CIPP-E Exam Dumps - IAPP Certified Information Privacy Professional Questions and Answers

According to Article 13 of the GDPR, when a controller obtains personal data directly from the data subject, the controller must provide the data subject with certain information about the processing of their data, such as the identity and contact details of the controller, the purposes and legal basis of the processing, the recipients or categories of recipients, the period of storage, the rights of the data subject, the right to lodge a complaint, etc. However, the controller does not have to provide the data subject with the categories of personal data concerned, as this information is already known by the data subject, since they provided the data themselves. This is different from Article 14, which applies when the controller obtains personal data from a source other than the data subject, and requires the controller to inform the data subject of the categories of personal data concerned, as well as the source of the data. References:

Art. 13 GDPR - Information to be provided where personal data are collected from the data subject

Art. 14 GDPR - Information to be provided where personal data have not been obtained from the data subject

Article 13: Information to be provided where personal data are collected from the data subject - GDPR

 This is not an explicit right granted to data subjects under the GDPR, as the GDPR does not specifically address the sale of personal data. However, the GDPR does require that data subjects give their consent to any processing of their personal data that is not based on another legal basis, such as a contract or a legal obligation1. Therefore, data subjects have the right to withdraw their consent at any time, and the controller must inform them of this right before obtaining their consent2. The other options are explicit rights granted to data subjects under the GDPR, as they are listed in Chapter 3 of the regulation3. References:

Free CIPP/E Study Guide, page 23, section 3.1

CIPP/E Certification, page 18, section 3.1

The Ultimate CIPP/E Study Guide for 2023, page 16, section 3.1

GDPR data subject rights - 8 fundamental & additional rights, paragraph 4

Rights of the data subject - General Data Protection Regulation (GDPR), Article 7

Rights of the data subject - General Data Protection Regulation (GDPR), Chapter 3

According to the GDPR, any transfer of personal data to a third country or an international organisation must be based on an adequacy decision by the Commission, appropriate safeguards by the data exporter and importer, or derogations for specific situations1. In this scenario, InstaHR is an Australian based company that processes personal data on behalf of ProStorage, a Dutch based company. Australia is not recognised by the Commission as a country that provides an adequate level of data protection2, so the adequacy option is not available. Binding corporate rules (BCRs) are internal rules adopted by multinational groups of companies or organisations that define their global policy with regard to the international transfers of personal data within the same corporate group to entities located in countries that do not provide an adequate level of protection3. However, BCRs are not applicable in this case, as InstaHR is not part of the same corporate group as ProStorage. Explicit consent of employees is a possible derogation for specific situations, but it is not a reliable or practical transfer mechanism, as it must be freely given, specific, informed and unambiguous, and it can be withdrawn at any time4. Therefore, the most suitable transfer mechanism for using InstaHR is standard contractual clauses (SCCs). SCCs are contractual clauses that have been pre-approved by the Commission and that provide appropriate safeguards for data protection when transferring personal data from the EU/EEA to third countries. SCCs are legally binding and enforceable by data subjects, and they impose obligations on both the data exporter and the data importer. SCCs are widely used by data controllers and processors as a transfer mechanism under the GDPR. References: 1: Art. 44 GDPR - General principle for transfers22: Adequacy decisions - European Commission13: Binding corporate rules - European Commission14: Article 7 of the GDPR. : Standard Contractual Clauses (SCC) - European Commission1.

According to the GDPR, personal data means any information relating to an identified or identifiable natural person1. Body temperature is a type of personal data that can reveal information about an individual’s health and therefore constitutes special category data under Article 9 of the GDPR2. However, not every activity involving personal data falls within the scope of the GDPR. The GDPR applies only to the processing of personal data wholly or partly by automated means or to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system3.

In this scenario, the organization conducts body temperature checks as a part of COVID-19 monitoring. Body temperature is measured manually and is not followed by registration, documentation or other processing of an individual’s personal data. This means that the organization does not use any automated means to collect, store, or process the body temperature data, nor does it create or intend to create a filing system that contains such data. Therefore, this practice does not involve any processing of personal data within the meaning of the GDPR and is not subject to its rules and obligations.

The other options are incorrect because:

A. Body temperature is considered personal data, as it can be linked to an identifiable natural person and reveal information about their health2.

C. Body temperature is not considered pseudonymous data, as it is not processed in a way that the data can no longer be attributed to a specific data subject without the use of additional information4.

D. The practice is not for the purpose of alleviating extreme risks to public health, as it is not based on any legal obligation, public interest, or vital interest that would justify the processing of special category data under Article 9 of the GDPR5.

References: 1 Article 4(1) of the GDPR2 Policy Brief: Location Data Under Existing Privacy Laws | FPF23 Article 2(1) of the GDPR4 Article 4(5) of the GDPR5 Article 9(2) of the GDPR.

 A layered notice is a privacy notice designed to respond to problems with excessively long notices1. A short notice — the top layer — provides a user with the key elements of the privacy notice, such as the identity of the organisation, the purposes of the processing, and the rights of the data subjects2. The full notice — the bottom layer — covers all the intricacies in full, such as the lawful basis, the retention periods, and the recipients of the personal data2. The ICO recommends using a layered approach to deliver privacy information in a concise, transparent, intelligible, and easily accessible way, as required by the UK GDPR3. A layered notice allows data subjects to access the information they need at the appropriate level of detail and helps organisations to comply with the right to be informed23. References: 2

According to the GDPR, a data protection impact assessment (DPIA) is a process to help identify and minimize the data protection risks of a project. A DPIA is required when the processing is likely to result in a high risk to the rights and freedoms of natural persons, taking into account the nature, scope, context and purposes of the processing. The GDPR provides a list of examples of processing operations that require a DPIA, such as:

Systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.

Processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences.

Systematic monitoring of a publicly accessible area on a large scale.

Therefore, an example of a scenario where a controller is most likely required to undertake a DPIA is when personal data is being collected and combined with other personal data to profile the creditworthiness of individuals, as this involves a systematic and extensive evaluation of personal aspects based on automated processing and profiling, and may have significant effects on the individuals. The other scenarios are not necessarily indicative of a high risk to the rights and freedoms of natural persons, and do not fall under the examples of processing operations that require a DPIA provided by the GDPR. References: Free CIPP/E Study Guide, page 37; CIPP/E Certification, page 18; GDPR, Article 35, Recital 91.

According to the European Data Protection Law & Practice textbook, page 326, “the CJEU held that the search engine operator is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.” However, the CJEU also stated that “the operator of the search engine as the person responsible for that processing must, at the latest on the occasion of the erasure from its list of results, disclose to the operator of the web page containing that information the fact that that web page will no longer appear in the search engine’s results following a search made on the basis of the data subject’s name.” Therefore, SearchCo must notify the newspaper that it is delisting the article, as part of its obligation to respect the data subject’s right to be forgotten. References:

European Data Protection Law & Practice, page 326

CJEU Judgment in Case C-131/12 Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González, paragraphs 88 and 93

While all of the options present potential privacy issues, the lack of transparency about data processing poses the biggest risk for several reasons:

Uninformed Consent: Without clear information about data collection and usage, children and parents cannot make informed decisions about using the toys. This violates the principle of informed consent, which is a cornerstone of data protection laws.

Hidden Features: The packaging and privacy policy do not disclose the hidden functionality of the toys, including the connection to the cloud and data processing in South Africa. This lack of transparency creates distrust and raises concerns about potential misuse of data.

Unclear Data Flow: The explanation provided about the data flow is vague and incomplete. It is unclear what data is collected, how it is stored, for what purposes it is used, and who has access to it. This lack of clarity creates uncertainty and raises concerns about potential data breaches or leaks.

Limited Control: Without detailed information about data practices, users have limited control over their information. They cannot opt out of data collection or request deletion of their data, further hindering their privacy rights.

According to the GDPR, consent must be freely given, specific, informed and unambiguous1. However, in the context of employment, there is often an imbalance of power between the employer and the employee, which may affect the validity of consent. The employee may feel pressured or coerced to give consent, or may not be able to withdraw it without negative consequences. Therefore, consent is not a reliable or appropriate legal basis for processing employee data in most cases23. The employer should consider other lawful bases, such as contractual necessity, legal obligation, legitimate interests or specific conditions for special category data45. References: 1 Art. 4 (11) GDPR – Definitions - General Data Protection Regulation (GDPR)2 Can my employer require me to give my consent to use my personal data? | European Commission. 3 When is consent appropriate? | ICO. 4 Art. 6 (1) GDPR – Lawfulness of processing - General Data Protection Regulation (GDPR)5 Art. 9 (2) GDPR – Processing of special categories of personal data - General Data Protection Regulation (GDPR).

The territorial scope of the GDPR is determined by Article 3 of the Regulation, which sets out two main criteria for applying the GDPR to the processing of personal data: the establishment criterion and the targeting criterion. The establishment criterion applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not. The targeting criterion applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to the offering of goods or services to such data subjects in the EU or the monitoring of their behaviour as far as their behaviour takes place within the EU. In addition, the GDPR applies to the processing of personal data by a controller not established in the EU, but in a place where Member State law applies by virtue of public international law.

Therefore, the territorial scope of the GDPR does not depend on the membership of a country to a particular international agreement or organisation, but on the location and activities of the controller or processor and the data subjects involved in the processing. The Paris Agreement is an international treaty on climate change that aims to limit global warming and reduce greenhouse gas emissions. It does not have any direct or indirect relevance to the GDPR or the protection of personal data. Hence, being a party to the Paris Agreement does not affect the applicability of the GDPR to a country or a controller or processor established in that country.

The other options are incorrect because they are either directly or indirectly related to the GDPR or the protection of personal data. The European Economic Area (EEA) consists of all EU member states plus Iceland, Liechtenstein and Norway. The EEA Agreement allows these three countries to participate in the EU’s internal market and to adopt most of the EU legislation, including the GDPR. Therefore, the GDPR applies to all EEA countries as if they were EU member states. The Treaty of Lisbon is an international agreement that amends the two treaties which form the constitutional basis of the EU. The Treaty of Lisbon introduces several changes to the EU’s institutional structure, decision-making process, and policy areas, including the recognition of the Charter of Fundamental Rights of the EU as legally binding. The Charter of Fundamental Rights of the EU includes the right to the protection of personal data as a fundamental right, and provides the legal basis for the GDPR. Therefore, the GDPR applies to all EU member states that are parties to the Treaty of Lisbon. The European Union (EU) is a political and economic union of 27 member states that are located primarily in Europe. The EU has developed an internal single market through a standardised system of laws that apply in all member states, including the GDPR. Therefore, the GDPR applies to all EU member states by virtue of their membership to the EU. References: Art. 3 GDPR – Territorial scope, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) - version adopted after public consultation, Paris Agreement - Wikipedia, European Economic Area - Wikipedia, Treaty of Lisbon - Wikipedia, European Union - Wikipedia