary to ensure GDPR compliance, as explained below:

Performing a data protection impact assessment (DPIA) is a mandatory requirement for any type of processing that is likely to result in a high risk to the rights and freedoms of individuals, such as large-scale or systematic monitoring of public areas. A DPIA is a process that helps identify and mitigate the potential privacy risks of using CCTV, and document the measures taken to address them. A DPIA should include a description of the processing, its purpose and necessity, its risks and benefits, the safeguards and security measures, and the consultation with stakeholders. A DPIA should be carried out before the CCTV system is installed or upgraded, and reviewed regularly or whenever there is a significant change in the processing.

Creating an information retention policy for those who operate the system is a good practice to ensure that the personal data collected by CCTV is not kept longer than necessary for the purpose for which it was collected, and that it is securely deleted or anonymised when no longer needed. The retention period should be determined by the specific purpose and context of using CCTV, and take into account any legal or contractual obligations, as well as the expectations and rights of the data subjects. The retention policy should also specify who is responsible for managing and deleting the CCTV footage, and how the deletion process is verified and documented.

Ensuring that safeguards are in place to prevent unauthorized access to the footage is an essential requirement to comply with the GDPR principle of integrity and confidentiality, which states that personal data must be processed in a manner that ensures appropriate security of the data, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage. The safeguards may include technical and organisational measures, such as encryption, access control, logging, audit, training, policies and procedures, that aim to protect the CCTV footage from unauthorized or unlawful access, disclosure, alteration, or destruction, both during transmission and storage. References: GDPR Article 35, GDPR Article 36, GDPR Article 5, CCTV and video surveillance | ICO, 5 Step Guide to Check if Your CCTV is GDPR Compliant

According to the Treaty on European Union (TEU), the European Parliament shall, jointly with the Council, exercise legislative and budgetary functions. It shall also exercise functions of political control and consultation as laid down in the Treaties1. The Council of the European Union, also known as the Council, is the institution that represents the governments of the Member States. Together with the European Parliament, it adopts European legislation and coordinates the policies of the Member States2. The other options are not correct because: (A) The European Commission is the institution that proposes and implements EU policies, ensures the application of EU law, and represents the Union in international affairs3; (B) The Article 29 Working Party was an advisory body composed of representatives of the national data protection authorities, the European Data Protection Supervisor and the European Commission. It was replaced by the European Data Protection Board in 20184; (D) The European Data Protection Board is an independent body that ensures the consistent application of the General Data Protection Regulation and promotes cooperation among the national data protection authorities5. References: 1: Article 14(1) of the TEU; 2: The Council of the European Union; 3: The European Commission; 4: Article 29 Working Party; 5: [European Data Protection Board].

The General Data Protection Regulation (GDPR) introduces several obligations for processors who process personal data on behalf of controllers. These obligations apply to any processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not. The GDPR also applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to the offering of goods or services to data subjects in the EU or the monitoring of their behaviour as far as their behaviour takes place within the EU.

The GDPR’s list of processor obligations regarding cloud computing includes all of the following:

Controllers must be given notice of any subprocessors and have a right of objection. According to Article 28 of the GDPR, a processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.

Individuals authorized to process the personal data are subject to an obligation of confidentiality. According to Article 28 of the GDPR, the processor shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

Processors must implement technical and organizational measures to ensure a level of security appropriate to the risk. According to Article 32 of the GDPR, the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

The GDPR’s list of processor obligations regarding cloud computing does not include the following:

Any personal data related to data subjects must be securely maintained for a maximum of ten years. The GDPR does not specify a precise time limit for the storage of personal data, but leaves it to the controller to determine the appropriate retention period, taking into account the nature, scope, context and purposes of the processing, as well as the risks for the rights and freedoms of data subjects. The GDPR also allows for the further storage of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to appropriate safeguards. Therefore, the processor must follow the instructions of the controller regarding the storage duration of the personal data, and delete or return the personal data to the controller after the end of the provision of services relating to the processing, unless required to store the personal data by Union or Member State law.

References:

GDPR, Articles 3, 4, 28, 29, 32, 51, 55, 56, 57, 58, 60, 61, 62, 63, 64, 65, 66, 67, and 68.

EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, pages 19, 20, 21, 22, 23, 24, 25, 26, 27, and 28.

Cloud Computing and GDPR: what you need to know | Combell, paragraphs 1, 2, 3, 4, 5, 6, 7, and 8.

GDPR Processor Obligations - Taylor Wessing, paragraphs 1, 2, 3, 4, 5, 6, 7, and 8.

The Universal Declaration of Human Rights (UDHR) was adopted by the United Nations General Assembly in 1948 as a response to the atrocities of World War II. It is considered the first global expression of human rights and fundamental freedoms. Article 12 of the UDHR states that “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.” This article is the origin of privacy as a fundamental human right that has influenced many subsequent international and regional instruments, such as the European Convention of Human Rights (ECHR), the OECD Guidelines on the Protection of Privacy, and the Charter of Fundamental Rights of the European Union (CFREU). References:

IAPP CIPP/E Study Guide, page 7

[Universal Declaration of Human Rights]

[Article 12 of the UDHR]

ABC Hotel Chain and XYZ Travel Agency are joint controllers in this relationship, because they jointly determine the purposes and means of the processing of personal data of their customers. According to Article 26 of the GDPR, joint controllers are two or more controllers who jointly participate in the decision-making process regarding the processing of personal data 1. In this scenario, ABC Hotel Chain and XYZ Travel Agency use a common platform for collecting and sharing customer data, and they agree on the data to be stored, how reservations will be booked and confirmed, and who has access to the stored data. Therefore, they have a common influence on the processing of personal data and share a common objective of integrating their marketing efforts. Moreover, they offer a rewards program that allows customers to sign up to accumulate points that can be redeemed for free travel, which implies a joint benefit from the processing of personal data.

The other options are not correct because they do not reflect the actual roles of ABC Hotel Chain and XYZ Travel Agency in this relationship. A controller is a natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data 2. A processor is a natural or legal person who processes personal data on behalf of the controller 3. In this scenario, neither ABC Hotel Chain nor XYZ Travel Agency act solely or on behalf of the other in processing the personal data of their customers. Rather, they act together in a collaborative manner and share the responsibility and accountability for the processing of personal data. Therefore, they are joint controllers, not independent controllers or controller and processor. References: 1: Article 26 of the GDPR 2: Article 4(7) of the GDPR 3: Article 4(8) of the GDPR

The General Data Protection Regulation (GDPR) does not prohibit surveillance of employees in the workplace. Still, it requires employers to follow special rules to ensure that the rights and freedoms of employees are protected when processing their personal data. The GDPR applies to any processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not. The GDPR also applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to the offering of goods or services to data subjects in the EU or the monitoring of their behaviour as far as their behaviour takes place within the EU.

The GDPR requires that any processing of personal data must be lawful, fair and transparent, and based on one of the six legal grounds specified in the regulation. The most relevant legal grounds for employee surveillance are the legitimate interests of the employer, the performance of a contract with the employee, or the compliance with a legal obligation. The GDPR also requires that any processing of personal data must be limited to what is necessary for the purposes for which they are processed, and that the data subjects must be informed of the purposes and the legal basis of the processing, as well as their rights and the safeguards in place to protect their data.

The GDPR also imposes specific obligations and restrictions on the processing of special categories of personal data, such as biometric data, which reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or which are processed for the purpose of uniquely identifying a natural person. The processing of such data is prohibited, unless one of the ten exceptions listed in the regulation applies. The most relevant exceptions for employee surveillance are the explicit consent of the data subject, the necessity for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, or the necessity for reasons of substantial public interest.

The GDPR also sets out the rules and requirements for the transfer of personal data to third countries or international organisations, which do not ensure an adequate level of data protection. The transfer of such data is only allowed if the controller or processor has provided appropriate safeguards, such as binding corporate rules, standard contractual clauses, codes of conduct or certification mechanisms, and if the data subjects have enforceable rights and effective legal remedies.

Based on the scenario, the main problem with the 24/7 camera monitoring is that it has no valid legal basis to be implemented in the context of Gentle Hedgehog’s business. This option is the most consistent with the GDPR’s principles and requirements, as it:

Is not based on a valid legal ground for the processing of personal data, as it does not rely on the legitimate interests of the employer, the performance of a contract with the employee, or the compliance with a legal obligation. The legitimate interests of the employer to ensure the productivity, quality and security of the work performed by the employees must be balanced with the rights and freedoms of the employees, and the 24/7 camera monitoring is likely to be disproportionate and intrusive, especially if it covers non-work-related activities and communications. The performance of a contract with the employee does not justify the 24/7 camera monitoring, as it is not necessary for the fulfilment of the contractual obligations of the employee or the employer. The compliance with a legal obligation does not apply to the 24/7 camera monitoring, as there is no specific law or regulation that requires such a measure in the context of Gentle Hedgehog’s business.

Is not limited to what is necessary for the purposes of the monitoring, as it involves the collection and processing of excessive and irrelevant personal data, such as camera and microphone monitoring, which go beyond the scope of the work performed by the employees, and intrude into their private or personal sphere. The 24/7 camera monitoring is also likely to capture personal data of third parties, such as customers, suppliers or visitors, whose consent is required for the monitoring, and whose rights and freedoms may be affected by the processing.

Is not transparent to the employees, as it does not inform them of the monitoring and its precise scope, and does not give them the opportunity to object or opt out of the monitoring. The monitoring is invisible by default, which means that the employees are not aware of when and how they are being monitored, and what personal data are being collected and processed. The so-called Transparent Mode, which regularly and conspicuously notifies all users about the monitoring and its precise scope, is also insufficient, as it does not provide the employees with a clear and comprehensive information notice, nor with a valid and specific consent form, as required by the GDPR.

Involves the processing of special categories of personal data, such as biometric data or data revealing political opinions or trade union membership, which are not necessary or proportionate for the purposes of the monitoring, and which do not fall under any of the exceptions listed in the regulation. The facial recognition technology used by the monitoring system is a form of biometric data processing, which is prohibited by the GDPR, unless the data subject has given explicit consent, or the processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, or the processing is necessary for reasons of substantial public interest. None of these exceptions apply to the scenario, as the facial recognition technology is not used for any of these purposes, but rather for verifying the identity of the employees each time they log in. The camera and microphone monitoring may also capture personal data revealing political opinions or trade union membership, which are also special categories of personal data, and which are not relevant or proportionate for the purposes of the monitoring.

Involves the transfer of personal data to a third country, such as China, which does not provide an adequate level of data protection, and which may pose additional risks for the rights and freedoms of the employees. The monitoring data, including the facial recognition data, are securely stored in Microsoft Azure cloud servers operated by Sauron Eye, which are physically located in France. However, Sauron Eye is a Chinese vendor of employee surveillance software, whose European headquarters is in Germany. This means that the monitoring data may be accessed or transferred by Sauron Eye to its parent company or other affiliates in China, which is a third country that does not ensure an adequate level of data protection, according to the European Commission. The transfer of personal data to China is only allowed if the controller or processor has provided appropriate safeguards, such as binding corporate rules, standard contractual clauses, codes of conduct or certification mechanisms, and if the data subjects have enforceable rights and effective legal remedies. However, the scenario does not indicate that any of these safeguards or remedies are in place, and therefore the transfer of personal data to China may violate the GDPR.

The other options listed in the question are not the main problem with the 24/7 camera monitoring, as they:

Are not directly related to the GDPR’s principles and requirements, but rather to the national laws and regulations of the member states, which may vary depending on the specific context and circumstances of the monitoring. The GDPR does not specify a precise time limit for the operation of the camera monitoring, but leaves it to the national laws and regulations of the member states to determine the appropriate conditions and safeguards for the monitoring, taking into account the nature, scope, context and purposes of the processing, as well as the risks for the rights and freedoms of data subjects. The GDPR also does not require the approval of the trade union or the license from the national DPA for the camera monitoring, but leaves it to the national laws and regulations of the member states to establish the appropriate procedures and mechanisms for the consultation and involvement of the relevant stakeholders, such as the employees, the trade unions, the works councils, the DPAs or the courts.

Are not the main problem with the 24/7 camera monitoring, but rather the consequences or the implications of the main problem, which is the lack of a valid legal basis for the monitoring. The operation of the camera monitoring during non-business hours and employee holidays, or the accidental filming of third parties whose consent is required for the monitoring, are not the main problem, but rather the result of the main problem, which is the excessive and disproportionate collection and processing of personal data, which go beyond the scope of the work performed by the employees, and intrude into their private or personal sphere. The approval of the trade union or the license from the national DPA are not the main problem, but rather the potential solutions or remedies for the main problem, which is the absence of transparency and accountability for the monitoring, which do not inform the employees of the monitoring and its precise scope, and do not give them the opportunity to object or opt out of the monitoring.

References:

GDPR, Articles 5, 6, 7, 8, 9, 10, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 44, 45, 46, 47, 48, and 49.

EDPB Guidelines 3/2019 on processing of personal data through video devices, pages 5, 6, 7, 8, 9, 10, 11, 12, 13, and 14.

[EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR]

Before Anna determines whether Frank’s performance database is permissible, she needs to know more information about the following aspects of the data processing:

The purpose and legal basis of the data processing, which should be clearly defined and documented in a data protection impact assessment (DPIA) or a similar document12.

The nature and extent of the personal data involved, which should be limited to what is necessary for the purpose and not retained longer than necessary12.

The measures taken to ensure the security and confidentiality of the personal data, such as encryption, pseudonymization, access control, etc12.

The rights and interests of the data subjects, such as their right to access, rectify, erase or restrict their personal data, as well as their right to object or withdraw consent12.

The potential risks and consequences of the data processing for the rights and freedoms of the data subjects, such as identity theft, discrimination, reputational damage, etc12.

In this case, Anna needs to know more information about what students have been told and how the research will be used. This is because:

The purpose of using student records for research purposes is not clear from Frank’s description. He does not specify whether he has obtained consent from the students or their parents/guardians, or whether he has informed them about his research objectives and methods.

The nature and extent of using student records for research purposes is not clear from Frank’s description. He does not specify which student records he is using (e.g., by name or by reference number), how many records he is using (e.g., by cohort or by class), or how long he will keep them (e.g., until graduation or indefinitely).

The measures taken to ensure the security and confidentiality of using student records for research purposes are not clear from Frank’s description. He does not specify whether he has encrypted his program or his laptop before transferring it to his home device, whether he has backed up his program or his laptop before losing it on the train, or whether he has reported his lost laptop to his IT department.

Therefore, Anna needs more information about these aspects before she can determine whether Frank’s performance database is permissible under the GDPR.

References: 1: Free CIPP/E Study Guide - International Association of Privacy Professionals 2: CIPP/E Certification - International Association of Privacy Professionals

The GDPR requires that the information provided to data subjects about the processing of their personal data must be concise, transparent, intelligible and easily accessible, using clear and plain language1. However, this can be challenging when the processing activities are complex, diverse or voluminous. Therefore, a good practice is to use a layered privacy notice, which consists of providing a short notice with the key elements of the privacy information, such as the identity of the controller, the purposes and legal basis of the processing, the recipients of the data, the data subject’s rights, and the contact details of the data protection officer or the supervisory authority. The short notice can then contain links to more detailed information, either by expanding each section or by directing the user to a separate page or document. This way, the user can easily access the information that is most relevant or important to them, without being overwhelmed by a long and complex notice23. A layered privacy notice can be used on websites, in emails, in mobile apps, or in any other medium where space or attention span is limited4. References: 1 Art. 12 GDPR – Transparent information, communication and modalities for the exercise of the rights of the data subject - General Data Protection Regulation (GDPR)2 Layered Notice - International Association of Privacy Professionals3 What methods can we use to provide privacy information? | ICO. 4 Layered Notice - West Virginia.

According to the ePrivacy Directive, which regulates direct electronic marketing in the EU, consent is generally required before sending marketing emails or texts. However, there is an exception known as the ‘soft opt-in’, which allows marketing emails or texts to be sent on an opt-out basis if the recipient’s details were collected “in the context of the sale of a product or a service” and the marketing is for “similar products or services” provided by the same organisation12. Therefore, WonderKids can send direct marketing information by email without prior consent of the person booking the childcare, as long as the information is about similar products or services to those purchased from WonderKids, and the person is given a clear and easy way to opt out of receiving such emails. The other options are not allowed under the ePrivacy Directive, unless the person has given explicit consent to receive them. References:

Free CIPP/E Study Guide, page 33, section 4.1.3

CIPP/E Certification, page 28, section 4.1.3

Cipp-e Study guides, Class notes & Summaries, page 39, section 4.1.3

Direct marketing rules and exceptions under the GDPR, paragraph 5

Marketing | ICO, section “What does the ‘soft opt-in’ mean?”

Convention 108 was the first legally binding international instrument in the data protection field, adopted by the Council of Europe in 19811. However, it had some limitations that led to the creation of the Data Protection Directive (Directive 95/46/EC) by the European Union in 19952. One of the main failings of Convention 108 was that it was implemented in a fragmented manner by a small number of states, resulting in divergent and inconsistent national laws and practices3. The Data Protection Directive aimed to harmonize the data protection rules within the EU and to ensure a high level of protection for individuals’ rights and freedoms2. Therefore, option C is the correct answer. Option A is incorrect because Convention 108 did account for the rapid growth of the Internet by allowing for amendments and protocols to adapt to technological developments1. Option B is incorrect because Convention 108 did include protections for sensitive personal data, such as those revealing racial origin, political opinions, religious beliefs, health, or sexual life1. Option D is incorrect because Convention 108 did not prescribe specific penalties for violations of data protection rights, but left it to the Parties to adopt appropriate sanctions and remedies1. References:

Convention 108 and Protocols

CIPP/E Certification

Convention 108+ and the Data Protection Framework of the EU

Louis has the right to object at any time to the use of his data and Bedrock must honor his request to cease use.

The GDPR states that “where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing” and that “where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.”3

This right applies regardless of whether the data subject has previously consented to the use of his or her data, or whether the data are required for a legal claim or a legitimate interest. The data subject must be informed of this right clearly and separately from any other information at the time of the first communication with him or her, and must be provided with an easy way to exercise it.2

Therefore, Louis can object to the use of his data by Bedrock and Accidentable for direct marketing purposes, and they must stop processing his data for such purposes as soon as they receive his objection. Louis can also withdraw his consent for any other processing of his data that he has previously agreed to, such as sharing his data with Bedrock’s affiliates.4

Article 58 of the GDPR lists the powers of supervisory authorities in EU member states. Among these powers are the investigative powers, which include the right to access data and information from controllers and processors, as well as to access their premises and equipment. This power enables the supervisory authorities to perform their tasks of monitoring and enforcing the GDPR. The other options are not powers of supervisory authorities under Article 58 of the GDPR. References: Art. 58 GDPR – Powers, Article 58 Powers - GDPR, Article 58 GDPR - GDPRhub

The GDPR defines personal data as “any information relating to an identified or identifiable natural person” (Article 4(1)). This includes names, quotations, and any other data that can be linked to a specific individual. The GDPR also requires that personal data be processed lawfully, fairly, and transparently, and that it be collected for specified, explicit, and legitimate purposes (Article 5(1)). Furthermore, the GDPR grants data subjects the right to object to the processing of their personal data for direct marketing purposes or for the purposes of the legitimate interests of the controller or a third party (Article 21).

In this scenario, Serge may have grounds to object to the use of his quotation on Brady Box’s home webpage, as it constitutes the processing of his personal data outside of the original purpose for which it was collected. Serge posted the quotation on Brady Box’s SNS, which is a separate service from Brady Box’s web page design service. By using the quotation on the home webpage, Brady Box is processing Serge’s personal data for a different purpose than the one for which Serge provided it, and without his consent or a legitimate interest. This may violate the principles of purpose limitation and lawfulness under the GDPR. Moreover, Serge may object to the use of his quotation as it implies his endorsement of Brady Box’s service, which may affect his reputation or interests.

The other options are less likely to be valid grounds for objection, as they are not directly related to the GDPR’s provisions on personal data protection. The misrepresentation of personal data as an endorsement may be a matter of contract law or consumer protection law, but not necessarily a GDPR issue. The juxtaposition of the quotation with others’ quotations may not affect Serge’s rights or interests, unless it creates a false or misleading impression of his views or opinions. The misapplication of the household exception in relation to a SNS may not apply in this case, as the household exception only covers the processing of personal data by a natural person in the course of a purely personal or household activity (Article 2(2)©). Serge’s posting of the quotation on a SNS may not qualify as a purely personal or household activity, as it involves the disclosure of personal data to a wider audience.

References:

GDPR

GDPR and social media

How does GDPR affect social media marketing?

Data Protection & Social Media: How GDPR Influences Today’s Social Media Marketing

According to Article 13 of the GDPR, when a controller obtains personal data directly from the data subject, the controller must provide the data subject with certain information about the processing of their data, such as the identity and contact details of the controller, the purposes and legal basis of the processing, the recipients or categories of recipients, the period of storage, the rights of the data subject, the right to lodge a complaint, etc. However, the controller does not have to provide the data subject with the categories of personal data concerned, as this information is already known by the data subject, since they provided the data themselves. This is different from Article 14, which applies when the controller obtains personal data from a source other than the data subject, and requires the controller to inform the data subject of the categories of personal data concerned, as well as the source of the data. References:

Art. 13 GDPR - Information to be provided where personal data are collected from the data subject

Art. 14 GDPR - Information to be provided where personal data have not been obtained from the data subject

Article 13: Information to be provided where personal data are collected from the data subject - GDPR

Article 8 of the ECHR protects the right to respect for private and family life, home and correspondence. However, this right is not absolute and can be subject to limitations by a public authority in accordance with the law and for a legitimate aim. The European Court of Human Rights (ECtHR) has developed a two-stage test to determine whether such limitations are justified. First, the court must examine whether there is a legitimate aim pursued by the public authority, such as national security, public safety or the prevention of crime. Second, the court must assess whether the means used by the public authority are appropriate and necessary to achieve that aim, taking into account all relevant factors such as proportionality, necessity and less restrictive alternatives12. Therefore, the right to privacy is not an absolute right but a qualified one that has to be balanced against other rights under the ECHR. References:

Article 8 - Protection of personal data

Your right to respect for private and family life

Right to respect for private and family life

Guide on Article 8 of the European Convention on Human Rights

European Convention on Human Rights - Article 8

Article 9 of the GDPR prohibits the processing of special category data, which includes biometric data for the purpose of uniquely identifying a natural person1. However, there are 10 exceptions to this general prohibition, usually referred to as ‘conditions for processing special category data’2. These are:

(a) Explicit consent

(b) Employment, social security and social protection (if authorised by law)

© Vital interests

(d) Not-for-profit bodies

(e) Made public by the data subject

(f) Legal claims and judicial acts

(g) Substantial public interest conditions

(h) Health or social care

(i) Public health

(j) Archiving, research and statistics

Option A is not one of these exceptions, and therefore it is not a valid reason to process biometric data under Article 9. Option B, C and D are all valid exceptions, as they correspond to conditions ©, (f) and (a) respectively. Therefore, the correct answer is A.

References:

4: Art. 9 GDPR Processing of special categories of personal data

6: What are the rules on special category data? | ICO

The ePrivacy Directive, also known as the Cookie Law, is the EU legislation that regulates the use of cookies and other tracking technologies on websites and mobile applications. The ePrivacy Directive states that the use of cookies on websites and mobile applications is conditioned upon the prior consent of users, unless the cookies are strictly necessary for the provision of the service. Users must also be given clear and comprehensive information about the purposes of the cookies and the means to refuse them. The ePrivacy Directive complements the GDPR, which also applies to the processing of personal data through cookies, but does not specifically address the consent requirement for cookies. The other answer choices are not relevant to the consent requirement for cookies, as they regulate different aspects of the digital economy and society. The E-Commerce Directive establishes the legal framework for online services in the EU, such as information society services, electronic contracts, and liability of intermediaries. The Data Retention Directive requires telecommunication providers to retain certain data for a period of time for the purpose of law enforcement and national security. The EU Cybersecurity Directive aims to enhance the security of network and information systems across the EU, by setting common standards and obligations for operators of essential services and digital service providers. References:

Cookies, the GDPR, and the ePrivacy Directive - GDPR.eu

What is the EU Cookie Law (ePrivacy Directive)? - Cookie Script

EU Cookie Law - Data Protection and Cookies - Cookiebot™

ePrivacy Directive - Regulations - Learn how CookiePro Helps

According to Article 45 of the GDPR, the European Commission has the power to determine whether a third country, a territory or one or more specified sectors within a third country, or an international organisation ensures an adequate level of protection of personal data. This means that personal data can flow from the EU and the EEA to that third country without any further safeguard being necessary. The adequacy decision is based on an assessment of the legal framework, the enforcement mechanisms, the access by public authorities, the international commitments and the cooperation with the EU of the third country or organisation. The European Commission also monitors the functioning of the adequacy decisions and can repeal, amend or suspend them if the level of protection is no longer ensured. The European Commission has so far recognised several countries and organisations as providing adequate protection, such as Japan, Canada, Switzerland, the UK and the EU-US Data Privacy Framework. References: GDPR Article 45, Data protection adequacy for non-EU countries, Adequacy decisions | European Data Protection Board

According to Article 14 of the GDPR, if the controller obtains personal data from other sources, such as third parties or publicly accessible sources, the controller must provide the data subject with the necessary privacy information, such as the identity and contact details of the controller, the purposes and legal basis of the processing, the categories of personal data concerned, the recipients or categories of recipients of the personal data, and the rights of the data subject. The controller must provide this information within a reasonable period after obtaining the personal data, but no later than one month, having regard to the specific circumstances in which the personal data are processed. However, there are some exceptions to this rule, such as if the data subject already has the information, if the provision of the information proves impossible or would involve a disproportionate effort, if the obtaining or disclosure of the data is expressly laid down by EU or member state law, or if the personal data must remain confidential subject to an obligation of professional secrecy12. References:

GDPR, Article 14

Free CIPP/E Study Guide, page 19, section 2.5.1

CIPP/E Certification, page 14, section 1.2.1

Art. 14 GDPR - Information to be provided where personal data have not been obtained from the data subject

Article 14 GDPR - GDPRhub

According to Article 21 of the GDPR, the data subject has the right to object at any time to the processing of his or her personal data for direct marketing purposes, which includes profiling related to such marketing. When the data subject exercises this right, the controller must stop processing the personal data for that purpose, unless it can demonstrate compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims. The controller must also inform the data subject of this right before the first communication with him or her, and in a clear and separate manner from other information. The controller must also provide the data subject with a simple and effective way to opt out of receiving direct marketing communications, such as an unsubscribe link or a STOP text message. The controller must respect the data subject’s choice and refrain from sending any further direct marketing messages of the relevant type (e.g., email, phone, post, etc.) to the data subject, unless he or she opts in again. The controller does not need to delete the personal data of the data subject who opts out, unless the data subject also requests the erasure of his or her data under Article 17 of the GDPR, or the data is no longer necessary for the purposes for which it was collected or processed. The controller may also retain some minimal information about the data subject (such as name and email address) to ensure that his or her opt-out request is honored and that he or she is not contacted again for direct marketing purposes. The controller must also ensure that any third parties to whom it has disclosed the personal data of the data subject for direct marketing purposes are informed of the opt-out request and comply with it, unless this proves impossible or involves disproportionate effort. References: Direct marketing rules and exceptions under the GDPR, Direct marketing and privacy and electronic communications, Marketing and advertising: the law: Direct marketing, Direct Marketing - What you need to know about direct marketing

According to Article 45 of the GDPR, the European Commission has the power to determine, on the basis of an assessment, whether a non-EU country, a territory or a sector within that country, or an international organisation ensures an adequate level of data protection. This means that the data protection rules and standards in that country or organisation are equivalent to those in the EU. The effect of an adequacy decision is that personal data can flow freely from the EU to that country or organisation without any further safeguards or authorisations. The European Commission has adopted adequacy decisions for several countries and organisations, such as Japan, Canada, and the EU-US Data Privacy Framework. References: Data protection adequacy for non-EU countries, Adequate Level of Protection

According to the European Data Protection Law & Practice textbook, page 326, “the CJEU held that the search engine operator is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.” However, the CJEU also stated that “the operator of the search engine as the person responsible for that processing must, at the latest on the occasion of the erasure from its list of results, disclose to the operator of the web page containing that information the fact that that web page will no longer appear in the search engine’s results following a search made on the basis of the data subject’s name.” Therefore, SearchCo must notify the newspaper that it is delisting the article, as part of its obligation to respect the data subject’s right to be forgotten. References:

European Data Protection Law & Practice, page 326

CJEU Judgment in Case C-131/12 Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González, paragraphs 88 and 93

The European model for data protection is best described as comprehensive, because it covers all sectors and types of data processing, and applies to any organization that targets or collects data related to people in the EU. The GDPR is the main legal instrument of this model, and it establishes a set of principles, rights, and obligations for data protection, as well as a harmonized framework for enforcement and cooperation among EU member states and data protection authorities. The GDPR also aims to ensure consistency with other EU laws and policies, such as the ePrivacy Directive, the Charter of Fundamental Rights, and the European Data Strategy. The European model for data protection is based on the recognition of data protection as a fundamental right and a public interest, and it reflects the EU’s values and objectives of promoting human dignity, democracy, and the rule of law. References:

Data protection in the EU, section “Legislation”

What is GDPR, the EU’s new data protection law?, section “What is the GDPR?”

European Data Protection, Third Edition, page 1, section “Introduction”

European Data Protection: Law and Practice, page 1, section “Introduction”

The GDPR (General Data Protection Regulation) applies to any organisation that processes personal data of EU residents, regardless of where the processing takes place. Therefore, WonderKids, as a data controller based in France, must comply with the GDPR when it transfers personal data to its hosting service provider in Switzerland, which acts as a data processor on behalf of WonderKids.

According to Article 28 of the GDPR, data controllers must only use data processors that provide sufficient guarantees to implement appropriate technical and organisational measures to ensure the protection of the rights of the data subjects and the security of the data. The data controller and the data processor must also enter into a written contract or other legal act that sets out the subject matter, duration, nature, and purpose of the processing, as well as the obligations and rights of the data controller.

The contract must include, among other things, the following provisions:

The data processor must process the personal data only on documented instructions from the data controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by EU or member state law;

The data processor must ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

The data processor must take all measures required pursuant to Article 32 of the GDPR, which relates to the security of the processing;

The data processor must respect the conditions for engaging another processor, and inform the data controller of any intended changes concerning the addition or replacement of other processors, giving the data controller the opportunity to object to such changes;

The data processor must assist the data controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, which relate to the security of the processing, the notification of personal data breaches, the communication of personal data breaches to data subjects, the data protection impact assessment, and the prior consultation with the supervisory authority;

The data processor must, at the choice of the data controller, delete or return all the personal data to the data controller after the end of the provision of services relating to the processing, and delete existing copies unless EU or member state law requires storage of the personal data;

The data processor must make available to the data controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the data controller or another auditor mandated by the data controller.

Therefore, among the four options, the one that must be included in the contract between WonderKids and the hosting service provider is the requirement to implement technical and organisational measures to protect the data, as this is part of the data processor’s obligations under Article 28 and Article 32 of the GDPR.

The other options are not mandatory under the GDPR, although they may be advisable or desirable depending on the circumstances. Controller-to-controller model contract clauses are used when personal data is transferred from one data controller to another data controller, not from a data controller to a data processor. Audit rights for the data subjects are not explicitly required by the GDPR, although the data controller must ensure that the data processor allows for and contributes to audits conducted by the data controller or another auditor mandated by the data controller. A non-disclosure agreement may be useful to protect the confidentiality of the personal data, but it is not sufficient to ensure the compliance with the GDPR, as it does not cover all the aspects of the data processing relationship.

References:

GDPR

Web Hosting and GDPR Compliance - What to Look For

The GDPR: Why you need to review your third-party service providers’ security

GDPR Compliance for Third-Party Service Providers: Vendor Management

The CJEU ruled that the consent required by the ePrivacy Directive for the use of cookies must comply with the conditions laid down in the GDPR, which means that it must be specific, informed, unambiguous, and freely given. Therefore, pre-checked boxes or implied consent by scrolling are not valid forms of consent for cookies. The CJEU also clarified that the ePrivacy Directive applies to any information stored or accessed on a user’s device, regardless of whether it is personal data or not. Furthermore, the CJEU stated that the information provided to users about cookies must include the duration of the operation of cookies and the possibility of third parties accessing them.

References: CIPP/E Study Guide, page 29; CIPP/E Textbook, page 137; Planet49 case

 The GDPR applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system1. However, the GDPR does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity2. This means that individuals can process personal data without being subject to the GDPR, as long as the processing is not related to a professional or commercial activity. For example, the GDPR does not apply to an individual who keeps a personal address book or who posts photos of their family and friends on a social media platform, as long as the platform is not used for business purposes3. References: 1: Article 2(1) of the GDPR 2: Article 2(2)© of the GDPR 3: Recital 18 of the GDPR

According to the CIPP/E study guide, data controllers should use the least intrusive means of verifying the identity of data subjects who make requests under the GDPR. Asking for a copy of an ID document or a bank account statement may be disproportionate and excessive, as they contain more personal data than necessary for authentication. Asking for the bank account number may not be sufficient, as it may be easily obtained by third parties. Therefore, the most appropriate way to confirm the identity of the customer is to ask additional security questions that only the customer would know, such as the date of the last transaction, the amount of the last deposit, or the name of the beneficiary of a recurring payment.

References: CIPP/E Study Guide, page 28; CIPP/E Textbook, page 136.

According to the GDPR, a transfer of personal data to a third country or an international organisation may take place only if the conditions laid down in Chapter V of the GDPR are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation1. A third country is any country outside of the European Union (EU) and the European Economic Area (EEA)2. Therefore, a transfer impact assessment is only required when personal data is transferred to a third country or an international organisation that does not provide an adequate level of data protection, as recognised by the European Commission3. HRYourWay is a German based company, and Germany is a member state of the EU and the EEA. Thus, HRYourWay is not located in a third country, and no transfer impact assessment is needed for transferring personal data to it. The other options are incorrect, as they are not relevant to the question of whether a transfer impact assessment is required or not. References:

GDPR, Chapter V

GDPR, Article 4 (24)

GDPR, Article 45

Article 9 of the GDPR outlines strict conditions for processing special categories of personal data, which includes data revealing racial or ethnic origin. While options B, C, and D might seem relevant, they don't fully align with the core purpose of MagicAI's data collection.

Here's why option A is the most appropriate:

Scientific Research: MagicAI aims to improve the accuracy and fairness of its AI system by understanding how it performs across different ethnicities, nationalities, and genders. This directly ties into scientific research aimed at improving healthcare and reducing bias in medical technology.

It's important to note that even with "scientific research" as the legal basis, MagicAI must still adhere to strict safeguards, such as:

Data Minimization: Collecting only the data absolutely necessary for the research.

Purpose Limitation: Using the data solely for the defined scientific purpose.

Appropriate Security Measures: Protecting the data against unauthorized access or disclosure.

Ethical Review: Ideally, obtaining ethical approval for the research project.

References:

GDPR Article 9 - Processing of special categories of personal data

GDPR Recital 159 - Conditions for processing special categories of data for scientific research purposes

IAPP CIPP/E textbook, Chapter 2: Key Data Protection Principles (specifically, sections on special categories of data)

 Under the GDPR, the processing of personal data of a child on the basis of consent requires the consent of the holder of parental responsibility over the child, unless the child is at least 16 years old or the applicable national law provides for a lower age (not below 13 years). However, there are some situations where the processing of personal data of a child without parental consent may be justified by other lawful grounds, such as the performance of a contract, the compliance with a legal obligation, the protection of vital interests, the performance of a task carried out in the public interest, or the legitimate interests of the controller or a third party. One of these situations is when the processing is necessary for providing preventive or counselling services to the child, especially in the context of information society services. This is recognised by Recital 38 of the GDPR, which states that:

“Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child. The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.”

Therefore, the processing of personal data of a child without parental consent may be lawful if it is necessary for providing preventive or counselling services to the child, such as health, education, social or legal services, that are offered directly to the child and that aim to protect the child’s well-being, safety, development or rights. This may include, for example, online counselling platforms, sexual health advice services, anti-bullying or mental health support services, or child protection helplines. In such cases, the controller should ensure that the processing is fair, transparent, proportionate and respectful of the child’s best interests, and that appropriate safeguards are in place to protect the child’s personal data and rights.

The other options are not likely to justify the processing of personal data of a child without parental consent, as they do not meet the criteria of necessity, proportionality or legitimacy. The processing of personal data of a child for market research purposes is not necessary for the performance of a contract, the compliance with a legal obligation, the protection of vital interests, the performance of a task carried out in the public interest, or the legitimate interests of the controller or a third party, and may pose significant risks to the child’s privacy and autonomy. Therefore, such processing requires the consent of the holder of parental responsibility over the child, unless the child is old enough to give their own consent. The provision of materials purely for educational use to a child may not require the processing of personal data of the child at all, or may only require the processing of minimal personal data, such as the child’s name or email address. In such cases, the processing may be based on the consent of the child, if the child is old enough to understand the implications of their consent, or on the legitimate interests of the controller, if the processing is necessary for the provision of the educational materials and does not override the interests or rights of the child. However, the controller should still inform the child and the holder of parental responsibility about the processing and provide them with the opportunity to object or withdraw their consent. The existence of a legitimate business interest does not automatically justify the processing of personal data of a child without parental consent, as the controller must also consider the impact of the processing on the rights and freedoms of the child, and whether the processing is necessary and proportionate for the pursuit of that interest. Moreover, the controller must balance the legitimate business interest against the interests or rights of the child, and ensure that the processing does not cause any harm or disadvantage to the child. If the processing involves the use of personal data of a child for the purposes of marketing or creating personality or user profiles, the controller must obtain the consent of the holder of parental responsibility over the child, unless the child is old enough to give their own consent, as these purposes pose a high risk to the child’s privacy and autonomy. References: GDPR Article 6, GDPR Article 8, GDPR Recital 38, Children and the UK GDPR | ICO, Guidelines on consent under Regulation 2016/679 - European Data Protection Board

According to the GDPR, data controllers must report personal data breaches to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it (Art 33 of GDPR). However, the notification is not required if the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons (Art 33(1) of GDPR). In this case, TripBliss Inc. could argue that the stolen data was securely erased by Leon before it could be disclosed to anyone else, and therefore the risk of harm to the data subjects was minimal. TripBliss Inc. would have to provide evidence of the secure deletion of the data and the absence of any copies or backups. Alternatively, TripBliss Inc. could also invoke the exception of disproportionate effort to avoid notifying the data subjects directly, but only if they have made a public communication or similar measure to inform them in an equally effective manner (Art 34(3)(b) of GDPR). The other options are not valid defenses, as they do not affect the likelihood of risk to the data subjects. The incident was not caused by a third-party, but by an employee of Techiva, who was acting as a data processor on behalf of TripBliss Inc. As the data controller, TripBliss Inc. is responsible for ensuring that the data processor provides sufficient guarantees to implement appropriate technical and organisational measures to comply with the GDPR (Art 28 of GDPR). The sensitivity of the data categories is not relevant for the notification obligation, as any personal data breach could pose a risk to the data subjects, depending on the circumstances. The GDPR does not provide a threshold for the sensitivity of the data, but rather requires a case-by-case assessment of the potential impact of the breach. References:

GDPR, Art 33, Art 34, Art 28

Free CIPP/E Study Guide, p. 15

European Data Protection Law & Practice, p. 123-124

Personal data breach notification under the GDPR

According to Article 15 of the GDPR, data subjects have the right to access and receive a copy of their personal data, and other supplementary information, from the data controller1. However, this right is not absolute and may be subject to limitations or restrictions. One of the grounds for refusing or limiting a data subject access request (DSAR) is when the request is manifestly unfounded or excessive, in particular because of its repetitive character1. In such cases, the controller may either charge a reasonable fee, taking into account the administrative costs of providing the information, or refuse to act on the request1. The controller must inform the data subject of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority or seeking a judicial remedy1.

In this scenario, Jack’s DSAR is likely to be considered excessive, as he requests a copy of all personal data, including internal emails, that were sent or received by him or where he is directly or indirectly identifiable from the contents. This is a very broad and vague request, which would require the company to search and review a large amount of information, and potentially disclose confidential or sensitive data about other employees or third parties. The company has already contacted Jack, asking him to be more specific about what information he requires, but he refused to narrow the scope of his request. Therefore, the company has a valid reason to decline to provide any information, as the amount of information requested is too excessive to provide in one month, which is the general time limit for responding to a DSAR under the GDPR1. Therefore, option B is the correct answer.

Option A is incorrect because the company’s headquarters location is irrelevant for the purpose of the DSAR, as the GDPR applies to any processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not2. The company has an establishment in Ireland, where Jack worked, and therefore is subject to the GDPR.

Option C is incorrect because the company cannot agree to provide the information requested in Jack’s original DSAR within a period of 3 months, as this would violate the data subject’s right of access and the principle of accountability under the GDPR. The company can only extend the time limit to respond to a DSAR by a further two months if the request is complex or if the controller receives a number of requests from the same data subject1. However, the company must inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay1. In this case, the company has not done so, and has instead asked Jack to be more specific about his request.

Option D is incorrect because the company cannot provide all requested information except for the emails, as this would not comply with the data subject’s right of access and the principle of transparency under the GDPR. The company must provide the data subject with a copy of the personal data undergoing processing, unless this adversely affects the rights and freedoms of others1. The emails are part of the personal data undergoing processing, and the company cannot exclude them from the DSAR without a valid reason. The company must also provide the data subject with the following supplementary information, unless the data subject already has it1:

the purposes of the processing;

the categories of personal data concerned;

the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

the right to lodge a complaint with a supervisory authority;

where the personal data are not collected from the data subject, any available information as to their source;

the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

References:

Right of access

Territorial scope

According to Article 37 of the GDPR, the designation of a data protection officer (DPO) is mandatory for controllers and processors in three cases1:

When the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;

When the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or

When the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

The GDPR does not define what constitutes “regular and systematic monitoring” or “large scale”, but the Article 29 Working Party (now replaced by the European Data Protection Board) has provided some guidance on these concepts2. According to the guidance, “regular and systematic monitoring” includes all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising, but also offline activities such as CCTV or health data monitoring. The guidance also suggests some criteria to assess whether the processing is carried out on a large scale, such as the number of data subjects concerned, the volume of data or the range of data items processed, the duration or permanence of the processing activity, and the geographical extent of the processing.

In the given scenario, option D is the only one that clearly falls under the second case of mandatory DPO designation, as it implies that the controller or processor is engaged in regular and systematic monitoring of data subjects on a large scale as part of their core activities. This could include, for example, online behavioural advertising, location tracking, loyalty programs, or health data analytics. The other options are not sufficient to trigger the obligation to appoint a DPO, unless they are combined with other factors that indicate a large scale or a high risk of the processing. For instance, option A is not relevant, as the GDPR does not set a threshold based on the size or number of employees of the organisation. Option B is also not decisive, as the GDPR does not distinguish between for-profit or non-profit purposes of the processing. Option C may require a DPO if the processing of financial information or information relating to children is done on a large scale and involves special categories of data, but it is not a general rule. References:

1: Article 37 of the GDPR

2: Guidelines on Data Protection Officers (‘DPOs’)

3: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

4: https://edpb.europa.eu/sites/edpb/files/files/file1/wp243rev01_en.pdf

5: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679

6: [https://edpb.europa.eu/sites/edpb/files/files/file1/wp243rev01_en.pdf]

7: [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679]

The GDPR and the Convention 108 are two important data protection instruments that aim to protect the rights and freedoms of individuals with regard to their personal data. They both have some similarities and some differences, but one common feature is that they both require notification of processing activities to a supervisory authority.

A supervisory authority is an independent public body that monitors and enforces compliance with data protection laws. In the EU, there are 47 national data protection authorities (DPAs) that have the power to impose administrative fines, issue guidelines, conduct investigations, and cooperate with other authorities1. In the Council of Europe, there are 54 parties to the Convention 108 that have established their own supervisory authorities or have agreed to be supervised by an external authority2.

Notification of processing activities is a requirement for any controller or processor of personal data that falls under the scope of the GDPR or the Convention 108. A controller is a natural or legal person who determines the purposes and means of the processing of personal data3. A processor is a natural or legal person who processes personal data on behalf of a controller3. Notification means informing the supervisory authority about certain aspects of the processing, such as:

The identity and contact details of the controller and processor

The categories and sources of personal data

The purposes and legal basis for processing

The recipients or categories of recipients of personal data

The retention period or criteria for determining it

The existence of any automated decision-making or profiling

The rights of data subjects and how they can exercise them

Notification can be done in various ways, such as:

Submitting a written notification form

Publishing a notice on a website or other platform

Sending an email or other electronic message

Using an online system or portal

Notification should be done as soon as possible after becoming aware of any relevant information about the processing. It should also be updated whenever there are significant changes in relation to the processing4.

Therefore, both the GDPR and the Convention 108 require notification of processing activities to a supervisory authority. This is one way to ensure transparency, accountability, and compliance with data protection laws.

The GDPR imposes several obligations on data controllers when they engage data processors to process personal data on their behalf. One of these obligations is to ensure that the contract or other legal act between the controller and the processor stipulates that the processor must assist the controller in complying with its obligations under the GDPR, including the obligation to notify personal data breaches to the competent supervisory authority and, where applicable, to the affected data subjects1. However, this does not mean that the processor can directly notify the supervisory authority without the involvement of the controller. The GDPR clearly states that it is the controller’s responsibility to notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of the breach2. The processor must only notify the controller without undue delay after becoming aware of the breach3. Therefore, requiring that the processor directly notify the appropriate supervisory authority is not an action that a data controller can depend upon to avoid liability in the event of a security breach, as it would be contrary to the GDPR and the controller’s own obligation. Options A, B and D are actions that a data controller can take to reduce the risk of liability, as they demonstrate that the controller has exercised due diligence, assessed the potential impact of outsourcing, and chosen a reliable and compliant processor. References: 1: Article 28(3)(f) of the GDPR 2: Article 33(1) of the GDPR 3: Article 33(2) of the GDPR

According to the GDPR, a data controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (Art 4(7) of GDPR). A data processor is the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Art 4(8) of GDPR). In this case, JaphSoft would be considered a controller under the GDPR because it uses the personal data it receives from Liem and EcoMick to improve its own products and services through machine learning. This means that JaphSoft determines the purposes and means of this processing activity, which is not covered by the agreement with Liem and EcoMick. JaphSoft also decides how long to retain the personal data, which is another indication of its controller role. The other options are not sufficient to establish JaphSoft as a controller, as they could also apply to a processor. Having access to personal data in the MarketIQ database does not imply that JaphSoft determines the purposes and means of the processing. It could be acting on behalf of Liem and EcoMick, who are the controllers of the data in the database. Making decisions regarding the technical and organizational measures necessary to protect the personal data is also a duty of a processor, who must implement appropriate security measures in accordance with the GDPR and the instructions of the controller (Art 28 and Art 32 of GDPR). References:

GDPR, Art 4, Art 28, Art 32

Free CIPP/E Study Guide, p. 15

European Data Protection Law & Practice, p. 123

What is a data controller or a data processor?

CNIL publishes guidance on data processing roles under EU GDPR

Guide for multi-controller situations under the GDPR

According to Article 28(2) of the GDPR, the processor may not engage another processor (sub-processor) without the prior specific or general written authorization of the controller. In the case of general written authorization, the processor must inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes. Furthermore, Article 28(4) of the GDPR states that where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR. Therefore, the processor must ensure that the sub-processor complies with data processing obligations that are equivalent to those that apply to the processor. References:

Article 28 of the GDPR

European Data Protection Law & Practice textbook, Chapter 6: Data Processing Obligations, Section 6.3: Processor Obligations, Subsection 6.3.2: Sub-processors

 Under the GDPR, email marketing requires explicit and unambiguous consent from the recipients, meaning that they must actively agree to receive marketing communications, and the process for obtaining this consent must be clear and transparent. A prior opt-in consent is the most common and reliable way to demonstrate compliance with this requirement, as it involves a positive action from the data subject, such as ticking a box, clicking a button, or filling a form. A pre-checked box, a notice, or an opt-out option are not sufficient to obtain valid consent, as they do not indicate a clear expression of the data subject’s will. However, there is an exception to the consent rule for existing customers, known as the “soft opt-in”. This means that a company can send email marketing messages to its customers without prior consent, if the following conditions are met:

The company obtained the customer’s contact details in the course of a sale or negotiations for a sale of a product or service;

The company only sends marketing messages about its own similar products or services;

The company gives the customer a clear opportunity to opt out of receiving such messages both when first collecting the details and in every subsequent message.

References: GDPR Article 4(11), GDPR Article 6(1)(a), GDPR Article 7, GDPR Recital 32, GDPR Recital 47, GDPR for Marketing: The Definitive Guide for 2023 - SuperOffice, A Guide to GDPR Compliance for Email Marketers in 2023

ISO 31700 is an international standard that provides high-level requirements and recommendations for organizations that use privacy by design (PbD) in the development, maintenance and operation of consumer goods and services. PbD is a concept that aims to integrate privacy into products, services and systems by default, following seven main principles: proactive not reactive, privacy as the default, privacy embedded into design, full functionality, end-to-end security, visibility and transparency, and respect for user privacy. PbD is also a legal requirement under many prominent privacy regulations across the world, such as the GDPR. ISO 31700 is based on a consumer-centric approach, where the consumer’s privacy rights and preferences are placed at the center of product development and operation.

References: Meet the new ISO 31700 standard for Privacy by Design (PbD); 7 Steps to Comply with ISO 31700-1:2023; Privacy by Design: Embracing ISO 31700-1:2023’s Consumer Protection Guidelines.

 The ePrivacy Directive is a European Union (EU) directive that aims to protect the confidentiality of electronic communications and prevent their indiscriminate interception or monitoring. It was adopted in 2002 and amended in 2009. It applies to all providers of electronic communication services, such as internet service providers, mobile network operators, and online platforms12.

One of the main objectives of the ePrivacy Directive is to ensure that the retention of communications traffic data for law enforcement purposes is subject to strict conditions and safeguards. Communications traffic data refers to any information relating to the transmission or routing of electronic communications, such as IP addresses, timestamps, and metadata3. Such data can be used by competent national authorities for the prevention, investigation, detection or prosecution of criminal offences and safeguarding national security4.

However, the ePrivacy Directive does not allow individual EU member states to engage in such data retention without harmonizing their rules. Article 6(1)(b) of the directive states that “Member States shall ensure that any measures taken by them in relation to the retention of traffic data are consistent with this Directive”. Therefore, each EU member state must adopt a national law that complies with the requirements and limitations set by the directive12.

The Data Retention Directive (DRD) was a previous EU directive that aimed to establish a common framework for the retention of communications traffic data for law enforcement purposes across all EU member states. It was adopted in 2006 and amended in 2010. However, it was annulled by the Court of Justice of the European Union (CJEU) in 2014 on procedural grounds. The CJEU found that some provisions of the DRD were inconsistent with other EU directives and principles, such as Article 8(2) of the Charter of Fundamental Rights (CFR), which protects individuals from arbitrary interference with their privacy56.

The GDPR is a new EU regulation that implements some aspects of the DRD into national law through its provisions on processing personal data. However, it does not address directly the issue of communications traffic data retention for law enforcement purposes. Instead, it requires providers to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk involved in processing personal data. These measures include encryption, pseudonymisation, access control, and accountability7 . The GDPR also grants individuals certain rights regarding their personal data, such as access, rectification, erasure, portability, and objection7 .

Therefore, under current EU law, there is no single legal basis for retaining communications traffic data for law enforcement purposes across all EU member states. Each member state must adopt its own national law that respects the principles and limitations established by the ePrivacy Directive.

References:

ePrivacy Directive

ePrivacy Regulation

What is Communications Traffic Data?

How is Communications Traffic Data Retained?

Data Retention Directive

Data Retention Directive annulled by CJEU

General Data Protection Regulation

What are your rights regarding your personal data?

 According to the UK GDPR, the processing of personal data must be lawful, fair and transparent1. Lawfulness means that there must be a valid legal basis for processing personal data, such as consent, contract, legal obligation, vital interests, public task or legitimate interests1. Fairness means that the processing must not be detrimental, unexpected or misleading to the individuals concerned1. Transparency means that the individuals must be informed about how their data is used, who it is shared with, what rights they have and how they can exercise them1. Therefore, the sentence that best summarizes these concepts is option A, which states that fairness and transparency refer to the communication of key information before collecting data; lawfulness refers to compliance with government regulations. References: 1 https://ico.org.uk/for-organisations-2/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/lawfulness-fairness-and-transparency/

Section: (none)

Explanation

 The European Council and the Council of the European Union are two different EU institutions that have similar names but distinct roles and memberships. The European Council is the body of leaders (heads of state or government) of the 27 EU member states that defines the EU’s general political direction and priorities1. The European Council does not adopt EU legislation, but rather sets the agenda and gives guidance to the other EU institutions1. The Council of the European Union, informally known as the Council, is composed of national ministers from each EU member state, grouped by policy area1. The Council is one of the two legislative bodies of the EU, along with the European Parliament, and negotiates and adopts EU laws, coordinates member states’ policies, and develops the EU’s common foreign and security policy1. The key difference between the two institutions is that the European Council is comprised of the heads of each EU member state, while the Council of the European Union is comprised of the ministers of each EU member state12. References: European Council | Council of the European Union, What is the difference between EU Council, Council of the European Union, and Council of Europe?

 The ePrivacy Directive (ePD) and the General Data Protection Regulation (GDPR) are two EU laws that regulate different aspects of personal data processing. The ePD focuses on electronic communications and the use of cookies and similar technologies, while the GDPR covers the broader principles and rights of data protection. Both laws apply to any organization that processes personal data of individuals in the EU, regardless of where the organization is located.

Option D involves both electronic communication and personal data processing, and therefore requires compliance with both ePD and GDPR. Paying a search engine company to give prominence to certain products and services within specific search results implies the use of cookies or similar technologies to track the online behavior of users and target them with personalized ads. This requires the consent of the users under the ePD, as well as the provision of clear and comprehensive information about the purpose and scope of the data processing. Moreover, the organization must comply with the GDPR requirements for data protection by design and by default, data minimization, data security, data subject rights, and accountability.

Option A only involves the use of cookies or similar technologies, and therefore only requires compliance with the ePD. Creating an untargeted pop-up ad on a website does not involve the processing of personal data, as the ad is not based on the online behavior or preferences of the users. However, the organization must still obtain the consent of the users for the use of cookies or similar technologies, and provide them with clear and comprehensive information about the purpose and scope of the data processing.

Option B only involves the processing of personal data, and therefore only requires compliance with the GDPR. Calling a potential customer to notify her of an upcoming product sale involves the collection and use of the customer’s personal data, such as name, phone number, and purchase history. The organization must have a lawful basis for the data processing, such as consent, contract, or legitimate interest, and must respect the data subject rights, such as the right to object, the right to access, and the right to erasure.

Option C only involves the processing of personal data, and therefore only requires compliance with the GDPR. Emailing a customer to announce that his recent order should arrive earlier than expected involves the use of the customer’s personal data, such as name, email address, and order details. The organization must have a lawful basis for the data processing, such as consent, contract, or legitimate interest, and must respect the data subject rights, such as the right to object, the right to access, and the right to erasure. References:

Free CIPP/E Study Guide, page 15, section 2.3.3

CIPP/E Certification, page 10, section 1.1.2

Cipp-e Study guides, Class notes & Summaries, document “CIPP/E Exam Summary 2023”, page 42, section 2.3.3

ePrivacy: The EU’s other data protection rule

The New Rules of Data Privacy

A guide to GDPR data privacy requirements

A guide to the data protection principles

According to Article 28(3)(f) of the GDPR, the written agreement between the controller and the processor must include an obligation on the processor to assist the controller in ensuring compliance with the controller’s obligations pursuant to Articles 32 to 36 of the GDPR. These obligations include notifying the supervisory authority and the data subjects about personal data breaches, as well as conducting data protection impact assessments and consulting with the supervisory authority when required. The processor must assist the controller by taking appropriate technical and organisational measures, insofar as this is possible, and considering the nature of the processing and the information available to the processor. References:

GDPR Article 28(3)(f)

CIPP/E Textbook, Chapter 6, Section 6.2.2, page 154

Free CIPP/E Study Guide, page 18

Sandy should give this feedback to Dan and the marketing team, as it reflects the principle of data minimization, which requires that personal data collected must be adequate, relevant and limited to what is necessary for the purposes of the processing1. Collecting birth date and salary information from customers who want to download white papers or register for events is not necessary for those purposes, and may pose risks for data protection and security. Moreover, such information may fall under the category of special data, which requires explicit consent from the data subjects and can only be processed under certain conditions2. The other options do not comply with the principle of data minimization, as they still involve collecting more data than needed, even if they are optional or in brackets. References:

Free CIPP/E Study Guide, page 23, section 3.1

CIPP/E Certification, page 18, section 3.1

The Ultimate CIPP/E Study Guide for 2023, page 16, section 3.1

Principles - General Data Protection Regulation (GDPR), Article 5

Special categories of personal data - General Data Protection Regulation (GDPR), Article 9

 According to the EDPB guidelines on the concepts of controller and processor in the GDPR1, joint controllers are entities that jointly determine the purposes and means of the processing of personal data. Joint controllership can result from a common decision or from converging decisions that are necessary for the processing to take place. Joint controllers must have a transparent arrangement that sets out their respective roles and responsibilities, and must ensure that individuals can exercise their rights against each controller. In this scenario, Gellcoat and Freifish are joint controllers with respect to the personal data related to the event, because they both decided to share data from their client databases, to come up with a list of people to invite, to agree on the content of the invitations, and to build an app to gather feedback. These decisions are joint and inseparable, and they have a tangible impact on the determination of the purposes and means of the processing. However, Gellcoat and Freifish are separate controllers for their other purposes, such as maintaining their own client databases, marketing their own products, or complying with their own legal obligations. These purposes are independent and separate from the joint purpose of organizing the event. Therefore, option A is the correct answer. Option B is incorrect because joint controllership does not depend on the merging of databases or the ownership of data, but on the joint determination of purposes and means. Option C is incorrect because joint controllership does not require a written designation in a contract, but can be inferred from the factual circumstances. Option D is incorrect because separate controllers and processors have different roles and responsibilities under the GDPR, and Gellcoat and Freifish do not act as processors for each other. References:

Guidelines 07/2020 on the concepts of controller and processor in the GDPR

What does it mean if you are joint controllers?

What’s New in the EDPB’s Draft Guidelines on Controllers and Processors under the GDPR

 The GDPR requires that the processor only processes personal data on behalf of the controller and according to the controller’s instructions12. The agreement between the controller and the processor must include provisions that ensure that the processor does not process personal data for any other purposes or in a manner that is inconsistent with the controller’s instructions34. Therefore, if the processor stores personal data that is not necessary for the performance of the contract with the controller, such as the social network followers of the client, this is a breach of the GDPR and the processor may be fined2. The fact that the data base is password-protected does not affect the applicability of the GDPR or the security principle, as the data is still personal data that can identify data subjects. The storage limitation principle also requires that personal data be kept for no longer than is necessary for the purposes for which the personal data are processed, so deleting the data base after the audit does not make the situation compliant. References: 1: Article 28 of the GDPR 2: Guidelines 07/2020 on the concepts of controller and processor in the GDPR 3: Understanding Controller-to-Processor Agreements - GDPR Advisor 4: New Guidelines on Data Controllers and Processors: Time to Review Data Processing Agreements : Article 4 of the GDPR : Article 5 of the GDPR

According to the EU glossary1, a directive is a legal act that sets out a goal that EU countries must achieve, but leaves them the choice of form and methods to reach it. A directive is binding on the EU countries to which it is addressed, but it does not apply directly at the national level. Instead, it has to be transposed into national law by the national authorities, usually within a specified time limit. This allows for some flexibility and adaptation to the specific circumstances of each country. A directive is different from a regulation, which is a legal act that applies automatically and uniformly to all EU countries as soon as it enters into force, without needing to be transposed into national law. References:

Free CIPP/E Study Guide, page 14, section 2.3

Types of legislation, section 2

What are EU directives?

The General Data Protection Regulation (GDPR) does not prohibit surveillance of employees in the workplace. Still, it requires employers to follow special rules to ensure that the rights and freedoms of employees are protected when processing their personal data. The GDPR applies to any processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not. The GDPR also applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to the offering of goods or services to data subjects in the EU or the monitoring of their behaviour as far as their behaviour takes place within the EU.

The GDPR requires that any processing of personal data must be lawful, fair and transparent, and based on one of the six legal grounds specified in the regulation. The most relevant legal grounds for employee surveillance are the legitimate interests of the employer, the performance of a contract with the employee, or the compliance with a legal obligation. The GDPR also requires that any processing of personal data must be limited to what is necessary for the purposes for which they are processed, and that the data subjects must be informed of the purposes and the legal basis of the processing, as well as their rights and the safeguards in place to protect their data.

The GDPR also imposes specific obligations and restrictions on the processing of special categories of personal data, such as biometric data, which reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or which are processed for the purpose of uniquely identifying a natural person. The processing of such data is prohibited, unless one of the ten exceptions listed in the regulation applies. The most relevant exceptions for employee surveillance are the explicit consent of the data subject, the necessity for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, or the necessity for reasons of substantial public interest.

The GDPR also sets out the rules and requirements for the transfer of personal data to third countries or international organisations, which do not ensure an adequate level of data protection. The transfer of such data is only allowed if the controller or processor has provided appropriate safeguards, such as binding corporate rules, standard contractual clauses, codes of conduct or certification mechanisms, and if the data subjects have enforceable rights and effective legal remedies.

Based on the scenario, the only monitoring that may be lawfully performed within the scope of Gentle Hedgehog’s business is the monitoring of emails, website browsing history and camera for internal video calls that are expressly marked as monitored. This option is the most consistent with the GDPR’s principles and requirements, as it:

Is based on the legitimate interests of the employer to ensure the productivity, quality and security of the work performed by the employees, as well as the performance of a contract with the employees and the compliance with a legal obligation to prevent fraud and protect confidential information.

Is limited to what is necessary for the purposes of the monitoring, as it only covers the work-related activities and communications of the employees, and excludes the private or personal ones.

Is transparent to the employees, as it informs them of the monitoring and its precise scope, and gives them the opportunity to object or opt out of the monitoring.

Does not involve the processing of special categories of personal data, such as biometric data or data revealing political opinions or trade union membership, which are not necessary or proportionate for the purposes of the monitoring.

Does not involve the transfer of personal data to a third country, such as China, which does not provide an adequate level of data protection, and which may pose additional risks for the rights and freedoms of the employees.

The other options listed in the question are not lawful monitoring within the scope of Gentle Hedgehog’s business, as they:

Are not based on a valid legal ground for the processing of personal data, as they either rely on the consent of the employees, which is not freely given, informed and specific, or on the legitimate interests of the employer, which are not balanced with the rights and freedoms of the employees.

Are not limited to what is necessary for the purposes of the monitoring, as they involve the collection and processing of excessive and irrelevant personal data, such as camera and microphone monitoring, screen captures, keystrokes, and facial recognition data, which go beyond the scope of the work performed by the employees, and intrude into their private or personal sphere.

Are not transparent to the employees, as they do not inform them of the monitoring and its precise scope, and do not give them the opportunity to object or opt out of the monitoring.

Involve the processing of special categories of personal data, such as biometric data or data revealing political opinions or trade union membership, which are not necessary or proportionate for the purposes of the monitoring, and which do not fall under any of the exceptions listed in the regulation.

Involve the transfer of personal data to a third country, such as China, which does not provide an adequate level of data protection, and which may pose additional risks for the rights and freedoms of the employees.

References:

GDPR, Articles 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 44, 45, 46, 47, 48, and 49.

EDPB Guidelines 3/2019 on processing of personal data through video devices, pages 5, 6, 7, 8, 9, 10, 11, 12, 13, and 14.

EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, pages 19, 20, 21, 22, 23, 24, 25, 26, 27, and 28.

EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, pages 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, and 28.

EDPB Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679, pages 4, 5, 6, 7, 8, 9, 10, 11, and 12.

Data protection: GDPR and employee surveilance | Feature | Law Gazette, paragraphs 1, 2, 3, 4, 5, 6, 7, and 8.

cloud computing services are defined as the on-demand availability of computing resources (such as storage and infrastructure), as services over the internet. Cloud computing services share certain characteristics, such as on-demand self-service, broad network access, resource pooling, rapid elasticity, measured service, multi-tenancy, virtualization, resilient computing, flexible pricing models, security, automation, and sustainability234.

One of the characteristics that is not recognized as a common characteristic of cloud computing services is that the supplier assumes the vendor’s business risk associated with data processed by the supplier. This is not a characteristic of cloud computing services, but rather a contractual or legal issue that depends on the agreement between the supplier and the vendor. The supplier and the vendor may have different roles and responsibilities regarding the data processed by the supplier, such as controller, processor, or sub-processor, and they may have different obligations and liabilities under the applicable data protection laws, such as the GDPR. Therefore, the supplier does not necessarily assume the vendor’s business risk associated with data processed by the supplier, unless it is explicitly agreed by the parties or required by the law.

The GDPR defines data concerning health as a special category of personal data that is subject to specific processing conditions and safeguards. The GDPR prohibits the processing of such data unless one of the exceptions in Article 9 applies. One of these exceptions is the explicit consent of the data subject, which means that the data subject has given a clear and affirmative indication of their agreement to the processing of their health data. Another exception is when the processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care. A third exception is when the processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services. These exceptions are based on the principle of necessity, which means that the processing must be strictly necessary for a specific purpose and cannot be achieved by other means.

In the given scenario, the journalist does not fall under any of these exceptions. The journalist is not a health professional, a public authority, or a person who has obtained the explicit consent of the data subject. The journalist is not processing the data for any legitimate purpose related to public health, medical care, or social protection. The journalist is merely pursuing their own interest in publishing a story that may or may not be in the public interest. The journalist is not respecting the data subject’s rights and freedoms, especially their right to privacy and confidentiality. Therefore, the journalist would be least likely to be allowed to engage in the collection, use, and disclosure of the data subject’s sensitive medical information without their knowledge or consent. References:

Article 4 (15) and Article 9 of the GDPR

Health data | ICO

What does the GDPR mean for personal data in medical reports?

Sensitive data and medical confidentiality - FutureLearn

Health data and data privacy: storing sensitive data under GDPR

 Article 9 of the GDPR prohibits the processing of special categories of personal data, which are data that reveal sensitive information about the data subject and may pose a high risk to their rights and freedoms. The GDPR defines 10 types of personal data as special categories, which are:

personal data revealing racial or ethnic origin;

personal data revealing political opinions;

personal data revealing religious or philosophical beliefs;

personal data revealing trade union membership;

genetic data;

biometric data (where used for identification purposes);

data concerning health;

data concerning a person’s sex life; and

data concerning a person’s sexual orientation.

Among the answer choices, only option C is not one of these categories, as financial data is not considered to reveal any sensitive information about the data subject. However, financial data is still subject to the general principles and rules of the GDPR, such as lawfulness, fairness, transparency, accuracy, security, etc. References:

Special category data | ICO

Art. 9 GDPR Processing of special categories of personal data

Special Categories of Data - International Association of Privacy Professionals

 A lead supervisory authority (LSA) is the main point of contact for organisations that process personal data across multiple EU member states. The LSA is responsible for coordinating cross-border investigations, issuing binding decisions, and enforcing GDPR compliance1. Cross-border processing is the main concern of the LSA, as it involves data processing activities that affect data subjects in more than one member state, or that take place in more than one member state2. The other options are not the main concern of the LSA, as they are either covered by the national supervisory authorities of each member state, or are not specific to cross-border processing. References: Is it possible to choose your lead supervisory authority under the GDPR?, Art. 56 GDPR – Competence of the lead supervisory authority, Navigating GDPR Compliance with a Lead Supervisory Authority, Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority

This is not a common characteristic of cloud-computing services, as the supplier usually does not assume the vendor’s business risk. In fact, the supplier often limits its liability for data breaches or losses, and the vendor remains responsible for complying with data protection laws and regulations. The other options are common characteristics of cloud-computing services, as they reflect the nature of cloud computing as a flexible, scalable, and cost-effective way of processing data, but also pose challenges for data protection and security. References:

Free CIPP/E Study Guide, page 17, section 2.3.2

CIPP/E Certification, page 12, section 2.3.2

Cipp-e Study guides, Class notes & Summaries, page 23, section 2.3.2

The GDPR allows for derogations for specific situations when a transfer of personal data to a third country or an international organization cannot be based on an adequacy decision, appropriate safeguards, or binding corporate rules1. However, these derogations are exceptions to the general rule and should not become the norm. The EDPB confirmed that derogations should only be used as a last resort and when interpreted restrictively, taking into account the nature of the data, the purpose and duration of the processing, the country of origin and destination, and the rights and freedoms of data subjects23. The EDPB also stressed that the data exporter must assess the level of protection in the third country and ensure that the transfer does not undermine the essence of the fundamental rights and freedoms of data subjects23. References: 1: Article 49 of the GDPR 2: Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679 3: A guide to international transfers | ICO