Pass the IAPP Certified Information Privacy Professional CIPP-E Questions and answers with ValidTests

When assessing the level of risk created by a data breach, the size of any data processor involved would not have to be taken into consideration. According to the GDPR, a data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” 1. The GDPR requires data controllers and processors to notify the relevant supervisory authority of a data breach within 72 hours, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons 2. The GDPR also requires data controllers to communicate the data breach to the affected data subjects without undue delay, if the breach is likely to result in a high risk to their rights and freedoms 3.

The GDPR does not specify the exact criteria for determining the level of risk, but it provides some guidance in Recital 85, which states that “the likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing” . The recital also mentions some factors that could increase the risk, such as the ease of identification of individuals, the special categories of personal data, the large scale of the processing, or the special characteristics of the data controller . Therefore, these factors should be taken into consideration when assessing the level of risk created by a data breach.

However, the size of any data processor involved is not relevant for the risk assessment, as it does not affect the impact of the breach on the data subjects. The data processor is only responsible for processing the personal data on behalf of the data controller, and has no direct relationship with the data subjects . The data processor’s obligations in case of a data breach are to notify the data controller without undue delay, and to assist the data controller in complying with its obligations under the GDPR . The data processor’s size may affect its ability to fulfill these obligations, but it does not change the level of risk created by the data breach itself. References: 1: Article 4(12) of the GDPR 2: Article 33 of the GDPR 3: Article 34 of the GDPR : Recital 85 of the GDPR : Article 4(8) of the GDPR : Article 28 of the GDPR

I hope this helps. If you have any other questions, please feel free to ask. ????

 The “one-stop-shop” mechanism of the GDPR is a system of co-operation and consistency procedures that aims to ensure that the data protection regulation is enforced uniformly across all member states and calls on the data protection authorities (DPAs) across member states to co-operate with each other and the Commission to ensure consistent application of the GDPR1. The “one-stop-shop” mechanism applies to organisations that conduct cross-border data processing, which means that they process personal data in the context of the activities of their establishments in more than one member state, or that they target or monitor data subjects in more than one member state1. Under the “one-stop-shop” mechanism, such organisations will have to deal primarily with the DPA of the member state where they have their main establishment or their single establishment in the EU, which will act as their lead supervisory authority for all matters related to their cross-border data processing1. The lead supervisory authority will co-ordinate with other concerned supervisory authorities, which are the DPAs of the member states where the data subjects are affected by the data processing1. The lead supervisory authority will have the competence to adopt binding decisions regarding measures to ensure compliance with the GDPR, such as imposing administrative fines or ordering the suspension of data flows1. However, the “one-stop-shop” mechanism does not prevent the concerned supervisory authorities from acting against organisations in exceptional cases, even if they do not have any type of establishment in the member state of the respective authority1. These exceptional cases include the following situations2:

When a complaint is lodged with a supervisory authority, the subject matter relates only to an establishment in its member state or substantially affects data subjects only in its member state;

When a supervisory authority is addressing a possible infringement related to the offering of goods or services to data subjects in its member state or to the monitoring of their behaviour in its member state;

When a supervisory authority adopts provisional measures intended to produce legal effects in its own member state;

When an urgent need to act arises in order to protect the rights and freedoms of data subjects. In these cases, the concerned supervisory authority will inform the lead supervisory authority and the other concerned supervisory authorities, and will try to reach a consensus on the action to be taken2. If no consensus is reached, the consistency mechanism will apply, which involves the intervention of the European Data Protection Board (EDPB) to issue a binding decision on the matter2. Therefore, option D is the correct answer. References: Art. 60 GDPR – Cooperation between the lead supervisory authority and the other supervisory authorities concerned, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)

According to the CIPP/E study guide, data controllers should use the least intrusive means of verifying the identity of data subjects who make requests under the GDPR. Asking for a copy of an ID document or a bank account statement may be disproportionate and excessive, as they contain more personal data than necessary for authentication. Asking for the bank account number may not be sufficient, as it may be easily obtained by third parties. Therefore, the most appropriate way to confirm the identity of the customer is to ask additional security questions that only the customer would know, such as the date of the last transaction, the amount of the last deposit, or the name of the beneficiary of a recurring payment.

References: CIPP/E Study Guide, page 28; CIPP/E Textbook, page 136.

Section: (none)

Explanation

Online Behavioural Advertising (OBA) means the collection of data from a particular computer or device regarding web viewing behaviours over time and across multiple web domains not under Common Control for the purpose of using such data to predict web user preferences or interests to deliver online advertising to that particular computer or device based on the preferences or interests inferred from such web viewing behaviours1. OBA is subject to the EU law on consent to the processing of personal data, which requires a clear affirmative action by the data subject indicating his or her agreement to the processing2. The consent must be freely given, specific, informed and unambiguous, and it can be withdrawn at any time2. The consent must also be obtained prior to the collection and use of data for OBA purposes3. Therefore, Brady Box’s OBA practice is most likely to be

According to Article 35 of the GDPR, a Data Protection Impact Assessment (DPIA) is required when the processing of data is likely to result in a high risk to the rights and freedoms of natural persons, especially when using new technologies. A DPIA is supposed to show the characteristics of the processing, the risks and the measures adopted to mitigate them. The GDPR also provides some examples of processing operations that require a DPIA, such as:

a systematic and extensive evaluation of personal aspects based on automated processing, including profiling, and on which decisions are based that produce legal or significant effects on the data subject;

processing on a large scale of special categories of data or data relating to criminal convictions and offences; or

a systematic monitoring of a publicly accessible area on a large scale.

Among the answer choices, only option C falls under the first example, as it involves a systematic and extensive evaluation of personal aspects based on location data and data from third-party sources, which could be used for profiling and matching purposes. This could have significant effects on the data subjects’ privacy, personal relationships and reputation. Therefore, a DPIA would be required for this processing operation.

Option A does not necessarily involve a systematic and extensive evaluation of personal aspects, nor does it produce legal or significant effects on the data subject. It could be considered a legitimate interest of the company to offer more personalized service, as long as it respects the principles of data minimization, purpose limitation and transparency.

Option B does not involve a decision based on the processing, nor does it produce legal or significant effects on the data subject. It could be considered a form of direct marketing, which is subject to specific rules under the GDPR and the ePrivacy Directive.

Option D does not involve personal data relating to natural persons, but rather to delivery trucks. Therefore, it does not pose a high risk to the rights and freedoms of natural persons.

References:

GDPR Article 35

Guidelines on DPIA

Art. 35 GDPR - Data protection impact assessment - GDPR.eu

A DPIA is not a one-time activity. While it's crucial to conduct a DPIA before implementing a new system that processes personal data (like the fingerprint system), the GDPR requires organizations to review and update their DPIAs periodically, especially when there are changes that might affect the risk to data subjects.

Here's why the other options are incorrect:

A. After the complaint of the supporter: While a complaint might trigger a review of the processing, the DPIA should have been done proactively before any issues arose.

C. At the end of every match of the season: This frequency is excessive and doesn't align with the idea of assessing risks when changes occur.

D. After the AEPD notification of the investigation: Similar to option A, this is reactive rather than proactive.

References:

GDPR Article 35 - Data protection impact assessment

IAPP CIPP/E textbook, Chapter 4: Accountability and Data Governance (specifically, sections on DPIAs and ongoing review)

WP29 Guidelines on Data Protection Impact Assessment (DPIA)

Data adjustment is not a valid basic anonymization technique according to the PDPC’s guide12. Data adjustment refers to the modification of the original data values by adding or subtracting a random amount, or multiplying or dividing by a random factor3. This technique may preserve some statistical properties of the data, but it also introduces errors and inaccuracies that may affect the utility and quality of the data3. Moreover, data adjustment may not sufficiently protect the identity of individuals, as the adjusted data may still be linked or matched with other data sources3. Therefore, data adjustment is not recommended by the PDPC as a basic anonymization technique.

References:

1: GUIDE TO BASIC DATA ANONYMISATION TECHNIQUES Published 25 January 2018 - PDPC 2: GUIDE TO BASIC ANONYMISATION - PDPC 3: Guide to basic anonymisation and free tool from PDPC

 According to Recital 51 of the GDPR, photographs are not automatically considered as biometric data, unless they are processed by a specific technical means that allows the unique identification or authentication of a natural person1. This means that printing employees’ photographs on building passes does not necessarily involve biometric data, as long as the photographs are not used for facial recognition or other similar purposes. The other options are incorrect, as they do not reflect the definition of biometric data or the conditions for processing special categories of personal data under the GDPR2. References:

Recital 51 of the GDPR

ICO guidance on special category data

Reference https://ess.csa.canon.com/rs/206-CLL-191/images/IAPP-Top-10-Operational-Impacts-of- GDPR.pdf?TC=DM &CN=CSA_OMNIA_Partners&CS=CSA&CR=T1_Gov%20GenNonProfit (11)