IAPP Updated CIPP-E Exam Questions and Answers by ariah

An adequacy decision is a decision adopted by the European Commission, which determines that a third country, a territory or one or more specified sectors within a third country, or an international organisation ensures an adequate level of protection of personal data1. This means that the third country or organisation provides a level of protection that is essentially equivalent to that guaranteed within the European Union (EU), taking into account its domestic law and international commitments, as well as the respect for the rule of law, human rights and fundamental freedoms, relevant legislation, and the existence and effective functioning of independent supervisory authorities1. An adequacy decision is one of the transfer tools that can be used to transfer personal data to a third country or organisation without requiring any further authorisation1. However, an adequacy decision is not permanent and can be amended, suspended or repealed by the Commission at any time, if the conditions are no longer met1. Therefore, according to the recommendations of the European Data Protection Board (EDPB), the additional action that should be taken when a transfer to a third country is based upon an adequacy decision is to monitor changes in the law or practice of the third country that would lower the level of protection of personal data2. This means that the data exporter should stay informed of any developments in the third country or organisation that could affect the validity of the adequacy decision, and take appropriate measures if the level of protection is no longer adequate2. The data exporter should also cooperate with the competent supervisory authority and inform it of any issues that may affect the compliance with the adequacy decision2. Therefore, option D is the correct answer. References: Art. 45 GDPR – Transfers on the basis of an adequacy decision, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data

Louis has the right to object at any time to the use of his data and Bedrock must honor his request to cease use.

The GDPR states that “where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing” and that “where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.”3

This right applies regardless of whether the data subject has previously consented to the use of his or her data, or whether the data are required for a legal claim or a legitimate interest. The data subject must be informed of this right clearly and separately from any other information at the time of the first communication with him or her, and must be provided with an easy way to exercise it.2

Therefore, Louis can object to the use of his data by Bedrock and Accidentable for direct marketing purposes, and they must stop processing his data for such purposes as soon as they receive his objection. Louis can also withdraw his consent for any other processing of his data that he has previously agreed to, such as sharing his data with Bedrock’s affiliates.4

The Universal Declaration of Human Rights (UDHR) was adopted by the United Nations General Assembly in 1948 as a response to the atrocities of World War II. It is considered the first global expression of human rights and fundamental freedoms. Article 12 of the UDHR states that “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.” This article is the origin of privacy as a fundamental human right that has influenced many subsequent international and regional instruments, such as the European Convention of Human Rights (ECHR), the OECD Guidelines on the Protection of Privacy, and the Charter of Fundamental Rights of the European Union (CFREU). References:

• IAPP CIPP/E Study Guide, page 7
• [Universal Declaration of Human Rights]
• [Article 12 of the UDHR]

Article 80(1) of the GDPR states that the data subject shall have the right to mandate a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf, to exercise the rights referred to in Articles 77, 78 and 79 on his or her behalf, and to exercise the right to receive compensation referred to in Article 82 on his or her behalf1. These not-for-profit bodies, organisations or associations are commonly referred to as civil society organizations, as they represent the interests of citizens and groups in the public sphere2. The other options are not correct because: (A) Law firm organizations are not necessarily not-for-profit or active in the field of data protection; © Human rights organizations are a subset of civil society organizations, but not all civil society organizations are focused on human rights; (D) Constitutional rights organizations are also a subset of civil society organizations, but not all civil society organizations are concerned with constitutional rights. References: 1: Article 80(1) of the GDPR; 2: Free CIPP/E Study Guide, page 48.