CIPP-E Exam Dumps - Certified Information Privacy Professional/Europe (CIPP/E)

The NIS2 Directive is the EU’s legislation on cybersecurity that updates and replaces the previous NIS Directive. It aims to create a high common level of cybersecurity across the EU by setting up legal measures for the security of network and information systems used by essential and important entities in various sectors and by enhancing cooperation among the member states. The NIS2 Directive does not establish a common controls framework that every organization must adopt, but rather allows each member state to define the appropriate security measures and incident reporting requirements for the entities under its jurisdiction, taking into account the specificities of each sector and subsector. However, the NIS2 Directive does provide some general principles and objectives for the security measures, such as proportionality, risk-based approach, state of the art, and regular review and update. The NIS2 Directive also introduces minimum harmonised rules for the supervision and enforcement of the security measures and incident reporting obligations, including the possibility of imposing administrative fines.

References:

NIS2 Directive, Articles 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, and 14.

The NIS2 Directive: A high common level of cybersecurity in the EU, pages 1, 2, 3, 4, 5, 6, 7, and 8.

According to the GDPR, when personal data is collected from the data subject, the controller must provide the data subject with certain information, such as the identity and contact details of the controller, the contact details of the data protection officer, the purposes and legal basis of the processing, the recipients or categories of recipients of the personal data, the data subject’s rights, and any other information necessary to ensure fair and transparent processing1. This information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language2. Therefore, Building Block should have provided its employees with information about who they can contact with any queries regarding the monitoring, such as the data protection officer or the Privacy Office, as part of the information notice before implementing the security measures. This would enable the employees to exercise their rights, such as the right to access, rectify, erase, restrict or object to the processing of their personal data, or the right to lodge a complaint with a supervisory authority3. References: 1 Art. 13 GDPR – Information to be provided where personal data are collected from the data subject - General Data Protection Regulation (GDPR)2 Art. 12 GDPR – Transparent information, communication and modalities for the exercise of the rights of the data subject - General Data Protection Regulation (GDPR)3 Art. 15-22 GDPR – Rights of the data subject - General Data Protection Regulation (GDPR).

 The Individual Participation Principle is one of the Fair Information Practice Principles (FIPPs) that are not part of any legal framework, but are widely adopted by many data privacy regulations in force today1. The FIPPs are a set of guidelines for fair information practices that aim to protect the privacy and security of personal information. The Individual Participation Principle holds that individuals have a number of rights, including the right to have their personal data corrected or erased, the right to access and obtain confirmation of their personal data, the right to be informed about how their personal data is used and who it is shared with, and the right to object or withdraw consent for certain purposes2.

The General Data Protection Regulation (GDPR) is a legal framework that implements the European Union’s (EU) Data Protection Directive and provides comprehensive protection for all individuals within the EU regarding their personal data. The GDPR grants individuals a number of rights, such as the right to access, rectify, erase, restrict, port, object, or not be subject to automated decision-making based on their personal data. These rights are similar to those under the FIPPs and can be found in Articles 12 to 22 of the GDPR.

Therefore, the parts of the GDPR that provide the closest equivalent to the Individual Participation Principle are Articles 12 to 22.

References:

OECD Privacy Principles

What are the 7 main principles of GDPR?

Fair Information Practice Principles (FIPPs)

Individual Participation - International Association of Privacy Professionals

What is the right to be forgotten? | Right to erasure | Cloudflare

General Data Protection Regulation - Wikipedia

The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not (Article 3(1)). The GDPR also applies to the processing of personal data of data subjects who are in the EU by a controller or a processor not established in the EU, where the processing activities are related to the offering of goods or services to such data subjects in the EU, or the monitoring of their behaviour as far as their behaviour takes place within the EU (Article 3(2)). Therefore, the GDPR would apply to the following entities:

A South American company that regularly collects European customers’ personal data, as it is offering goods or services to data subjects in the EU.

A company that stores all customer data in Australia and is headquartered in a European Union (EU) member state, as it has an establishment in the EU.

A Chinese company that has opened a satellite office in a European Union (EU) member state to service European customers, as it has an establishment in the EU and is offering goods or services to data subjects in the EU.

The GDPR would not apply to the following entity:

A North American company servicing customers in South Africa that uses a cloud storage system made by a European company, as it does not have an establishment in the EU, nor is it offering goods or services to data subjects in the EU, nor is it monitoring their behaviour within the EU. The fact that it uses a cloud storage system made by a European company does not trigger the application of the GDPR, unless the cloud provider is also processing personal data on behalf of the North American company in the context of its activities in the EU.

References: Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) - version adopted after public consultation, Art. 3 GDPR – Territorial scope - General Data Protection Regulation (GDPR)

Before Anna determines whether Frank’s performance database is permissible, she needs to know more information about the following aspects of the data processing:

The purpose and legal basis of the data processing, which should be clearly defined and documented in a data protection impact assessment (DPIA) or a similar document12.

The nature and extent of the personal data involved, which should be limited to what is necessary for the purpose and not retained longer than necessary12.

The measures taken to ensure the security and confidentiality of the personal data, such as encryption, pseudonymization, access control, etc12.

The rights and interests of the data subjects, such as their right to access, rectify, erase or restrict their personal data, as well as their right to object or withdraw consent12.

The potential risks and consequences of the data processing for the rights and freedoms of the data subjects, such as identity theft, discrimination, reputational damage, etc12.

In this case, Anna needs to know more information about what students have been told and how the research will be used. This is because:

The purpose of using student records for research purposes is not clear from Frank’s description. He does not specify whether he has obtained consent from the students or their parents/guardians, or whether he has informed them about his research objectives and methods.

The nature and extent of using student records for research purposes is not clear from Frank’s description. He does not specify which student records he is using (e.g., by name or by reference number), how many records he is using (e.g., by cohort or by class), or how long he will keep them (e.g., until graduation or indefinitely).

The measures taken to ensure the security and confidentiality of using student records for research purposes are not clear from Frank’s description. He does not specify whether he has encrypted his program or his laptop before transferring it to his home device, whether he has backed up his program or his laptop before losing it on the train, or whether he has reported his lost laptop to his IT department.

Therefore, Anna needs more information about these aspects before she can determine whether Frank’s performance database is permissible under the GDPR.

References: 1: Free CIPP/E Study Guide - International Association of Privacy Professionals 2: CIPP/E Certification - International Association of Privacy Professionals