CIPP-E Exam Dumps - Certified Information Privacy Professional/Europe (CIPP/E)

According to the definition of direct marketing in the context of data protection law, it is personal data processed to communicate a marketing or advertising message. This includes messages from commercial organisations, as well as from charities and political organisations. Therefore, option D is an example of direct marketing that would be subject to European data protection laws, as it involves sending a marketing message by SMS to an individual. The other options are not examples of direct marketing, as they do not involve marketing or advertising messages, but rather information or service messages that are not intended to promote any product or service. References:

[IAPP article on direct marketing (EU specific)]

Lexology article on direct marketing requirements under the GDPR

 According to Article 58 of the GDPR, each supervisory authority has the power to notify the controller or the processor of an alleged infringement of the GDPR as part of its investigative powers. This power allows the supervisory authority to alert the controller or the processor of a possible violation of the GDPR and to initiate further actions if necessary. The notification may also include recommendations or instructions on how to remedy the infringement or prevent further violations. References:

Article 58 of the GDPR

European Data Protection Law & Practice textbook, Chapter 9: Supervision and Enforcement, Section 9.2: Supervisory Authorities, Subsection 9.2.2: Powers of Supervisory Authorities

A multinational company that is appointing a mandatory data protection officer (DPO) must also consult national derogations to evaluate if there are additional cases to be considered in relation to the matter. According to Article 37 (1) of the GDPR, a DPO must be designated by the controller or the processor in any case where: (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; (b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or © the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences 1. However, Article 37 (4) of the GDPR also allows Member States to provide for additional cases where a DPO must be designated by law 1. Therefore, a multinational company must consult the national laws of the EU jurisdictions in which it operates to ensure that it complies with any additional requirements for appointing a DPO.

The other options are not correct because they are not directly related to the appointment of a DPO. Conducting a Data Protection Privacy Assessment, assessing the number of employees, and revising the data processing activities are all good practices for ensuring compliance with the GDPR, but they are not mandatory actions for designating a DPO. Moreover, the number of employees is not a relevant criterion for appointing a DPO, as the GDPR does not set any threshold based on the size of the organization 2. References: 1: Article 37 of the GDPR 2: Guidelines on Data Protection Officers (‘DPOs’)

The reason why the consent provided by Ms. Iman would not be considered valid in regard to JaphSoft is not because she did not provide her consent for her personal data to be shared with EcoMick, but because she was not told which controller would be processing her personal data. JaphSoft is a controller, as it determines the purpose and means of the processing of personal data, which is to improve its marketing optimization models and to provide better services to its customers. JaphSoft does not act only on the instructions of Liem and EcoMick, who are the original controllers of the personal data, but rather uses the data for its own benefit and interest. Therefore, JaphSoft should have obtained a separate consent from Ms. Iman, or relied on another lawful basis, such as legitimate interest, to process her personal data. Ms. Iman only gave consent to Liem, not to JaphSoft, and she was not informed that her personal data would be shared with or processed by another controller.

According to Article 82 of the GDPR1, any person who has suffered material or non-material damage as a result of an infringement of the GDPR shall have the right to receive compensation from the controller or processor for the damage suffered. Any controller involved in processing shall be liable for the damage caused by processing which infringes the GDPR. Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject. Therefore, Javier can sue any one of the EVETFIT branches that were involved in processing his personal data without his consent and in violation of his rights, and he can claim full compensation from that branch. The branch that pays the compensation can then claim back from the other branches involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage. References: 1 Art. 82 GDPR – Right to compensation and liability - General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) introduces a mechanism for personal data transfers to third countries or international organisations that do not ensure an adequate level of data protection, based on approved certifications. According to Article 46 of the GDPR, contractual clauses ensuring appropriate data protection safeguards can be used as a ground for data transfers from the EU to third countries. This includes model contract clauses – so-called standard contractual clauses (SCCs) – that have been “pre-approved” by the European Commission.

On 4 June 2021, the Commission issued modernised standard contractual clauses under the GDPR for data transfers from controllers or processors in the EU/EEA (or otherwise subject to the GDPR) to controllers or processors established outside the EU/EEA (and not subject to the GDPR). These modernised SCCs replace the three sets of SCCs that were adopted under the previous Data Protection Directive 95/46. The Commission developed Questions and Answers (Q&As) to provide practical guidance on the use of the SCCs and assist stakeholders in their compliance efforts under the GDPR.

The Q&As state that businesses must do all of the following:

Consider the new optional docking clause, which expressly permits adding new parties to the SCCs. According to the Q&As, the docking clause allows controllers and processors that are not part of the original contract to accede to the SCCs at a later stage, either as data exporters or importers. This clause is intended to facilitate the use of the SCCs in complex processing chains and to avoid the need to enter into multiple contracts.

Migrate all contracts entered into before September 27, 2021, that use the old SCCs to the new SCCs by December 27, 2022. According to the Q&As, the old SCCs will be repealed on September 27, 2021. However, contracts concluded before that date on the basis of the old SCCs will remain valid until December 27, 2022, provided that the processing operations that are the subject matter of the contract remain unchanged and that reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards within the meaning of Article 46(1) of the GDPR. After December 27, 2022, the old SCCs will no longer provide a valid legal basis for data transfers to third countries, and the new SCCs will have to be used instead.

Take steps to flow down the new SCCs to relevant parts of their supply chain using the new SCCs as of September 27, 2021, if the business is a data importer. According to the Q&As, the new SCCs require data importers to enter into contracts with any subprocessors that process the personal data transferred under the SCCs, and to include in those contracts the same data protection obligations as those imposed on the data importer under the SCCs. This means that data importers must ensure that the new SCCs are flowed down to their subprocessors as of September 27, 2021, and that any changes in the subprocessors are notified to the data exporter, who has the right to object.

The Q&As do not state that businesses must do the following:

Implement the new SCCs in the U.K. following Brexit, as the U.K. Information Commissioner’s Office does not have the authority to publish its own set of SCCs. This is not a valid statement, as the U.K. has its own data protection regime after leaving the EU, and the U.K. Information Commissioner’s Office (ICO) has the power to issue its own SCCs for data transfers from the U.K. to third countries. According to the ICO website, the ICO is currently developing bespoke U.K. SCCs, which will be subject to a public consultation and an opinion from the European Data Protection Board (EDPB). Until the U.K. SCCs are finalised, the ICO advises businesses to continue to use the EU SCCs for new contracts, as these clauses have been recognised as a valid transfer mechanism under the U.K. data protection law. However, the ICO also warns businesses that they may need to amend the EU SCCs to reflect that the U.K. is no longer an EU member state, and that they will need to update their contracts to the U.K. SCCs once they are available.

References:

GDPR, Articles 3, 4, 28, 29, 32, 44, 45, 46, 47, 48 and 49.

New Standard Contractual Clauses - Questions and Answers overview, paragraphs 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 and 11.

Standard Contractual Clauses (SCC), paragraphs 1, 2, 3, 4, 5, 6, 7 and 8.

[Using international data transfers], paragraphs 1, 2, 3, 4, 5, 6, 7, 8, 9 and 10.