IAPP Updated CIPP-E Exam Questions and Answers by aayat

 According to Article 14 of the GDPR, when a controller collects personal data from a source other than the data subject, the controller must provide the data subject with certain information, such as the identity and contact details of the controller, the purposes and legal basis of the processing, the categories of personal data concerned, the recipients or categories of recipients of the personal data, and the rights of the data subject. This information must be provided within a reasonable period after obtaining the personal data, but at the latest within one month, or at the time of the first communication with the data subject, or before disclosing the data to another recipient. The purpose of this provision is to ensure fair and transparent processing of personal data and to respect the right of the data subject to be informed. References:

Article 14 of the GDPR, which specifies the information to be provided where personal data have not been obtained from the data subject.

ICO guidance, which explains the requirements and exceptions of Article 14 of the GDPR.

EDPB guidelines, which provide further guidance on the application of Article 14 of the GDPR.

The e-Privacy Directive 2002/58/EC, also known as the Directive on privacy and electronic communications, is a specific directive that complements and particularises the GDPR for the electronic communications sector. It was amended in 2009 by the Directive 2009/136/EC, which introduced several changes to enhance the protection of personal data and privacy in the electronic communications sector. One of these changes was the introduction of a mandatory notification for personal data breaches applicable to providers of publicly available electronic communications services, such as telecom providers and internet service providers. According to Article 4 of the amended e-Privacy Directive, these providers must notify the competent national authority of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Community. The notification must be made without undue delay and, where feasible, not later than 24 hours after the provider has become aware of the breach. The notification must include information such as the nature and content of the personal data concerned, the circumstances and consequences of the breach, and the measures taken or proposed by the provider to address the breach. The provider must also notify the affected data subjects of the breach, unless the provider has demonstrated to the satisfaction of the competent authority that it has implemented appropriate technological protection measures that render the data unintelligible to any person who is not authorised to access it. The notification to the data subjects must describe the nature of the breach and the contact points where more information can be obtained, and must recommend measures to mitigate the possible adverse effects of the breach. The purpose of this mandatory notification is to ensure that the authorities and the data subjects are informed of the risks and the remedies related to the breach, and to encourage the providers to improve their security measures and prevent further breaches. References: e-Privacy Directive, Changes to e-Privacy Directive Approved by European Parliament, Article 2 Amendments to Directive 2002/58/EC (Directive on privacy and electronic communications), Personal data breaches

According to Article 17 of the GDPR, the data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller has the obligation to erase personal data without undue delay where one of the following grounds applies: (a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (b) the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing; © the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2); (d) the personal data have been unlawfully processed; (e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; (f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1). However, Article 17(3) provides that the right to erasure does not apply to the extent that processing is necessary for exercising the right of freedom of expression and information. Therefore, this would not be a valid ground for data subject delisting requests. References:

Article 17 of the GDPR

EDPB Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR (part 1)

 According to the Free CIPP/E Study Guide, page 14, “if the DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk, the controller shall consult the supervisory authority prior to the processing.” This means that the controller must seek the advice of the supervisory authority when the DPIA identifies high risks that cannot be sufficiently reduced by the controller’s own measures. The other options are not necessarily cases where the consultation is required, although they may trigger other obligations under the GDPR, such as obtaining a valid legal basis, providing adequate safeguards, or informing the data subjects. References:

Free CIPP/E Study Guide, page 14

GDPR, Article 36