IAPP CIPP-E Practice Test - Questions Answers, Page 16

The Customer for Life plan may conflict with Article 7 of the GDPR, which states that "the data subject shall have the right to withdraw his or her consent at any time" and that "it shall be as easy to withdraw as to give consent''1. The plan violates this principle by stating that customers agree not to withdraw direct marketing consent and that the company can ignore any attempts to do so.This is not a valid way of obtaining or maintaining consent, as consent must be freely given, specific, informed and unambiguous2.Moreover, the plan may also conflict with Article 21 of the GDPR, which gives data subjects the right to object to direct marketing at any time3.Reference:1: Article 7(3) of the GDPR2: Article 4(11) of the GDPR3: Article 21(2) of the GDPR

I hope this helps. If you have any other questions, please feel free to ask.

According to the GDPR, the territorial scope of the regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behavior as far as their behavior takes place within the Union1. In this scenario, Who-R-U is not established in the Union, but it is collecting location information of its Canadian customers who use the app while traveling abroad, including in the EU. This constitutes monitoring of their behavior within the Union, and therefore triggers the application of the GDPR.The other options are not correct because: (A) Who-R-U does not have any establishment in the Union, as the naming-rights deal does not involve any technology or infrastructure; (B) Who-R-U is not offering goods or services to data subjects in the Union, as it only targets Canadian customers and blocks internet traffic from outside of Canada; Who-R-U is not engaging in commercial activities conducted in the Union, as it only accepts Canadian currency and does not process orders that request the DNA report to be sent outside of Canada.Reference:1: Article 3(2) of the GDPR;Free CIPP/E Study Guide, page 11.

According to the GDPR, a data breach must be notified to the supervisory authority of the member state where the controller or processor is established, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons1.The GDPR defines a controller as 'the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data'2.The GDPR also specifies that a controller or processor is considered to be established in the Union if it has "an effective and real exercise of activity through stable arrangements" in the Union, regardless of its legal form or location of its headquarters3.

In this scenario, Who-R-U is not a controller established in the Union, because it does not have any stable arrangements in the Union that involve the processing of personal data. The company only offers its services to Canadians, and does not target or monitor individuals in the Union. The fact that it has purchased the naming rights for a building in Germany, which comes with a few offices, does not constitute an effective and real exercise of activity in the Union, as the offices do not include any technology or infrastructure for processing personal data, and are only used by executives while traveling internationally. Therefore, Who-R-U is not subject to the GDPR's data breach notification obligation, and is not required to notify the local German DPA about the laptop theft.

Art. 33 GDPR -- Notification of a personal data breach to the supervisory authority

Art. 4 GDPR -- Definitions

Art. 3 GDPR -- Territorial scope

Guidelines 9/2022 on personal data breach notification under GDPR

Guidelines 3/2018 on the territorial scope of the GDPR

I hope this helps you understand the GDPR and data breach notification better. If you have any other questions, please feel free to ask me.

According to Article 13 of the GDPR, when personal data are collected from the data subject, the data controller must provide the data subject with the following information, among others1:

The identity and the contact details of the controller and, where applicable, of the controller's representative;

The contact details of the data protection officer, where applicable;

The purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

The recipients or categories of recipients of the personal data, if any;

Where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

In the scenario, Wonderkids provides some of this information in their Privacy Statement, but not all. They do not specify the categories of recipients with whom they will share the personal data of their customers and their children. They only state that they will share the data with businesses that they see as adding real value to the customers, which is vague and ambiguous. This does not comply with the GDPR requirement to inform the data subjects about the recipients or categories of recipients of their personal data, if any. Therefore, Wonderkids must provide this additional information in their Privacy Statement.

1: Art. 13 GDPR Information to be provided where personal data are collected from the data subject

The GDPR (General Data Protection Regulation) applies to any organisation that processes personal data of EU residents, regardless of where the processing takes place. Therefore, WonderKids, as a data controller based in France, must comply with the GDPR when it transfers personal data to its hosting service provider in Switzerland, which acts as a data processor on behalf of WonderKids.

According to Article 28 of the GDPR, data controllers must only use data processors that provide sufficient guarantees to implement appropriate technical and organisational measures to ensure the protection of the rights of the data subjects and the security of the data. The data controller and the data processor must also enter into a written contract or other legal act that sets out the subject matter, duration, nature, and purpose of the processing, as well as the obligations and rights of the data controller.

The contract must include, among other things, the following provisions:

The data processor must process the personal data only on documented instructions from the data controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by EU or member state law;

The data processor must ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

The data processor must take all measures required pursuant to Article 32 of the GDPR, which relates to the security of the processing;

The data processor must respect the conditions for engaging another processor, and inform the data controller of any intended changes concerning the addition or replacement of other processors, giving the data controller the opportunity to object to such changes;

The data processor must assist the data controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, which relate to the security of the processing, the notification of personal data breaches, the communication of personal data breaches to data subjects, the data protection impact assessment, and the prior consultation with the supervisory authority;

The data processor must, at the choice of the data controller, delete or return all the personal data to the data controller after the end of the provision of services relating to the processing, and delete existing copies unless EU or member state law requires storage of the personal data;

The data processor must make available to the data controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the data controller or another auditor mandated by the data controller.

Therefore, among the four options, the one that must be included in the contract between WonderKids and the hosting service provider is the requirement to implement technical and organisational measures to protect the data, as this is part of the data processor's obligations under Article 28 and Article 32 of the GDPR.

The other options are not mandatory under the GDPR, although they may be advisable or desirable depending on the circumstances. Controller-to-controller model contract clauses are used when personal data is transferred from one data controller to another data controller, not from a data controller to a data processor. Audit rights for the data subjects are not explicitly required by the GDPR, although the data controller must ensure that the data processor allows for and contributes to audits conducted by the data controller or another auditor mandated by the data controller. A non-disclosure agreement may be useful to protect the confidentiality of the personal data, but it is not sufficient to ensure the compliance with the GDPR, as it does not cover all the aspects of the data processing relationship.

GDPR

Web Hosting and GDPR Compliance - What to Look For

The GDPR: Why you need to review your third-party service providers' security

GDPR Compliance for Third-Party Service Providers: Vendor Management

According to the ePrivacy Directive, which regulates direct electronic marketing in the EU, consent is generally required before sending marketing emails or texts.However, there is an exception known as the 'soft opt-in', which allows marketing emails or texts to be sent on an opt-out basis if the recipient's details were collected "in the context of the sale of a product or a service" and the marketing is for "similar products or services" provided by the same organisation12. Therefore, WonderKids can send direct marketing information by email without prior consent of the person booking the childcare, as long as the information is about similar products or services to those purchased from WonderKids, and the person is given a clear and easy way to opt out of receiving such emails. The other options are not allowed under the ePrivacy Directive, unless the person has given explicit consent to receive them.Reference:

Free CIPP/E Study Guide, page 33, section 4.1.3

CIPP/E Certification, page 28, section 4.1.3

Cipp-e Study guides, Class notes & Summaries, page 39, section 4.1.3

Direct marketing rules and exceptions under the GDPR, paragraph 5

Marketing | ICO, section "What does the 'soft opt-in' mean?''

According to the GDPR, personal data means any information relating to an identified or identifiable natural person1.Body temperature is a type of personal data that can reveal information about an individual's health and therefore constitutes special category data under Article 9 of the GDPR2. However, not every activity involving personal data falls within the scope of the GDPR.The GDPR applies only to the processing of personal data wholly or partly by automated means or to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system3.

In this scenario, the organization conducts body temperature checks as a part of COVID-19 monitoring. Body temperature is measured manually and is not followed by registration, documentation or other processing of an individual's personal data. This means that the organization does not use any automated means to collect, store, or process the body temperature data, nor does it create or intend to create a filing system that contains such data. Therefore, this practice does not involve any processing of personal data within the meaning of the GDPR and is not subject to its rules and obligations.

The other options are incorrect because:

A)Body temperature is considered personal data, as it can be linked to an identifiable natural person and reveal information about their health2.

C)Body temperature is not considered pseudonymous data, as it is not processed in a way that the data can no longer be attributed to a specific data subject without the use of additional information4.

D)The practice is not for the purpose of alleviating extreme risks to public health, as it is not based on any legal obligation, public interest, or vital interest that would justify the processing of special category data under Article 9 of the GDPR5.

When assessing the level of risk created by a data breach, the size of any data processor involved would not have to be taken into consideration.According to the GDPR, a data breach is "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed''1.The GDPR requires data controllers and processors to notify the relevant supervisory authority of a data breach within 72 hours, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons2.The GDPR also requires data controllers to communicate the data breach to the affected data subjects without undue delay, if the breach is likely to result in a high risk to their rights and freedoms3.

The GDPR does not specify the exact criteria for determining the level of risk, but it provides some guidance in Recital 85, which states that "the likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing" . The recital also mentions some factors that could increase the risk, such as the ease of identification of individuals, the special categories of personal data, the large scale of the processing, or the special characteristics of the data controller . Therefore, these factors should be taken into consideration when assessing the level of risk created by a data breach.

However, the size of any data processor involved is not relevant for the risk assessment, as it does not affect the impact of the breach on the data subjects. The data processor is only responsible for processing the personal data on behalf of the data controller, and has no direct relationship with the data subjects . The data processor's obligations in case of a data breach are to notify the data controller without undue delay, and to assist the data controller in complying with its obligations under the GDPR .The data processor's size may affect its ability to fulfill these obligations, but it does not change the level of risk created by the data breach itself.Reference:1: Article 4(12) of the GDPR2: Article 33 of the GDPR3: Article 34 of the GDPR : Recital 85 of the GDPR : Article 4(8) of the GDPR : Article 28 of the GDPR

I hope this helps. If you have any other questions, please feel free to ask.

Article 80(1) of the GDPR states that the data subject shall have the right to mandate a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects' rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf, to exercise the rights referred to in Articles 77, 78 and 79 on his or her behalf, and to exercise the right to receive compensation referred to in Article 82 on his or her behalf1.These not-for-profit bodies, organisations or associations are commonly referred to as civil society organizations, as they represent the interests of citizens and groups in the public sphere2.The other options are not correct because: (A) Law firm organizations are not necessarily not-for-profit or active in the field of data protection; Human rights organizations are a subset of civil society organizations, but not all civil society organizations are focused on human rights; (D) Constitutional rights organizations are also a subset of civil society organizations, but not all civil society organizations are concerned with constitutional rights.Reference:1: Article 80(1) of the GDPR;2:Free CIPP/E Study Guide, page 48.