According to Art 23 GDPR, which of the following data subject rights can NOT be restricted?
When collecting personal data in a European Union (EU) member state, what must a company do if it collects personal data from a source other than the data subjects themselves?
SCENARIO
Please use the following to answer the next question:
Financially, it has been a very good year at ARRA Hotels: Their 21 hotels, located in
Greece (5), Italy (15) and Spain (1), have registered their most profitable results
ever. To celebrate this achievement, ARRA Hotels' Human Resources office, based
in ARRA's main Italian establishment, has organized a team event for its 420
employees and their families at its hotel in Spain.
Upon arrival at the hotel, each employee and family member is given an electronic
wristband at the reception desk. The wristband serves a number of functions:
- Allows access to the "party zone" of the hotel, and emits a buzz if the user approaches any unauthorized areas
- Allows up to three free drinks for each person of legal age, and emits a buzz once this limit has been reached
- Grants a unique ID number for participating in the games and contests that have been planned.
Along with the wristband, each guest receives a QR code that leads to the online
privacy notice describing the use of the wristband. The page also contains an
unchecked consent checkbox. In the case of employee family members under the
age of 16, consent must be given by a parent.
Among the various activities planned for the event, ARRA Hotels' HR office has
autonomously set up a photocall area, separate from the main event venue, where
employees can come and have their pictures taken in traditional carnival costume.
The photos will be posted on ARRA Hotels' main website for general marketing
purposes.
On the night of the event, an employee from one of ARRA's Greek hotels is
displeased with the results of the photos in which he appears. He intends to file a
complaint with the relevant supervisory authority in regard to the following:
- The lack of any privacy notice in the separate photocall area
- The unlawful cross-border processing of his personal data
- The unacceptable aesthetic outcome of his photos
Which of the following is NOT necessarily considered a factor in identifying whether
the processing could be considered a "cross-border processing"?
According to the European Data Protection Board, data subjects should be aware of any video surveillance in operation. How should a retail shop operator ensure that data subjects receive the information required for such a purpose under EU data protection law?
Start-up company MagicAl is developing an AI system that will be part of a medical device that detects skin cancer. To take measures against potential bias in its AI system, the IT team decides to collect data about users’ ethnic origin, nationality, and gender.
Which would be the most appropriate legal basis for this processing under GDPR, Article 9 (Processing of special categories of personal data)?
How is the GDPR’s position on consent MOST likely to affect future app design and implementation?
SCENARIO
Please use the following to answer the next question:
Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco-friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.
Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick’s instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.
Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its clients’ data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying information from the contact information. JaphSoft’s engineers, however, maintain all contact information in the same database as the identifying information.
Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies’ websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem’s as well as EcoMick’s latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem’s products, she has never shopped EcoMick, nor provided her personal data to that company.
For what reason would JaphSoft be considered a controller under the GDPR?
Under which of the following conditions does the General Data Protection Regulation NOT apply to the processing of personal data?