IAPP Updated CIPP-E Exam Questions and Answers by atlas

When assessing the level of risk created by a data breach, the size of any data processor involved would not have to be taken into consideration. According to the GDPR, a data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” 1. The GDPR requires data controllers and processors to notify the relevant supervisory authority of a data breach within 72 hours, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons 2. The GDPR also requires data controllers to communicate the data breach to the affected data subjects without undue delay, if the breach is likely to result in a high risk to their rights and freedoms 3.

The GDPR does not specify the exact criteria for determining the level of risk, but it provides some guidance in Recital 85, which states that “the likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing” . The recital also mentions some factors that could increase the risk, such as the ease of identification of individuals, the special categories of personal data, the large scale of the processing, or the special characteristics of the data controller . Therefore, these factors should be taken into consideration when assessing the level of risk created by a data breach.

However, the size of any data processor involved is not relevant for the risk assessment, as it does not affect the impact of the breach on the data subjects. The data processor is only responsible for processing the personal data on behalf of the data controller, and has no direct relationship with the data subjects . The data processor’s obligations in case of a data breach are to notify the data controller without undue delay, and to assist the data controller in complying with its obligations under the GDPR . The data processor’s size may affect its ability to fulfill these obligations, but it does not change the level of risk created by the data breach itself. References: 1: Article 4(12) of the GDPR 2: Article 33 of the GDPR 3: Article 34 of the GDPR : Recital 85 of the GDPR : Article 4(8) of the GDPR : Article 28 of the GDPR

I hope this helps. If you have any other questions, please feel free to ask. ?

ABC Hotel Chain and XYZ Travel Agency are joint controllers in this relationship, because they jointly determine the purposes and means of the processing of personal data of their customers. According to Article 26 of the GDPR, joint controllers are two or more controllers who jointly participate in the decision-making process regarding the processing of personal data 1. In this scenario, ABC Hotel Chain and XYZ Travel Agency use a common platform for collecting and sharing customer data, and they agree on the data to be stored, how reservations will be booked and confirmed, and who has access to the stored data. Therefore, they have a common influence on the processing of personal data and share a common objective of integrating their marketing efforts. Moreover, they offer a rewards program that allows customers to sign up to accumulate points that can be redeemed for free travel, which implies a joint benefit from the processing of personal data.

The other options are not correct because they do not reflect the actual roles of ABC Hotel Chain and XYZ Travel Agency in this relationship. A controller is a natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data 2. A processor is a natural or legal person who processes personal data on behalf of the controller 3. In this scenario, neither ABC Hotel Chain nor XYZ Travel Agency act solely or on behalf of the other in processing the personal data of their customers. Rather, they act together in a collaborative manner and share the responsibility and accountability for the processing of personal data. Therefore, they are joint controllers, not independent controllers or controller and processor. References: 1: Article 26 of the GDPR 2: Article 4(7) of the GDPR 3: Article 4(8) of the GDPR

 According to Article 47(2)(a) of the GDPR, binding corporate rules (BCRs) must be legally binding and apply to and be enforced by every member concerned of the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees1. This means that all employees within the group must comply with the BCRs, irrespective of their location or the jurisdiction where they operate. The other options are incorrect, as they do not reflect the requirements of the GDPR or the guidance of the European Data Protection Board (EDPB) on BCRs23. References:

• GDPR Article 47(2)(a)
• EDPB Guidelines 3/2018 on the territorial scope of the GDPR
• EDPB Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679