IAPP CIPP-E Practice Test - Questions Answers, Page 17

Ben's collection of additional data from customers, especially sensitive data such as philosophical beliefs and political opinions, created several potential issues for the company, such as:

The risk of violating the data minimization principle, which requires that personal data collected must be adequate, relevant and limited to what is necessary for the purposes of the processing1.

The risk of infringing the rights and freedoms of the data subjects, who may not be aware of or consent to the secondary use of their data by Ben Knows Best, or the unauthorized access and copying of their data by Sam.

The risk of non-compliance with the GDPR's requirements for processing special categories of data, which include data revealing philosophical beliefs and political opinions.Such data can only be processed under certain conditions, such as explicit consent, substantial public interest, or legal claims2.

The risk of data breaches or losses, as the data is transferred to a separate database, copied by Sam, and stored on the company's servers in Vermont, which may not have adequate security measures or safeguards.

Therefore, the company would most likely require a data protection impact assessment (DPIA) to identify and mitigate these risks.A DPIA is a process that helps assess the impact of the envisaged processing operations on the protection of personal data, and consult with the supervisory authority if the DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk3. The other options are not necessarily required by the GDPR, although they may be good practices or contractual terms.Reference:

Free CIPP/E Study Guide, page 32, section 4.1.2

CIPP/E Certification, page 27, section 4.1.2

The Ultimate CIPP/E Study Guide for 2023, page 36, section 4.1.2

Principles - General Data Protection Regulation (GDPR), Article 5

Special categories of personal data - General Data Protection Regulation (GDPR), Article 9

Data protection impact assessment - General Data Protection Regulation (GDPR), Article 35

Convention 108, also known as the "Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data" was adopted by the Council of Europe in 1981.It was the first legally binding international instrument on data protection and required signatories to take steps in their domestic legislation to apply the principles it lays down in order to ensure respect in their territory for the fundamental human rights of all individuals with regard to processing of personal data1. The Convention covers both the public and private sectors, and applies to any type of data processing, whether automated or not.The Convention also provides for the establishment of independent supervisory authorities and the facilitation of transborder data flows2.

The other options are incorrect because:

B) The General Data Protection Regulation (GDPR) is a regulation of the European Union that came into force in 2018.It is not the first legally binding international instrument on data protection, but rather a successor of the EU Directive 95/46/EC, which was adopted in 1995 and implemented by the EU member states in their national laws3.

C) The Universal Declaration of Human Rights (UDHR) is a resolution of the United Nations General Assembly that was adopted in 1948. It is not a legally binding international instrument, but rather a declaration of common principles and values that guide the development of human rights law.The UDHR does not explicitly mention data protection, but rather recognizes the right to privacy as a fundamental human right in Article 124.

D) The EU Directive on Privacy and Electronic Communications (e-Privacy Directive) is a directive of the European Union that was adopted in 2002 and amended in 2009.It is not the first legally binding international instrument on data protection, but rather a specific instrument that complements the EU Directive 95/46/EC and the GDPR by providing additional rules for the protection of personal data in the context of electronic communications services5.

A multinational company that is appointing a mandatory data protection officer (DPO) must also consult national derogations to evaluate if there are additional cases to be considered in relation to the matter.According to Article 37 (1) of the GDPR, a DPO must be designated by the controller or the processor in any case where: (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; (b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences1.However, Article 37 (4) of the GDPR also allows Member States to provide for additional cases where a DPO must be designated by law1. Therefore, a multinational company must consult the national laws of the EU jurisdictions in which it operates to ensure that it complies with any additional requirements for appointing a DPO.

The other options are not correct because they are not directly related to the appointment of a DPO. Conducting a Data Protection Privacy Assessment, assessing the number of employees, and revising the data processing activities are all good practices for ensuring compliance with the GDPR, but they are not mandatory actions for designating a DPO.Moreover, the number of employees is not a relevant criterion for appointing a DPO, as the GDPR does not set any threshold based on the size of the organization2.Reference:1: Article 37 of the GDPR2:Guidelines on Data Protection Officers ('DPOs')

According to the Treaty on European Union (TEU), the European Parliament shall, jointly with the Council, exercise legislative and budgetary functions.It shall also exercise functions of political control and consultation as laid down in the Treaties1. The Council of the European Union, also known as the Council, is the institution that represents the governments of the Member States.Together with the European Parliament, it adopts European legislation and coordinates the policies of the Member States2.The other options are not correct because: (A) The European Commission is the institution that proposes and implements EU policies, ensures the application of EU law, and represents the Union in international affairs3; (B) The Article 29 Working Party was an advisory body composed of representatives of the national data protection authorities, the European Data Protection Supervisor and the European Commission.It was replaced by the European Data Protection Board in 20184; (D) The European Data Protection Board is an independent body that ensures the consistent application of the General Data Protection Regulation and promotes cooperation among the national data protection authorities5.Reference:1: Article 14(1) of the TEU;2:The Council of the European Union;3:The European Commission;4:Article 29 Working Party;5: [European Data Protection Board].

ccording to the GDPR, the regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not1.The GDPR also applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union1.

In this scenario, a U.S. company's website sells widgets to customers in the EU and places cookies to monitor their behavior.These factors would subject the company to the GDPR, as they indicate that the company is offering goods or services and monitoring the behavior of data subjects in the Union2.However, the fact that the website is in English and French, and is accessible in France, would not in itself subject the company to the GDPR, as these factors do not necessarily imply an intention to target customers in the Union3.The language and accessibility of the website are not sufficient to establish a relevant and sufficient degree of stability and continuity of the company's activities in the Union3. Therefore, the correct answer is B.

Art. 3 GDPR -- Territorial scope

Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)

What does territorial scope mean under the GDPR?

I hope this helps you understand the GDPR and territorial scope better. If you have any other questions, please feel free to ask me.

According to the EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, exporters of personal data to third countries must monitor, on an ongoing basis, developments in those third countries that could affect the level of protection of the personal data they transfer1. This means that exporters must reevaluate whether the transfer tool they rely on, such as standard contractual clauses, binding corporate rules, codes of conduct, or certification mechanisms, is effectively providing a level of personal data protection that is in compliance with the EU level.The EDPB recommends that exporters document this reevaluation and any changes that result from it1. The EDPB does not specify a fixed time interval for this reevaluation, but rather states that it should be done on an ongoing basis, taking into account the specific circumstances of each transfer and any relevant developments in the third country.

1: EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, Version 2.0, adopted on 18 June 2021, paragraphs 85-86.

The Court of Justice of the European Union (CJEU) is the judicial body of the EU that makes decisions on issues of EU law and enforces European decisions either in respect to actions taken by the European Commission against a member state or actions taken by individuals to enforce their rights under EU law. The CJEU consists of two courts: the Court of Justice and the General Court. The CJEU ensures the uniform interpretation and application of EU law across the EU and settles disputes between EU institutions, member states, and individuals. The other options are not correct, as they are not the judicial bodies that make decisions on actions taken by individuals wishing to enforce their rights under EU law. The Court of Auditors is the EU's independent external auditor that checks the legality and regularity of the EU's revenue and expenditure, and the soundness of its financial management. The European Court of Human Rights (ECHR) is an international court that oversees the European Convention on Human Rights and Fundamental Freedoms of 1950. The ECHR is not linked to the EU institutions, and it covers human rights laws across Europe, including in many non-EU countries. The European Data Protection Board (EDPB) is an independent body that ensures the consistent application of the GDPR and issues opinions on various aspects of data protection, but it does not have judicial authority.

Court of Justice of the European Union

Court of Justice of the European Union - International Association of Privacy Professionals

Judicial enforcement of EU law | European Foundation for the Improvement of Living and Working Conditions

Competences of the Court of Justice of the European Union

Sandy should give this feedback to Dan and the marketing team, as it reflects the principle of data minimization, which requires that personal data collected must be adequate, relevant and limited to what is necessary for the purposes of the processing1. Collecting birth date and salary information from customers who want to download white papers or register for events is not necessary for those purposes, and may pose risks for data protection and security.Moreover, such information may fall under the category of special data, which requires explicit consent from the data subjects and can only be processed under certain conditions2. The other options do not comply with the principle of data minimization, as they still involve collecting more data than needed, even if they are optional or in brackets.Reference:

Free CIPP/E Study Guide, page 23, section 3.1

CIPP/E Certification, page 18, section 3.1

The Ultimate CIPP/E Study Guide for 2023, page 16, section 3.1

Principles - General Data Protection Regulation (GDPR), Article 5

Special categories of personal data - General Data Protection Regulation (GDPR), Article 9

According to the GDPR, pseudonymization is a technique that replaces or removes information in a data set that identifies an individual.Pseudonymized data can no longer be attributed to a specific data subject without the use of additional information, which is kept separately and subject to technical and organizational measures to ensure non-attribution1.Pseudonymization is not a method of anonymization, which means that the data is irreversibly altered in such a way that a data subject can no longer be identified2.Pseudonymized data is still considered personal data and subject to the GDPR, but it benefits from some relaxations of the rules, such as the possibility of further processing for compatible purposes, the exemption from some data subject rights, and the facilitation of data transfers3.

In this scenario, Market4U is an advertising technology company that collects and processes a large amount of personal data from its contacts, including sensitive data such as birth date and salary. This data can be used to gain insights into the preferences and behavior of its potential customers, as well as to identify trends and opportunities in different industry verticals. However, this data also poses significant risks for Market4U, such as data breaches, non-compliance, reputational damage, and legal liability.Therefore, Market4U needs to apply the principle of data minimization, which means that it should only collect and process the data that is necessary and relevant for its purposes, and delete the data that is no longer needed4.

One of the ways that Market4U can achieve data minimization is by pseudonymizing the personal data that it uses for analysis. By doing so, Market4U can reduce the risks associated with the processing of personal data, while still retaining the utility and value of the data for its purposes.Pseudonymization can also help Market4U to comply with other GDPR principles, such as purpose limitation, storage limitation, and integrity and confidentiality5.Pseudonymization can also enable Market4U to rely on legitimate interests as a legal basis for the processing of personal data for analysis, as long as it conducts a balancing test and respects the rights and interests of the data subjects6.

Therefore, the best way that Sandy can gain the insights that Dan seeks while still minimizing risks for Market4U is to conduct analysis only on pseudonymized personal data. This option would allow Market4U to use the data for its legitimate business purposes, without compromising the privacy and security of the data subjects.

The other options are incorrect because:

A) Conducting analysis only on anonymized personal data would not be feasible or effective for Market4U, as anonymization is a very difficult and complex process that requires the removal or alteration of any information that can identify an individual, directly or indirectly. Anonymization may also result in the loss of accuracy, quality, and utility of the data, which would undermine the value and purpose of the analysis.Moreover, anonymization is irreversible, which means that Market4U would not be able to restore the original data if needed2.

C) Deleting all data collected prior to May 2018 after conducting the trend analysis would not be compliant with the GDPR, as it would violate the principle of storage limitation, which requires that personal data should be kept only for as long as necessary for the purposes for which it is processed. Market4U cannot justify the retention of the data for longer than needed, especially if the data is outdated, irrelevant, or excessive.Moreover, deleting the data after the analysis would not eliminate the risks associated with the processing of the data, such as data breaches or unauthorized access4.

D) Procuring a third party to conduct the analysis and delete the data from Market4U's systems would not be a good solution for Market4U, as it would involve the transfer of personal data to another data controller or processor, which would require additional safeguards and obligations under the GDPR. Market4U would still be responsible for ensuring the compliance and security of the data, and would have to enter into a data processing agreement with the third party, as well as inform and obtain the consent of the data subjects, if applicable.Furthermore, procuring a third party would entail additional costs and risks for Market4U, such as losing control and visibility over the data, or exposing the data to unauthorized or unlawful processing by the third party7.