IAPP CIPP-E Practice Test - Questions Answers, Page 8


When is data sharing agreement MOST likely to be needed?

A. When anonymized data is being shared.

B. When personal data is being shared between commercial organizations acting as joint data controllers.

C. When personal data is being proactively shared by a controller to support a police investigation.

D. When personal data is being shared with a public authority with powers to require the personal data to be disclosed.

Suggested answer: B

Explanation:

A data sharing agreement is a contract that documents what data is being shared and how it can be used. It can be used to make data sharing lawful and to demonstrate compliance with the accountability principle under the GDPR. A data sharing agreement is most likely to be needed when personal data is being shared between commercial organizations acting as joint data controllers, because they have to determine and agree on their respective roles and responsibilities, such as the purpose and legal basis of the data sharing, the rights of the data subjects, the security measures, and the liability for any breaches. A data sharing agreement is not mandatory, but it is good practice and can help to avoid disputes and confusion. A data sharing agreement may not be needed or may be less detailed in the other scenarios, depending on the circumstances and the nature of the data. For example, anonymized data is not personal data under the GDPR and does not require a data sharing agreement, although it may still be subject to other contractual or ethical obligations. Personal data that is proactively shared by a controller to support a police investigation may be covered by a legal obligation or a public interest, and the controller may not have much control over how the data is used by the police. Personal data that is shared with a public authority with powers to require the personal data to be disclosed may also be subject to a legal obligation or a public interest, and the controller may have to comply with the authority's request without a data sharing agreement.

Reference:

Data sharing agreements | ICO, which provides guidance on the benefits and contents of a data sharing agreement.

Data Sharing Agreement - the Definition - GDPR Summary, which explains what a data sharing agreement is and when it can be used.

The role of data sharing and the GDPR | Data Republic, which discusses the impact of the GDPR on data sharing practices.

An employee of company ABCD has just noticed that a memory stick containing records of client data, including their names, addresses and full contact details, has disappeared. The data on the stick is unencrypted and in clear text. It is uncertain what has happened to the stick at this stage, but it was likely lost while an employee was travelling. What should the company do?

A. Notify as soon as possible the data protection supervisory authority that a data breach may have taken place.

B. Launch an investigation and if nothing is found within one month, notify the data protection supervisory authority.

C. Invoke the "disproportionate effort" exception under Article 33 to postpone notifying data subjects until more information can be gathered.

D. Immediately notify all the customers of the company that their information has been accessed by an unauthorized person.

Suggested answer: A

Explanation:

The GDPR requires that in the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons [1]. A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed [2]. In this scenario, the company ABCD is the controller of the client data, and the loss of the memory stick containing unencrypted and clear text personal data is a personal data breach that may pose a risk to the rights and freedoms of the data subjects, such as identity theft, fraud, financial loss, or reputational damage. Therefore, the company ABCD should notify the data protection supervisory authority as soon as possible, and provide the information specified in Article 33(3) of the GDPR, such as the nature of the breach, the categories and number of data subjects and personal data records concerned, the likely consequences of the breach, and the measures taken or proposed to address the breach [1]. Option A is the correct answer, as it reflects the obligation of the controller under the GDPR.

Options B, C and D are incorrect, as they do not comply with the GDPR requirements. Option B would delay the notification beyond the 72-hour deadline, which could result in administrative fines or other sanctions [3]. Option C would misuse the "disproportionate effort" exception, which only applies to the communication of the breach to the data subjects, not to the notification to the supervisory authority, and only when the controller has implemented appropriate technical and organisational protection measures, such as encryption, that render the personal data unintelligible to any person who is not authorised to access it [4]. Option D would prematurely notify the customers of the company without first notifying the supervisory authority, and without assessing the level of risk and the necessity of such communication, which should be done in consultation with the supervisory authority [5].

Reference:

1. Article 33(1) of the GDPR

2. Article 4(12) of the GDPR

3. Article 83(4)(a) of the GDPR

4. Article 34(3)(a) of the GDPR

5. Article 34(1) and (2) of the GDPR

Which of the following does NOT have to be included in the records most processors must maintain in relation to their data processing activities?

A. Name and contact details of each controller on behalf of which the processor is acting.

B. Categories of processing carried out on behalf of each controller for which the processor is acting.

C. Details of transfers of personal data to a third country carried out on behalf of each controller for which the processor is acting.

D. Details of any data protection impact assessment conducted in relation to any processing activities carried out by the processor on behalf of each controller for which the processor is acting.

Suggested answer: D

Explanation:

According to the GDPR, processors must maintain records of all categories of processing activities carried out on behalf of each controller, containing the following information [1][2]:

the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative, and the data protection officer;

the categories of processing carried out on behalf of each controller;

where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;

where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

The records must be in writing, including in electronic form, and must be made available to the supervisory authority on request. The obligation to maintain records does not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data or personal data relating to criminal convictions and offences.

The GDPR does not require processors to include details of any data protection impact assessment (DPIA) conducted in relation to any processing activities carried out by the processor on behalf of each controller for which the processor is acting. A DPIA is a process to help identify and minimise the data protection risks of a project. It is the responsibility of the controller to carry out a DPIA where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons. The processor may assist the controller in carrying out the DPIA, but the processor does not have to document it in its records of processing activities. Therefore, the correct answer is D.

Reference:

1. GDPR, Article 30(2)

2. GDPR, Article 35

ICO, Documentation

ICO, Data protection impact assessments

An unforeseen power outage results in company Z's lack of access to customer data for six hours. According to article 32 of the GDPR, this is considered a breach. Based on the WP 29's February, 2018 guidance, company Z should do which of the following?

A. Notify affected individuals that their data was unavailable for a period of time.

B. Document the loss of availability to demonstrate accountability.

C. Notify the supervisory authority about the loss of availability.

D. Conduct a thorough audit of all security systems.

Suggested answer: B

Explanation:

According to Article 32 of the GDPR, the controller and the processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing, including the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident [1]. A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed [2]. Therefore, a power outage that results in the loss of availability of customer data for six hours is considered a personal data breach under the GDPR.

Based on the WP 29's February, 2018 guidance, which was endorsed by the European Data Protection Board, company Z should document the loss of availability to demonstrate accountability [3]. The guidance states that controllers must document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken, regardless of whether the breach needs to be notified to the supervisory authority or the data subjects. This documentation must enable the supervisory authority to verify compliance with the GDPR and must be made available to the supervisory authority on request [4].

The other options (A, C, and D) are not required by the GDPR or the guidance, although they may be advisable or beneficial depending on the circumstances. Option A is not mandatory, as the GDPR only requires the controller to communicate the personal data breach to the data subject when the breach is likely to result in a high risk to the rights and freedoms of natural persons [5]. A temporary loss of availability may not pose such a high risk, unless it affects the data subject's essential services or activities. Option C is also not obligatory, as the GDPR only requires the controller to notify the supervisory authority of the personal data breach within 72 hours unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons [6]. A short-term loss of availability may not entail such a risk, unless it affects a large number of data subjects or sensitive data. Option D is not specified by the GDPR or the guidance, although it may be a good practice to conduct a thorough audit of all security systems after a personal data breach to identify and address any vulnerabilities or weaknesses that may have contributed to the incident or may lead to future incidents.

Reference:

1. Article 32 of the GDPR

2. Article 4(12) of the GDPR

3. Endorsed WP29 Guidelines

4. Article 33(5) of the GDPR

5. Article 34(1) of the GDPR

6. Article 33(1) of the GDPR

7. Guidelines on Personal data breach notification under Regulation 2016/679, WP250 rev.01

8. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

9. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679

In addition to the European Commission, who can adopt standard contractual clauses, assuming that all required conditions are met?

A. Approved data controllers.

B. The Council of the European Union.

C. National data protection authorities.

D. The European Data Protection Supervisor.

Suggested answer: C

Explanation:

According to Article 46(2) of the GDPR, standard contractual clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2) can be used as a legal basis for data transfers to third countries [1][2]. This means that, in addition to the European Commission, national data protection authorities can adopt standard contractual clauses, provided that they meet the conditions and requirements set out in the GDPR and obtain the approval of the Commission. The other options are not correct, as approved data controllers, the Council of the European Union and the European Data Protection Supervisor do not have the power to adopt standard contractual clauses under the GDPR.

Reference:

CIPP/E Certification - International Association of Privacy Professionals

Free CIPP/E Study Guide - International Association of Privacy Professionals

GDPR - EUR-Lex

Standard Contractual Clauses (SCC) - European Commission

SCENARIO

Please use the following to answer the next question:

Zandelay Fashion ('Zandelay') is a successful international online clothing retailer that employs approximately 650 people at its headquarters based in Dublin, Ireland. Martin is their recently appointed data protection officer, who oversees the company's compliance with the General Data Protection Regulation (GDPR) and other privacy legislation.

The company offers both male and female clothing lines across all age demographics, including children. In doing so, the company processes large amounts of information about such customers, including preferences and sensitive financial information such as credit card and bank account numbers.

In an aggressive bid to build revenue growth, Jerry, the CEO, tells Martin that the company is launching a new mobile app and loyalty scheme that puts significant emphasis on profiling the company's customers by analyzing their purchases. Martin tells the CEO that: (a) the potential risks of such activities means that Zandelay needs to carry out a data protection impact assessment to assess this new venture and its privacy implications; and (b) where the results of this assessment indicate a high risk in the absence of appropriate protection measures, Zandelay may have to undertake a prior consultation with the Irish Data Protection Commissioner before implementing the app and loyalty scheme.

Jerry tells Martin that he is not happy about the prospect of having to directly engage with a supervisory authority and having to disclose details of Zandelay's business plan and associated processing activities.

What would MOST effectively assist Zandelay in conducting their data protection impact assessment?

A. Information about DPIAs found in Articles 38 through 40 of the GDPR.

B. Data breach documentation that data controllers are required to maintain.

C. Existing DPIA guides published by local supervisory authorities.

D. Records of processing activities that data controllers are required to maintain.

Suggested answer: C

Explanation:

A data protection impact assessment (DPIA) is a process to help identify and minimise the data protection risks of a project that involves personal data, especially when using new technologies or processing that is likely to result in a high risk to individuals [1]. The UK GDPR requires data controllers to carry out a DPIA before starting such processing and to consult the supervisory authority if the DPIA indicates a high risk that cannot be mitigated [1]. The UK GDPR also provides some general guidance on the content and methodology of a DPIA, but it does not prescribe a specific format or procedure [1]. Therefore, to effectively assist Zandelay in conducting their DPIA, it would be helpful to refer to existing DPIA guides published by local supervisory authorities, such as the ICO in the UK or the DPC in Ireland [2][3]. These guides offer more detailed and practical advice on how to conduct a DPIA, what to include in it, how to assess and mitigate the risks, and when to consult the authority [2][3]. They also provide templates, checklists, examples, and case studies to illustrate the DPIA process [2][3]. By following these guides, Zandelay can ensure that their DPIA is comprehensive, consistent, and compliant with the UK GDPR and the relevant national laws.

The other options are not as effective as option C, because:

Option A: Information about DPIAs found in Articles 38 through 40 of the UK GDPR is too general and vague to assist Zandelay in conducting their DPIA. These articles only outline the basic requirements and principles of a DPIA, but do not provide any specific guidance on how to conduct one, what to include in it, or how to assess and mitigate the risks [1]. Zandelay would need more detailed and practical advice to effectively perform a DPIA.

Option B: Data breach documentation that data controllers are required to maintain is not relevant to conducting a DPIA. A data breach is a security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data [1]. A data controller must document any data breaches, including the facts, effects, and remedial actions taken, and notify the supervisory authority and the affected individuals without undue delay [1]. However, a data breach is not the same as a data protection risk, which is the potential for adverse effects on individuals as a result of the processing of their personal data [2]. A DPIA is a proactive and preventive measure to identify and minimise the data protection risks of a project, not a reactive and corrective measure to deal with the consequences of a data breach [2].

Option D: Records of processing activities that data controllers are required to maintain are not sufficient to assist Zandelay in conducting their DPIA. A record of processing activities is a document that contains information about the purposes, categories, recipients, transfers, retention periods, and security measures of the processing of personal data by a data controller or a data processor [1]. A data controller must maintain a record of processing activities under its responsibility and make it available to the supervisory authority upon request [1]. However, a record of processing activities is not the same as a DPIA, which is a more in-depth and systematic analysis of the data protection risks and the measures to address them [2]. A record of processing activities may provide some useful information for a DPIA, such as the nature, scope, context, and purposes of the processing, but it does not cover other aspects, such as the necessity, proportionality, compliance, and impact of the processing [2].

Reference:

https://blog.netwrix.com/2021/02/17/data-protection-impact-assessment/

https://ico.org.uk/for-organisations-2/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/

SCENARIO

Please use the following to answer the next question:

Zandelay Fashion ('Zandelay') is a successful international online clothing retailer that employs approximately 650 people at its headquarters based in Dublin, Ireland. Martin is their recently appointed data protection officer, who oversees the company's compliance with the General Data Protection Regulation (GDPR) and other privacy legislation.

The company offers both male and female clothing lines across all age demographics, including children. In doing so, the company processes large amounts of information about such customers, including preferences and sensitive financial information such as credit card and bank account numbers.

In an aggressive bid to build revenue growth, Jerry, the CEO, tells Martin that the company is launching a new mobile app and loyalty scheme that puts significant emphasis on profiling the company's customers by analyzing their purchases. Martin tells the CEO that: (a) the potential risks of such activities means that Zandelay needs to carry out a data protection impact assessment to assess this new venture and its privacy implications; and (b) where the results of this assessment indicate a high risk in the absence of appropriate protection measures, Zandelay may have to undertake a prior consultation with the Irish Data Protection Commissioner before implementing the app and loyalty scheme.

Jerry tells Martin that he is not happy about the prospect of having to directly engage with a supervisory authority and having to disclose details of Zandelay's business plan and associated processing activities.

What must Zandelay provide to the supervisory authority during the prior consultation?

A. An evaluation of the complexity of the intended processing.

B. An explanation of the purposes and means of the intended processing.

C. Records showing that customers have explicitly consented to the intended profiling activities.

D. Certificates that prove Martin's professional qualities and expert knowledge of data protection law.

Suggested answer: B

Explanation:

According to Article 36 of the GDPR, when a controller intends to process personal data that would result in a high risk to the rights and freedoms of data subjects, and a data protection impact assessment under Article 35 indicates that the risk cannot be mitigated by the controller, the controller must consult the supervisory authority before processing. The purpose of this prior consultation is to seek the advice of the supervisory authority on whether the processing complies with the GDPR and what measures can be taken to ensure compliance. During the prior consultation, the controller must provide the supervisory authority with the following information:

the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings;

the purposes and means of the intended processing;

the measures and safeguards provided to protect the rights and freedoms of data subjects pursuant to the GDPR;

the contact details of the data protection officer, if any;

the data protection impact assessment provided for in Article 35; and

any other information requested by the supervisory authority.

Therefore, the correct answer is B. An explanation of the purposes and means of the intended processing. This information is essential for the supervisory authority to understand the nature and scope of the processing and to assess its compliance with the GDPR. The other options are not required by Article 36, although they may be relevant for other aspects of the GDPR, such as the data protection by design and by default principle (A), the lawfulness of processing (C), or the designation of the data protection officer (D).

Reference:

Article 36 of the GDPR, which regulates the prior consultation with the supervisory authority.

ICO guidance, which explains the process and requirements of the prior consultation.

EDPB guidelines, which provide further guidance on the criteria and procedure of the prior consultation.

A company is located in a country NOT considered by the European Union (EU) to have an adequate level of data protection. Which of the following is an obligation of the company if it imports personal data from another organization in the European Economic Area (EEA) under standard contractual clauses?

A. Submit the contract to its own government authority.

B. Ensure that notice is given to and consent is obtained from data subjects.

C. Supply any information requested by a data protection authority (DPA) within 30 days.

D. Ensure that local laws do not impede the company from meeting its contractual obligations.

Suggested answer: D

Explanation:

The GDPR allows the transfer of personal data to countries outside of the EEA that do not provide an adequate level of data protection, if appropriate safeguards are provided by the data exporter and the data importer [1]. One of these safeguards is standard contractual clauses (SCCs) adopted by the European Commission, which are model clauses that impose obligations on both parties to ensure that the transfer complies with the GDPR requirements [2]. The SCCs also include clauses on the rights of the data subjects, the obligations of the data protection authorities, and the liability and indemnification of the parties [3].

One of the obligations of the data importer under the SCCs is to warrant that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract, and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the SCCs, it will promptly notify the data exporter of the change as soon as it is aware of it, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract [4]. Therefore, option D is the correct answer, as it reflects the obligation of the data importer under the SCCs to ensure that local laws do not impede the company from meeting its contractual obligations.

Options A, B and C are incorrect, as they are not obligations of the data importer under the SCCs. Option A is not required by the GDPR or the SCCs, as the data importer does not need to submit the contract to its own government authority, unless the law of the country where the data importer is established requires it to do so prior to the transfer or disclosure of personal data [5]. Option B is not an obligation of the data importer, but of the data exporter, who must provide the data subjects with the information required by Articles 13 and 14 of the GDPR, including the fact that the data will be transferred to a third country and the appropriate safeguards in place [6]. Option C is not specific to the SCCs, but a general obligation of any controller or processor under the GDPR, who must cooperate with the supervisory authority and make available all information necessary to demonstrate compliance with their obligations [7].

Reference:

1: Article 46(1) of the GDPR

2: Standard Contractual Clauses (SCC) - European Commission

3: EU Standard Contractual Clauses (Word documents)

4: Clause 5(a) of the SCCs for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679

5: Clause 5(b) of the SCCs for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679

6: Clause 9 of the SCCs for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679

7: Article 31 of the GDPR

Which of the following countries will continue to enjoy adequacy status under the GDPR, pending any future European Commission decision to the contrary?

A. Greece

B. Norway

C. Australia

D. Switzerland

Suggested answer: D

Explanation:

Adequacy is a term that the EU uses to describe other countries, territories, sectors or international organisations that it deems to provide an 'essentially equivalent' level of data protection to that which exists within the EU. An adequacy decision is a formal decision made by the EU which recognises that another country, territory, sector or international organisation provides an equivalent level of protection for personal data as the EU does. The effect of such a decision is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary [1][2].

The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, the United States (commercial organisations participating in the EU-US Data Privacy Framework) and Uruguay as providing adequate protection [1][3]. On 28 June 2021, the EU Commission published two adequacy decisions in respect of the UK: one for transfers under the EU GDPR; and the other for transfers under the Law Enforcement Directive (LED) [2]. These decisions contain the European Commission's detailed assessment of the UK's laws and systems for protecting personal data, as well as the legislation designating the UK as adequate. Both adequacy decisions are expected to last until 27 June 2025 [2].

Among the four options given, only Switzerland has been granted an adequacy decision by the EU, which means that it will continue to enjoy adequacy status under the GDPR, pending any future European Commission decision to the contrary. Greece is a member state of the EU, so it does not need an adequacy decision to receive personal data from the EU. Norway is a member of the European Economic Area (EEA), which also includes Iceland and Liechtenstein, and has incorporated the GDPR into its national law, so it also does not need an adequacy decision. Australia has not been recognised as adequate by the EU, so transfers of personal data from the EU to Australia require appropriate safeguards or derogations [1][3]. Therefore, the correct answer is D. Switzerland.

Reference:

https://pages.iapp.org/Free-Study-Guides_CIPPE-PPC-EU.html

https://data-privacy-office.eu/courses/cipp-e-official-training-course/

A company is hesitating between Binding Corporate Rules and Standard Contractual Clauses as a global data transfer solution. Which of the following statements would help the company make an effective decision?

A. Binding Corporate Rules are especially recommended for small and medium companies.

B. The data exporter does not need to be located in the EU for the Standard Contractual Clauses.

C. Binding Corporate Rules provide a global solution for all the entities of a company that are bound by the intra-group agreement.

D. The company will need the prior authorization of all EU data protection authorities for concluding Standard Contractual Clauses.

Suggested answer: C

Explanation:

According to the GDPR, transfers of personal data to third countries or international organisations are only allowed if the controller or processor complies with the conditions laid down in Chapter V of the GDPR [1]. One of these conditions is the existence of an adequacy decision by the European Commission, which means that the third country or international organisation ensures an adequate level of protection for the personal data [2]. However, if there is no adequacy decision, the controller or processor must provide appropriate safeguards for the data transfer, such as binding corporate rules (BCR) or standard contractual clauses (SCC) [3].

Binding corporate rules (BCR) are internal rules adopted by a group of undertakings or enterprises engaged in a joint economic activity, which define its global policy with regard to the international transfers of personal data within the same corporate group or to business partners located in third countries [4]. BCR must include all the general data protection principles and enforceable rights to ensure appropriate safeguards for the data transfers. They must be legally binding and enforced by every member concerned of the group [5]. BCR must be approved by the competent supervisory authority in accordance with the consistency mechanism provided by the GDPR [6].

Standard contractual clauses (SCC) are sets of contractual terms and conditions that the controller or processor and the recipient of the data agree to apply to the data transfer. SCC are adopted by the European Commission or by a supervisory authority in accordance with the consistency mechanism and are available in the Official Journal of the European Union [7]. SCC must offer sufficient safeguards on data protection for the data to be transferred internationally [8].

In the given scenario, option C is the statement that would help the company make an effective decision between BCR and SCC, as it highlights the main advantage of BCR over SCC, which is the global and comprehensive solution that BCR provide for all the entities of a company that are bound by the intra-group agreement. BCR are especially suitable for large and complex organisations that have frequent and high-volume data transfers within the same corporate group or business partners located in third countries. BCR also offer more flexibility and legal certainty than SCC, as they are tailored to the specific needs and structure of the group and do not require individual contracts for each data transfer.

The other options (A, B, and D) are either incorrect or misleading statements that would not help the company make an effective decision between BCR and SCC. Option A is incorrect, as BCR are not recommended for small and medium companies, but rather for large and complex ones, as explained above. Option B is misleading, as it implies that the data exporter can be located outside the EU for the SCC, which is true, but not relevant for the comparison with BCR, as the data exporter can also be located outside the EU for the BCR, as long as it is subject to the GDPR by virtue of Article 3(2). Option D is also misleading, as it implies that the company will need the prior authorization of all EU data protection authorities for concluding SCC, which is false, as the company will only need the prior authorization of the competent supervisory authority in the Member State where the data exporter is established, unless the SCC are modified or supplemented by additional clauses or safeguards.

Reference:

1: Article 44 of the GDPR

2: Article 45 of the GDPR

3: Article 46 of the GDPR

4: Article 4(20) of the GDPR

5: Article 47 of the GDPR

6: Article 63 of the GDPR

7: Article 93 of the GDPR

8: Article 46(2) and (d) of the GDPR

Binding Corporate Rules (BCR) - European Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/binding-corporate-rules-bcr_en

Article 3(2) of the GDPR

Article 46(3)(a) and (b) of the GDPR

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation): https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679
