IAPP CIPP-E Practice Test - Questions Answers, Page 18

A data controller appoints a data protection officer. Which of the following conditions would NOT result in an infringement of Articles 37 to 39 of the GDPR?

A. If the data protection officer lacks ISO 27001 auditor certification.

B. If the data protection officer is provided by the data processor.

C. If the data protection officer also manages the marketing budget.

D. If the data protection officer receives instructions from the data controller.

Suggested answer: A

Explanation:

A data controller appointing a data protection officer who lacks ISO 27001 auditor certification would not result in an infringement of Articles 37 to 39 of the GDPR. According to Article 37(5) of the GDPR, the data protection officer must be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39 [1]. However, the GDPR does not specify any formal qualifications or certifications that the data protection officer must have, and leaves it to the discretion of the controller or the processor to determine the level of expertise required, depending on the complexity and sensitivity of the data processing activities [2]. Therefore, the lack of ISO 27001 auditor certification, which is a standard for information security management systems, does not necessarily mean that the data protection officer is not qualified or competent for the role.

The other options are incorrect because they would result in an infringement of Articles 37 to 39 of the GDPR. According to Article 37(6) of the GDPR, the data protection officer may be a staff member of the controller or the processor, or fulfil the tasks on the basis of a service contract [1]. However, the data protection officer must be independent and report directly to the highest management level of the controller or the processor [3]. Therefore, if the data protection officer is provided by the data processor, there may be a conflict of interest or a lack of autonomy, which would violate Article 38(3) and (6) of the GDPR [4].

According to Article 38(6) of the GDPR, the data protection officer may fulfil other tasks and duties, provided that they do not result in a conflict of interests [4]. However, managing the marketing budget would likely involve a conflict of interests, as the data protection officer would have to oversee and advise on the data processing activities related to marketing, which may not be compatible with his or her role as a data protection officer [5]. Therefore, if the data protection officer also manages the marketing budget, this would infringe Article 38(6) of the GDPR [4].

According to Article 38(3) of the GDPR, the data protection officer must not receive any instructions regarding the exercise of his or her tasks [4]. The data protection officer must act in an independent manner and perform the tasks assigned by the GDPR, such as informing and advising the controller or the processor and the employees, monitoring compliance, cooperating with the supervisory authority, and acting as the contact point for data subjects and the supervisory authority [6]. Therefore, if the data protection officer receives instructions from the data controller, this would infringe Article 38(3) of the GDPR [4].

Reference: 1: Article 37 of the GDPR; 2: Guidelines on Data Protection Officers ('DPOs'); 3: Article 38(2) of the GDPR; 4: Article 38 of the GDPR; 5: Data protection officer (DPO) | European Commission; 6: Article 39 of the GDPR

Data retention in the EU was underpinned by a legal framework established by the Data Retention Directive (2006/24/EC). Why is the Directive no longer part of EU law?

A. The Directive was superseded by the EU Directive on Privacy and Electronic Communications.

B. The Directive was superseded by the General Data Protection Regulation.

C. The Directive was annulled by the Court of Justice of the European Union.

D. The Directive was annulled by the European Court of Human Rights.

Suggested answer: C

Explanation:

The Data Retention Directive (2006/24/EC) was a legal framework that required Member States to ensure that providers of publicly available electronic communications services or of public communications networks retained certain data for a period of between six months and two years, for the purpose of the prevention, investigation, detection and prosecution of serious crime [1]. However, on 8 April 2014, the Court of Justice of the European Union (CJEU) declared the Directive invalid, as it entailed a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without limiting the access of the competent national authorities to the data retained to what was strictly necessary [2]. The CJEU also found that the Directive did not provide sufficient safeguards to ensure effective protection of the data against the risk of abuse and against any unlawful access and use of the data [2]. Therefore, the Directive is no longer part of EU law.

Reference:

1: Directive 2006/24/EC of the European Parliament and of the Council

2: Court of Justice of the European Union PRESS RELEASE No 54/14


Which of the following is the weakest lawful basis for processing employee personal data?

A. Processing based on fulfilling an employment contract.

B. Processing based on employee consent.

C. Processing based on legitimate interests.

D. Processing based on legal obligation.

Suggested answer: B

Explanation:

According to the GDPR, consent is one of the six lawful bases for processing personal data, but it is not always the most appropriate one. Consent must be freely given, specific, informed and unambiguous, and the data subject must have the right to withdraw it at any time [1]. In the context of employment, consent is often not a valid lawful basis, because there is a clear imbalance of power between the employer and the employee, which means that the consent is not freely given [2]. Moreover, consent can be difficult to manage and document, and it can pose practical problems if the employee withdraws it. Therefore, consent is the weakest lawful basis for processing employee personal data, and employers should rely on other lawful bases, such as contract, legal obligation, vital interests, public task or legitimate interests, depending on the purpose and necessity of the processing [3].

Reference: 1: Article 4(11) and Article 7 of the GDPR; 2: [EDPB Guidelines], page 6; 3: A Guide to Lawful Basis for Processing Employee Personal Data.

An organization receives a request multiple times from a data subject seeking to exercise his rights with respect to his own personal data. Under what condition can the organization charge the data subject a fee for processing the request?

A. Only where the organization can show that it is reasonable to do so because more than one request was made.

B. Only to the extent this is allowed under the restrictions on data subjects' rights introduced under Art 23 of GDPR.

C. Only where the administrative costs of taking the action requested exceed a certain threshold.

D. Only if the organization can demonstrate that the request is clearly excessive or misguided.

Suggested answer: D

Explanation:

According to the GDPR, data subjects have the right to access, rectify, erase, restrict, port and object to the processing of their personal data. These rights are not absolute and may be subject to limitations and conditions. One of these conditions is that the controller may charge a reasonable fee for the administrative costs of complying with the request if it is manifestly unfounded or excessive, in particular because of its repetitive character (Art 12(5) of GDPR). The controller has the burden of proving the manifestly unfounded or excessive character of the request. The fee must not exceed the actual costs incurred by the controller and must not prevent the exercise of the data subject's rights.

Reference:

GDPR, Art 12(5)

Free CIPP/E Study Guide, p. 13

European Data Protection Law & Practice, p. 121

To receive a preliminary interpretation on provisions of the GDPR, a national court will refer its case to which of the following?

A. The Court of Justice of the European Union.

B. The European Data Protection Supervisor.

C. The European Court of Human Rights.

D. The European Data Protection Board.

Suggested answer: A

Explanation:

The Court of Justice of the European Union (CJEU) is the judicial body of the EU that makes decisions on issues of EU law and enforces European decisions either in respect to actions taken by the European Commission against a member state or actions taken by individuals to enforce their rights under EU law. The CJEU consists of two courts: the Court of Justice and the General Court. The CJEU ensures the uniform interpretation and application of EU law across the EU and settles disputes between EU institutions, member states, and individuals.

According to the EU Treaties, EU Member States' courts may, or, in case no appeal from their decisions is possible, must, ask the CJEU to rule on the interpretation and validity of disputed provisions of EU law. Such decisions are known as preliminary rulings, by which the CJEU expresses its ultimate authority to interpret EU law and which are binding for all national courts in the EU when they apply those specific provisions in individual cases. Since May 2018, when the GDPR became applicable across the EU, the CJEU has played an important role in clarifying the meaning and scope of some of its key concepts. For instance, the Court notably ruled that two parties as different as a website owner that has embedded a Facebook plugin and Facebook may be qualified as joint controllers by taking converging decisions (Fashion ID case), that consent for online data processing is not validly expressed through pre-ticked boxes (Planet49 case), and that the European Commission Decision to grant adequacy to the EU-US Privacy Shield framework is invalid as a mechanism for international data transfers, and supplemental measures may be necessary to lawfully transfer data outside of the EU on the basis of Commission-vetted model clauses (Schrems II case).

Therefore, to receive a preliminary interpretation on provisions of the GDPR, a national court will refer its case to the Court of Justice of the European Union, which is the ultimate authority on EU law and the GDPR.

Reference:

GDPR

Court of Justice of the European Union

Court of Justice of the European Union - International Association of Privacy Professionals

Judicial enforcement of EU law | European Foundation for the Improvement of Living and Working Conditions

[Competences of the Court of Justice of the European Union]

A grade school is planning to use facial recognition to track student attendance. Which of the following may provide a lawful basis for this processing?

A. The school places a notice near each camera.

B. The school gets explicit consent from the students.

C. Processing is necessary for the legitimate interests pursued by the school.

D. A state law requires facial recognition to verify attendance.

Suggested answer: B

Explanation:

The use of facial recognition technology to track student attendance involves the processing of biometric data, which is a special category of personal data under the GDPR. Such data can only be processed under certain conditions, one of which is the explicit consent of the data subject [1]. Therefore, the school may provide a lawful basis for this processing if it obtains the explicit consent of the students (or their legal guardians, if the students are minors). The consent must be freely given, specific, informed and unambiguous, and the students must have the right to withdraw their consent at any time [2]. The other options do not provide a lawful basis for this processing, as they do not meet the requirements for processing special categories of data. Placing a notice near each camera does not constitute consent, nor does it comply with the transparency principle [3]. Processing for the legitimate interests of the school may be a valid basis for processing personal data in general, but not for processing biometric data, unless it is authorised by a specific law that provides suitable safeguards [4]. A state law that requires facial recognition to verify attendance may also be a valid basis for processing personal data in general, but not for processing biometric data, unless it is necessary for reasons of substantial public interest and provides suitable safeguards [5].

Reference:

Free CIPP/E Study Guide, page 24, section 3.2

CIPP/E Certification, page 19, section 3.2

Cipp-e Study guides, Class notes & Summaries, page 17, section 3.2

Special categories of personal data - General Data Protection Regulation (GDPR), Article 9

Consent - General Data Protection Regulation (GDPR), Article 7

Principles - General Data Protection Regulation (GDPR), Article 5

Lawfulness of processing - General Data Protection Regulation (GDPR), Article 6

Special categories of personal data - General Data Protection Regulation (GDPR), Article 9

SCENARIO

Please use the following to answer the next question:

ABC Hotel Chain and XYZ Travel Agency are U.S.-based multinational companies. They use an internet-based common platform for collecting and sharing their customer data with each other, in order to integrate their marketing efforts. Additionally, they agree on the data to be stored, how reservations will be booked and confirmed, and who has access to the stored data.

Mike, an EU resident, has booked travel itineraries in the past through XYZ Travel Agency to stay at ABC Hotel Chain's locations. XYZ Travel Agency offers a rewards program that allows customers to sign up to accumulate points that can later be redeemed for free travel. Mike has signed the agreement to be a rewards program member.

Now Mike wants to know what personal information the company holds about him. He sends an email requesting access to his data, in order to exercise what he believes are his data subject rights.

What is the time period in which Mike should receive a response to his request?

A. Not more than one month of receipt of Mike's request.

B. Not more than two months after verifying Mike's identity.

C. When all the information about Mike has been collected.

D. Not more than thirty days after submission of Mike's request.

Suggested answer: A

Explanation:

According to the GDPR, the right of access by the data subject is one of the rights granted to individuals to obtain information about the processing of their personal data by a data controller [1]. The data controller must provide a copy of the personal data undergoing processing and additional information, such as the purposes, the categories, the recipients, the retention period, the rights, the source, and the automated decision-making of the processing [1]. The data controller must also inform the data subject of the existence of the right to access and the means to exercise it [2].

The GDPR also specifies the time limit for responding to a data subject access request. The data controller must provide the information without undue delay and in any event within one month of receipt of the request [1]. This period may be extended by two further months where necessary, taking into account the complexity and number of the requests, but the data controller must inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay [1]. The data controller must also verify the identity of the data subject before providing the information, but this verification should not extend the time limit for responding to the request [3].

In this scenario, Mike is an EU resident who has booked travel itineraries through XYZ Travel Agency and stayed at ABC Hotel Chain's locations. Both companies are U.S.-based multinational companies that use a common platform for collecting and sharing their customer data. Mike has signed the agreement to be a rewards program member of XYZ Travel Agency. Mike wants to know what personal information the company holds about him and sends an email requesting access to his data.

Assuming that both companies are subject to the GDPR, either because they offer goods or services to individuals in the EU or because they monitor the behavior of individuals in the EU [4], they must comply with the right of access by the data subject and provide Mike with the information he requests. The time period in which Mike should receive a response to his request is not more than one month of receipt of his request, unless there are grounds for extending the period by two further months. The companies must also verify Mike's identity before providing the information, but this verification should not affect the time limit for responding to the request.

Therefore, the correct answer is A. Not more than one month of receipt of Mike's request.

SCENARIO

Please use the following to answer the next question:

ABC Hotel Chain and XYZ Travel Agency are U.S.-based multinational companies. They use an internet-based common platform for collecting and sharing their customer data with each other, in order to integrate their marketing efforts. Additionally, they agree on the data to be stored, how reservations will be booked and confirmed, and who has access to the stored data.

Mike, an EU resident, has booked travel itineraries in the past through XYZ Travel Agency to stay at ABC Hotel Chain's locations. XYZ Travel Agency offers a rewards program that allows customers to sign up to accumulate points that can later be redeemed for free travel. Mike has signed the agreement to be a rewards program member.

Now Mike wants to know what personal information the company holds about him. He sends an email requesting access to his data, in order to exercise what he believes are his data subject rights.

What are ABC Hotel Chain and XYZ Travel Agency's roles in this relationship?

A. ABC Hotel Chain is the controller and XYZ Travel Agency is the processor.

B. XYZ Travel Agency is the controller and ABC Hotel Chain is the processor.

C. ABC Hotel Chain and XYZ Travel Agency are independent controllers.

D. ABC Hotel Chain and XYZ Travel Agency are joint controllers.

Suggested answer: D

Explanation:

ABC Hotel Chain and XYZ Travel Agency are joint controllers in this relationship, because they jointly determine the purposes and means of the processing of personal data of their customers. According to Article 26 of the GDPR, joint controllers are two or more controllers who jointly participate in the decision-making process regarding the processing of personal data [1]. In this scenario, ABC Hotel Chain and XYZ Travel Agency use a common platform for collecting and sharing customer data, and they agree on the data to be stored, how reservations will be booked and confirmed, and who has access to the stored data. Therefore, they have a common influence on the processing of personal data and share a common objective of integrating their marketing efforts. Moreover, they offer a rewards program that allows customers to sign up to accumulate points that can be redeemed for free travel, which implies a joint benefit from the processing of personal data.

The other options are not correct because they do not reflect the actual roles of ABC Hotel Chain and XYZ Travel Agency in this relationship. A controller is a natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data [2]. A processor is a natural or legal person who processes personal data on behalf of the controller [3]. In this scenario, neither ABC Hotel Chain nor XYZ Travel Agency acts solely or on behalf of the other in processing the personal data of their customers. Rather, they act together in a collaborative manner and share the responsibility and accountability for the processing of personal data. Therefore, they are joint controllers, not independent controllers or controller and processor.

Reference: 1: Article 26 of the GDPR; 2: Article 4(7) of the GDPR; 3: Article 4(8) of the GDPR

SCENARIO

Please use the following to answer the next question:

ABC Hotel Chain and XYZ Travel Agency are U.S.-based multinational companies. They use an internet-based common platform for collecting and sharing their customer data with each other, in order to integrate their marketing efforts. Additionally, they agree on the data to be stored, how reservations will be booked and confirmed, and who has access to the stored data.

Mike, an EU resident, has booked travel itineraries in the past through XYZ Travel Agency to stay at ABC Hotel Chain's locations. XYZ Travel Agency offers a rewards program that allows customers to sign up to accumulate points that can later be redeemed for free travel. Mike has signed the agreement to be a rewards program member.

Now Mike wants to know what personal information the company holds about him. He sends an email requesting access to his data, in order to exercise what he believes are his data subject rights.

In which of the following situations would ABC Hotel Chain and XYZ Travel Agency NOT have to honor Mike's data access request?

A. The request is to obtain access and correct inaccurate personal data in his profile.

B. The request is to obtain access and information about the purpose of processing his personal data.

C. The request is to obtain access and erasure of his personal data while keeping his rewards membership.

D. The request is to obtain access and the categories of recipients who have received his personal data to process his rewards membership.

Suggested answer: C

Explanation:

According to the GDPR, the data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: (a) the purposes of the processing; (b) the categories of personal data concerned; (c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; (d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (f) the right to lodge a complaint with a supervisory authority; (g) where the personal data are not collected from the data subject, any available information as to their source; (h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject [1]. The data subject also has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her [2]. Therefore, options A, B and D are valid data access requests that ABC Hotel Chain and XYZ Travel Agency have to honor, as they fall within the scope of the right of access and rectification.

However, option C is not a valid data access request, as it involves the right to erasure, which is a separate right from the right of access. The right to erasure, also known as the right to be forgotten, entitles the data subject to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: (a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing; (c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2); (d) the personal data have been unlawfully processed; (e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; (f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) [3]. However, the right to erasure is not absolute and does not apply where processing is necessary: (a) for exercising the right of freedom of expression and information; (b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3); (d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or (e) for the establishment, exercise or defence of legal claims [4].

In this scenario, Mike's request to obtain access and erasure of his personal data while keeping his rewards membership is not a valid data access request, as it contradicts the right to erasure. If Mike wants to exercise his right to erasure, he has to withdraw his consent for the processing of his personal data by ABC Hotel Chain and XYZ Travel Agency, which means that he cannot keep his rewards membership, as it is based on the processing of his personal data. Moreover, ABC Hotel Chain and XYZ Travel Agency may have other legal grounds for retaining his personal data, such as compliance with a legal obligation or the establishment, exercise or defence of legal claims. Therefore, option C is the correct answer, as it is the only situation where ABC Hotel Chain and XYZ Travel Agency do not have to honor Mike's data access request.

Reference: [1] Article 15 of the GDPR; [2] Article 16 of the GDPR; [3] Article 17(1) of the GDPR; [4] Article 17(3) of the GDPR; Free CIPP/E Study Guide, pages 33-35.

Which of the following Convention 108+ principles, as amended in 2018, is NOT consistent with a principle found in the GDPR?

A.

The obligation of companies to declare data breaches.

B.

The requirement to demonstrate compliance to a supervisory authority.

C.

The necessity of the bulk collection of personal data by the government.

Suggested answer: C

Explanation:

Convention 108+ is the modernized version of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, which was opened for signature on 10 October 2018 [1]. Convention 108+ aims to reinforce the protection of individuals, strengthen the implementation of the Convention, and promote it as a universal standard for data protection [2]. Convention 108+ reflects the same principles as those enshrined in the EU's General Data Protection Regulation (GDPR), which applies from 25 May 2018 [3]. Therefore, Convention 108+ and the GDPR are largely consistent and coherent in their provisions and objectives.

However, one of the principles of the Convention 108+ that is not consistent with a principle found in the GDPR is the necessity of the bulk collection of personal data by the government. The Convention 108+ allows for the possibility of bulk collection of personal data by the government for national security purposes, subject to certain safeguards and oversight mechanisms. The GDPR, on the other hand, does not regulate the processing of personal data by the government for national security purposes, as this falls outside the scope of EU law. The GDPR also does not explicitly endorse the bulk collection of personal data by the government, but rather requires that any processing of personal data must be based on a legal basis, respect the principles of data protection, and ensure the rights and freedoms of data subjects. Therefore, the correct answer is C.

Reference:

[1] Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data

[2] Convention 108+ and the GDPR

[3] General Data Protection Regulation

Convention 108+: the consultative committee of the convention for the protection of individuals with regard to the processing of personal data (T-PD) publishes its guidelines on artificial intelligence and data protection

Article 3 GDPR -- Territorial scope

Article 5 GDPR -- Principles relating to processing of personal data


Total 271 questions