IAPP Updated CIPP-E Exam Questions and Answers by miya

The GDPR defines profiling as any form of automated processing of personal data to evaluate certain personal aspects relating to a natural person, such as their preferences, behaviour, or interests1. Profiling is subject to the general principles and rules of the GDPR, such as lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, and confidentiality2. The GDPR also provides specific rights for data subjects who are subject to profiling, such as the right to be informed, the right to access, the right to rectify, the right to object, and the right to not be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects on them3.

In the given scenario, the online shop is engaging in profiling by tracking the browsing behaviour of its European customers and predicting future purchases. It is also sharing this information with third parties, which may involve further processing of the personal data. Therefore, the online shop must comply with the GDPR requirements for profiling and ensure that it has a valid legal basis for the processing. According to Article 6 of the GDPR, there are six possible legal bases for processing personal data: consent, contract, legal obligation, vital interests, public interest, or legitimate interests4. However, not all of them are equally applicable or appropriate for profiling activities, especially when they involve sensitive or special categories of data, such as biometric, genetic, or health data, which require additional safeguards under Article 9 of the GDPR5.

In this case, the most relevant and suitable legal basis for the online shop’s profiling is consent, which means that the data subject has given a clear and affirmative indication of their agreement to the processing of their personal data for one or more specific purposes6. Consent must be freely given, specific, informed, and unambiguous, and must be obtained before the processing begins7. The online shop must also inform the data subject about the nature and purpose of the profiling, the logic involved, the consequences, and the rights they have in relation to it. The online shop must also respect the data subject’s right to withdraw their consent at any time and to object to the profiling.

Therefore, the online shop’s primary obligation while engaging in this kind of profiling is to solicit informed consent through a notice on its website, which must be clear, concise, and easily accessible, and must not be bundled with other terms and conditions. The online shop must also provide a simple and effective mechanism for the data subject to give or revoke their consent, such as a checkbox, a slider, or a button. The online shop must also keep records of the consent obtained and be able to demonstrate that it has complied with the GDPR requirements for consent.

The other options (B, C, and D) are not the primary obligation for the online shop, as they are either irrelevant or insufficient for the GDPR compliance. Seeking authorization from the European supervisory authorities is not necessary, unless the online shop is involved in a cross-border processing that requires a prior consultation under Article 36 of the GDPR. Demonstrating a prior business relationship with the customers is not a valid legal basis for the profiling, as it does not imply consent or legitimate interests. Proving that it uses sufficient security safeguards to protect customer data is a general obligation for any processing of personal data, but it does not address the specific issues and risks of profiling, such as discrimination, manipulation, or loss of control. References:

1: What is automated individual decision-making and profiling?

2: Article 5 of the GDPR

3: Rights related to automated decision making including profiling

4: [Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)]

5: Article 9 of the GDPR

6: Article 4 (11) of the GDPR

7: Article 7 of the GDPR

: Article 13 and 14 of the GDPR

: Article 21 of the GDPR

: Article 12 of the GDPR

: [Guidelines on consent under Regulation 2016/679]

: Article 24 of the GDPR

: Article 36 of the GDPR

: [Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679]

: [https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf]

: [https://edpb.europa.eu/sites/edpb/files/files/file1/20171104_wp251rev01_en.pdf]

According to the GDPR, a data controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (Art 4(7) of GDPR). A data processor is the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Art 4(8) of GDPR). In this case, JaphSoft would be considered a controller under the GDPR because it uses the personal data it receives from Liem and EcoMick to improve its own products and services through machine learning. This means that JaphSoft determines the purposes and means of this processing activity, which is not covered by the agreement with Liem and EcoMick. JaphSoft also decides how long to retain the personal data, which is another indication of its controller role. The other options are not sufficient to establish JaphSoft as a controller, as they could also apply to a processor. Having access to personal data in the MarketIQ database does not imply that JaphSoft determines the purposes and means of the processing. It could be acting on behalf of Liem and EcoMick, who are the controllers of the data in the database. Making decisions regarding the technical and organizational measures necessary to protect the personal data is also a duty of a processor, who must implement appropriate security measures in accordance with the GDPR and the instructions of the controller (Art 28 and Art 32 of GDPR). References:

GDPR, Art 4, Art 28, Art 32

Free CIPP/E Study Guide, p. 15

European Data Protection Law & Practice, p. 123

What is a data controller or a data processor?

CNIL publishes guidance on data processing roles under EU GDPR

Guide for multi-controller situations under the GDPR