IAPP Updated CIPP-E Exam Questions and Answers by cataleya

The ECHR and the CJEU are part of two different legal systems: the Council of Europe and the European Union, respectively. The ECHR is a treaty that guarantees human rights and fundamental freedoms to individuals within the jurisdiction of its 47 member states. The CJEU is the judicial branch of the EU that ensures the uniform interpretation and application of EU law within its 27 member states. The ECHR can only hear complaints from individuals or states alleging violations of the rights enshrined in the convention, and it can only issue judgments that are binding on the respondent state. The CJEU, on the other hand, can hear cases from individuals, states, EU institutions, or national courts on any matter of EU law, and it can issue rulings that are binding on all EU member states and institutions. The CJEU can also impose sanctions or penalties on states that fail to comply with its judgments or EU law in general. Therefore, the CJEU has more power and authority to enforce EU law than the ECHR has to enforce human rights law. References: CIPP/E Certification, ECHR and the CJEU, The UK, the EU and a British Bill of Rights

 According to the Free CIPP/E Study Guide, page 14, “if the DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk, the controller shall consult the supervisory authority prior to the processing.” This means that the controller must seek the advice of the supervisory authority when the DPIA identifies high risks that cannot be sufficiently reduced by the controller’s own measures. The other options are not necessarily cases where the consultation is required, although they may trigger other obligations under the GDPR, such as obtaining a valid legal basis, providing adequate safeguards, or informing the data subjects. References:

Free CIPP/E Study Guide, page 14

GDPR, Article 36

Before Anna determines whether Frank’s performance database is permissible, she needs to know more information about the following aspects of the data processing:

The purpose and legal basis of the data processing, which should be clearly defined and documented in a data protection impact assessment (DPIA) or a similar document12.

The nature and extent of the personal data involved, which should be limited to what is necessary for the purpose and not retained longer than necessary12.

The measures taken to ensure the security and confidentiality of the personal data, such as encryption, pseudonymization, access control, etc12.

The rights and interests of the data subjects, such as their right to access, rectify, erase or restrict their personal data, as well as their right to object or withdraw consent12.

The potential risks and consequences of the data processing for the rights and freedoms of the data subjects, such as identity theft, discrimination, reputational damage, etc12.

In this case, Anna needs to know more information about what students have been told and how the research will be used. This is because:

The purpose of using student records for research purposes is not clear from Frank’s description. He does not specify whether he has obtained consent from the students or their parents/guardians, or whether he has informed them about his research objectives and methods.

The nature and extent of using student records for research purposes is not clear from Frank’s description. He does not specify which student records he is using (e.g., by name or by reference number), how many records he is using (e.g., by cohort or by class), or how long he will keep them (e.g., until graduation or indefinitely).

The measures taken to ensure the security and confidentiality of using student records for research purposes are not clear from Frank’s description. He does not specify whether he has encrypted his program or his laptop before transferring it to his home device, whether he has backed up his program or his laptop before losing it on the train, or whether he has reported his lost laptop to his IT department.

Therefore, Anna needs more information about these aspects before she can determine whether Frank’s performance database is permissible under the GDPR.

References: 1: Free CIPP/E Study Guide - International Association of Privacy Professionals 2: CIPP/E Certification - International Association of Privacy Professionals

According to Article 32 of the GDPR, the controller and the processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing1. The GDPR does not prescribe specific security measures, but rather provides a list of factors to consider when determining the appropriate level of security, such as:

The state of the art and the costs of implementation;

The nature, scope, context and purposes of processing;

The risk of varying likelihood and severity for the rights and freedoms of natural persons.

Therefore, the level of security required by the GDPR is not absolute, but relative to the specific circumstances of each processing activity. The GDPR also encourages the use of codes of conduct and certification mechanisms to demonstrate compliance with the security requirements1.

In the scenario, Natural Insight is a processor who receives customer information from BHealthy, a controller, for the purpose of providing pricing services. Natural Insight has a contractual obligation to implement technical and organisational measures to ensure the security of the data, as well as to comply with the GDPR. Natural Insight’s security obligations are not limited to the measures assessed by BHealthy prior to entering into the contract, nor to the level of security that a reasonable data subject would expect. Rather, Natural Insight must take into account the industry practices for protecting customer contact information and purchase history, as well as the potential risks that may arise from the processing, such as data breaches, identity theft, fraud, or discrimination. Natural Insight must also keep up with the state of the art and the costs of implementation, and adjust its security measures accordingly.

References:

4: Art. 32 GDPR Security of processing