CIPP-E Exam Dumps - Certified Information Privacy Professional/Europe (CIPP/E)

Section: (none)

Explanation

The GDPR provides more latitude for a company to process data beyond its original collection purpose when the data has been pseudonymized, which means that the data can no longer be attributed to a specific data subject without the use of additional information. Pseudonymization is a technique that reduces the linkability of personal data with the data subject, and enhances the security and privacy of the data processing. According to the GDPR, pseudonymization is one of the measures that can help the company to implement the principles of data protection by design and by default, and to demonstrate compliance with the GDPR obligations. Moreover, the GDPR states that the further processing of pseudonymized data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is not considered to be incompatible with the initial purposes, provided that appropriate safeguards are in place to protect the rights and freedoms of the data subjects. Therefore, pseudonymization can enable the company to use the data for other purposes that are beneficial for society or for innovation, without compromising the privacy of the individuals. References:

GDPR, Article 4 (5), Article 5 (1) (b), Article 6 (4) (e), Article 25, Article 32 (1) (a), Article 40 (2) (d), Article 89

Free CIPP/E Study Guide, page 17, section 2.4.1

CIPP/E Certification, page 12, section 1.1.3

Cipp-e Study guides, Class notes & Summaries, document “CIPP/E Exam Summary 2023”, page 45, section 2.4.1

[Pseudonymisation techniques and best practices]

The GDPR applies to all personal data, regardless of whether it exists in physical form or not. The GDPR defines personal data as any information relating to an identified or identifiable natural person, such as names, identification numbers, location data, or online identifiers1. Therefore, any information that can be linked directly or indirectly to a natural person is considered personal data under the GDPR.

However, the GDPR also distinguishes between different types of processing activities and their legal bases. Processing activities are the operations performed on personal data, such as collection, storage, use, disclosure, or deletion. Processing activities can be either automated or manual. Automated processing means using technology to perform processing activities without human intervention. Manual processing means using human intervention to perform processing activities.

The GDPR requires that any processing activity that involves personal data must comply with certain principles and conditions, such as lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality. These principles and conditions apply to both automated and manual processing activities.

Therefore, the GDPR applies to personal data that exists in physical form only when it is processed by an automated means in some way that affects its rights and freedoms. For example, if a company scans paper documents and stores them electronically in a database without deleting them after a certain period of time or when they are no longer needed for the original purpose for which they were collected (Article 6), then this would be considered an automated processing activity that involves personal data in physical form.

However, the GDPR does not apply to personal data that exists in physical form when it is handled in a sufficiently structured manner so as to form part of a filing system. For example, if a company keeps paper documents in folders labeled with names and dates on their office shelves without scanning them or storing them electronically anywhere else (Article 5), then this would not be considered an automated processing activity that involves personal data in physical form.

References:

Physical Data - GDPR Summary

What GDPR Means for Your Physical Records - Access

Personal Data - Data Protection Act 2018

Article 9 of the GDPR prohibits the processing of special category data, which includes biometric data for the purpose of uniquely identifying a natural person1. However, there are 10 exceptions to this general prohibition, usually referred to as ‘conditions for processing special category data’2. These are:

(a) Explicit consent

(b) Employment, social security and social protection (if authorised by law)

© Vital interests

(d) Not-for-profit bodies

(e) Made public by the data subject

(f) Legal claims and judicial acts

(g) Substantial public interest conditions

(h) Health or social care

(i) Public health

(j) Archiving, research and statistics

Option A is not one of these exceptions, and therefore it is not a valid reason to process biometric data under Article 9. Option B, C and D are all valid exceptions, as they correspond to conditions ©, (f) and (a) respectively. Therefore, the correct answer is A.

References:

4: Art. 9 GDPR Processing of special categories of personal data

6: What are the rules on special category data? | ICO

Article 8 of the ECHR protects the right to respect for private and family life, home and correspondence. However, this right is not absolute and can be subject to limitations by a public authority in accordance with the law and for a legitimate aim. The European Court of Human Rights (ECtHR) has developed a two-stage test to determine whether such limitations are justified. First, the court must examine whether there is a legitimate aim pursued by the public authority, such as national security, public safety or the prevention of crime. Second, the court must assess whether the means used by the public authority are appropriate and necessary to achieve that aim, taking into account all relevant factors such as proportionality, necessity and less restrictive alternatives12. Therefore, the right to privacy is not an absolute right but a qualified one that has to be balanced against other rights under the ECHR. References:

Article 8 - Protection of personal data

Your right to respect for private and family life

Right to respect for private and family life

Guide on Article 8 of the European Convention on Human Rights

European Convention on Human Rights - Article 8

 Article 9 of the GDPR prohibits the processing of special categories of personal data, which are data that reveal sensitive information about the data subject and may pose a high risk to their rights and freedoms. The GDPR defines 10 types of personal data as special categories, which are:

personal data revealing racial or ethnic origin;

personal data revealing political opinions;

personal data revealing religious or philosophical beliefs;

personal data revealing trade union membership;

genetic data;

biometric data (where used for identification purposes);

data concerning health;

data concerning a person’s sex life; and

data concerning a person’s sexual orientation.

Among the answer choices, only option C is not one of these categories, as financial data is not considered to reveal any sensitive information about the data subject. However, financial data is still subject to the general principles and rules of the GDPR, such as lawfulness, fairness, transparency, accuracy, security, etc. References:

Special category data | ICO

Art. 9 GDPR Processing of special categories of personal data

Special Categories of Data - International Association of Privacy Professionals