Activedumpsnet Logo
Pursuant to the EDPB Guidelines 8/2022, all of the following criteria must be considered when identifying a lead supervisory authority of a controller EXCEPT?
Which of the following is NOT recognized as being a common characteristic of cloud-computing services?
If a French controller has a car-sharing app available only in Morocco, Algeria and Tunisia, but the data processing activities are carried out by the appointed processor in Spain, the GDPR will apply to the processing of the personal data so long as?
In the EDPB's Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, all of the following practices follow from the principles relating to the processing of personal data under EU data protection law EXCEPT?
SCENARIO
Please use the following to answer the next question:
Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent. All of the company’s IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father’s company, but is also secretly working on launching a new global online dating website company called Ben Knows Best.
Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company’s online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers’ philosophical beliefs, political opinions and marital status.
If a customer identifies as single, Ben then copies all of that customer’s personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out.
Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Beak with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.
Joe also hires his best friend’s daughter, Alice, who just graduated from law school in the U.S., to be the company’s new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company’s operations in the European Union to the U.S.
Joe believes that Alice is doing a great job, and informs her that she will also be in-charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company’s IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone’s information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.
Ben’s collection of additional data from customers created several potential issues for the company, which would most likely require what?
SCENARIO
Please use the following to answer the next question:
The fitness company Vigotron has recently developed a new app called M-Health, which it wants to market on its website as a free download. Vigotron’s marketing manager asks his assistant Emily to create a webpage that describes the app and specifies the terms of use. Emily, who is new at Vigotron, is excited about this task. At her previous job she took a data protection class, and though the details are a little hazy, she recognizes that Vigotron is going to need to obtain user consent for use of the app in some cases. Emily sketches out the following draft, trying to cover as much as possible before sending it to Vigotron’s legal department.
Registration Form
Vigotron’s new M-Health app makes it easy for you to monitor a variety of health-related activities, including diet, exercise, and sleep patterns. M-Health relies on your smartphone settings (along with other third-party apps you may already have) to collect data about all of these important lifestyle elements, and provide the information necessary for you to enrich your quality of life. (Please click here to read a full description of the services that M-Health provides.)
Vigotron values your privacy. The M-Heaith app allows you to decide which information is stored in it, and which apps can access your data. When your device is locked with a passcode, all of your health and fitness data is encrypted with your passcode. You can back up data stored in the Health app to Vigotron’s cloud provider, Stratculous. (Read more about Stratculous here.)
Vigotron will never trade, rent or sell personal information gathered from the M-Health app. Furthermore, we will not provide a customer’s name, email address or any other information gathered from the app to any third- party without a customer’s consent, unless ordered by a court, directed by a subpoena, or to enforce the manufacturer’s legal rights or protect its business or property.
We are happy to offer the M-Health app free of charge. If you want to download and use it, we ask that you
first complete this registration form. (Please note that use of the M-Health app is restricted to adults aged 16 or older, unless parental consent has been given to minors intending to use it.)
First name:
Surname:
Year of birth:
Email:
Physical Address (optional*):
Health status:
*If you are interested in receiving newsletters about our products and services that we think may be of interest to you, please include your physical address. If you decide later that you do not wish to receive these newsletters, you can unsubscribe by sending an email to unsubscribe@vigotron.com or send a letter with your request to the address listed at the bottom of this page.
Terms and Conditions
1.Jurisdiction. […]
2.Applicable law. […]
3.Limitation of liability. […]
Consent
By completing this registration form, you attest that you are at least 16 years of age, and that you consent to the processing of your personal data by Vigotron for the purpose of using the M-Health app. Although you are entitled to opt out of any advertising or marketing, you agree that Vigotron may contact you or provide you with any required notices, agreements, or other information concerning the services by email or other electronic means. You also agree that the Company may send automated emails with alerts regarding any problems with the M-Health app that may affect your well being.
If a user of the M-Health app were to decide to withdraw his consent, Vigotron would first be required to do what?
In the Planet 49 case, what was the man judgement of the Coon of Justice of the European Union (CJEU) regarding the issue of cookies?
It a company receives an anonymous email demanding ransom for the stolen personal data of its clients, what must the company do next, per GDPR requirements'3
A dynamic Internet Protocol (IP) address is considered persona! data when it is combined with what?
Start-up company MagicAI is developing an AI system that will be part of a medical device that detects skin cancer. To take measures against potential bias in its AI system, the IT Team decides to collect data about users' ethnic origin, nationality, and gender.
Which would be the most appropriate legal basis for this processing under the GDPR, Article 9 (Processing of special categories of personal data)?
Which statement provides an accurate description of a directive?
SCENARIO
Please use the following to answer the next question:
Brady is a computer programmer based in New Zealand who has been running his own business for two years. Brady’s business provides a low-cost suite of services to customers throughout the European Economic Area (EEA). The services are targeted towards new and aspiring small business owners. Brady’s company, called Brady Box, provides web page design services, a Social Networking Service (SNS) and consulting services that help people manage their own online stores.
Unfortunately, Brady has been receiving some complaints. A customer named Anna recently uploaded her plans for a new product onto Brady Box’s chat area, which is open to public viewing. Although she realized her mistake two weeks later and removed the document, Anna is holding Brady Box responsible for not noticing the error through regular monitoring of the website. Brady believes he should not be held liable.
Another customer, Felipe, was alarmed to discover that his personal information was transferred to a third- party contractor called Hermes Designs and worries that sensitive information regarding his business plans may be misused. Brady does not believe he violated European privacy rules. He provides a privacy notice to all of his customers explicitly stating that personal data may be transferred to specific third parties in fulfillment of a requested service. Felipe says he read the privacy notice but that it was long and complicated
Brady continues to insist that Felipe has no need to be concerned, as he can personally vouch for the integrity of Hermes Designs. In fact, Hermes Designs has taken the initiative to create sample customized banner advertisements for customers like Felipe. Brady is happy to provide a link to the example banner ads, now posted on the Hermes Designs webpage. Hermes Designs plans on following up with direct marketing to these customers.
Brady was surprised when another customer, Serge, expressed his dismay that a quotation by him is being used within a graphic collage on Brady Box’s home webpage. The quotation is attributed to Serge by first and last name. Brady, however, was not worried about any sort of litigation. He wrote back to Serge to let him know that he found the quotation within Brady Box’s Social Networking Service (SNS), as Serge himself had posted the quotation. In his response, Brady did offer to remove the quotation as a courtesy.
Despite some customer complaints, Brady’s business is flourishing. He even supplements his income through online behavioral advertising (OBA) via a third-party ad network with whom he has set clearly defined roles. Brady is pleased that, although some customers are not explicitly aware of the OBA, the advertisements contain useful products and services.
Based on the scenario, what is the main reason that Brady should be concerned with Hermes Designs’ handling of customer personal data?
When collecting personal data in a European Union (EU) member state, what must a company do if it collects personal data from a source other than the data subjects themselves?
SCENARIO
Please use the following to answer the next question:
Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent. All of the company’s IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father’s company, but is also secretly working on launching a new global online dating website company called Ben Knows Best.
Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company’s online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers’ philosophical beliefs, political opinions and marital status.
If a customer identifies as single, Ben then copies all of that customer’s personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out.
Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Beak with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.
Joe also hires his best friend’s daughter, Alice, who just graduated from law school in the U.S., to be the company’s new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company’s operations in the European Union to the U.S.
Joe believes that Alice is doing a great job, and informs her that she will also be in-charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company’s IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone’s information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.
As a result of Sam’s actions, the Gummy Bear Company potentially violated Articles 33 and 34 of the GDPR and will be required to do what?
What is the key difference between the European Council and the Council of the European Union?
SCENARIO
Please use the following to answer the next question:
Sandy recently joined Market4U, an advertising technology company founded in 2016, as their VP of Privacy and Data Governance. Through her first initiative in conducting a data inventory, Sandy learned that Market4U maintains a list of 19 million global contacts that were collected throughout the course of Market4U’s existence. Knowing the risk of having such a large amount of data, Sandy wanted to purge all contacts that were entered into Market4U’s systems prior to May 2018, unless such contacts had a more recent interaction with Market4U content. However, Dan, the VP of Sales, informed Sandy that all of the contacts provide useful information regarding successful marketing campaigns and trends in industry verticals for Market4U’s clients.
Dan also informed Sandy that he had wanted to focus on gaining more customers within the sports and entertainment industry. To assist with this behavior, Market4U’s marketing team decided to add several new fields to Market4U’s website forms, including forms for downloading white papers, creating accounts to participate in Market4U’s forum, and attending events. Such fields include birth date and salary.
What should Sandy give as feedback to Dan and the marketing team regarding the new fields Dan wants to add to Market4U’s forms?
SCENARIO
Please use the following to answer the next question:
Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent. All of the company’s IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father’s company, but is also secretly working on launching a new global online dating website company called Ben Knows Best.
Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company’s online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers’ philosophical beliefs, political opinions and marital status.
If a customer identifies as single, Ben then copies all of that customer’s personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out.
Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Beak with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.
Joe also hires his best friend’s daughter, Alice, who just graduated from law school in the U.S., to be the company’s new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company’s operations in the European Union to the U.S.
Joe believes that Alice is doing a great job, and informs her that she will also be in-charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company’s IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone’s information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.
The data transfer mechanism that Alice drafted violates the GDPR because the company did not first get approval from?
SCENARIO
Please use the following to answer the next question:
Anna and Frank both work at Granchester University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records:
Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information.
Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files).
Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees. These records are available to former students after registering through Granchester’s Alumni portal. Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers.
Under their security policy, the University encrypts all of its personal data records in transit and at rest.
In order to improve his teaching, Frank wants to investigate how his engineering students perform in relational to Department for Education expectations. He has attended one of Anna’s data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a
program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first time university attended. He wants to keep the records at the individual student level. Mindful of Anna’s training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time.
One of Anna’s tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, as required by the GDPR. After receiving her email reminder, Frank informs Anna about his performance database.
Ann explains to Frank that, as well as minimizing personal data, the University has to check that this new use of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has
done some additional research.
Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time.
Anna will find that a risk analysis is NOT necessary in this situation as long as?
Which EU institution is vested with the competence to propose new data protection legislation on its own initiative?
Which change was introduced by the 2009 amendments to the e-Privacy Directive 2002/58/EC?
After leaving the EU under the terms of Brexit, the United Kingdom will seek an adequacy determination. What is the reason for this?
Two companies, Gellcoat and Freifish, make plans to launch a co-branded product the prototype of which is called Gellifish 9090. The companies want to organize an event to introduce the new product, so they decide to share data from their client databases and come up with a list of people to invite. They agree on the content of the invitations and together build an app to gather feedback at the event.
In this scenario, Gellcoat and Freifish are considered to be?
SCENARIO
Please use the following to answer the next question:
ABC Hotel Chain and XYZ Travel Agency are U.S.-based multinational companies. They use an internet-based common platform for collecting and sharing their customer data with each other, in order to integrate their marketing efforts. Additionally, they agree on the data to be stored, how reservations will be booked and confirmed, and who has access to the stored data.
Mike, an EU resident, has booked travel itineraries in the past through XYZ Travel Agency to stay at ABC Hotel Chain’s locations. XYZ Travel Agency offers a rewards program that allows customers to sign up to accumulate points that can later be redeemed for free travel. Mike has signed the agreement to be a rewards program member.
Now Mike wants to know what personal information the company holds about him. He sends an email requesting access to his data, in order to exercise what he believes are his data subject rights.
What is the time period in which Mike should receive a response to his request?
Many businesses print their employees’ photographs on building passes, so that employees can be identified by security staff. This is notwithstanding the fact that facial images potentially qualify as biometric data under the GDPR. Why would such practice be permitted?
SCENARIO
Please use the following to answer the next question:
TripBliss Inc. is a travel service company which has lost substantial revenue over the last few years. Their new manager, Oliver, suspects that this is partly due to the company’s outdated website. After doing some research, he meets with a sales representative from the up-and-coming IT company Techiva, hoping that they can design a new, cutting-edge website for TripBliss Inc.’s foundering business.
During negotiations, a Techiva representative describes a plan for gathering more customer information through detailed Questionaires, which could be used to tailor their preferences to specific travel destinations. TripBliss Inc. can choose any number of data categories – age, income, ethnicity – that would help them best accomplish their goals. Oliver loves this idea, but would also like to have some way of gauging how successful this approach is, especially since the Questionaires will require customers to provide explicit consent to having their data collected. The Techiva representative suggests that they also run a program to analyze the new website’s traffic, in order to get a better understanding of how customers are using it. He explains his plan to place a number of cookies on customer devices. The cookies will allow the company to collect IP addresses and other information, such as the sites from which the customers came, how much time they spend on the TripBliss Inc. website, and which pages on the site they visit. All of this information will be compiled in log files, which Techiva will analyze by means of a special program. TripBliss Inc. would receive aggregate statistics to help them evaluate the website’s effectiveness. Oliver enthusiastically engages Techiva for these services.
Techiva assigns the analytics portion of the project to longtime account manager Leon Santos. As is standard practice, Leon is given administrator rights to TripBliss Inc.’s website, and can authorize access to the log files gathered from it. Unfortunately for TripBliss Inc., however, Leon is taking on this new project at a time when his dissatisfaction with Techiva is at a high point. In order to take revenge for what he feels has been unfair treatment at the hands of the company, Leon asks his friend Fred, a hobby hacker, for help. Together they come up with the following plan: Fred will hack into Techiva’s system and copy their log files onto a USB stick. Despite his initial intention to send the USB to the press and to the data protection authority in order to denounce Techiva, Leon experiences a crisis of conscience and ends up reconsidering his plan. He decides instead to securely wipe all the data from the USB stick and inform his manager that the company’s system of access control must be reconsidered.
After Leon has informed his manager, what is Techiva’s legal responsibility as a processor?
The transparency principle is most directly related to which of the following rights?
What is the main task of the European Data Protection Board?
Under the GDPR, who would be LEAST likely to be allowed to engage in the collection, use, and disclosure of a data subject’s sensitive medical information without the data subject’s knowledge or consent?
Pursuant to Article 17 and EDPB Guidelines S'2019 on RTBF criteria in search engines cases, all of the following would be valid grounds for data subject delisting requests EXCEPT?
SCENARIO - Please use the following to answer the next question:
It has been a tough season for the Spanish Handball League, with acts of violence and racism having increased exponentially during their last few matches.
In order to address this situation, the Spanish Minister of Sports, in conjunction with the National Handball League Association, issued an Administrative Order (the "Act") obliging all the professional clubs to install a fingerprint-reading system for accessing some areas of the sports halls, primarily the ones directly behind the goalkeepers. The rest of the areas would retain the current access system, which allows any spectators access as long as they hold valid tickets.
The Act named a selected hardware and software provider, New Digital Finger, Ltd., for the creation of the new fingerprint system. Additionally, it stipulated that any of the professional clubs that failed to install this system within a two-year period would face fines under the Act.
The Murla HB Club was the first to install the new system, renting the New Digital Finger hardware and software. Immediately afterward, the Murla HB Club automatically renewed current supporters' subscriptions, while introducing a new contractual clause requiring supporters to access specific areas of the hall through the new fingerprint reading system installed at the gates.
After the first match hosted by the Murla HB Club, a local supporter submitted a complaint to the club and to the Spanish Data Protection Authority (the AEPD), claiming that the new access system violates EU data protection laws. Having been notified by the AEPD of the upcoming investigation regarding this complaint, the Murla HB Club immediately carried out a Data Protection Impact Assessment (DPIA), the conclusions of which stated that the new access system did not pose any high risks to data subjects’ privacy rights.
The Murla HB Club should have carried out a DPIA before the installation of the new access system and at what other time?
A company would like to implement CCTV monitoring in its offices for safety and security purposes. Which of the following would be the best legal basis for the company to rely upon?
Which of the following is the weakest lawful basis for processing employee personal data?
What permissions are required for a marketer to send an email marketing message to a consumer in the EU?
What is the MAIN reason GDPR Article 4(22) establishes the concept of the “concerned supervisory authority”?
SCENARIO
Please use the following to answer the next question:
ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO. Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage s global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized m New Delhi Unable to reach Ruths family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who in coordination with Mary, the head of HR. provided information to the doctors based on accommodate on requests Ruth made when she started a: ProStorage
In support of Ruth's strategic goals of hiring more sales representatives, the Human
Resources team is focused on improving its processes to ensure that new
employees are sourced, interviewed, hired, and onboarded efficiently. To help with
this, Mary identified two vendors, HRYourWay, a German based company, and
InstaHR, an Australian based company. She decided to have both vendors go
through ProStorage's vendor risk review process so she can work with Ruth to
make the final decision. As part of the review process, Jackie, who is responsible
for maintaining ProStorage's privacy program (including maintaining controller
BCRs and conducting vendor risk assessments), reviewed both vendors but
completed a transfer impact assessment only for InstaHR. After her review of both
vendors, she determined that InstaHR satisfied more of the requirements as it
boasted a more established privacy program and provided third-party attestations,
whereas HRYourWay was a small vendor with minimal data protection operations.
Thus, she recommended InstaHR.
ProStorage's marketing team also worked to meet the strategic goals of the
company by focusing on industries where it needed to grow its market share. To
help with this, the team selected as a partner UpFinance, a US based company
with deep connections to financial industry customers. During ProStorage's
diligence process, Jackie from the privacy team noted in the transfer impact
assessment that UpFinance implements several data protection measures
including end-to-end encryption, with encryption keys held by the customer.
Notably, UpFinance has not received any government requests in its 7 years of
business. Still, Jackie recommended that the contract require UpFinance to notify
ProStorage if it receives a government request for personal data UpFinance
processes on its behalf prior to disclosing such data.
What transfer mechanism did ProStorage most likely rely on to transfer Ruth's medical information to the hospital?
Through a combination of hardware failure and human error, the decryption key for a bank's customer account transaction database has been lost. An investigation has determined that this was not the result of hacking or malfeasance, simply an unfortunate combination of circumstances. Which of the following accurately indicates the nature of this incident?
SCENARIO
Please use the following to answer the next question:
BHealthy, a company based in Italy, is ready to launch a new line of natural products, with a focus on sunscreen. The last step prior to product launch is for BHealthy to conduct research to decide how extensively to market its new line of sunscreens across Europe. To do so, BHealthy teamed up with Natural Insight, a company specializing in determining pricing for natural products. BHealthy decided to share its existing customer information – name, location, and prior purchase history – with Natural Insight. Natural Insight intends to use this information to train its algorithm to help determine the price point at which BHealthy can sell its new sunscreens.
Prior to sharing its customer list, BHealthy conducted a review of Natural Insight’s security practices and concluded that the company has sufficient security measures to protect the contact information. Additionally, BHealthy’s data processing contractual terms with Natural Insight require continued implementation of technical and organization measures. Also indicated in the contract are restrictions on use of the data provided by BHealthy for any purpose beyond provision of the services, which include use of the data for continued improvement of Natural Insight’s machine learning algorithms.
What is the nature of BHealthy and Natural Insight’s relationship?
In which scenario is a Controller most likely required to undertake a Data Protection Impact Assessment?
SCENARIO
Please use the following to answer the next question:
Brady is a computer programmer based in New Zealand who has been running his own business for two years. Brady’s business provides a low-cost suite of services to customers throughout the European Economic Area (EEA). The services are targeted towards new and aspiring small business owners. Brady’s company, called Brady Box, provides web page design services, a Social Networking Service (SNS) and consulting services that help people manage their own online stores.
Unfortunately, Brady has been receiving some complaints. A customer named Anna recently uploaded her plans for a new product onto Brady Box’s chat area, which is open to public viewing. Although she realized her mistake two weeks later and removed the document, Anna is holding Brady Box responsible for not noticing the error through regular monitoring of the website. Brady believes he should not be held liable.
Another customer, Felipe, was alarmed to discover that his personal information was transferred to a third- party contractor called Hermes Designs and worries that sensitive information regarding his business plans may be misused. Brady does not believe he violated European privacy rules. He provides a privacy notice to all of his customers explicitly stating that personal data may be transferred to specific third parties in fulfillment of a requested service. Felipe says he read the privacy notice but that it was long and complicated
Brady continues to insist that Felipe has no need to be concerned, as he can personally vouch for the integrity of Hermes Designs. In fact, Hermes Designs has taken the initiative to create sample customized banner advertisements for customers like Felipe. Brady is happy to provide a link to the example banner ads, now posted on the Hermes Designs webpage. Hermes Designs plans on following up with direct marketing to these customers.
Brady was surprised when another customer, Serge, expressed his dismay that a quotation by him is being used within a graphic collage on Brady Box’s home webpage. The quotation is attributed to Serge by first and last name. Brady, however, was not worried about any sort of litigation. He wrote back to Serge to let him know that he found the quotation within Brady Box’s Social Networking Service (SNS), as Serge himself had posted the quotation. In his response, Brady did offer to remove the quotation as a courtesy.
Despite some customer complaints, Brady’s business is flourishing. He even supplements his income through online behavioral advertising (OBA) via a third-party ad network with whom he has set clearly defined roles. Brady is pleased that, although some customers are not explicitly aware of the OBA, the advertisements contain useful products and services.
Based on current trends in European privacy practices, which aspect of Brady Box’ Online Behavioral Advertising (OBA) is most likely to be insufficient if the company becomes established in Europe?
Data retention in the EU was underpinned by a legal framework established by the Data Retention Directive (2006/24/EC). Why is the Directive no longer part of EU law?
Which of the following demonstrates compliance with the accountability principle found in Article 5, Section 2 of the GDPR?
Under the GDPR, which essential pieces of information must be provided to data subjects before collecting their personal data?
If a company chooses to ground an international data transfer on the contractual route, which of the following is NOT a valid set of standard contractual clauses?
In which situation would a data controller most likely be able to justify the processing of the data of a child without parental consent?
SCENARIO
Please use the following to answer the next question:
The fitness company Vigotron has recently developed a new app called M-Health, which it wants to market on its website as a free download. Vigotron’s marketing manager asks his assistant Emily to create a webpage that describes the app and specifies the terms of use. Emily, who is new at Vigotron, is excited about this task. At her previous job she took a data protection class, and though the details are a little hazy, she recognizes that Vigotron is going to need to obtain user consent for use of the app in some cases. Emily sketches out the following draft, trying to cover as much as possible before sending it to Vigotron’s legal department.
Registration Form
Vigotron’s new M-Health app makes it easy for you to monitor a variety of health-related activities, including diet, exercise, and sleep patterns. M-Health relies on your smartphone settings (along with other third-party apps you may already have) to collect data about all of these important lifestyle elements, and provide the information necessary for you to enrich your quality of life. (Please click here to read a full description of the services that M-Health provides.)
Vigotron values your privacy. The M-Heaith app allows you to decide which information is stored in it, and which apps can access your data. When your device is locked with a passcode, all of your health and fitness data is encrypted with your passcode. You can back up data stored in the Health app to Vigotron’s cloud provider, Stratculous. (Read more about Stratculous here.)
Vigotron will never trade, rent or sell personal information gathered from the M-Health app. Furthermore, we will not provide a customer’s name, email address or any other information gathered from the app to any third- party without a customer’s consent, unless ordered by a court, directed by a subpoena, or to enforce the manufacturer’s legal rights or protect its business or property.
We are happy to offer the M-Health app free of charge. If you want to download and use it, we ask that you
first complete this registration form. (Please note that use of the M-Health app is restricted to adults aged 16 or older, unless parental consent has been given to minors intending to use it.)
First name:
Surname:
Year of birth:
Email:
Physical Address (optional*):
Health status:
*If you are interested in receiving newsletters about our products and services that we think may be of interest to you, please include your physical address. If you decide later that you do not wish to receive these newsletters, you can unsubscribe by sending an email to unsubscribe@vigotron.com or send a letter with your request to the address listed at the bottom of this page.
Terms and Conditions
1.Jurisdiction. […]
2.Applicable law. […]
3.Limitation of liability. […]
Consent
By completing this registration form, you attest that you are at least 16 years of age, and that you consent to the processing of your personal data by Vigotron for the purpose of using the M-Health app. Although you are entitled to opt out of any advertising or marketing, you agree that Vigotron may contact you or provide you with any required notices, agreements, or other information concerning the services by email or other electronic means. You also agree that the Company may send automated emails with alerts regarding any problems with the M-Health app that may affect your well being.
What is one potential problem Vigotron’s age policy might encounter under the GDPR?
SCENARIO
Please use the following to answer the next question:
Financially, it has been a very good year at ARRA Hotels: Their 21 hotels, located in
Greece (5), Italy (15) and Spain (1), have registered their most profitable results
ever. To celebrate this achievement, ARRA Hotels' Human Resources office, based
in ARRA's main Italian establishment, has organized a team event for its 420
employees and their families at its hotel in Spain.
Upon arrival at the hotel, each employee and family member is given an electronic
wristband at the reception desk. The wristband serves a number of functions:
. Allows access to the "party zone" of the hotel, and emits a buzz if the user
approaches any unauthorized areas
. Allows up to three free drinks for each person of legal age, and emits a
buzz once this limit has been reached
. Grants a unique ID number for participating in the games and contests that
have been planned.
Along with the wristband, each guest receives a QR code that leads to the online
privacy notice describing the use of the wristband. The page also contains an
unchecked consent checkbox. In the case of employee family members under the
age of 16, consent must be given by a parent.
Among the various activities planned for the event, ARRA Hotels' HR office has
autonomously set up a photocall area, separate from the main event venue, where
employees can come and have their pictures taken in traditional carnival costume.
The photos will be posted on ARRA Hotels' main website for general marketing
purposes.
On the night of the event, an employee from one of ARRA's Greek hotels is
displeased with the results of the photos in which he appears. He intends to file a
complaint with the relevant supervisory authority in regard to the following:
. The lack of any privacy notice in the separate photocall area
The unlawful cross-border processing of his personal data
. The unacceptable aesthetic outcome of his photos
Assuming that there is a cross-border processing of personal data, which of the
following criteria would NOT be useful to the lead supervisory authority responsible
for the Greek employee's complaint when trying to determine the location of the
controller's main establishment?
Under the GDPR, which of the following is true in regard to adequacy decisions involving cross-border transfers?
A company plans to transfer employee health information between two of its entities in France. To maintain the security of the processing, what would be the most important security measure to apply to the health data transmission?
A private company has establishments in France, Poland, the United Kingdom, and most prominently, Germany, where its headquarters is established. The company offers its services worldwide. Most of the services are designed in Germany and supported in the other establishments. However, one of the services, a Software as a Service (SaaS) application, was defined and implemented by the Polish establishment. It is also supported by the other establishments.
What is the lead supervisory authority for the SaaS service?
According to the GDPR, how is pseudonymous personal data defined?
An organization receives a request multiple times from a data subject seeking to exercise his rights with respect to his own personal data. Under what condition can the organization charge the data subject a fee for processing the request?
Which kind of privacy notice, originally advocated by the Article 29 Working Party, is commonly recommended tor Al-based technologies because of the way it provides processing information at specific points of data collection?
SCENARIO
Please use the following to answer the next question:
Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentable offering to help him recover compensation for personal injury. Louis has heard about insurance companies selling customers’ data to third parties, and he’s convinced that Accidentable must have gotten his information from Bedrock Insurance.
Louis has also been receiving an increased amount of marketing information from Bedrock, trying to sell him their full range of their insurance policies.
Perturbed by this, Louis has started looking at price comparison sites on the internet and has been shocked to find that other insurers offer much cheaper rates than Bedrock, even though he has been a loyal customer for many years. When his Bedrock policy comes up for renewal, he decides to switch to Zantrum Insurance.
In order to activate his new insurance policy, Louis needs to supply Zantrum with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask Bedrock to transfer his information directly to Zantrum. He also takes this opportunity to ask Bedrock to stop using his personal data for marketing purposes.
Bedrock supplies Louis with a PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Louis it cannot transfer his data directly to Zantrum as this is not technically feasible. Bedrock also explains that Louis’s contract included a provision whereby Louis agreed that his data could be used for marketing purposes; according to Bedrock, it is too late for Louis to change his mind about this. It angers Louis when he recalls the wording of the contract, which was filled with legal jargon and very confusing.
In the meantime, Louis is still receiving unwanted calls from Accidentable Insurance. He writes to Accidentable to ask for the name of the organization that supplied his details to them. He warns Accidentable that he plans to complain to the data protection authority, because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way.
Accidentable’s response letter confirms Louis’s suspicions. Accidentable is Bedrock Insurance’s wholly owned subsidiary, and they received information about Louis’s accident from Bedrock shortly after Louis submitted his accident claim. Accidentable assures Louis that there has been no breach of the GDPR, as Louis’s contract included, a provision in which he agreed to share his information with Bedrock’s affiliates for business purposes.
Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them insisting that all his information be erased from their computer system.
After Louis has exercised his right to restrict the use of his data, under what conditions would Accidentable have grounds for refusing to comply?
What should a controller do after a data subject opts out of a direct marketing activity?
SCENARIO
Please use the following to answer the next question:
The fitness company Vigotron has recently developed a new app called M-Health, which it wants to market on its website as a free download. Vigotron’s marketing manager asks his assistant Emily to create a webpage that describes the app and specifies the terms of use. Emily, who is new at Vigotron, is excited about this task. At her previous job she took a data protection class, and though the details are a little hazy, she recognizes that Vigotron is going to need to obtain user consent for use of the app in some cases. Emily sketches out the following draft, trying to cover as much as possible before sending it to Vigotron’s legal department.
Registration Form
Vigotron’s new M-Health app makes it easy for you to monitor a variety of health-related activities, including diet, exercise, and sleep patterns. M-Health relies on your smartphone settings (along with other third-party apps you may already have) to collect data about all of these important lifestyle elements, and provide the information necessary for you to enrich your quality of life. (Please click here to read a full description of the services that M-Health provides.)
Vigotron values your privacy. The M-Heaith app allows you to decide which information is stored in it, and which apps can access your data. When your device is locked with a passcode, all of your health and fitness data is encrypted with your passcode. You can back up data stored in the Health app to Vigotron’s cloud provider, Stratculous. (Read more about Stratculous here.)
Vigotron will never trade, rent or sell personal information gathered from the M-Health app. Furthermore, we will not provide a customer’s name, email address or any other information gathered from the app to any third- party without a customer’s consent, unless ordered by a court, directed by a subpoena, or to enforce the manufacturer’s legal rights or protect its business or property.
We are happy to offer the M-Health app free of charge. If you want to download and use it, we ask that you
first complete this registration form. (Please note that use of the M-Health app is restricted to adults aged 16 or older, unless parental consent has been given to minors intending to use it.)
First name:
Surname:
Year of birth:
Email:
Physical Address (optional*):
Health status:
*If you are interested in receiving newsletters about our products and services that we think may be of interest to you, please include your physical address. If you decide later that you do not wish to receive these newsletters, you can unsubscribe by sending an email to unsubscribe@vigotron.com or send a letter with your request to the address listed at the bottom of this page.
Terms and Conditions
1.Jurisdiction. […]
2.Applicable law. […]
3.Limitation of liability. […]
Consent
By completing this registration form, you attest that you are at least 16 years of age, and that you consent to the processing of your personal data by Vigotron for the purpose of using the M-Health app. Although you are entitled to opt out of any advertising or marketing, you agree that Vigotron may contact you or provide you with any required notices, agreements, or other information concerning the services by email or other electronic means. You also agree that the Company may send automated emails with alerts regarding any problems with the M-Health app that may affect your well being.
Emily sends the draft to Sam for review. Which of the following is Sam most likely to point out as the biggest problem with Emily’s consent provision?
SCENARIO
Please use the following to answer the next question:
Due to rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B. Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry.
Company B’s payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A’s factories. Company B won’t hold any biometric data itself, but the related data will be uploaded to Company B’s UK servers and used to provide the payroll service. Company B’s live systems will contain the following information for each of Company A’s employees:
Name
Address
Date of Birth
Payroll number
National Insurance number
Sick pay entitlement
Maternity/paternity pay entitlement
Holiday entitlement
Pension and benefits contributions
Trade union contributions
Jenny is the compliance officer at Company A. She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn’t sure whether or not this is required.
Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data. Jenny suggests that Company B obtain advice from its data protection officer. The company doesn’t have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract.
Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B’s live systems in order to create a new database for Company B.
This database will be stored in a test environment hosted on Company C’s U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes.
Unfortunately, Company C’s U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A’s employees is visible to anyone visiting Company C’s website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees.
Under the GDPR, which of Company B’s actions would NOT be likely to trigger a potential enforcement action?
Which marketing-related activity is least likely to be covered by the provisions of Privacy and Electronic Communications Regulations (Directive 2002/58/EC)?
What is a reason the European Court of Justice declared the Data Retention Directive invalid in 2014?
SCENARIO
Please use the following to answer the next question:
You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company’s revenue is due to international sales.
The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: The figures can answer children’s Questions: on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience.
When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure’s integrated
speakers, making it appear as though that the toy is actually responding to the child’s question. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.
In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures’ abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character’s abilities remain intact.
Why is this company obligated to comply with the GDPR?
As a Data Protection Officer for a small bank in the European Union, you receive a data subject access request from one of your customers. The customer provides you with his
name, and has used the email address registered in your system.
What would be the most appropriate way to confirm the identity of the customer?
SCENARIO
Please use the following to answer the next question:
ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO. Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage s global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized m New Delhi Unable to reach Ruths family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who in coordination with Mary, the head of HR. provided information to the doctors based on accommodate on requests Ruth made when she started a: ProStorage
In support of Ruth's strategic goals of hiring more sales representatives, the Human
Resources team is focused on improving its processes to ensure that new
employees are sourced, interviewed, hired, and onboarded efficiently. To help with
this, Mary identified two vendors, HRYourWay, a German based company, and
InstaHR, an Australian based company. She decided to have both vendors go
through ProStorage's vendor risk review process so she can work with Ruth to
make the final decision. As part of the review process, Jackie, who is responsible
for maintaining ProStorage's privacy program (including maintaining controller
BCRs and conducting vendor risk assessments), reviewed both vendors but
completed a transfer impact assessment only for InstaHR. After her review of both
vendors, she determined that InstaHR satisfied more of the requirements as it
boasted a more established privacy program and provided third-party attestations,
whereas HRYourWay was a small vendor with minimal data protection operations.
Thus, she recommended InstaHR.
ProStorage's marketing team also worked to meet the strategic goals of the
company by focusing on industries where it needed to grow its market share. To
help with this, the team selected as a partner UpFinance, a US based company
with deep connections to financial industry customers. During ProStorage's
diligence process, Jackie from the privacy team noted in the transfer impact
assessment that UpFinance implements several data protection measures
including end-to-end encryption, with encryption keys held by the customer.
Notably, UpFinance has not received any government requests in its 7 years of
business. Still, Jackie recommended that the contract require UpFinance to notify
ProStorage if it receives a government request for personal data UpFinance
processes on its behalf prior to disclosing such data.
What transfer mechanism did ProStorage most likely rely on to transfer Ruth's
medical information to the hospital?
What was the main failing of Convention 108 that led to the creation of the Data Protection Directive (Directive 95/46/EC)?
A company has collected personal data tor direct marketing purpose on the basis of consent. It is now considering using this data to develop new products through analytics. What is the company first required to do?
Under which of the following conditions does the General Data Protection Regulation NOT apply to the processing of personal data?
A company wishes to transfer personal data to a country outside of the European Union/EEA In order to do so, they are planning an assessment of the country's laws and practices, knowing that these may impinge upon the transfer safeguards they intend to use
All of the following factors would be relevant for the company to consider EXCEPT'?
To provide evidence of GDPR compliance, a company performs an internal audit. As a result, it finds a data base, password-protected, listing all the social network followers of the client.
Regarding the domain of the controller-processor relationships, how is this situation considered?
Which of the following describes a mandatory requirement for a group of undertakings that wants to appoint a single data protection officer?
Once an organization has conducted an internal investigation to determine the scope of a ransomware attack, what is the appropriate next step in the process?
Which institution has the power to adopt findings that confirm the adequacy of the data protection level in a non-EU country?
A company is located in a country NOT considered by the European Union (EU) to have an adequate level of data protection. Which of the following is an obligation of the company if it imports personal data from another organization in the European Economic Area (EEA) under standard contractual clauses?
SCENARIO
Please use the following to answer the next question:
T-Craze, a German-headquartered specialty t-shirt company, was successfully selling to large German metropolitan cities. However, after a recent merger with another German-based company that was selling to a broader European market, T-Craze revamped its marketing efforts to sell to a wider audience. These efforts included a complete redesign of its logo to reflect the recent merger, and improvements to its website meant to capture more information about visitors through the use of cookies.
T-Craze also opened various office locations throughout Europe to help expand its business. While Germany
Target, a renowned marketing firm based in the Philippines, to run its latest marketing campaign. After thorough research, Right Target determined that T-Craze is most successful with customers between the ages of 18 and 22. Thus, its first campaign targeted university students in several European capitals, which yielded nearly 40% new customers for T-Craze in one quarter. Right Target also ran subsequent campaigns for T- Craze, though with much less success.
The last two campaigns included a wider demographic group and resulted in countless unsubscribe requests, including a large number in Spain. In fact, the Spanish data protection authority received a complaint from Sofia, a mid-career investment banker. Sofia was upset after receiving a marketing communication even after unsubscribing from such communications from the Right Target on behalf of T-Craze.
What is the best option for the lead regulator when responding to the Spanish supervisory authority’s notice that it plans to take action regarding Sofia’s complaint?
In which of the following situations would an individual most likely to be able to withdraw her consent for processing?
SCENARIO
Please use the following to answer the next question:
ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO. Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage s global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized m New Delhi Unable to reach Ruths family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who in coordination with Mary, the head of HR. provided information to the doctors based on accommodate on requests Ruth made when she started a: ProStorage
In support of Ruth's strategic goals of hiring more sales representatives, the Human
Resources team is focused on improving its processes to ensure that new
employees are sourced, interviewed, hired, and onboarded efficiently. To help with
this, Mary identified two vendors, HRYourWay, a German based company, and
InstaHR, an Australian based company. She decided to have both vendors go
through ProStorage's vendor risk review process so she can work with Ruth to
make the final decision. As part of the review process, Jackie, who is responsible
for maintaining ProStorage's privacy program (including maintaining controller
BCRs and conducting vendor risk assessments), reviewed both vendors but
completed a transfer impact assessment only for InstaHR. After her review of both
vendors, she determined that InstaHR satisfied more of the requirements as it
boasted a more established privacy program and provided third-party attestations,
whereas HRYourWay was a small vendor with minimal data protection operations.
Thus, she recommended InstaHR.
ProStorage's marketing team also worked to meet the strategic goals of the
company by focusing on industries where it needed to grow its market share. To
help with this, the team selected as a partner UpFinance, a US based company
with deep connections to financial industry customers. During ProStorage's
diligence process, Jackie from the privacy team noted in the transfer impact
assessment that UpFinance implements several data protection measures
including end-to-end encryption, with encryption keys held by the customer.
Notably, UpFinance has not received any government requests in its 7 years of
business. Still, Jackie recommended that the contract require UpFinance to notify
ProStorage if it receives a government request for personal data UpFinance
processes on its behalf prior to disclosing such data.
What transfer mechanism should Jackie recommend for using InstaHR?
If a company is planning to use closed-circuit television (CCTV) on its premises and is concerned with GDPR compliance, it should first do all of the following EXCEPT?
Which of the following is NOT considered a fair processing practice in relation to the transparency principle?
SCENARIO
Please use the following to answer the next question:
Anna and Frank both work at Granchester University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records:
Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information.
Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files).
Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees. These records are available to former students after registering through Granchester’s Alumni portal. Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers.
Under their security policy, the University encrypts all of its personal data records in transit and at rest.
In order to improve his teaching, Frank wants to investigate how his engineering students perform in relational to Department for Education expectations. He has attended one of Anna’s data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a
program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first time university attended. He wants to keep the records at the individual student level. Mindful of Anna’s training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time.
One of Anna’s tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, as required by the GDPR. After receiving her email reminder, Frank informs Anna about his performance database.
Ann explains to Frank that, as well as minimizing personal data, the University has to check that this new use
of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has done some additional research.
Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time.
Before Anna determines whether Frank’s performance database is permissible, what additional information does she need?
Which sentence BEST summarizes the concepts of “fairness,” “lawfulness” and “transparency”, as expressly required by Article 5 of the GDPR?
Since blockchain transactions are classified as pseudonymous, are they considered to be within the material scope of the GDPR or outside of it?
In 2016’s Guidance, the United Kingdom’s Information Commissioner’s Office (ICO) reaffirmed the importance of using a “layered notice” to provide data subjects with what?
Please use the following to answer the next question:
WonderkKids provides an online booking service for childcare. Wonderkids is based in France, but hosts its website through a company in Switzerland. As part of their service, WonderKids will pass all personal data provided to them to the childcare provider booked through their system. The type of personal data collected on the website includes the name of the person booking the childcare, address and contact details, as well as information about the children to be cared for including name, age, gender and health information. The privacy statement on Wonderkids’ website states the following:
“WonderkKids provides the information you disclose to us through this website to your childcare provider for scheduling and health and safety reasons. We may also use your and your child’s personal information for our own legitimate business purposes and we employ a third-party website hosting company located in Switzerland to store the data. Any data stored on equipment located in Switzerland meets the European Commission provisions for guaranteeing adequate safeguards for you and your child’s personal information. We will only share you and your child’s personal information with businesses that we see as adding real value to you. By providing us with any personal data, you consent to its transfer to affiliated businesses and to send you promotional offers.”
“We may retain you and your child’s personal information for no more than 28 days, at which point the data will be depersonalized, unless your personal information is being used for a legitimate business purpose beyond 28 days where it may be retained for up to 2 years.”
“We are processing you and your child’s personal information with your consent. If you choose not to provide certain information to us, you may not be able to use our services. You have the right to: request access to you and your child’s personal information; rectify or erase you or your child’s personal information; the right to correction or erasure of you and/or your child’s personal information; object to any processing of you and your child’s personal information. You also have the right to complain to the supervisory authority about our data processing activities.”
What direct marketing information can WonderKids send by email without prior consent of the person booking the childcare?
SCENARIO
Please use the following to answer the next question:
Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.
Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick’s instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.
Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its
clients’ data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying
information from the contact information. JaphSoft’s engineers, however, maintain all contact information in the same database as the identifying information.
Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies’ websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem’s as well as EcoMick’s latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem’s products, she has never shopped EcoMick, nor provided her personal data to that company.
Which of the following BEST describes the relationship between Liem, EcoMick and JaphSoft?
Which of the following Convention 108+ principles, as amended in 2018, is NOT consistent with a principle found in the GDPR?
Which of the following would MOST likely trigger the extraterritorial effect of the GDPR, as specified by Article 3?
SCENARIO
Please use the following to answer the next question:
Financially, it has been a very good year at ARRA Hotels: Their 21 hotels, located in
Greece (5), Italy (15) and Spain (1), have registered their most profitable results
ever. To celebrate this achievement, ARRA Hotels' Human Resources office, based
in ARRA's main Italian establishment, has organized a team event for its 420
employees and their families at its hotel in Spain.
Upon arrival at the hotel, each employee and family member is given an electronic
wristband at the reception desk. The wristband serves a number of functions:
. Allows access to the "party zone" of the hotel, and emits a buzz if the user
approaches any unauthorized areas
. Allows up to three free drinks for each person of legal age, and emits a
buzz once this limit has been reached
. Grants a unique ID number for participating in the games and contests that
have been planned.
Along with the wristband, each guest receives a QR code that leads to the online
privacy notice describing the use of the wristband. The page also contains an
unchecked consent checkbox. In the case of employee family members under the
age of 16, consent must be given by a parent.
Among the various activities planned for the event, ARRA Hotels' HR office has
autonomously set up a photocall area, separate from the main event venue, where
employees can come and have their pictures taken in traditional carnival costume.
The photos will be posted on ARRA Hotels' main website for general marketing
purposes.
On the night of the event, an employee from one of ARRA's Greek hotels is
displeased with the results of the photos in which he appears. He intends to file a
complaint with the relevant supervisory authority in regard to the following:
. The lack of any privacy notice in the separate photocall area
The unlawful cross-border processing of his personal data
. The unacceptable aesthetic outcome of his photos
Which of the following is NOT necessarily considered a factor in identifying whether
the processing could be considered a "cross-border processing"?
As per the GDPR, which legal basis would be the most appropriate for an online shop that wishes to process personal data for the purpose of fraud prevention?
In which case would a controller who has undertaken a DPIA most likely need to consult with a supervisory authority?
When does the GDPR provide more latitude for a company to process data beyond its original collection purpose?