Practice Exam Flashcards

Question

Each of the following should be considered when assessing which security measures would be most appropriate for an organisation **EXCEPT**? A. The cost of implementing security measures. B. The sensitivity of the information to individuals. C. The lawful basis for processing the personal data. D. The potential harm caused if there was a personal data breach.

Answer 1

C. The lawful basis for processing the personal data. | *Body of Knowledge Domain II, Subdomain C* ## Footnote The correct answer is C. Article 5(1)(f) of the Regulation states that personal data must be ‘processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”)’. To determine what is appropriate, an organisation will need to conduct a risk assessment. The assessment should consider the nature of the data being processed, potential threats and vulnerabilities to the data subject (such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed) and the cost of implementation (cost should be appropriate for the risks identified). The lawful basis for processing the personal data is unlikely to impact the integrity and confidentiality of the information being processed.

Answer 2

The company's products are marketed directly to EU customers. | *Body of Knowledge Domain II, Subdomain B* ## Footnote The correct answer is D. This is a non-EU company (1) explicitly targeting EU customers and (2) collecting data from persons in the EU. The GDPR aims to protect the privacy rights of all persons in the EU as well as the rights of any individuals who have their data processed by a company in the EU. As a result, non-EU companies explicitly targeting EU customers and therefore collecting the data of persons in the EU (such as the company in this scenario) must comply with the GDPR.

Answer 3

Parental consent for a child's use of the action figures would have to be obtained before any data could be collected. | *Body of Knowledge Domain II, Subdomain E* ## Footnote The correct answer is A. Under Article 8, where a controller relies on consent as the legitimate processing criterion and information society services are offered directly to a child, the processing of personal data is only lawful where the child is at least 16 years old. Where the child is under 16 years old, such processing is only lawful ‘if and to the extent that consent is given or authorised by the holder of personal responsibility over the child. Member states may set a minimum age of consent less than 16 years so long as the age is not lower than 13’.

Answer 4

The information about the data processing involved has not been specified or updated. | *Body of Knowledge Domain II, Subdomain E* ## Footnote The correct answer is C. The toy manufacturer’s privacy information does not clearly explain the processing that is taking place, resulting in a lack of transparency. This lack of transparency means that data subjects will not understand how and why their personal data is processed and will not be able to make an informed decision and may not be able to exercise their rights.

Answer 5

Encrypt the data while it is in transit over the wireless Bluetooth connection. | *Body of Knowledge Domain II, Subdomain G* ## Footnote The correct answer is A. A key principle of the GDPR is the security principle which requires personal data be processed securely by means of appropriate technical and organisational measures. To put the appropriate technical and organisational measures in place, a risk analysis needs to be conducted and organisational policies, together with physical and technical measures, need to be applied. The state of the art and costs of implementation are to be considered when deciding what measures to take, but they must be appropriate both to the circumstances and the risk the processing poses. Where appropriate, measures such as pseudonymisation and encryption are required. These measures must ensure the confidentiality, integrity and availability of the systems and services and the personal data being processed within them. These measures must also include the ability to restore access and availability to personal data in a timely manner in the event of a physical or technical incident. Companies are required to have appropriate processes in place to test the effectiveness of these measures and undertake any required improvements. In this question, we have a toy that collects data from a child and transmits it via Bluetooth to another device. Transmission of this data should be protected from people or devices trying to intercept the communication between devices. One way to mitigate this concern is to encrypt the data in transit over the wireless Bluetooth connection. See GDPR Article 32(1)(a).

Answer 6

Users will be presented with granular, specific consent requests for particular processing activities | *Body of Knowledge Domain III, Subdomain D* ## Footnote The correct answer is D. If consent is relied upon as the legal basis for processing, it must be specific, fully informed, freely given and revocable at any time (see GDPR Article 7). Because ‘the request for consent shall be presented in a manner which is clearly distinguishable from other matters’, granular and specific consent is required for each optional processing activity.

Answer 7

Honour the request by erasing the data without undue delay. | *Body of Knowledge Domain II, Subdomain F* ## Footnote The correct answer is C. Because the footage in question no longer meets the purpose for which it was initially stored (i.e., no vandalism occurred during the time the data subject passed by), there is, at the time of the request, no legitimate interest to store the data that would override the interests of the data subject. The controller must honour the request and erase the personal data without undue delay pursuant to GDPR Article 17.

Answer 8

The state of the art, the cost of implementation, and the nature, scope, context and purposes of processing, together with the impact on the data subject’s rights. | *Body of Knowledge Domain II, Subdomain G* ## Footnote The correct answer is B. Companies can reduce the probability of a data breach if they choose to encrypt personal data. The processing of personal data is naturally associated with a certain degree of risk. Therefore, risk management plays an ever-larger role in IT security, and data encryption is suited, amongst other means, for these companies. In general, encryption refers to the procedure that converts clear text into a hashed code using a key, where the outgoing information only becomes readable again by using the correct decryption key. This minimises the risk of an incident during data processing, as encrypted contents are basically unreadable for third parties who do not have the correct key. Encryption is the best way to protect data during transfer and one way to secure stored personal data. It also reduces the risk of abuse within a company, as access is limited only to authorised people with the right key. The GDPR also recognises these risks when processing personal data and places the responsibility on the controller and the processor to implement appropriate technical and organisational measures to secure personal data. The GDPR deliberately does not define which specific technical and organisational measures are considered suitable in each case in order to accommodate individual factors. However, it gives the controller a catalogue of criteria to be considered when choosing methods to secure personal data. Those are the state of the art, implementation costs, and the nature, scope, context and purposes of the processing. See Recital 83 and Article 32 of the GDPR.

Answer 9

D. A journalist writing an article relating to the medical condition in question, who believes that the publication of such information is in the public interest. | *Body of Knowledge Domain II, Subdomain D* ## Footnote The correct answer is D. To be able to process health information, which is special category of data, the controller will need to have both a lawful basis under Article 6 and meet at least one condition under Article 9. Some of the conditions under Article 9 include where courts are acting in their judicial capacity, where it is necessary for reasons of public interest in the area of public health, and where processing is necessary to protect the vital interest of the data subject. For a journalist writing an article, processing is only permitted for reasons of substantial public interest where there is a basis in member state law.

Answer 10

Explicit consent. | *Body of Knowledge Domain III, Subdomain B* ## Footnote The correct answer is B. In this situation, the personal data being collected is biometric data under GDPR Article 9. Biometric data is defined in GDPR Article 4(14) as ‘personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data’. Video footage on its own is not necessarily biometric data unless it results from specific technical processing relating to physical, physiological or behavioural characteristics, which allow unique identification of the individual. In this case, we are told the facial recognition data is used specifically to identify previously banned patrons who are entering the mall. The processing of biometric data is generally prohibited by GDPR Article 14(1), unless an exception in GDPR Article 14(2) applies. Of the answer choices, only explicit consent is listed as an exception under GDPR Article (14)(2)(a).

Answer 11

B. Consistency. | *Body of Knowledge Domain II, Subdomain E* ## Footnote The correct answer is B. While consistency is important, it is not listed as part of the fair processing information guidelines. When providing information to data subjects with respect to the processing of the data subject’s personal data, controllers should ensure that such information is: * Concise: Although there is a clear conflict between this requirement and the volume of fair processing information the Regulation mandates, controllers can assist data subjects by separating content into headed sections, using short sentences and paragraphs, and adopting a layered approach to information provision. * Transparent: Controllers should be genuine, open and honest with data subjects, and not misleading. Data subjects should not be surprised by processing and, where there are risks or important consequences associated with it, these should be spelled out. * Easily accessible: It should be clear where fair processing information is and how it can be accessed. Data subjects should not be required to search for it, including amongst other content, and the provision of information should be appropriate for the context in which personal data is obtained. Two additional requirements are that the information be: * Intelligible and in clear and plain language: The language used should be easy for the target audience to understand, and controllers should avoid overly legal language, jargon and terminology. * Accurate and up to date: Fair processing information should therefore be regularly reviewed.

Answer 12

The rights granted to data subjects under Articles 12 to 23. | *Body of Knowledge Domain I, Subdomain A* ## Footnote The correct answer is B. The individual participation principle of the OECD Guidelines refers to the right of the individual to obtain information about themselves from the data controller and to have that communication provided to them within a reasonable time, without excessive charge, in a reasonable manner, and in a form intelligible to them. The rights granted to data subjects under Articles 12 to 23 refer to articles of the GDPR that provide rights to the data subject. These rights align with those mentioned in the OECD principle, such as the right of access by the data subject.

Answer 13

D. When the data controller has taken subsequent measures to ensure that the risks to the data subject are no longer likely to materialise. | *Body of Knowledge Domain II, Subdomain G* ## Footnote The correct answer is D. Article 34(3) of the GDPR states three conditions that, if met, do not require notification to individuals in the event of a breach: (1) The controller has applied appropriate technical and organisational measures to protect personal data prior to the breach, in particular those measures that render personal data unintelligible to any person who is not authorised to access it. This could, for example, include protecting personal data with state-of-the-art encryption or by tokenisation. (2) Immediately following a breach, the controller has taken steps to ensure that the high risk posed to individuals’ rights and freedoms is no longer likely to materialise. For example, depending on the circumstances of the case, the controller may have immediately identified and acted against the individual who has accessed personal data before they were able to do anything with it. Due attention still needs to be given to the possible consequences of any breach of confidentiality, again, depending on the nature of the data concerned. (3) It would involve disproportionate effort to contact individuals, perhaps where their contact details have been lost as a result of the breach or are not known in the first place. See Article 34(3) of the GDPR and WP29 ‘Guidelines on Personal data breach notification under Regulation 2016/679’ (WP250 rev.01).

Answer 14

C. Data controller. | *Body of Knowledge Domain II, Subdomain A* ## Footnote The correct answer is C. A company can have multiple roles, depending on a specific processing activity. A company can be a data controller for some processing activities and a processor for others. In this scenario, the delivery company’s primary business is as a data processor, because they process data only at the instructions of the data controller (the restaurant) for the purpose of delivering orders. However, this question asks specifically about the role of the delivery company with respect to the processing of data used for the algorithm. As to that specific processing activity, the delivery company has gone outside the scope of processing directed by the controller and has redefined the purpose and means of processing that data, thereby making them a data controller for this activity. This scenario is further described by the European Data Protection Board’s ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’, adopted 7 July 2021.

Answer 15

Yes, because the company is processing special categories of EU personal data. | *Body of Knowledge Domain II, Subdomain H* ## Footnote The correct answer is C. Article 30’s record-keeping requirement has an exception for companies that employ fewer than 250 people. However, the under 250 employee exemption does not apply if (1) processing is likely to result in a risk to the rights and freedoms of the data subjects; (2) processing is frequent and not occasional; or (3) processing involves special categories of data including biometrics, health data, genetic data or data related to a person’s sex life or sexual orientation (also known as sensitive personal data). Health data processed by this data processor is considered sensitive personal data, and there will be frequent processing of the data (not occasional). This means the company cannot rely on the exception and must comply with the Article 30 requirement.

Answer 16

Their core activity involves processing EU sensitive data on a large scale. | *Body of Knowledge Domain II, Subdomain H* ## Footnote The correct answer is A. A company must appoint a DPO, whether it is a controller or a processor, if its core activities involve the processing of sensitive data on a large scale. ‘Large scale’ is defined as the number of data subjects concerned as a specific number or as proportion of the relevant population. Here, ABC Company will be processing all student health insurance applications in Ireland, which represents a large portion of the population.

Answer 17

D. The details of any third parties where the location data will be transmitted | *Body of Knowledge Domain II, Subdomain C* ## Footnote The correct answer is D. Under Article 9(1) of the ePrivacy Directive, the requirement is to inform users or subscribers prior to obtaining their consent whether the data will be transmitted to a third party. The directive does not require details of any third party to be included.

Answer 18

It must solicit informed consent from the customers through a notice on its website. | *Body of Knowledge Domain II, Subdomain F* ## Footnote The correct answer is B. The United States-based company is processing the personal data of European citizens and therefore must comply with the GDPR. Obtaining informed consent provides the strongest legal basis for processing personal data in this scenario. Informed consent may be in the form of a privacy notice that specifies the rights of the individual related to using personal data only for stated purposes, as well as informing data subjects of their ability to withdraw consent at any time. The notice must inform the website visitor about the software used, including automated decision-making systems, profiling and sharing personal data with other recipients. The privacy notice must include the contact details of the company, its EU representative and its data protection officer.

Answer 19

Court of Justice of the EU. | *Body of Knowledge Domain I, Subdomain C* ## Footnote The correct answer is D. The Court of Justice of the European Union (CJEU) interprets EU law to make certain it is applied in the same way across all member states and settles legal disputes between national governments and EU institutions. It can also, in certain circumstances, be used by individuals, companies or organisations to take action against an EU institution, if they feel it has somehow infringed their rights.

Answer 20

D. Transparency. | *Body of Knowledge Domain II, Subdomain E* ## Footnote The correct answer is D. This GDPR principle is first mentioned in Article 5(1)(a) as personal data that must be ‘processed lawfully, fairly and in a transparent manner in relation to the data subject’. This question is primarily related to transparency. Transparency is mentioned again in GDPR Article 14(1) and requires the controller to provide data subjects with information about the data processing ‘in a concise, transparent, intelligible and easily accessible form, using clear and plain language’. In this question, a Spanish company is knowingly engaged in the sale of products to consumers in countries where the primary language is not Spanish. Since the company is advertising to data subjects in non-Spanish speaking countries, they have an obligation to provide those data subjects with transparency around their processing activities in a language that is readable to them.

Answer 21

To ensure that the interests of data subjects residing outside the lead authority's jurisdiction are represented. | *Body of Knowledge Domain II, Subdomain J* ## Footnote The correct answer is C. For companies that process data outside of their lead supervisory authority’ location, the concept of ‘supervisory authority concerned’ gives the DPA the ability to also represent the interests of individuals residing outside of the lead authority’s jurisdiction. For example, where there is a regulatory problem that concerns a controller in one jurisdiction and a processor in another jurisdiction, the lead authority will be the controller’s while the processor’s authority will be a ‘supervisory authority concerned’. As noted in Article 56(2), ‘By derogation from paragraph 1, each supervisory authority shall be competent to handle a complaint lodged with it or a possible infringement of this Regulation, if the subject matter relates only to an establishment in its Member State or substantially affects data subjects only in its Member State’. (Reference section 13.5.2 in *European Data Protection, Second Edition*).

Answer 22

C. Allowing access to all apps on the device to monitor for security risks or flaws. | *Body of Knowledge Domain III, Subdomain A* ## Footnote The correct answer is C. Many companies allow for their employees to use personal devices for communications in the workplace (‘bring your own device’ or BYOD). Since allowing BYOD may raise a number of potential privacy issues, it is of utmost importance that the company put together a BYOD program in view of the GDPR provisions. Companies are required to respect the privacy of employees who use personal equipment in the context of their professional activity and should compartmentalise the areas of the device intended to be used in a professional context (e.g., create a security bubble) to ensure personal information cannot be accessed. Additionally, the company must ensure the user understands the risks of using their own device, including precautions to keep data safe.

Answer 23

D. They do not constitute a binding law on data controllers but are requirements for EU member states to enact legislation. | *Body of Knowledge Domain I, Subdomain C* ## Footnote The correct answer is D. The ePrivacy Directive is not a binding law. It sets forth guidance for the EU member states to create laws within their borders to achieve the specific requirements set forth in the Directive. The Directive regulates electronic communications including, but not limited to, cookie usage and digital marketing including phone, fax, email and text messages. While the Directive includes many privacy aspects, including data minimisation and consent requirements, it does not focus solely on personal data, which is the purview of the GDPR.

Answer 24

Racial or ethnic origin. | *Body of Knowledge Domain II, Subdomain A* ## Footnote The correct answer is B. GDPR Article 9 defines special categories of data as ‘personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation’. Notably, special categories of personal data do not include banking information or credit card numbers. Other countries, such as the United States, often consider this type of financial information to be in a special category of sensitive information. Under the GDPR, financial information such as a bank account number is classified as personal data but is not considered a special category of personal data.

Answer 25

The employer must show compelling legitimate grounds that override the rights of the data subjects. | *Body of Knowledge Domain III, Subdomain B* ## Footnote The correct answer is A. The question tells you the data subjects have exercised their right to object. The right to object is available to data subjects when the processing is based on legitimate interests or performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In this case, the controller is likely relying on their legitimate interest as the basis for the video surveillance. When data subjects exercise their right to object, the controller must stop the processing unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. GDPR Article 21(1).

Answer 26

C. Demonstrate that the profiling is for the purposes of direct marketing and in the controller’s best interest. | *Body of Knowledge Domain II, Subdomain F* ## Footnote The correct answer is C. Direct marketing is not a compelling justification to continue profiling when the data subject has objected to that processing. Demonstrating legitimate interest requires a balancing test between the purposes of profiling and the rights and freedoms of the data subject. To justify profiling, the balance test would consider the importance of profiling to the controller’s particular objective, as well as weigh the interests of the controller against the basis for objection by considering the impact of profiling on the data subject.

Answer 27

B. If the data subject is already aware of the processing of their personal data. | *Body of Knowledge Domain II, Subdomain C* ## Footnote The correct answer is B. Whether the personal data is obtained from the data subject or from another legitimate source, an organisation will need to meet its transparency obligations by providing data subjects with specific information under GDPR Articles 13 and 14 unless an exemption applies. Exemptions apply when: * personal data is collected directly from the data subject and the data subject has already been provided with the required information; * personal data is obtained from other sources and the data subject has already been provided with the required information; * personal data is obtained from other sources and providing the required information to the data subject would be impossible; * personal data is obtained from other sources and providing the required information to the data subject would involve a disproportionate effort; * personal data is obtained from other sources and providing the required information to the individual would render impossible or seriously impair the achievement of the objectives of the processing; * you are required by law to obtain or disclose the personal data; or * you are subject to an obligation of professional secrecy regulated by law that covers the personal data.

Answer 28

That the museum stop using their names and voices via social media channels. | *Body of Knowledge Domain II, Subdomain F* ## Footnote The correct answer is A. Museum visitors who signed the consent form are entitled to request that the museum stop using their names and voices via social media, because that use was not included in the consent form. However, the museum should immediately stop using and processing any information for unauthorised uses and not wait for visitors to contact them. Although visitors have a right to request a copy of the images and videos created from their introductions, the consent form specified that these would be deleted after 24 hours and, if handled correctly, should not still be available for a visitor's personal use. Visitors could request monetary compensation for the use of their personal data; however, this does not directly address the reuse of voice data without permission from the data subject. Likewise, although the visitors could ask that the museum stop processing their personal data immediately ‘upon receipt’ of their request, this does not allow for validation of the request and should not be necessary if the museum was handling the data as specified in the consent form.

Answer 29

B. As the controller, Museum4yourSenses is responsible for the audio-visual vendor’s processing of personal data as provided in the contract between the museum and the vendor. | *Body of Knowledge Domain II, Subdomain A* ## Footnote The correct answer is B. In this scenario, Museum4yourSenses is the data controller and therefore they are responsible for establishing the terms of processing in the vendor agreement with the audio-visual company. The audio-visual company is considered the data processor as they are processing personal data on behalf of Museum4yourSenses. Museum4yourSenses is the key decision-maker as they have the overall say and control over the reason and purposes behind data collection and the means and method of any data processing. The vendor is a third party in this scenario and would not have direct communication with the visitors.

Answer 30

C. Submit a complaint with the supervisory authority requesting that Museum4yourSenses restrict processing, citing the large number of children and sensitive data elements that were being processed. | *Body of Knowledge Domain II, Subdomain D* ## Footnote The correct answer is C. Supervisory authorities can enforce data subject rights. The other answer choices lack enforcement ability. When a child is below 16 years old (may be lower as allowed in some member states), the processing of such data may be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.

Answer 31

C. Binding corporate rules provide a global solution for all the entities of a company that are bound by the intra-group agreement. | *Body of Knowledge Domain II, Subdomain I* ## Footnote The correct answer is C. BCRs are legally binding rules and policies that allow a company established in the EU to transfer personal data outside the EU within a multinational company group (such as from a parent company to a subsidiary). Details about BCRs can be found in Article 47 of the GDPR.

Answer 32

C. Everything as a Service (EaaS). | *Body of Knowledge Domain III, Subdomain D* ## Footnote The correct answer is C. While many organisations are adopting the ‘as-a-Service’ model for delivery of almost everything, as reflected by EaaS (sometimes noted as XaaS), the three common service models for cloud computing are IaaS, PaaS and SaaS. IaaS provides computing resources (e.g., storage, servers, hardware and support) remotely. PaaS offers a cloud-based environment in which customers can build, host and deliver their own SaaS applications. SaaS offers software and applications that can be accessed over the internet and are managed by the cloud service provider (CSP) or vendor, not the customer.

Answer 33

The company took all necessary steps to mitigate this breach. | *Body of Knowledge Domain II, Subdomain J* ## Footnote The correct answer is C. All necessary steps have been taken to mitigate this low-impact breach. The risk assessment is carried out as per GDPR Recitals 76 and 85. The company has taken all steps under Article 33 to ensure that the incident is unlikely to result in a high risk to the affected individuals.

Answer 34

The obligations with which an organisation must comply to demonstrate and show evidence of their compliance. | *Body of Knowledge Domain II, Subdomain H* ## Footnote The correct answer is A. Traditionally, accountability has been part of the Fair Information Practice Principles stating that due diligence and reasonable steps should be undertaken to ensure that personal information will be protected and handled consistently with relevant law and other fair use principles. According to the European Data Protection Supervisor, the GDPR integrates accountability as a principle which requires organisations to put in place appropriate technical and organisational measures and be able to demonstrate and provide evidence of how they complied with the law and the effectiveness of compliance measures. Internal allocation of privacy responsibilities and the development of internal policies outlining how data should be processed and handled across the organisational are tools for compliance demonstration. The obligation for controllers to provide data subjects with information about the processing of their personal data allows the organisation to demonstrate transparency, but not necessarily accountability.

Answer 35

Whether the stated purpose for collecting the personal data still applies. | *Body of Knowledge Domain II, Subdomain C* ## Footnote The correct answer is A. Article 5(1)(e) of the Regulation states that personal data must be ‘kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed’. An organisation should set the retention period based on how long it will need to retain the data to fulfil the purpose for which it was collected. Other considerations when setting retention periods would include any legal obligations to retain data for a defined period and relevant industry standards and guidelines.

Answer 36

B. When personal data is being shared between commercial organisations acting as joint data controllers. | *Body of Knowledge Domain II, Subdomain G* ## Footnote The correct answer is B. When personal data is being shared between commercial organisations acting as joint data controllers, it is recommended that they determine their respective responsibilities for compliance with their obligations under the GDPR by means of an arrangement. The determination of their respective responsibilities must address the exercise of data subjects’ rights and the duties to provide information. In addition to this, the distribution of responsibilities should cover other controllers’ obligations, such as the general data protection principles, legal bases, security measures, data breach notification obligations, data protection impact assessments, the use of processors, third-country transfers and contacts with data subjects and supervisory authorities. The legal form of the arrangement amongst joint controllers is not specified by the GDPR. For the sake of legal certainty, and in order to provide for transparency and accountability, the EDPB recommends that such arrangement be made in the form of a binding document such as a sharing agreement. See GDPR Article 26 and EDPB ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’.

Answer 37

1992 Maastricht Treaty. | *Body of Knowledge Domain I, Subdomain C* ## Footnote The correct answer is C. The 1992 Maastricht Treaty, also known as the Treaty on European Union, is the foundation treaty that created the EU. The Treaty gave EU citizenship to all citizens of the member states. It provided for a central banking system with a common currency and called for greater cooperation between member states with regard to foreign and security policies, environmental issues, policing and social policies.

Answer 38

Background checks on European employees will be regulated by data protection and employment laws in the appropriate member state. | *Body of Knowledge Domain III, Subdomain A* ## Footnote The correct answer is C. Because background check provisions vary across the EU countries, the company would have to analyse its feasibility and possible restrictions on a case-by-case basis. It is important to note that the GDPR does not set specific guidelines for background checks; however, the privacy principles set forth therein must be taken into consideration together with the applicable member state’s laws. Additionally, Article 10 of the GDPR states that criminal conviction data may only be processed when authorised under the laws of the applicable member state, or when under the control of an official authority.

Answer 39

A notice wherein the key information is presented initially, and more detailed information is made available on a secondary page. | *Body of Knowledge Domain II, Subdomain E* ## Footnote The correct answer is D. In a layered notice, the key information is provided in a short initial notice. More detailed information is available in a subsequent layer should a data subject wish to know more. The EDPB states that the first layer should include the purpose of processing, the controller’s identity, and the rights granted by the Regulation, together with information about processing that could surprise or have an impact on the data subject. This layer should enable the data subject to understand what fair processing information is available to them and where it is.

Answer 40

File a complaint with her local supervisory authority stating she cannot reach Novatours directly and ask them to demand that Novatours and its partners stop processing her personal data. | *Body of Knowledge Domain II, Subdomain F* ## Footnote The correct answer is B. Under Article 15, Isabelle has the right to rectify or erase personal data or restrict processing of personal data concerning herself as well as to object to such processing. Isabelle has the right to lodge a complaint with her local supervisory authority.

Answer 41

D. Novatours must stop processing Isabelle’s personal data once she has verified her identity and exercised her right to restrict processing. | *Body of Knowledge Domain II, Subdomain F* ## Footnote The correct answer is D. As the data controller, Novatours, after confirming Isabelle’s identity, must stop processing her data without undue delay and if requested, erase Isabelle’s personal data. Article 17 of the GDPR requires controllers to limit or erase personal information without undue delay when provisions for multiple grounds exist, including if Isabelle withdrew her consent, the personal data was unlawfully processed, or personal data was collected in relation to the offer of information services for a child at least 16 years old. The verification processes do not require multi-factor authentication, have no time constraint, and do not require that requests come from a supervisory authority in order to be honoured.

Answer 42

A. Respond within 30 days of receipt of the request. | *Body of Knowledge Domain II, Subdomain F* ## Footnote The correct answer is A. Article 12(3) of the GDPR details how an organisation must handle a data subject request and what is expected from the controller. This includes the requirement that a controller receiving such a request must respond within 30 days. That period may be extended by two further months where necessary, taking into account the complexity and number of requests. The controller shall inform the data subject of any such extension within one month of receipt of the request together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject. Not all requests may be honoured; some requests may be considered excessive and therefore may not be accepted.

Answer 43

D. Document the loss of availability to demonstrate accountability. | *Body of Knowledge Domain II, Subdomain H* ## Footnote The correct answer is D. While Article 32 of the GDPR sets forth the circumstances that constitute a breach, Article 33 includes the notification requirements for when a breach occurs. According to the WP29 guidance, ‘As with a permanent loss or destruction of personal data (or indeed any other type of breach), a breach involving the temporary loss of availability should be documented in accordance with Article 33(5). This assists the controller in demonstrating accountability to the supervisory authority, which may ask to see those records’. Since the loss of accessibility to customer data was limited to a few hours, and did not result in harm to data subjects, it is sufficient for Company Z to document the specifics of the situation.

Answer 44

The Council of Europe’s Convention 108. | *Body of Knowledge Domain I, Subdomain C* ## Footnote The correct answer is C. Convention 108, also known as the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, is a Council of Europe Treaty. Despite its name, the Council of Europe is an international human rights organisation and is not limited to participation by European Union countries or countries located within the continent of Europe. Directive 95/46/EC, the Treaty of Lisbon, and the Charter of Fundamental Rights of the European Union only apply to countries within the EU.

Answer 45

During the entire project life cycle. | *Body of Knowledge Domain II, Subdomain H* ## Footnote The correct answer is A. Data protection by design (privacy by design) should be applied to the entire life cycle of a project. In this manner, organisations can provide the best policies, procedures and technologies to respect individuals’ privacy, protect personal data appropriately, and still provide accessibility to the personal data as necessary and appropriate.

Answer 46

A. The request is manifestly unfounded or excessive. | *Body of Knowledge Domain II, Subdomain F* ## Footnote The correct answer is A. A request may be manifestly unfounded if, as in this example, the individual clearly has no intention to exercise their right of access – here, they are willing to take compensation to withdraw the request. A request also can be manifestly unfounded if it is malicious in intent and is being used to harass an organisation with no real purpose other than to cause disruption. Analysing requests for being manifestly unfounded is not a mechanical process. The request must be considered in the context in which it is made. If the individual genuinely wants to exercise their rights, it is unlikely that the request is manifestly unfounded.

Answer 47

C. Individuals can take their complaints to DPAs and/or to the courts, regardless of whether they made prior complaints to the controller or processor. | *Body of Knowledge Domain II, Subdomain K* ## Footnote The correct answer is C. Individuals are free to choose the option to pursue in exercising their rights under the GDPR in cases of noncompliance. They can pursue litigation in accordance with their national laws, complain to their regulator, or, indeed, they can pursue both remedies at the same time. They can do so regardless of whether they have complained to the controller or processor. Please refer to GDPR Articles 77–79.

Answer 48

A. Automated decision-making that would otherwise be prohibited is allowed if it is authorised by law. | *Body of Knowledge Domain II, Subdomain F* ## Footnote The correct answer is A. Automated decision-making that would otherwise be prohibited is allowed if it is authorised by law, is based on the data subject’s explicit consent, or is necessary for the preparation and execution of a contract. Because automated decision-making increases the risk for harmful profiling, the GDPR generally prohibits fully automated decision-making in most other cases. The risk may be mitigated by human involvement provided such involvement has a direct influence on the result of the processing. Data subjects cannot object to automated decision-making unless it produces legal effects concerning the data subject or similarly affects them in a significant way. Because of the risks associated with automated decision-making, data subjects do not have to formally object to such processing as a condition of benefiting from it.

Answer 49

Consent and legitimate interest. | *Body of Knowledge Domain II, Subdomain C* ## Footnote The correct answer is A. The recipient's prior consent is required and must be given to the sender. There is a limited exception for an existing customer relationship when offering similar products or services. Individuals must be given an opportunity to opt out of direct marketing at the time their personal data is collected. If they do not opt out, recipients must be given on each communication an opportunity to opt out (unsubscribe). The lawful basis will be legitimate interest.

Answer 50

A. Data subjects are entitled to know about the risk of security breaches involving their personal data. | *Body of Knowledge Domain II, Subdomain K* ## Footnote The correct answer is A. Data subjects are not entitled to know about the risk of security breaches; they are only entitled to be informed when there is an actual breach involving their personal data. Data processors are subject to joint and several liability. If one of the controllers or processors involved pays the data subject the full amount of damages, the controller or processor can then seek contribution from other parties. While it is likely that data subjects will start any complaint process by contacting the applicable controller, doing so is not a mandatory first step.

Answer 51

B. The criteria of whether and to what extent fines may be imposed can vary depending on the member state, which would affect the total fines to be imposed. | *Body of Knowledge Domain II, Subdomain J* ## Footnote The correct answer is B. GDPR Article 83 states that without prejudice to the corrective powers of supervisory authorities pursuant to Article 58(2), each member state may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that member state. If a violation affects individuals in more than one member state, a company could be fined by each member state according to its rules. This could result in a very significant financial impact on any company found violating fair notice requirements.

Answer 52

Notify the data protection supervisory authority as soon as possible that a data breach may have taken place. | *Body of Knowledge Domain II, Subdomain G* ## Footnote The correct answer is A. Article 33 of the GDPR sets out the requirements for notification of personal data breaches: ‘In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, provide notification to the supervisory authority competent, as described in Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons’.

Answer 53

What is the least amount of personal data necessary to run the app and provide the scheduled pickup time. | *Body of Knowledge Domain II, Subdomain H* ## Footnote The correct answer is D. While the Regulation does not state how to comply, it does state that ‘the controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed’. Data minimisation is one of the key Fair Information Practices (FIPs) emphasised by privacy by design/default.

Answer 54

Scope, reporting incidents and employee responsibilities. | *Body of Knowledge Domain II, Subdomain H* ## Footnote The correct answer is C. There are a number of key matters that should be addressed in an internal privacy policy including scope, policy statement, employee responsibility, management responsibility, reporting incidents and policy compliance. These matters will weave in the GDPR principles for processing personal data. The policy itself should reflect how those principles are applied by restaurant employees and app administrators.

Answer 55

D. The Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (‘Convention 108’). | *Body of Knowledge Domain I, Subdomain C* ## Footnote The correct answer is D. Convention 108 is a legally binding treaty for the member states of the Council of Europe and any other country that signs on to the treaty. The OECD Guidelines, APEC Privacy Framework, and UN Declaration are not legally binding instruments but instead offer guidance to organisations and governments.

Answer 56

Pharma must comply with all applicable privacy laws based on the country where the data subject resides. ## Footnote The correct answer is C. Any data collected by a non-EU controller from persons in the EU is subject to GDPR, even if it is pseudonymised. However, any data collected by a non-EU controller from persons outside of the EU is not subject to the GDPR. However, it may be subject to applicable laws in the relevant country of origin.

Answer 57

The Treaty of Lisbon. | *Body of Knowledge Domain I, Subdomain B* ## Footnote The correct answer is B. The Lisbon Treaty of 2007 significantly affected the data protection framework and amended many of the provisions of the Treaty on European Union and the Treaty Establishing the European Community. It recognised the protection of personal data as a fundamental right and made the Charter of Fundamental Rights a legally enforceable document.

Answer 58

A. The transfer is done after suitable safeguards are in place. | *Body of Knowledge Domain II, Subdomain I* ## Footnote The correct answer is A. Article 45 of the GDPR states the requirements the European Commission must take into consideration regarding adequacy decisions. Articles 46 and 47 set forth alternate means of transferring data, including legally binding instruments with authorities, standard contractual clauses and binding corporate rules. However, there are situations where neither Article applies and yet data transfers must occur, e.g., intra-group transfers within an international organisational group. For these limited and specific situations, Article 49 sets forth derogations which may be utilised provided certain conditions are met.

Answer 59

C. A bank is implementing surveillance cameras outside each of their buildings to help them identify possible bank thieves. | *Body of Knowledge Domain II, Subdomain H* ## Footnote The correct answer is C. The GDPR makes it mandatory for companies to undertake a DPIA for any new projects that are likely to create ‘high risks’ or before proceeding with ‘risky’ personal data processing. Implementing surveillance cameras outside will systematically monitor a publicly accessible area on a large scale. Further we are unsure how they will identify possible bank thieves. Could this identification incorrectly profile people as thieves? There are several situations in the bank scenario that would require a DPIA to understand risks. The other scenarios in this question do not pose high risks to individuals and thus would not require a DPIA.

Answer 60

D. The data is processed to maintain a CRM database of webinar attendees. | *Body of Knowledge Domain II, Subdomain C* ## Footnote The correct answer is D. If the original purpose for processing and retaining the personal data has expired, it should be securely deleted or anonymised so that it is no longer ‘in a form which permits identification of data subjects’. The personal data was collected to administer the webinar, not to maintain a CRM database. Personal data can only be retained indefinitely if it is being held for: * archiving purposes in the public interest; * scientific or historical research purposes; or * statistical purposes.

Answer 61

C. The GDPR does not apply. | *Body of Knowledge Domain III, Subdomain B* ## Footnote The correct answer is C. The cameras are fake and therefore are not collecting any personal data, therefore the GDPR does not apply. This example is mentioned in the European Data Protection Board’s (EDPB) ‘Guidelines 3/2019 on processing of personal data through video devices’ which states that although the GDPR does not apply, in some member states the situation might be subject to other legislation.

Answer 62

Only where the personal data is handled in a sufficiently structured manner to form part of a filing system. | *Body of Knowledge Domain II, Subdomain B* ## Footnote The correct answer is A. The GDPR applies to any personal data that is structured – in other words, it applies to personal data that is included in a filing system, whether digital or in hard copy. If the data is not organised in any way (for example, an untagged pile of documents), there is no system and, therefore, the GDPR would not apply. This is a key reason why it is essential to have internal hard copies organised or catalogued in a way that is accessible according to specific criteria, so that adequate protections can be offered to data subjects.

Answer 63

C. Uruguay. | *Body of Knowledge Domain II, Subdomain I* ## Footnote The correct answer is C. The European Commission has the power to determine whether a country outside the EU offers an adequate level of data protection. ‘Adequate’ third countries are those for which the Commission has confirmed an ‘essentially equivalent’ level of data protection. In those countries, national laws provide a level of protection for personal data that is comparable to EU law. List of adequate countries: * * Andorra * * Argentina * * Canada (commercial organizations) * * Faroe Islands * * Guernsey * * Israel * * Isle of Man * * Japan * * Jersey * * New Zealand * * Republic of Korea * * Switzerland * * United Kingdom * * Uruguay

Answer 64

D. Render the processing unfair, as well as constitute a violation of the Regulation’s information provision obligations. | *Body of Knowledge Domain II, Subdomain E* ## Footnote The correct answer is D. Under the Data Protection Directive, transparency was expressly linked to the concept of fairness of processing. The GDPR retains this link, explaining that ‘the principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes’. Failure to provide fair processing information where required by the Regulation, or failure to process personal data in accordance with the information provided, is therefore likely to render the processing unfair, as well as to constitute a violation of a number of the Regulation’s specific information provision obligations.

Answer 65

16. | *Body of Knowledge Domain II, Subdomain D* ## Footnote The correct answer is B. GDPR Article 8 – ‘Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Member states may provide by law for a lower age for those purposes provided that such lower age is not below 13 years’.

Answer 66

A. Providing a privacy notice to inform data subjects of how their personal data is going to be processed. | *Body of Knowledge Domain II, Subdomain C* ## Footnote The correct answer is A. The concept of fairness is linked to the idea that the data subject must be informed of the existence of the processing operation and its purpose. A privacy notice is used to provide individuals with information about who is processing their personal data and how and why their data will be used.