IAPP CIPP-E Practice Test - Questions Answers, Page 2

According to the GDPR, consent is one of the six lawful bases for processing personal data. Consent means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Consent can be withdrawn at any time, and the withdrawal of consent must be as easy as giving it. Therefore, an individual can withdraw her consent for processing when she no longer wishes to be sent marketing materials from an organization, as this is a clear indication of her wishes and does not affect the lawfulness of the processing based on consent before its withdrawal. The other situations are not related to consent, but to other lawful bases such as contract, legitimate interest or legal obligation.Reference:Free CIPP/E Study Guide, page 9;CIPP/E Certification, page 3; GDPR, Article 4(11), Article 6(1)(a), Article 7(3).

According to the CIPP/E study guide, the Court of Justice of the European Union (CJEU) ruled in the case of Google Spain SL, Google Inc.v Agencia Espaola de Proteccin de Datos (AEPD), Mario Costeja Gonzlez1that an Internet search engine operator is responsible for the processing of personal data that appear on web pages published by third parties, and that such operator must comply with the EU data protection law when it has an establishment in the EU. The CJEU held that Google Spain and Google Inc. were inextricably linked in their businesses, since Google Spain promoted and sold advertising space offered by Google Inc., which oriented its activity towards the inhabitants of Spain. Therefore, Google Inc. was subject to the EU data protection law through its subsidiary Google Spain, even though the personal data processing was carried out by Google Inc. outside the EU.This implies that search engines outside the EEA are also likely to be subject to the Regulation's right to be forgotten if they have an establishment in the EU that is inextricably linked to their parent company.Reference:1: CIPP/E study guide, page 16;Google Spain v AEPD and Mario Costeja Gonzlez

According to theEuropean Data Protection Law & Practicetextbook, page 326, "the CJEU held that the search engine operator is obliged to remove from the list of results displayed following a search made on the basis of a person's name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful." However, the CJEU also stated that "the operator of the search engine as the person responsible for that processing must, at the latest on the occasion of the erasure from its list of results, disclose to the operator of the web page containing that information the fact that that web page will no longer appear in the search engine's results following a search made on the basis of the data subject's name." Therefore, SearchCo must notify the newspaper that it is delisting the article, as part of its obligation to respect the data subject's right to be forgotten.Reference:

European Data Protection Law & Practice, page 326

CJEU Judgment in Case C-131/12 Google Spain SL, Google Inc. v Agencia Espaola de Proteccin de Datos, Mario Costeja Gonzlez, paragraphs 88 and 93

According to Article 28(2) of the GDPR, the processor may not engage another processor (sub-processor) without the prior specific or general written authorization of the controller. In the case of general written authorization, the processor must inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes. Furthermore, Article 28(4) of the GDPR states that where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR. Therefore, the processor must ensure that the sub-processor complies with data processing obligations that are equivalent to those that apply to the processor.Reference:

Article 28 of the GDPR

European Data Protection Law & Practice textbook, Chapter 6: Data Processing Obligations, Section 6.3: Processor Obligations, Subsection 6.3.2: Sub-processors

According to Article 28(3)(f) of the GDPR, the written agreement between the controller and the processor must include an obligation on the processor to assist the controller in ensuring compliance with the controller's obligations pursuant to Articles 32 to 36 of the GDPR. These obligations include notifying the supervisory authority and the data subjects about personal data breaches, as well as conducting data protection impact assessments and consulting with the supervisory authority when required. The processor must assist the controller by taking appropriate technical and organisational measures, insofar as this is possible, and considering the nature of the processing and the information available to the processor.Reference:

GDPR Article 28(3)(f)

CIPP/E Textbook, Chapter 6, Section 6.2.2, page 154

Free CIPP/E Study Guide, page 18

The GDPR requires that the processor only processes personal data on behalf of the controller and according to the controller's instructions12.The agreement between the controller and the processor must include provisions that ensure that the processor does not process personal data for any other purposes or in a manner that is inconsistent with the controller's instructions34.Therefore, if the processor stores personal data that is not necessary for the performance of the contract with the controller, such as the social network followers of the client, this is a breach of the GDPR and the processor may be fined2. The fact that the data base is password-protected does not affect the applicability of the GDPR or the security principle, as the data is still personal data that can identify data subjects.The storage limitation principle also requires that personal data be kept for no longer than is necessary for the purposes for which the personal data are processed, so deleting the data base after the audit does not make the situation compliant.Reference:1: Article 28 of the GDPR2: Guidelines 07/2020 on the concepts of controller and processor in the GDPR3: Understanding Controller-to-Processor Agreements - GDPR Advisor4: New Guidelines on Data Controllers and Processors: Time to Review Data Processing Agreements : Article 4 of the GDPR : Article 5 of the GDPR

A) Consent management and withdrawal.Comprehensive Explanation:Article 32 of the GDPR requires the controller and the processor to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing. These measures should take into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the risks of varying likelihood and severity for the rights and freedoms of natural persons. The three domains of security covered by Article 32 are:

Preventative security:This refers to the measures that aim to prevent or reduce the likelihood of security incidents, such as unauthorized or unlawful access, disclosure, alteration, loss or destruction of personal data. Examples of preventative security measures include encryption, pseudonymization, access control, firewalls, antivirus software, etc.

Incident detection and response:This refers to the measures that aim to detect, analyze, contain, eradicate and recover from security incidents, as well as to notify the relevant authorities and data subjects, and to document the facts and actions taken. Examples of incident detection and response measures include security monitoring, logging, auditing, incident response plans, breach notification procedures, etc.

Remedial security:This refers to the measures that aim to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, as well as to mitigate the adverse effects of security incidents on the data subjects. Examples of remedial security measures include backup, disaster recovery, business continuity, compensation, etc.

Consent management and withdrawal is not a domain of security covered by Article 32, but rather a requirement for the lawfulness of processing based on consent under Article 6(1)(a) and Article 7 of the GDPR. Consent management and withdrawal involves obtaining, recording, updating and revoking the consent of data subjects for specific purposes of processing, as well as informing them of their right to withdraw their consent at any time.Reference:Free CIPP/E Study Guide, page 35;CIPP/E Certification, page 17; GDPR, Article 32, Article 6(1)(a), Article 7.

According to the CIPP/E study guide, Article 33 of the GDPR requires data controllers to notify the supervisory authority of a personal data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons1.Article 34 of the GDPR requires data controllers to communicate the personal data breach to the data subject without undue delay when the breach is likely to result in a high risk to the rights and freedoms of natural persons2.Both articles specify the minimum information that the data controller must provide to the supervisory authority and the data subject, which includes: the nature of the breach, the categories and approximate number of data subjects and personal data records concerned, the name and contact details of the data protection officer or other contact point, the likely consequences of the breach, and the measures taken or proposed to address the breach and mitigate its possible adverse effects12.However, neither article requires the data controller to disclose the type of security safeguards used to protect the data, as this information is not relevant for the purposes of notification and may even compromise the security of the data further3.Reference:1: CIPP/E study guide, page 84;Art. 33 GDPR;Guidelines 01/2021 on Examples regarding Data Breach Notification2: CIPP/E study guide, page 85; [Art. 34 GDPR];Guidelines 01/2021 on Examples regarding Data Breach Notification3:Personal Data Breach | European Data Protection Supervisor;What is a data breach and what do we have to do ... - European Commission.

According to theFree CIPP/E Study Guide, page 14, "if the DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk, the controller shall consult the supervisory authority prior to the processing." This means that the controller must seek the advice of the supervisory authority when the DPIA identifies high risks that cannot be sufficiently reduced by the controller's own measures. The other options are not necessarily cases where the consultation is required, although they may trigger other obligations under the GDPR, such as obtaining a valid legal basis, providing adequate safeguards, or informing the data subjects.Reference:

Free CIPP/E Study Guide, page 14

GDPR, Article 36