IAPP Updated CIPP-E Exam Questions and Answers by cassie

According to the GDPR, the right to be forgotten, also known as the right to erasure, is not an absolute right and only applies in certain circumstances1. One of the exceptions to this right is when the processing of personal data is necessary for the establishment, exercise or defence of legal claims2. In this scenario, the company may need to retain the personal data of Jack, such as his employment records, performance reviews, and internal emails, in order to defend itself against a possible legal action of unfair dismissal. Therefore, the company should not erase the data at this time, unless it is confident that it has no legal basis to keep it. The company should also inform Jack of the reasons for not complying with his request and of his right to lodge a complaint with a supervisory authority or a judicial remedy3. References: 1: Everything you need to know about the “Right to be forgotten”2: Article 17(3)(e) of the GDPR3: Article 12(4) of the GDPR.

 The ePrivacy Directive is a European Union (EU) directive that aims to protect the confidentiality of electronic communications and prevent their indiscriminate interception or monitoring. It was adopted in 2002 and amended in 2009. It applies to all providers of electronic communication services, such as internet service providers, mobile network operators, and online platforms12.

One of the main objectives of the ePrivacy Directive is to ensure that the retention of communications traffic data for law enforcement purposes is subject to strict conditions and safeguards. Communications traffic data refers to any information relating to the transmission or routing of electronic communications, such as IP addresses, timestamps, and metadata3. Such data can be used by competent national authorities for the prevention, investigation, detection or prosecution of criminal offences and safeguarding national security4.

However, the ePrivacy Directive does not allow individual EU member states to engage in such data retention without harmonizing their rules. Article 6(1)(b) of the directive states that “Member States shall ensure that any measures taken by them in relation to the retention of traffic data are consistent with this Directive”. Therefore, each EU member state must adopt a national law that complies with the requirements and limitations set by the directive12.

The Data Retention Directive (DRD) was a previous EU directive that aimed to establish a common framework for the retention of communications traffic data for law enforcement purposes across all EU member states. It was adopted in 2006 and amended in 2010. However, it was annulled by the Court of Justice of the European Union (CJEU) in 2014 on procedural grounds. The CJEU found that some provisions of the DRD were inconsistent with other EU directives and principles, such as Article 8(2) of the Charter of Fundamental Rights (CFR), which protects individuals from arbitrary interference with their privacy56.

The GDPR is a new EU regulation that implements some aspects of the DRD into national law through its provisions on processing personal data. However, it does not address directly the issue of communications traffic data retention for law enforcement purposes. Instead, it requires providers to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk involved in processing personal data. These measures include encryption, pseudonymisation, access control, and accountability7 . The GDPR also grants individuals certain rights regarding their personal data, such as access, rectification, erasure, portability, and objection7 .

Therefore, under current EU law, there is no single legal basis for retaining communications traffic data for law enforcement purposes across all EU member states. Each member state must adopt its own national law that respects the principles and limitations established by the ePrivacy Directive.

References:

ePrivacy Directive

ePrivacy Regulation

What is Communications Traffic Data?

How is Communications Traffic Data Retained?

Data Retention Directive

Data Retention Directive annulled by CJEU

General Data Protection Regulation

What are your rights regarding your personal data?

 According to GDPR Article 4(22), a supervisory authority is concerned by the processing of personal data if the data subjects residing in its member state are substantially affected or likely to be substantially affected by the processing, or if a complaint has been lodged with it. This concept is mainly introduced to ensure that the rights and interests of data subjects are protected by the supervisory authorities that are closest to them, regardless of where the controller or processor is established or where the lead supervisory authority is located. The concerned supervisory authorities have the right to participate in the one-stop-shop and consistency mechanisms, and to express their views and objections on the draft decisions of the lead supervisory authority. They also have the duty to cooperate and assist each other in the performance of their tasks. References: GDPR Article 4(22), GDPR Article 60, GDPR Article 63, The role of the ’supervisory authority concerned’ (Chapter 3.1 …