IAPP Updated CIPP-E Exam Questions and Answers by benji

 According to the GDPR, location data is a type of personal data that can reveal information about an individual’s habits, preferences, or movements1. Location data can also be considered as a special category of personal data if it reveals information about an individual’s health, ethnic origin, or religious beliefs2. Therefore, location data is subject to the GDPR’s rules on the lawful processing of personal data, which require a valid legal basis, such as consent, contract, legal obligation, vital interest, public interest, or legitimate interest2.

In this scenario, Who-R-U decides to track locations using its app, which means that it collects and processes location data from its app users. This data can be used to identify the app users, as well as to infer information about their interests, preferences, or behavior. Therefore, Who-R-U needs to comply with the GDPR, even if it only offers its services to Canadians, because it monitors the behavior of individuals in the EU2.

One of the possible legal bases for processing location data is consent, which means that the app users must give their informed, specific, and freely given agreement to the collection and use of their location data2. Consent must be obtained before the processing starts, and it must be easy to withdraw at any time2. Consent must also be granular, meaning that the app users must be able to choose which purposes and types of location data they agree to share1.

Therefore, if Who-R-U decides to track locations using its app, it must get consent from the app users, and provide them with clear and transparent information about how, why, and for how long their location data will be processed, who will have access to it, and what rights they have under the GDPR12. Who-R-U must also ensure that the consent is voluntary, and that the app users can opt out of location tracking without affecting the functionality or quality of the app12. References: 1 Policy Brief: Location Data Under Existing Privacy Laws | FPF. Available at: 5 (Accessed: 11 December 2023)2 What is the General Data Protection Regulation (GDPR)? | Cloudflare. Available at: 6 (Accessed: 11 December 2023).

Under the GDPR, using CCTV on business premises involves the processing of personal data, which requires compliance with the data protection principles and obligations. However, notifying the appropriate data protection authority (DPA) is not one of the steps that a company should take before using CCTV, unless the DPA has specifically requested it or the CCTV involves high-risk processing that requires prior consultation. The other steps are necessary to ensure GDPR compliance, as explained below:

Performing a data protection impact assessment (DPIA) is a mandatory requirement for any type of processing that is likely to result in a high risk to the rights and freedoms of individuals, such as large-scale or systematic monitoring of public areas. A DPIA is a process that helps identify and mitigate the potential privacy risks of using CCTV, and document the measures taken to address them. A DPIA should include a description of the processing, its purpose and necessity, its risks and benefits, the safeguards and security measures, and the consultation with stakeholders. A DPIA should be carried out before the CCTV system is installed or upgraded, and reviewed regularly or whenever there is a significant change in the processing.

Creating an information retention policy for those who operate the system is a good practice to ensure that the personal data collected by CCTV is not kept longer than necessary for the purpose for which it was collected, and that it is securely deleted or anonymised when no longer needed. The retention period should be determined by the specific purpose and context of using CCTV, and take into account any legal or contractual obligations, as well as the expectations and rights of the data subjects. The retention policy should also specify who is responsible for managing and deleting the CCTV footage, and how the deletion process is verified and documented.

Ensuring that safeguards are in place to prevent unauthorized access to the footage is an essential requirement to comply with the GDPR principle of integrity and confidentiality, which states that personal data must be processed in a manner that ensures appropriate security of the data, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage. The safeguards may include technical and organisational measures, such as encryption, access control, logging, audit, training, policies and procedures, that aim to protect the CCTV footage from unauthorized or unlawful access, disclosure, alteration, or destruction, both during transmission and storage. References: GDPR Article 35, GDPR Article 36, GDPR Article 5, CCTV and video surveillance | ICO, 5 Step Guide to Check if Your CCTV is GDPR Compliant

 According to GDPR Article 4(22), a supervisory authority is concerned by the processing of personal data if the data subjects residing in its member state are substantially affected or likely to be substantially affected by the processing, or if a complaint has been lodged with it. This concept is mainly introduced to ensure that the rights and interests of data subjects are protected by the supervisory authorities that are closest to them, regardless of where the controller or processor is established or where the lead supervisory authority is located. The concerned supervisory authorities have the right to participate in the one-stop-shop and consistency mechanisms, and to express their views and objections on the draft decisions of the lead supervisory authority. They also have the duty to cooperate and assist each other in the performance of their tasks. References: GDPR Article 4(22), GDPR Article 60, GDPR Article 63, The role of the ’supervisory authority concerned’ (Chapter 3.1 …

Cross-border processing is defined in Article 4(23) of the GDPR as either:

•processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or

•processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

Therefore, the factors that are relevant for identifying whether the processing could be considered a cross-border processing are:

•the location and number of establishments of the controller or processor in the EU;

•the connection between the processing and the activities of the establishments;

•the substantial effect or likelihood of substantial effect on data subjects in more than one Member State.

The total number of the data subjects interested is not necessarily a factor, as the processing could affect only a few data subjects but still have a substantial impact on them. For example, a processing that involves the disclosure of sensitive personal data of a small group of data subjects in different Member States could be considered a cross-border processing.

References:

•GDPR Article 4 - Definitions1

•Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority2