Article 5(1)(b) of the GDPR states that personal data must be "collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes." Based on Article 5(1)(b),what is the impact of a member state's interpretation of the word "incompatible"?
Answer(s): D
The purpose limitation principle requires that personal data be collected for specified, explicit and legitimate purposes and not be further processed in a manner that is incompatible with those purposes. However, the GDPR does not provide a clear definition of what constitutes an incompatible purpose. Instead, it leaves room for interpretation by the member states, taking into account the context and circumstances of the processing. This means that the degree of flexibility a controller has in using personal data for a new purpose may vary depending on the member state's law and guidance. Some factors that may affect the compatibility assessment include the link between the original and the new purpose, the expectations of the data subject, the nature of the data, the impact of the further processing, and the safeguards applied by the controller.
GDPR Article 5(1)(b), which states the purpose limitation principle. GDPR Article 6(4), which lists the criteria for assessing the compatibility of a new purpose. ICO guidance, which explains the purpose limitation principle and provides examples of compatible and incompatible purposes.[EDPB guidelines], which provide further guidance on the application of the purpose limitationprinciple.
Tanya is the Data Protection Officer for Curtains Inc., a GDPR data controller. She has recommended that the company encrypt all personal data at rest. Which GDPR principle is she following?
Answer(s): C
The GDPR requires that personal data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures1. This principle is known as integrity and confidentiality, or sometimes as security2. Encryption is one of the possible technical measures that can be used to protect personal data at rest, as it makes the data unintelligible to anyone who does not have the key to decrypt it3. By recommending that the company encrypts all personal data at rest, Tanya is following the principle of integrity and confidentiality, as she is ensuring that the personal data is secure and protected from unauthorised access or accidental damage.
1: Article 5(1)(f) of the GDPR 2: A guide to the data protection principles | ICO 3: Encryption | ICOhttps://www.icaew.com/technical/technology/data/data-protection/data-protection- articles/do-i- have-to-encrypt-personal-data-to-comply-with-dpa-2018
A well-known video production company, based in Spain but specializing in documentaries filmed worldwide, has just finished recording several hours of footage featuring senior citizens in the streets of Madrid. Under what condition would the company NOT be required to obtain the consent of everyone whose image they use for their documentary?
According to the GDPR, consent is one of the six lawful bases for processing personal data, but not the only one. The other five are: contract, legal obligation, vital interests, public task and legitimate interests. Legitimate interests can be invoked by controllers who process personal data for their own benefit or for the benefit of third parties, as long as such processing does not override the rights and freedoms of the data subjects, especially if they are children. The GDPR also recognizes that processing personal data for journalistic purposes or the purposes of academic, artistic or literary expression may be necessary for the exercise of the right to freedom of expression and information, which is a legitimate interest. Therefore, the company may not need to obtain the consent of everyone whose image they use for their documentary, if they can demonstrate that their processing is necessary for the purposes of their journalistic, artistic or literary expression, and that they have taken into account the reasonable expectations of the data subjects and the potential impact on their privacy. The company should also comply with any relevant national laws or codes of conduct that may apply to such processing.
GDPR, Article 6(1)(a)-(f)GDPR, Recital 47GDPR, Article 85
A Spanish electricity customer calls her local supplier with Questions: about the company's upcoming merger. Specifically, the customer wants to know the recipients to whom her personal data will be disclosed once the merger is final. According to Article 13 of the GDPR, what must the company do before providing the customer with the requested information?
According to Article 13 of the GDPR, the controller (in this case, the electricity supplier) has the obligation to provide the data subject (in this case, the customer) with information about the processing of their personal data, including the recipients or categories of recipients of the personal data, if any. However, before providing such information, the controller must verify the identity of the data subject, to ensure that the information is not disclosed to unauthorized persons. This verification can be done by other means than the personal data already collected, such as asking for additional information, sending a verification code, or using a secure online portal. The other options (A, B, and C) are not relevant for this verification, as they do not relate to the identity of the data subject, but to the scope, purpose, and history of the processing.
Article 13 of the GDPRThe right to be informed (transparency) (Article 13 & 14 GDPR) Regulation (EU) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive/EC (General Data Protection Regulation)https://fpf.org/wp-content/uploads/2018/11/GDPR_CCPA_Comparison-Guide.pdf
Under the GDPR, where personal data is not obtained directly from the data subject, a controller is exempt from directly providing information about processing to the data subject if?
Answer(s): A
According to Article 14 of the GDPR, where personal data is not obtained directly from the data subject, the controller must provide the data subject with certain information about the processing, such as the identity of the controller, the purposes and legal basis of the processing, the categories of personal data concerned, the recipients or categories of recipients of the personal data, and the rights of the data subject12. However, there are some exceptions to this obligation, as specified in Article 14(5). One of them is when the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) or in so far as the obligation is likely to render impossible or seriously impair the achievement of the objectives of that processing12. In such cases, the controller must take appropriate measures to protect the data subject's rights and freedoms and legitimate interests, including making the information publicly available12.
CIPP/E Certification - International Association of Privacy Professionals, Free CIPP/E Study Guide - International Association of Privacy Professionals, GDPR - EUR-Lex, Right to be Informed - General Data Protection Regulation (GDPR)https://dataprivacymanager.net/gdpr-exemptions-from-the-obligation-to-provide- information-to-the- individual-data-subject/
SCENARIOPlease use the following to answer the next question:Due to rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B. Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry.Company B's payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A's factories. Company B won't hold any biometric data itself, but the related data will be uploaded to Company B's UK servers and used to provide the payroll service. Company B's live systems will contain the following information for each of Company A's employees:NameAddressDate of BirthPayroll numberNational Insurance numberSick pay entitlementMaternity/paternity pay entitlementHoliday entitlementPension and benefits contributionsTrade union contributionsJenny is the compliance officer at Company A. She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn't sure whether or not this is required.Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data.Jenny suggests that Company B obtain advice from its data protection officer. The company doesn't have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full.Company A enters into the contract.Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B's live systems in order to create a new database for Company B.This database will be stored in a test environment hosted on Company C's U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes.Unfortunately, Company C's U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A's employees is visible to anyone visiting Company C's website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees.Under the GDPR, which of Company B's actions would NOT be likely to trigger a potential enforcement action?
While Company B made several mistakes in handling Company A's employee data, not all of them would likely trigger a potential enforcement action under the GDPR. Here's an analysis of each option:A . Omission of data protection provisions in the contract with Company C: This is a clear violation of the GDPR. Company B, as the data controller, is responsible for ensuring that any third-party processors comply with data protection requirements. By omitting data protection provisions in the contract, Company B failed to take appropriate steps to ensure the security and privacy of the personal data. This would be a likely trigger for an enforcement action.B . Failure to provide sufficient security safeguards to Company A's data: This is another violation of the GDPR. Company B has a legal obligation to implement appropriate technical and organizational security measures to protect personal data from unauthorized access, use, disclosure, alteration, or destruction. The outdated IT security system at Company C's U.S. server demonstrates a failure to meet this obligation. This would also be a likely trigger for an enforcement action. C . Engagement of Company C to improve their payroll service: While outsourcing certain aspects of data processing is permitted under the GDPR, the data controller remains ultimately responsible for compliance. However, simply engaging another company to improve a service itself isn't necessarily a violation. As long as the proper safeguards are in place and the data processing is carried out in accordance with the GDPR, this action alone would not likely trigger an enforcement action. D . Decision to operate without a data protection officer: The GDPR requires certain organizations to appoint a data protection officer (DPO). While Company B may be required to have a DPO depending on its size and activities, the absence of a DPO wouldn't automatically trigger an enforcement action. However, it could indicate a lack of compliance culture and contribute to other violations, increasing the likelihood of an enforcement action.Therefore, while Company B made several mistakes, only the ones that directly violate specific data protection requirements, such as omitting data protection provisions in contracts or failing to implement appropriate security measures, are likely to trigger an enforcement action. Engaging a third-party to improve a service, as long as it's done in a compliant manner, isn't a violation in itself.
SCENARIOPlease use the following to answer the next question:Due to rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B. Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry.Company B's payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A's factories. Company B won't hold any biometric data itself, but the related data will be uploaded to Company B's UK servers and used to provide the payroll service. Company B's live systems will contain the following information for each of Company A's employees:NameAddressDate of BirthPayroll numberNational Insurance numberSick pay entitlementMaternity/paternity pay entitlementHoliday entitlementPension and benefits contributionsTrade union contributionsJenny is the compliance officer at Company A. She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn't sure whether or not this is required.Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data.Jenny suggests that Company B obtain advice from its data protection officer. The company doesn't have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full.Company A enters into the contract.Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B's live systems in order to create a new database for Company B.This database will be stored in a test environment hosted on Company C's U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes.Unfortunately, Company C's U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A's employees is visible to anyone visiting Company C's website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees.The GDPR requires sufficient guarantees of a company's ability to implement adequate technical and organizational measures. What would be the most realistic way that Company B could have fulfilled this requirement?
Article 82 of the GDPR1234 regulates the right to compensation and liability for any person who has suffered material or non-material damage as a result of an infringement of the GDPR. Paragraph 4 of Article 821234 states that a controller or processor shall be exempt from liability under paragraph 2 (which holds them liable for the damage caused by processing which infringes the GDPR) if it proves that it is not in any way responsible for the event giving rise to the damage. Therefore, the right to compensation and liability under the GDPR provides for an exemption from liability if the data controller (or data processor) proves that it is not in any way responsible for the event giving rise to the damage.
1: Art. 82 GDPR Right to compensation and liability - General Data Protection Regulation (GDPR)2: Art. 82 GDPR - Right to compensation and liability - GDPR.eu3: GDPR Article 82: Right to compensation and liability - Advisera4: Article 82 GDPR | Right to compensation and liabilityhttps://www.knowyourcompliance.com/gdpr-technical-organisational-measures/
In 2016's Guidance, the United Kingdom's Information Commissioner's Office (ICO) reaffirmed the importance of using a "layered notice" to provide data subjects with what?
A layered notice is a privacy notice designed to respond to problems with excessively long notices1. A short notice -- the top layer -- provides a user with the key elements of the privacy notice, such as the identity of the organisation, the purposes of the processing, and the rights of the data subjects2. The full notice -- the bottom layer -- covers all the intricacies in full, such as the lawful basis, the retention periods, and the recipients of the personal data2. The ICO recommends using a layered approach to deliver privacy information in a concise, transparent, intelligible, and easily accessible way, as required by the UK GDPR3. A layered notice allows data subjects to access the information they need at the appropriate level of detail and helps organisations to comply with the right to be informed23.
Share your comments for IAPP CIPP-E exam with other users:
just passed the exam on my first try using these dumps.
very helpful
these questions look good.
this is very helpful content
please provide the dumps
it is amazing
quesion 178 about "a banking system that predicts whether a loan will be repaid is an example of the" the answer is classification. not regresion, you should fix it.
please upload apache spark dumps
q14 is b&c to reduce you will switch off mail for every single alert and you will switch on daily digest to get a mail once per day, you might even skip the empty digest mail but i see this as a part of the daily digest adjustment
i think it is good question
good for students who wish to give certification.
is there a google drive link to the images? the links in questions are not working.
very promising, looks great, so much wow!
i scored 87% on the az-204 exam. thanks! i always trust
good need more
sample questions seems good
huawei is ok
good one nice
please continue
this exam dumps just did the job. i donot want to ruffle your feathers but your exam dumps and mock test engine is amazing.
nice questions
the explanation are really helpful
just passed my exam yesterday on my first attempt. these dumps were extremely helpful in passing first time. the questions were very, very similar to these questions!
cosmos db is paas not saas
what is the percentage of common questions in gcp exam compared to 197 dump questions? are they 100% matching with real gcp exam?
not able to see questions
by far one of the best sites for free questions. i have pass 2 exams with the help of this website.
excellent question bank.
it really helped
excelent material
the new versoin of this exam which i downloaded has all the latest questions from the exam. i only saw 3 new questions in the exam which was not in this dump.
question 8 - can cloudtrail be used for storing jobs? based on aws - aws cloudtrail is used for governance, compliance and investigating api usage across all of our aws accounts. every action that is taken by a user or script is an api call so this is logged to [aws] cloudtrail. something seems incorrect here.
question 13 tda - c01 answer : quick table calculation -> percentage of total , compute using table down
pls share teh dump