CIPP-E Exam Dumps - Certified Information Privacy Professional/Europe (CIPP/E)

 According to Article 13 of the GDPR, when personal data are collected from the data subject, the data controller must provide the data subject with the following information, among others1:

The identity and the contact details of the controller and, where applicable, of the controller’s representative;

The contact details of the data protection officer, where applicable;

The purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

The recipients or categories of recipients of the personal data, if any;

Where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

In the scenario, Wonderkids provides some of this information in their Privacy Statement, but not all. They do not specify the categories of recipients with whom they will share the personal data of their customers and their children. They only state that they will share the data with businesses that they see as adding real value to the customers, which is vague and ambiguous. This does not comply with the GDPR requirement to inform the data subjects about the recipients or categories of recipients of their personal data, if any. Therefore, Wonderkids must provide this additional information in their Privacy Statement.

References:

1: Art. 13 GDPR Information to be provided where personal data are collected from the data subject

 According to the UK GDPR, employees have the right to access and receive a copy of their personal data, and other supplementary information, from their employer. This is known as a data subject access request (DSAR). Employers must respond to a DSAR without delay and within one month of receipt of the request, unless the request is complex or excessive. Employers should perform a reasonable search for the requested information and provide it in an accessible, concise and intelligible format. Employers can only refuse to provide the information if an exemption or restriction applies, or if the request is manifestly unfounded or excessive. Some of the exemptions that may apply in the employment context are: legal privilege, management forecasting, confidential references, negotiations, regulatory functions, and criminal convictions and offences. Employers should disclose the information securely and inform the employee of their rights and the source of the data. References:

Right of access | ICO

Subject access request Q and As for employers | ICO

Data Subject Access Request (Employers’ Guide) | DavidsonMorris

The e-Privacy Directive 2002/58/EC, also known as the Directive on privacy and electronic communications, is a specific directive that complements and particularises the GDPR for the electronic communications sector. It was amended in 2009 by the Directive 2009/136/EC, which introduced several changes to enhance the protection of personal data and privacy in the electronic communications sector. One of these changes was the introduction of a mandatory notification for personal data breaches applicable to providers of publicly available electronic communications services, such as telecom providers and internet service providers. According to Article 4 of the amended e-Privacy Directive, these providers must notify the competent national authority of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Community. The notification must be made without undue delay and, where feasible, not later than 24 hours after the provider has become aware of the breach. The notification must include information such as the nature and content of the personal data concerned, the circumstances and consequences of the breach, and the measures taken or proposed by the provider to address the breach. The provider must also notify the affected data subjects of the breach, unless the provider has demonstrated to the satisfaction of the competent authority that it has implemented appropriate technological protection measures that render the data unintelligible to any person who is not authorised to access it. The notification to the data subjects must describe the nature of the breach and the contact points where more information can be obtained, and must recommend measures to mitigate the possible adverse effects of the breach. The purpose of this mandatory notification is to ensure that the authorities and the data subjects are informed of the risks and the remedies related to the breach, and to encourage the providers to improve their security measures and prevent further breaches. References: e-Privacy Directive, Changes to e-Privacy Directive Approved by European Parliament, Article 2 Amendments to Directive 2002/58/EC (Directive on privacy and electronic communications), Personal data breaches

According to the European Data Protection Law & Practice textbook, page 326, “the CJEU held that the search engine operator is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.” However, the CJEU also stated that “the operator of the search engine as the person responsible for that processing must, at the latest on the occasion of the erasure from its list of results, disclose to the operator of the web page containing that information the fact that that web page will no longer appear in the search engine’s results following a search made on the basis of the data subject’s name.” Therefore, SearchCo must notify the newspaper that it is delisting the article, as part of its obligation to respect the data subject’s right to be forgotten. References:

European Data Protection Law & Practice, page 326

CJEU Judgment in Case C-131/12 Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González, paragraphs 88 and 93

According to Article 35 of the GDPR, the controller must carry out a data protection impact assessment (DPIA) prior to processing that is likely to result in a high risk to the rights and freedoms of natural persons. The DPIA is a process for assessing and mitigating the potential impact of the processing on the protection of personal data. The controller must seek the advice of the DPO, where designated, when carrying out a DPIA. The DPO can assist the controller in conducting the DPIA and ensuring its compliance with the GDPR requirements. The DPO can also monitor the performance of the DPIA and act as a contact point for the supervisory authority and the data subjects. References:

Article 35 of the GDPR

European Data Protection Law & Practice textbook, Chapter 7: Data Protection Impact Assessment, Section 7.2: When is a DPIA required?, Subsection 7.2.1: The role of the DPO

Roles and Responsibilities of a Data Protection Officer

The GDPR defines profiling as any form of automated processing of personal data to evaluate certain personal aspects relating to a natural person, such as their preferences, behaviour, or interests1. Profiling is subject to the general principles and rules of the GDPR, such as lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, and confidentiality2. The GDPR also provides specific rights for data subjects who are subject to profiling, such as the right to be informed, the right to access, the right to rectify, the right to object, and the right to not be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects on them3.

In the given scenario, the online shop is engaging in profiling by tracking the browsing behaviour of its European customers and predicting future purchases. It is also sharing this information with third parties, which may involve further processing of the personal data. Therefore, the online shop must comply with the GDPR requirements for profiling and ensure that it has a valid legal basis for the processing. According to Article 6 of the GDPR, there are six possible legal bases for processing personal data: consent, contract, legal obligation, vital interests, public interest, or legitimate interests4. However, not all of them are equally applicable or appropriate for profiling activities, especially when they involve sensitive or special categories of data, such as biometric, genetic, or health data, which require additional safeguards under Article 9 of the GDPR5.

In this case, the most relevant and suitable legal basis for the online shop’s profiling is consent, which means that the data subject has given a clear and affirmative indication of their agreement to the processing of their personal data for one or more specific purposes6. Consent must be freely given, specific, informed, and unambiguous, and must be obtained before the processing begins7. The online shop must also inform the data subject about the nature and purpose of the profiling, the logic involved, the consequences, and the rights they have in relation to it. The online shop must also respect the data subject’s right to withdraw their consent at any time and to object to the profiling.

Therefore, the online shop’s primary obligation while engaging in this kind of profiling is to solicit informed consent through a notice on its website, which must be clear, concise, and easily accessible, and must not be bundled with other terms and conditions. The online shop must also provide a simple and effective mechanism for the data subject to give or revoke their consent, such as a checkbox, a slider, or a button. The online shop must also keep records of the consent obtained and be able to demonstrate that it has complied with the GDPR requirements for consent.

The other options (B, C, and D) are not the primary obligation for the online shop, as they are either irrelevant or insufficient for the GDPR compliance. Seeking authorization from the European supervisory authorities is not necessary, unless the online shop is involved in a cross-border processing that requires a prior consultation under Article 36 of the GDPR. Demonstrating a prior business relationship with the customers is not a valid legal basis for the profiling, as it does not imply consent or legitimate interests. Proving that it uses sufficient security safeguards to protect customer data is a general obligation for any processing of personal data, but it does not address the specific issues and risks of profiling, such as discrimination, manipulation, or loss of control. References:

1: What is automated individual decision-making and profiling?

2: Article 5 of the GDPR

3: Rights related to automated decision making including profiling

4: [Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)]

5: Article 9 of the GDPR

6: Article 4 (11) of the GDPR

7: Article 7 of the GDPR

: Article 13 and 14 of the GDPR

: Article 21 of the GDPR

: Article 12 of the GDPR

: [Guidelines on consent under Regulation 2016/679]

: Article 24 of the GDPR

: Article 36 of the GDPR

: [Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679]

: [https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf]

: [https://edpb.europa.eu/sites/edpb/files/files/file1/20171104_wp251rev01_en.pdf]

According to the WP29 guidance on DPIA1, conducting a single DPIA to address multiple processing operations is allowed when the following conditions are met:

The processing operations present similar high risks, which would result in very similar mitigating measures;

The DPIA is reviewed and updated regularly to take into account any changes or new risks;

The DPIA is complemented by ad hoc assessments where necessary to address more specific issues.

The WP29 guidance cites the example of a railway operator who plans to evaluate the same video surveillance in all the train stations of his company as a case where a single DPIA would be sufficient, provided that the above conditions are met2. The other options do not meet these conditions, as they involve different types of processing operations, different purposes, different data subjects, or different technologies. References:

WP29 guidance on DPIA

WP29 guidance on DPIA, page 16