IAPP CIPP-E Practice Test - Questions Answers, Page 22

The transparency principle, as stated in Article 5(1)(a) of the GDPR, requires that personal data be processed lawfully, fairly and in a transparent manner in relation to the data subject. This principle is closely linked to the right to be informed, as specified in Articles 13 and 14 of the GDPR, which oblige the controller to provide the data subject with certain information about the processing of their personal data, such as the identity and contact details of the controller, the purposes and legal basis of the processing, the recipients or categories of recipients of the personal data, the existence of the data subject's rights, and the retention period or criteria for the personal data. The right to be informed aims to ensure that the data subject is aware of and can verify the lawfulness of the processing, and to enable them to exercise their rights effectively. Therefore, the transparency principle is most directly related to the right to be informed.Reference:

Article 5(1)(a) of the GDPR

Article 13 of the GDPR

Article 14 of the GDPR

IAPP CIPP/E Study Guide, page 31

According to the CJEU, the ePrivacy Directive does not define the concept of consent, but refers to the GDPR for its interpretation1. Therefore, the GDPR standard of consent applies to the use of cookies and similar technologies that require consent under the ePrivacy Directive.The GDPR defines consent as any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her2.The CJEU also clarified that the consent requirements apply regardless of whether the cookies constitute personal data or not, as the ePrivacy Directive covers any information stored or accessed on the user's device1.The other options are incorrect, as the CJEU ruled that pre-checked boxes, implicit consent by scrolling, and insufficient information on the cookies do not meet the GDPR standard of consent1.Reference:

Free CIPP/E Study Guide, page 14, section 2.3

GDPR, Article 4 (11)

ePrivacy Directive, Article 5 (3)

Planet49: CJEU Rules on Cookie Consent

CURIA - List of results

Article 82 of the GDPR introduces a right to compensation for damage caused as a result of an infringement of the GDPR1.Article 82 (1) states that any person who has suffered material or non-material damage as a result of an infringement of the GDPR shall have the right to receive compensation from the controller or processor for the damage suffered1.Article 82 (2) states that any controller involved in processing shall be liable for the damage caused by processing which infringes the GDPR1.A processor shall be liable for the damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller1.Article 82 (3) states that a controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage1. In this case, Jack is liable for the damage caused by the data breach, as he violated the GDPR by posting the patient's name and health information, along with disparaging comments, on a social media website.This constitutes an infringement of the GDPR, as it violates the principles of lawfulness, fairness, and transparency (Article 5 (1) (a)), purpose limitation (Article 5 (1) (b)), data minimisation (Article 5 (1) ), accuracy (Article 5 (1) (d)), integrity and confidentiality (Article 5 (1) (f)), and the rights of the data subject (Articles 12-23)1. The pharmaceutical company is not liable for the damage caused by the data breach, as it can prove that it is not in any way responsible for the event giving rise to the damage. The company provided privacy training to Jack, informed him of the privacy policy, obtained his consent, and dismissed him as soon as the breach was discovered.Therefore, the company complied with the obligations of the GDPR, such as the accountability principle (Article 5 (2)), the data protection by design and by default principle (Article 25), the security of processing principle (Article 32), and the notification of a personal data breach to the supervisory authority principle (Article 33)1. Therefore, option D is the correct answer.Reference:Art. 82 GDPR -- Right to compensation and liability,Article 82 GDPR - GDPRhub

According to Article 15 of the GDPR, data subjects have the right to access and receive a copy of their personal data, and other supplementary information, from the data controller1. However, this right is not absolute and may be subject to limitations or restrictions.One of the grounds for refusing or limiting a data subject access request (DSAR) is when the request is manifestly unfounded or excessive, in particular because of its repetitive character1.In such cases, the controller may either charge a reasonable fee, taking into account the administrative costs of providing the information, or refuse to act on the request1.The controller must inform the data subject of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority or seeking a judicial remedy1.

In this scenario, Jack's DSAR is likely to be considered excessive, as he requests a copy of all personal data, including internal emails, that were sent or received by him or where he is directly or indirectly identifiable from the contents. This is a very broad and vague request, which would require the company to search and review a large amount of information, and potentially disclose confidential or sensitive data about other employees or third parties. The company has already contacted Jack, asking him to be more specific about what information he requires, but he refused to narrow the scope of his request.Therefore, the company has a valid reason to decline to provide any information, as the amount of information requested is too excessive to provide in one month, which is the general time limit for responding to a DSAR under the GDPR1. Therefore, option B is the correct answer.

Option A is incorrect because the company's headquarters location is irrelevant for the purpose of the DSAR, as the GDPR applies to any processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not2. The company has an establishment in Ireland, where Jack worked, and therefore is subject to the GDPR.

Option C is incorrect because the company cannot agree to provide the information requested in Jack's original DSAR within a period of 3 months, as this would violate the data subject's right of access and the principle of accountability under the GDPR.The company can only extend the time limit to respond to a DSAR by a further two months if the request is complex or if the controller receives a number of requests from the same data subject1.However, the company must inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay1. In this case, the company has not done so, and has instead asked Jack to be more specific about his request.

Option D is incorrect because the company cannot provide all requested information except for the emails, as this would not comply with the data subject's right of access and the principle of transparency under the GDPR.The company must provide the data subject with a copy of the personal data undergoing processing, unless this adversely affects the rights and freedoms of others1. The emails are part of the personal data undergoing processing, and the company cannot exclude them from the DSAR without a valid reason.The company must also provide the data subject with the following supplementary information, unless the data subject already has it1:

the purposes of the processing;

the categories of personal data concerned;

the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

the right to lodge a complaint with a supervisory authority;

where the personal data are not collected from the data subject, any available information as to their source;

the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Right of access

Territorial scope

According to the GDPR, the right to be forgotten, also known as the right to erasure, is not an absolute right and only applies in certain circumstances1.One of the exceptions to this right is when the processing of personal data is necessary for the establishment, exercise or defence of legal claims2. In this scenario, the company may need to retain the personal data of Jack, such as his employment records, performance reviews, and internal emails, in order to defend itself against a possible legal action of unfair dismissal. Therefore, the company should not erase the data at this time, unless it is confident that it has no legal basis to keep it.The company should also inform Jack of the reasons for not complying with his request and of his right to lodge a complaint with a supervisory authority or a judicial remedy3.Reference:1: Everything you need to know about the "Right to be forgotten''2: Article 17(3)(e) of the GDPR3: Article 12(4) of the GDPR.

According to Article 17 of the GDPR, the data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller has the obligation to erase personal data without undue delay where one of the following grounds applies: (a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (b) the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing; the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2); (d) the personal data have been unlawfully processed; (e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; (f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1). However, Article 17(3) provides that the right to erasure does not apply to the extent that processing is necessary for exercising the right of freedom of expression and information. Therefore, this would not be a valid ground for data subject delisting requests.

Reference:

Article 17 of the GDPR

EDPB Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR (part 1)

According to Article 23 of the GDPR, the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, may be restricted by a legislative measure of a Member State or the Union, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard certain public interests or the rights and freedoms of others1.However, Article 23 does not include Article 77, which grants the data subject the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to him or her infringes the GDPR2.Therefore, this right cannot be restricted by any legislative measure, as it is essential for the effective judicial protection of the data subject and the enforcement of the GDPR3.Reference:

Free CIPP/E Study Guide, page 14, section 2.3

GDPR, Article 77

GDPR, Article 23

Guidelines on restrictions of data subject rights under Art. 23 of the GDPR, page 4, section 2

Statement on restrictions on data subject rights in connection to the COVID-19 pandemic, page 2, section 2

An adequacy decision is a decision adopted by the European Commission, which determines that a third country, a territory or one or more specified sectors within a third country, or an international organisation ensures an adequate level of protection of personal data1.This means that the third country or organisation provides a level of protection that is essentially equivalent to that guaranteed within the European Union (EU), taking into account its domestic law and international commitments, as well as the respect for the rule of law, human rights and fundamental freedoms, relevant legislation, and the existence and effective functioning of independent supervisory authorities1.An adequacy decision is one of the transfer tools that can be used to transfer personal data to a third country or organisation without requiring any further authorisation1.However, an adequacy decision is not permanent and can be amended, suspended or repealed by the Commission at any time, if the conditions are no longer met1.Therefore, according to the recommendations of the European Data Protection Board (EDPB), the additional action that should be taken when a transfer to a third country is based upon an adequacy decision is to monitor changes in the law or practice of the third country that would lower the level of protection of personal data2.This means that the data exporter should stay informed of any developments in the third country or organisation that could affect the validity of the adequacy decision, and take appropriate measures if the level of protection is no longer adequate2.The data exporter should also cooperate with the competent supervisory authority and inform it of any issues that may affect the compliance with the adequacy decision2. Therefore, option D is the correct answer.Reference:Art. 45 GDPR -- Transfers on the basis of an adequacy decision,Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data

According to Article 32 of the GDPR, the controller and the processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing1. The GDPR does not prescribe specific security measures, but rather provides a list of factors to consider when determining the appropriate level of security, such as:

The state of the art and the costs of implementation;

The nature, scope, context and purposes of processing;

The risk of varying likelihood and severity for the rights and freedoms of natural persons.

Therefore, the level of security required by the GDPR is not absolute, but relative to the specific circumstances of each processing activity.The GDPR also encourages the use of codes of conduct and certification mechanisms to demonstrate compliance with the security requirements1.

In the scenario, Natural Insight is a processor who receives customer information from BHealthy, a controller, for the purpose of providing pricing services. Natural Insight has a contractual obligation to implement technical and organisational measures to ensure the security of the data, as well as to comply with the GDPR. Natural Insight's security obligations are not limited to the measures assessed by BHealthy prior to entering into the contract, nor to the level of security that a reasonable data subject would expect. Rather, Natural Insight must take into account the industry practices for protecting customer contact information and purchase history, as well as the potential risks that may arise from the processing, such as data breaches, identity theft, fraud, or discrimination. Natural Insight must also keep up with the state of the art and the costs of implementation, and adjust its security measures accordingly.

4: Art. 32 GDPR Security of processing