IAPP Updated CIPP-E Exam Questions and Answers by danny

According to Article 35 of the GDPR, a Data Protection Impact Assessment (DPIA) is required when the processing of data is likely to result in a high risk to the rights and freedoms of natural persons, especially when using new technologies. A DPIA is supposed to show the characteristics of the processing, the risks and the measures adopted to mitigate them. The GDPR also provides some examples of processing operations that require a DPIA, such as:

a systematic and extensive evaluation of personal aspects based on automated processing, including profiling, and on which decisions are based that produce legal or significant effects on the data subject;

processing on a large scale of special categories of data or data relating to criminal convictions and offences; or

a systematic monitoring of a publicly accessible area on a large scale.

Among the answer choices, only option C falls under the first example, as it involves a systematic and extensive evaluation of personal aspects based on location data and data from third-party sources, which could be used for profiling and matching purposes. This could have significant effects on the data subjects’ privacy, personal relationships and reputation. Therefore, a DPIA would be required for this processing operation.

Option A does not necessarily involve a systematic and extensive evaluation of personal aspects, nor does it produce legal or significant effects on the data subject. It could be considered a legitimate interest of the company to offer more personalized service, as long as it respects the principles of data minimization, purpose limitation and transparency.

Option B does not involve a decision based on the processing, nor does it produce legal or significant effects on the data subject. It could be considered a form of direct marketing, which is subject to specific rules under the GDPR and the ePrivacy Directive.

Option D does not involve personal data relating to natural persons, but rather to delivery trucks. Therefore, it does not pose a high risk to the rights and freedoms of natural persons.

References:

GDPR Article 35

Guidelines on DPIA

Art. 35 GDPR - Data protection impact assessment - GDPR.eu

 According to the GDPR, the lead supervisory authority is the supervisory authority with the primary responsibility for dealing with a cross-border processing activity, for example when a data subject makes a complaint about the processing of his or her personal data. The lead supervisory authority is determined according to the location of the main establishment or the single establishment of the controller or processor in the EU. The main establishment is the place where the decisions about the purposes and means of the processing are taken, or where the controller has its central administration in the EU. The single establishment is the only place where the controller or processor is established in the EU. Therefore, in this scenario, T-Craze’s lead supervisory authority is Germany, because that is where T-Craze is headquartered and where it has its main product-design office, which implies that the decisions about the processing of personal data are taken there. The other options are not correct, because the location of the processing, the market or the affiliates are not relevant for determining the lead supervisory authority. References: Free CIPP/E Study Guide, page 39; CIPP/E Certification, page 19; GDPR, Article 4(16), Article 4(22), Article 56, Recital 36.

One of the main differences between a Regulation and a Directive in the EU law is that a Regulation is directly applicable and binding in all EU member states, without the need for national implementing measures, while a Directive sets out the objectives and principles that the member states must achieve, but leaves them the choice of form and methods to transpose it into their national laws. Therefore, by taking the form of a Regulation, the GDPR aims to harmonize and unify the data protection rules across the EU, and to ensure a consistent implementation and enforcement of the data protection laws throughout the EU. The other aspects of the GDPR listed in the question, such as the one-stop shop mechanism, the mandatory notification of large-scale data breaches, and the mandatory appointment of a data protection officer, are also important features of the GDPR, but they do not have the same impact on the consistency of the data protection laws as the form of a Regulation.

References: Difference between A Regulation And Directive (European Law)1; EUR-Lex - 310401_2 - EN - EUR-Lex2; EU GDPR vs. European Data Protection Directive 95/46/EC - Advisera3; Difference between GDPR and Data Protection Directive - Profolus