Pass the IAPP Certified Information Privacy Professional CIPP-E Questions and answers with ExamsMirror

According to the GDPR, one of the legal bases for transferring personal data to a third country or an international organization is when the transfer is necessary for the protection of the vital interests of the data subject or of another person, where the data subject is physically or legally incapable of giving consent (Article 49(1)©). This exception applies only in very limited and exceptional situations, such as life-threatening medical emergencies. In this scenario, ProStorage most likely relied on this legal basis to transfer Ruth’s medical information to the hospital in India, where she suffered a medical emergency and was hospitalized. Ruth was presumably unable to give her consent due to her health condition, and the transfer of her medical information was necessary to protect her vital interests, such as her life or health. Therefore, this transfer mechanism was more appropriate than the other options, which either require consent or are not relevant to the situation.

References: GDPR, Article 49(1)©1; EDPB Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/6792, page 9.

According to the European Data Protection Law & Practice textbook, page 326, “the CJEU held that the search engine operator is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.” However, the CJEU also stated that “the operator of the search engine as the person responsible for that processing must, at the latest on the occasion of the erasure from its list of results, disclose to the operator of the web page containing that information the fact that that web page will no longer appear in the search engine’s results following a search made on the basis of the data subject’s name.” Therefore, SearchCo must notify the newspaper that it is delisting the article, as part of its obligation to respect the data subject’s right to be forgotten. References:

European Data Protection Law & Practice, page 326

CJEU Judgment in Case C-131/12 Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González, paragraphs 88 and 93

 A layered notice is a privacy notice designed to respond to problems with excessively long notices1. A short notice — the top layer — provides a user with the key elements of the privacy notice, such as the identity of the organisation, the purposes of the processing, and the rights of the data subjects2. The full notice — the bottom layer — covers all the intricacies in full, such as the lawful basis, the retention periods, and the recipients of the personal data2. The ICO recommends using a layered approach to deliver privacy information in a concise, transparent, intelligible, and easily accessible way, as required by the UK GDPR3. A layered notice allows data subjects to access the information they need at the appropriate level of detail and helps organisations to comply with the right to be informed23. References: 2

1. A request may be manifestly unfounded or excessive if it has no clear purpose, is clearly frivolous or vexatious, is made repeatedly by the same data subject, or goes beyond what is reasonably necessary to fulfil the data subject’s request2. In such cases, the organisation can either charge a reasonable fee or refuse to act on the request, but it must be able to justify its decision and inform the data subject of the reasons and their right to lodge a complaint with a supervisory authority or a judicial remedy1. The other options are not correct, as they either do not reflect the conditions for charging a fee under the GDPR, or are not relevant to the question. References: Right of access | ICO, Charge for a Data Subject Request GDPR - GDPR Wiki

The GDPR establishes a two-tier system of administrative fines for infringements of its provisions, depending on the nature, gravity, and duration of the infringement, as well as other factors such as the intentional or negligent character of the infringement, the actions taken to mitigate the damage, the degree of co-operation with the supervisory authority, and any previous infringements1. The lower tier of fines can be up to 10 million euros or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher1. The lower tier of fines applies to infringements of the GDPR relating to the following aspects1:

The obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, and 42 and 43;

The obligations of the certification body pursuant to Articles 42 and 43;

The obligations of the monitoring body pursuant to Article 41 (4). The higher tier of fines can be up to 20 million euros or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher1. The higher tier of fines applies to infringements of the GDPR relating to the following aspects1:

The basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7, and 9;

The data subjects’ rights pursuant to Articles 12 to 22;

The transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49;

Any obligations pursuant to Member State law adopted under Chapter IX;

Non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58 (2) or failure to provide access in violation of Article 58 (1). Therefore, higher fines are assessed for GDPR violations due to violations of a data subject’s rights, as these are among the infringements that fall under the higher tier of fines. Data subjects’ rights are the rights granted to individuals whose personal data are processed by controllers or processors, such as the right to access, rectify, erase, restrict, object, or port their data, as well as the right to be informed, to withdraw consent, and to lodge a complaint1. Violations of these rights can cause significant harm to the data subjects and undermine the objectives of the GDPR. Therefore, option D is the correct answer. References: Art. 83 GDPR – General conditions for imposing administrative fines, Article 83 GDPR - GDPRhub

According to the transparency principle, data controllers must provide clear and transparent information to data subjects about how their personal data is processed. This information must be easily accessible and easy to understand. Providing a hyperlink to the organization’s home page, in a hard copy application form, is not considered a fair processing practice in relation to the transparency principle, because it does not directly inform the data subject about the specific purposes and legal basis of the processing, the data protection rights and obligations, and the contact details of the data controller and the data protection officer. This information should be provided in a concise, intelligible and easily accessible form, using clear and plain language, in a way that is appropriate to the means of communication. Providing a hyperlink to the organization’s home page, in a hard copy application form, does not meet these criteria and may also be inaccessible to some data subjects who do not have internet access or are not familiar with the use of hyperlinks. Therefore, this option is not a fair processing practice in relation to the transparency principle. References: 1234 https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guidance-for-the-use-of-personal-data-in-political-campaigning-1/lawful-fair-and-transparent- processing/ https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guidance-for-the-use-of-personal-data-in-political-campaigning-1/lawful-fair-and-transparent-processing/

 A lead supervisory authority (LSA) is the main point of contact for organisations that process personal data across multiple EU member states. The LSA is responsible for coordinating cross-border investigations, issuing binding decisions, and enforcing GDPR compliance1. Cross-border processing is the main concern of the LSA, as it involves data processing activities that affect data subjects in more than one member state, or that take place in more than one member state2. The other options are not the main concern of the LSA, as they are either covered by the national supervisory authorities of each member state, or are not specific to cross-border processing. References: Is it possible to choose your lead supervisory authority under the GDPR?, Art. 56 GDPR – Competence of the lead supervisory authority, Navigating GDPR Compliance with a Lead Supervisory Authority, Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority

ABC Hotel Chain and XYZ Travel Agency are joint controllers in this relationship, because they jointly determine the purposes and means of the processing of personal data of their customers. According to Article 26 of the GDPR, joint controllers are two or more controllers who jointly participate in the decision-making process regarding the processing of personal data 1. In this scenario, ABC Hotel Chain and XYZ Travel Agency use a common platform for collecting and sharing customer data, and they agree on the data to be stored, how reservations will be booked and confirmed, and who has access to the stored data. Therefore, they have a common influence on the processing of personal data and share a common objective of integrating their marketing efforts. Moreover, they offer a rewards program that allows customers to sign up to accumulate points that can be redeemed for free travel, which implies a joint benefit from the processing of personal data.

The other options are not correct because they do not reflect the actual roles of ABC Hotel Chain and XYZ Travel Agency in this relationship. A controller is a natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data 2. A processor is a natural or legal person who processes personal data on behalf of the controller 3. In this scenario, neither ABC Hotel Chain nor XYZ Travel Agency act solely or on behalf of the other in processing the personal data of their customers. Rather, they act together in a collaborative manner and share the responsibility and accountability for the processing of personal data. Therefore, they are joint controllers, not independent controllers or controller and processor. References: 1: Article 26 of the GDPR 2: Article 4(7) of the GDPR 3: Article 4(8) of the GDPR

The GDPR defines processors as entities that process personal data on behalf of controllers, typically under a contract or other legal act that sets out the subject matter, duration, nature, purpose, type and categories of personal data, and the obligations and rights of the controller. Processors must act only on the documented instructions of the controller, unless required by law to act otherwise. Processors must also comply with the GDPR’s requirements regarding the security, confidentiality, transfer, sub-processing, notification, assistance, cooperation, and documentation of the personal data processing.

However, the GDPR does not prescribe the exact technical and organisational measures that processors must implement to ensure the security of the personal data processing. Instead, the GDPR requires that processors take into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the risks for the rights and freedoms of data subjects. Therefore, processors have some discretion to determine their own type of hardware or software and the specific security measures for the processing, as long as they provide a level of security appropriate to the risk and comply with the controller’s instructions. Processors may also adhere to approved codes of conduct or certification mechanisms to demonstrate their compliance with the GDPR’s security requirements.

The other options listed in the question are not aspects of processing that the GDPR allows processors to determine for themselves. According to the GDPR:

Processors must inform the controller of any intended changes concerning the addition or replacement of other processors, and give the controller the opportunity to object to such changes. Processors must also impose the same data protection obligations on any sub-processors as those agreed with the controller.

Processors must not process the personal data for their own purposes, unless they have a legal basis to do so and inform the data subjects accordingly. Processors must only process the personal data for the purposes determined by the controller, and in accordance with the controller’s instructions.

Processors must not use the personal data relating to the controller’s customers for their own marketing campaigns, unless they have obtained the consent of the data subjects or have another legitimate interest to do so. Processors must respect the data subjects’ rights to object to direct marketing and to withdraw their consent at any time.

References:

GDPR, Articles 4, 28, 29, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42 and 43.

EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, pages 19, 20, 21, 22, 23, 24, 25, 26, 27 and 28.

Sandy should give this feedback to Dan and the marketing team, as it reflects the principle of data minimization, which requires that personal data collected must be adequate, relevant and limited to what is necessary for the purposes of the processing1. Collecting birth date and salary information from customers who want to download white papers or register for events is not necessary for those purposes, and may pose risks for data protection and security. Moreover, such information may fall under the category of special data, which requires explicit consent from the data subjects and can only be processed under certain conditions2. The other options do not comply with the principle of data minimization, as they still involve collecting more data than needed, even if they are optional or in brackets. References:

Free CIPP/E Study Guide, page 23, section 3.1

CIPP/E Certification, page 18, section 3.1

The Ultimate CIPP/E Study Guide for 2023, page 16, section 3.1

Principles - General Data Protection Regulation (GDPR), Article 5

Special categories of personal data - General Data Protection Regulation (GDPR), Article 9