CIPP-E Certified Information Privacy Professional/Europe (CIPP/E) Questions and Answers

According to the UK GDPR, consent means “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” 1. One of the requirements for consent to be informed is that the data subject should be aware of the identity of the controller who is processing the personal data 2. In this scenario, Ms. Iman only gave consent to Liem to process her personal data for marketing purposes, but she was not informed that JaphSoft, a third-party controller, would also access and process her personal data. Therefore, her consent was not valid in regard to JaphSoft, as she did not know who was processing her personal data and for what purposes. References:

• UK GDPR Article 4 (11)
• UK GDPR Recital 42

Article 82 of the GDPR introduces a right to compensation for damage caused as a result of an infringement of the GDPR1. Article 82 (1) states that any person who has suffered material or non-material damage as a result of an infringement of the GDPR shall have the right to receive compensation from the controller or processor for the damage suffered1. Article 82 (2) states that any controller involved in processing shall be liable for the damage caused by processing which infringes the GDPR1. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller1. Article 82 (3) states that a controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage1. In this case, Jack is liable for the damage caused by the data breach, as he violated the GDPR by posting the patient’s name and health information, along with disparaging comments, on a social media website. This constitutes an infringement of the GDPR, as it violates the principles of lawfulness, fairness, and transparency (Article 5 (1) (a)), purpose limitation (Article 5 (1) (b)), data minimisation (Article 5 (1) ©), accuracy (Article 5 (1) (d)), integrity and confidentiality (Article 5 (1) (f)), and the rights of the data subject (Articles 12-23)1. The pharmaceutical company is not liable for the damage caused by the data breach, as it can prove that it is not in any way responsible for the event giving rise to the damage. The company provided privacy training to Jack, informed him of the privacy policy, obtained his consent, and dismissed him as soon as the breach was discovered. Therefore, the company complied with the obligations of the GDPR, such as the accountability principle (Article 5 (2)), the data protection by design and by default principle (Article 25), the security of processing principle (Article 32), and the notification of a personal data breach to the supervisory authority principle (Article 33)1. Therefore, option D is the correct answer. References: Art. 82 GDPR – Right to compensation and liability, Article 82 GDPR - GDPRhub

According to the CIPP/E study guide1, the European Commission is the EU institution that has the power to propose new data protection legislation on its own initiative, as well as amend or repeal existing laws. The European Commission is also responsible for implementing and enforcing the EU data protection framework, in cooperation with other institutions and national authorities.

References: 1: Free CIPP/E Study Guide - International Association of Privacy Professionals

 The GDPR requires that consent must be freely given, specific, informed and unambiguous1. This means that app developers must provide clear and transparent information about the purposes and legal basis of the data processing, and allow users to choose which types of processing they agree to and which they do not. For example, users should be able to consent separately to different types of cookies, such as functional, analytical or marketing cookies2. Users should also be able to withdraw their consent at any time as easily as they gave it1. Therefore, app design and implementation must take into account these requirements and provide users with granular and user-friendly consent options, rather than relying on pre-ticked boxes, implied consent or default settings3. References: 1 Art. 4 (11) and Art. 7 GDPR – Definitions and Conditions for consent - General Data Protection Regulation (GDPR)2 Guidelines 05/2020 on consent under Regulation 2016/679 - European Data Protection Board3 How To Make Compliant GDPR Consent Forms (With Examples) - Termly.

 According to Article 9 of the GDPR, special category data is personal data that needs more protection because it is sensitive. The GDPR defines 10 types of personal data as special categories, which are:

• personal data revealing racial or ethnic origin;
• personal data revealing political opinions;
• personal data revealing religious or philosophical beliefs;
• personal data revealing trade union membership;
• genetic data;
• biometric data (where used for identification purposes);
• data concerning health;
• data concerning a person’s sex life; and
• data concerning a person’s sexual orientation.

Among the answer choices, only option B falls under one of these categories, as trade union membership is considered to reveal political opinions or beliefs. Option A, C and D are not considered as special category data, as they do not reveal any sensitive information about the data subject. However, they are still subject to the general principles and rules of the GDPR, such as lawfulness, fairness, transparency, accuracy, security, etc. References:

• Special category data | ICO
• Art. 9 GDPR Processing of special categories of personal data
• Special Categories of Data - International Association of Privacy Professionals

Ben’s collection of additional data from customers, especially sensitive data such as philosophical beliefs and political opinions, created several potential issues for the company, such as:

• The risk of violating the data minimization principle, which requires that personal data collected must be adequate, relevant and limited to what is necessary for the purposes of the processing1.
• The risk of infringing the rights and freedoms of the data subjects, who may not be aware of or consent to the secondary use of their data by Ben Knows Best, or the unauthorized access and copying of their data by Sam.
• The risk of non-compliance with the GDPR’s requirements for processing special categories of data, which include data revealing philosophical beliefs and political opinions. Such data can only be processed under certain conditions, such as explicit consent, substantial public interest, or legal claims2.
• The risk of data breaches or losses, as the data is transferred to a separate database, copied by Sam, and stored on the company’s servers in Vermont, which may not have adequate security measures or safeguards.

Therefore, the company would most likely require a data protection impact assessment (DPIA) to identify and mitigate these risks. A DPIA is a process that helps assess the impact of the envisaged processing operations on the protection of personal data, and consult with the supervisory authority if the DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk3. The other options are not necessarily required by the GDPR, although they may be good practices or contractual terms. References:

• Free CIPP/E Study Guide, page 32, section 4.1.2
• CIPP/E Certification, page 27, section 4.1.2
• The Ultimate CIPP/E Study Guide for 2023, page 36, section 4.1.2
• Principles - General Data Protection Regulation (GDPR), Article 5
• Special categories of personal data - General Data Protection Regulation (GDPR), Article 9
• Data protection impact assessment - General Data Protection Regulation (GDPR), Article 35

According to Article 45 of the GDPR, the European Commission has the power to determine whether a third country, a territory or one or more specified sectors within a third country, or an international organisation ensures an adequate level of protection of personal data. This means that personal data can flow from the EU and the EEA to that third country without any further safeguard being necessary. The adequacy decision is based on an assessment of the legal framework, the enforcement mechanisms, the access by public authorities, the international commitments and the cooperation with the EU of the third country or organisation. The European Commission also monitors the functioning of the adequacy decisions and can repeal, amend or suspend them if the level of protection is no longer ensured. The European Commission has so far recognised several countries and organisations as providing adequate protection, such as Japan, Canada, Switzerland, the UK and the EU-US Data Privacy Framework. References: GDPR Article 45, Data protection adequacy for non-EU countries, Adequacy decisions | European Data Protection Board

• Article 82 of the GDPR1234 regulates the right to compensation and liability for any person who has suffered material or non-material damage as a result of an infringement of the GDPR.
• Paragraph 4 of Article 821234 states that a controller or processor shall be exempt from liability under paragraph 2 (which holds them liable for the damage caused by processing which infringes the GDPR) if it proves that it is not in any way responsible for the event giving rise to the damage.
• Therefore, the right to compensation and liability under the GDPR provides for an exemption from liability if the data controller (or data processor) proves that it is not in any way responsible for the event giving rise to the damage.

References:

1: Art. 82 GDPR – Right to compensation and liability - General Data Protection Regulation (GDPR)

2: Art. 82 GDPR - Right to compensation and liability - GDPR.eu

3: GDPR Article 82: Right to compensation and liability - Advisera

4: Article 82 GDPR | Right to compensation and liability

The EU Artificial Intelligence Act (AI Act) is a proposed regulation that aims to establish harmonised rules on the development and use of artificial intelligence in the EU. The AI Act classifies AI systems according to their level of risk and imposes various requirements and obligations on providers and users of such systems. The AI Act also provides for the enforcement of its rules by national competent authorities and the European Commission. According to Article 71 of the AI Act, the sanctions for non-compliance with the AI Act depend on the type and severity of the infringement. The maximum fine for the most serious infringements, such as placing on the market or putting into service prohibited AI systems, or failing to comply with the data and data governance requirements for high-risk AI systems, is the higher of up to 30 million Euro or up to 6% of the total worldwide annual turnover of the preceding financial year of the legal entity concerned. This is the same level of fine as for the most serious infringements of the General Data Protection Regulation (GDPR).

References:

•EUR-Lex - 52021PC0206 - EN - EUR-Lex1

•European Parliament Adopts Negotiating Position on the AI Act2

According to the GDPR, personal data means any information relating to an identified or identifiable natural person1. Body temperature is a type of personal data that can reveal information about an individual’s health and therefore constitutes special category data under Article 9 of the GDPR2. However, not every activity involving personal data falls within the scope of the GDPR. The GDPR applies only to the processing of personal data wholly or partly by automated means or to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system3.

In this scenario, the organization conducts body temperature checks as a part of COVID-19 monitoring. Body temperature is measured manually and is not followed by registration, documentation or other processing of an individual’s personal data. This means that the organization does not use any automated means to collect, store, or process the body temperature data, nor does it create or intend to create a filing system that contains such data. Therefore, this practice does not involve any processing of personal data within the meaning of the GDPR and is not subject to its rules and obligations.

The other options are incorrect because:

• A. Body temperature is considered personal data, as it can be linked to an identifiable natural person and reveal information about their health2.
• C. Body temperature is not considered pseudonymous data, as it is not processed in a way that the data can no longer be attributed to a specific data subject without the use of additional information4.
• D. The practice is not for the purpose of alleviating extreme risks to public health, as it is not based on any legal obligation, public interest, or vital interest that would justify the processing of special category data under Article 9 of the GDPR5.

References: 1 Article 4(1) of the GDPR2 Policy Brief: Location Data Under Existing Privacy Laws | FPF23 Article 2(1) of the GDPR4 Article 4(5) of the GDPR5 Article 9(2) of the GDPR.

The GDPR defines data concerning health as a special category of personal data that is subject to specific processing conditions and safeguards. The GDPR prohibits the processing of such data unless one of the exceptions in Article 9 applies. One of these exceptions is the explicit consent of the data subject, which means that the data subject has given a clear and affirmative indication of their agreement to the processing of their health data. Another exception is when the processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care. A third exception is when the processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services. These exceptions are based on the principle of necessity, which means that the processing must be strictly necessary for a specific purpose and cannot be achieved by other means.

In the given scenario, the journalist does not fall under any of these exceptions. The journalist is not a health professional, a public authority, or a person who has obtained the explicit consent of the data subject. The journalist is not processing the data for any legitimate purpose related to public health, medical care, or social protection. The journalist is merely pursuing their own interest in publishing a story that may or may not be in the public interest. The journalist is not respecting the data subject’s rights and freedoms, especially their right to privacy and confidentiality. Therefore, the journalist would be least likely to be allowed to engage in the collection, use, and disclosure of the data subject’s sensitive medical information without their knowledge or consent. References:

• Article 4 (15) and Article 9 of the GDPR
• Health data | ICO
• What does the GDPR mean for personal data in medical reports?
• Sensitive data and medical confidentiality - FutureLearn
• Health data and data privacy: storing sensitive data under GDPR

 According to GDPR Article 4(22), a supervisory authority is concerned by the processing of personal data if the data subjects residing in its member state are substantially affected or likely to be substantially affected by the processing, or if a complaint has been lodged with it. This concept is mainly introduced to ensure that the rights and interests of data subjects are protected by the supervisory authorities that are closest to them, regardless of where the controller or processor is established or where the lead supervisory authority is located. The concerned supervisory authorities have the right to participate in the one-stop-shop and consistency mechanisms, and to express their views and objections on the draft decisions of the lead supervisory authority. They also have the duty to cooperate and assist each other in the performance of their tasks. References: GDPR Article 4(22), GDPR Article 60, GDPR Article 63, The role of the ’supervisory authority concerned’ (Chapter 3.1 …

According to Article 3(1) of the GDPR1, personal data shall be processed in any member state only on the basis of a decision taken at a Union level that is binding for that member state, unless it is derogated from by national law. This means that the GDPR applies to any processing of personal data within the EU, regardless of where the controller or processor is located, as long as it is based on a decision made at a Union level that is binding for that member state.

Therefore, option B would most likely trigger the extraterritorial effect of the GDPR, as it involves personal data of EU citizens being processed by a controller or processor based outside the EU, which may be subject to a decision made at a Union level that is binding for that member state.

Option A would not trigger the extraterritorial effect of the GDPR, as it involves monitoring suspected terrorists, which is not considered processing under Article 4(1) and (2) of the GDPR1. Monitoring may fall under other legal frameworks, such as national security or counter-terrorism laws.

Option C would not trigger the extraterritorial effect of the GDPR, as it involves monitoring EU citizens outside the EU by non-EU law enforcement bodies, which may not be subject to any decision made at a Union level that is binding for that member state.

Option D would not trigger the extraterritorial effect of the GDPR, as it involves processing personal data of EU residents by a non-EU business that targets EU customers, which may not be subject to any decision made at a Union level that is binding for that member state.

References: 1: Free CIPP/E Study Guide - International Association of Privacy Professionals.

According to the EDPB Guidelines 01/2021 on Examples regarding Personal Data Breach Notification, a confidentiality breach occurs when personal data is disclosed or made available to unauthorized persons. This is the case when exfiltration of job application data from a website results in personal information being accessible to unauthorized persons, such as hackers or competitors. This type of breach may pose a high risk to the rights and freedoms of the data subjects, as it may lead to identity theft, fraud, discrimination, or reputational damage. Therefore, the data controller should notify the data subjects without undue delay, unless the data is encrypted or anonymized, or the controller has taken subsequent measures to ensure that the high risk is no longer likely to materialize.

References: EDPB Guidelines 01/2021 on Examples regarding Personal Data Breach Notification, page 151; CIPP/E Textbook, page 136.

 Article 9 of the GDPR prohibits the processing of special categories of personal data, which are data that reveal sensitive information about the data subject and may pose a high risk to their rights and freedoms. The GDPR defines 10 types of personal data as special categories, which are:

• personal data revealing racial or ethnic origin;
• personal data revealing political opinions;
• personal data revealing religious or philosophical beliefs;
• personal data revealing trade union membership;
• genetic data;
• biometric data (where used for identification purposes);
• data concerning health;
• data concerning a person’s sex life; and
• data concerning a person’s sexual orientation.

Among the answer choices, only option C is not one of these categories, as financial data is not considered to reveal any sensitive information about the data subject. However, financial data is still subject to the general principles and rules of the GDPR, such as lawfulness, fairness, transparency, accuracy, security, etc. References:

• Special category data | ICO
• Art. 9 GDPR Processing of special categories of personal data
• Special Categories of Data - International Association of Privacy Professionals

 The ePrivacy Directive (ePD) and the General Data Protection Regulation (GDPR) are two EU laws that regulate different aspects of personal data processing. The ePD focuses on electronic communications and the use of cookies and similar technologies, while the GDPR covers the broader principles and rights of data protection. Both laws apply to any organization that processes personal data of individuals in the EU, regardless of where the organization is located.

Option D involves both electronic communication and personal data processing, and therefore requires compliance with both ePD and GDPR. Paying a search engine company to give prominence to certain products and services within specific search results implies the use of cookies or similar technologies to track the online behavior of users and target them with personalized ads. This requires the consent of the users under the ePD, as well as the provision of clear and comprehensive information about the purpose and scope of the data processing. Moreover, the organization must comply with the GDPR requirements for data protection by design and by default, data minimization, data security, data subject rights, and accountability.

Option A only involves the use of cookies or similar technologies, and therefore only requires compliance with the ePD. Creating an untargeted pop-up ad on a website does not involve the processing of personal data, as the ad is not based on the online behavior or preferences of the users. However, the organization must still obtain the consent of the users for the use of cookies or similar technologies, and provide them with clear and comprehensive information about the purpose and scope of the data processing.

Option B only involves the processing of personal data, and therefore only requires compliance with the GDPR. Calling a potential customer to notify her of an upcoming product sale involves the collection and use of the customer’s personal data, such as name, phone number, and purchase history. The organization must have a lawful basis for the data processing, such as consent, contract, or legitimate interest, and must respect the data subject rights, such as the right to object, the right to access, and the right to erasure.

Option C only involves the processing of personal data, and therefore only requires compliance with the GDPR. Emailing a customer to announce that his recent order should arrive earlier than expected involves the use of the customer’s personal data, such as name, email address, and order details. The organization must have a lawful basis for the data processing, such as consent, contract, or legitimate interest, and must respect the data subject rights, such as the right to object, the right to access, and the right to erasure. References:

• Free CIPP/E Study Guide, page 15, section 2.3.3
• CIPP/E Certification, page 10, section 1.1.2
• Cipp-e Study guides, Class notes & Summaries, document “CIPP/E Exam Summary 2023”, page 42, section 2.3.3
• ePrivacy: The EU’s other data protection rule
• The New Rules of Data Privacy
• A guide to GDPR data privacy requirements
• A guide to the data protection principles

 According to the UK GDPR, the processing of personal data must be lawful, fair and transparent1. Lawfulness means that there must be a valid legal basis for processing personal data, such as consent, contract, legal obligation, vital interests, public task or legitimate interests1. Fairness means that the processing must not be detrimental, unexpected or misleading to the individuals concerned1. Transparency means that the individuals must be informed about how their data is used, who it is shared with, what rights they have and how they can exercise them1. Therefore, the sentence that best summarizes these concepts is option A, which states that fairness and transparency refer to the communication of key information before collecting data; lawfulness refers to compliance with government regulations. References: 1 https://ico.org.uk/for-organisations-2/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/lawfulness-fairness-and-transparency/

 According to Article 42 of the GDPR, the Commission may approve certification mechanisms, seals and marks for the purpose of demonstrating the existence of appropriate safeguards for personal data transfers to third countries or international organisations. These certification mechanisms, seals and marks are voluntary and transparent, and are issued by accredited certification bodies or by the competent supervisory authorities. They are subject to the general provisions on certification in Articles 42 and 43 of the GDPR. They are intended to enhance the trust of data subjects and facilitate the free flow of personal data within the Union and beyond. They are also subject to periodic review and withdrawal or suspension if the conditions for certification are not or are no longer met. References:

• Article 42 of the GDPR
• European Data Protection Law & Practice textbook, Chapter 8: Transfers of Personal Data to Third Countries, Section 8.3: Appropriate Safeguards, Subsection 8.3.4: Certification Mechanisms, Seals and Marks
• Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation

The ePrivacy Directive, also known as the Cookie Law, is the EU legislation that regulates the use of cookies and other tracking technologies on websites and mobile applications. The ePrivacy Directive states that the use of cookies on websites and mobile applications is conditioned upon the prior consent of users, unless the cookies are strictly necessary for the provision of the service. Users must also be given clear and comprehensive information about the purposes of the cookies and the means to refuse them. The ePrivacy Directive complements the GDPR, which also applies to the processing of personal data through cookies, but does not specifically address the consent requirement for cookies. The other answer choices are not relevant to the consent requirement for cookies, as they regulate different aspects of the digital economy and society. The E-Commerce Directive establishes the legal framework for online services in the EU, such as information society services, electronic contracts, and liability of intermediaries. The Data Retention Directive requires telecommunication providers to retain certain data for a period of time for the purpose of law enforcement and national security. The EU Cybersecurity Directive aims to enhance the security of network and information systems across the EU, by setting common standards and obligations for operators of essential services and digital service providers. References:

• Cookies, the GDPR, and the ePrivacy Directive - GDPR.eu
• What is the EU Cookie Law (ePrivacy Directive)? - Cookie Script
• EU Cookie Law - Data Protection and Cookies - Cookiebot™
• ePrivacy Directive - Regulations - Learn how CookiePro Helps

 According to Article 33 of the GDPR, processors must notify controllers without undue delay after becoming aware of a personal data breach1. Even though Leon and Fred did not disclose the data to anyone else, the unauthorized access and copying of the log files still constitutes a personal data breach2. Therefore, Techiva, as a processor, has a legal responsibility to report it to TripBliss Inc., as the controller. The other options are not legal obligations for processors, although they may be good practices or contractual terms. References:

• Free CIPP/E Study Guide, page 32, section 4.1.2
• CIPP/E Certification, page 27, section 4.1.2
• Cipp-e Study guides, Class notes & Summaries, page 38, section 4.1.2
• New IAPP CIPP-E Exam Practice Questions, question 141
• Processors’ responsibilities, paragraph 2

According to Article 13 of the GDPR, when a controller obtains personal data directly from the data subject, the controller must provide the data subject with certain information about the processing of their data, such as the identity and contact details of the controller, the purposes and legal basis of the processing, the recipients or categories of recipients, the period of storage, the rights of the data subject, the right to lodge a complaint, etc. However, the controller does not have to provide the data subject with the categories of personal data concerned, as this information is already known by the data subject, since they provided the data themselves. This is different from Article 14, which applies when the controller obtains personal data from a source other than the data subject, and requires the controller to inform the data subject of the categories of personal data concerned, as well as the source of the data. References:

• Art. 13 GDPR - Information to be provided where personal data are collected from the data subject
• Art. 14 GDPR - Information to be provided where personal data have not been obtained from the data subject
• Article 13: Information to be provided where personal data are collected from the data subject - GDPR

According to the transparency principle, data controllers must provide clear and transparent information to data subjects about how their personal data is processed. This information must be easily accessible and easy to understand. Providing a hyperlink to the organization’s home page, in a hard copy application form, is not considered a fair processing practice in relation to the transparency principle, because it does not directly inform the data subject about the specific purposes and legal basis of the processing, the data protection rights and obligations, and the contact details of the data controller and the data protection officer. This information should be provided in a concise, intelligible and easily accessible form, using clear and plain language, in a way that is appropriate to the means of communication. Providing a hyperlink to the organization’s home page, in a hard copy application form, does not meet these criteria and may also be inaccessible to some data subjects who do not have internet access or are not familiar with the use of hyperlinks. Therefore, this option is not a fair processing practice in relation to the transparency principle. References: 1234 https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guidance-for-the-use-of-personal-data-in-political-campaigning-1/lawful-fair-and-transparent-processing/ https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guidance-for-the-use-of-personal-data-in-political-campaigning-1/lawful-fair-and-transparent-processing/

The GDPR does not explicitly regulate background checks, but it does apply to the processing of personal data that may be obtained or used during such checks. Therefore, the company must comply with the GDPR principles, such as lawfulness, fairness, transparency, data minimization, purpose limitation, accuracy, storage limitation, integrity and confidentiality, and accountability. The company must also identify a lawful basis for processing personal data, such as legal obligation, legitimate interest, or consent, and respect the data subject rights, such as the right to information, access, rectification, erasure, restriction, objection, and portability. Moreover, the company must be aware of the specific rules and restrictions regarding the processing of special categories of data (such as biometric, health, or political data) and data relating to criminal convictions and offences, which are subject to Article 10 of the GDPR and the laws of each member state. The company must also consider the national employment laws and the guidelines of the relevant supervisory authorities, which may impose additional conditions or limitations on the scope, methods, and purposes of background checks. For example, some member states may require prior authorization, notification, or consultation with the supervisory authority, the data subject, or the works council before conducting background checks. Some member states may also prohibit or restrict certain types of background checks, such as social media screening, credit checks, or criminal record checks, unless they are necessary, proportionate, and relevant for the specific job position or sector. Therefore, the company must conduct a thorough assessment of the legal framework and the risks and benefits of background checks in each member state where it operates or recruits employees, and ensure that it has a clear and consistent policy and procedure for conducting background checks in a GDPR-compliant manner. References: How to ‘background check’ under the GDPR, How to perform GDPR compliant background checks, GDPR and the processing of criminal conviction data across Europe, Pre-employment vetting: Data protection and criminal records, How GDPR Affects Background Checking

According to Article 49 of the GDPR, transfers of personal data to third countries or international organisations may take place in the absence of an adequacy decision or appropriate safeguards, such as standard contractual clauses or binding corporate rules, only if one of the derogations listed in that article applies1. One of the derogations is when the transfer is necessary for the protection of the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent1. This derogation is intended to cover only urgent situations, such as medical emergencies, where the transfer is essential for the data subject’s life or health2.

In this scenario, ProStorage most likely relied on this derogation to transfer Ruth’s medical information to the hospital in India, where she suffered a medical emergency and was hospitalized. The transfer was necessary for the protection of Ruth’s vital interests, as she was in a critical condition and needed urgent medical care. Ruth was also physically or legally incapable of giving consent, as she was unconscious or incapacitated. Therefore, option B is the correct answer.

Option A is incorrect because Ruth’s implied consent is not a valid transfer mechanism under the GDPR. Consent must be explicit, informed, specific, and freely given for the transfer of personal data to third countries or international organisations1. Ruth did not give any explicit consent for the transfer of her medical information to the hospital, nor was she informed or asked about it. Moreover, consent cannot be relied on as a transfer mechanism when the data subject is in a situation of distress or dependence, such as a medical emergency, as it would not be considered freely given2.

Option C is incorrect because the performance of a contract with Ruth is not a valid transfer mechanism under the GDPR. The transfer of personal data to third countries or international organisations on the basis of a contract with the data subject is only allowed if the transfer is necessary for the performance of that contract or for the implementation of pre-contractual measures taken at the data subject’s request1. In this scenario, there is no contract between ProStorage and Ruth that requires or justifies the transfer of her medical information to the hospital. The transfer is not necessary for the performance of Ruth’s employment contract with ProStorage, nor for any pre-contractual measures taken by Ruth.

Option D is incorrect because the protection against legal liability from Ruth is not a valid transfer mechanism under the GDPR. The transfer of personal data to third countries or international organisations on the grounds of legal claims or defence is only allowed if the transfer is necessary for the establishment, exercise or defence of legal claims1. In this scenario, there is no legal claim or defence involved in the transfer of Ruth’s medical information to the hospital. The transfer is not necessary for the establishment, exercise or defence of any legal claim by or against ProStorage or Ruth.

References:

• Derogations for specific situations
• Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679

The GDPR and the Convention 108 are two important data protection instruments that aim to protect the rights and freedoms of individuals with regard to their personal data. They both have some similarities and some differences, but one common feature is that they both require notification of processing activities to a supervisory authority.

A supervisory authority is an independent public body that monitors and enforces compliance with data protection laws. In the EU, there are 47 national data protection authorities (DPAs) that have the power to impose administrative fines, issue guidelines, conduct investigations, and cooperate with other authorities1. In the Council of Europe, there are 54 parties to the Convention 108 that have established their own supervisory authorities or have agreed to be supervised by an external authority2.

Notification of processing activities is a requirement for any controller or processor of personal data that falls under the scope of the GDPR or the Convention 108. A controller is a natural or legal person who determines the purposes and means of the processing of personal data3. A processor is a natural or legal person who processes personal data on behalf of a controller3. Notification means informing the supervisory authority about certain aspects of the processing, such as:

• The identity and contact details of the controller and processor
• The categories and sources of personal data
• The purposes and legal basis for processing
• The recipients or categories of recipients of personal data
• The retention period or criteria for determining it
• The existence of any automated decision-making or profiling
• The rights of data subjects and how they can exercise them

Notification can be done in various ways, such as:

• Submitting a written notification form
• Publishing a notice on a website or other platform
• Sending an email or other electronic message
• Using an online system or portal

Notification should be done as soon as possible after becoming aware of any relevant information about the processing. It should also be updated whenever there are significant changes in relation to the processing4.

Therefore, both the GDPR and the Convention 108 require notification of processing activities to a supervisory authority. This is one way to ensure transparency, accountability, and compliance with data protection laws.

The GDPR allows for derogations for specific situations when a transfer of personal data to a third country or an international organization cannot be based on an adequacy decision, appropriate safeguards, or binding corporate rules1. However, these derogations are exceptions to the general rule and should not become the norm. The EDPB confirmed that derogations should only be used as a last resort and when interpreted restrictively, taking into account the nature of the data, the purpose and duration of the processing, the country of origin and destination, and the rights and freedoms of data subjects23. The EDPB also stressed that the data exporter must assess the level of protection in the third country and ensure that the transfer does not undermine the essence of the fundamental rights and freedoms of data subjects23. References: 1: Article 49 of the GDPR 2: Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679 3: A guide to international transfers | ICO

ISO 31700 is an international standard that provides high-level requirements and recommendations for organizations that use privacy by design (PbD) in the development, maintenance and operation of consumer goods and services. PbD is a concept that aims to integrate privacy into products, services and systems by default, following seven main principles: proactive not reactive, privacy as the default, privacy embedded into design, full functionality, end-to-end security, visibility and transparency, and respect for user privacy. PbD is also a legal requirement under many prominent privacy regulations across the world, such as the GDPR. ISO 31700 is based on a consumer-centric approach, where the consumer’s privacy rights and preferences are placed at the center of product development and operation.

References: Meet the new ISO 31700 standard for Privacy by Design (PbD); 7 Steps to Comply with ISO 31700-1:2023; Privacy by Design: Embracing ISO 31700-1:2023’s Consumer Protection Guidelines.

According to the CIPP/E study guide, Article 33 of the GDPR requires data controllers to notify the supervisory authority of a personal data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons1. Article 34 of the GDPR requires data controllers to communicate the personal data breach to the data subject without undue delay when the breach is likely to result in a high risk to the rights and freedoms of natural persons2. Both articles specify the minimum information that the data controller must provide to the supervisory authority and the data subject, which includes: the nature of the breach, the categories and approximate number of data subjects and personal data records concerned, the name and contact details of the data protection officer or other contact point, the likely consequences of the breach, and the measures taken or proposed to address the breach and mitigate its possible adverse effects12. However, neither article requires the data controller to disclose the type of security safeguards used to protect the data, as this information is not relevant for the purposes of notification and may even compromise the security of the data further3. References: 1: CIPP/E study guide, page 84; Art. 33 GDPR; Guidelines 01/2021 on Examples regarding Data Breach Notification2: CIPP/E study guide, page 85; [Art. 34 GDPR]; Guidelines 01/2021 on Examples regarding Data Breach Notification3: Personal Data Breach | European Data Protection Supervisor; What is a data breach and what do we have to do … - European Commission.

The GDPR requires that personal data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures1. This principle is known as integrity and confidentiality, or sometimes as security2. Encryption is one of the possible technical measures that can be used to protect personal data at rest, as it makes the data unintelligible to anyone who does not have the key to decrypt it3. By recommending that the company encrypts all personal data at rest, Tanya is following the principle of integrity and confidentiality, as she is ensuring that the personal data is secure and protected from unauthorised access or accidental damage. References: 1: Article 5(1)(f) of the GDPR 2: A guide to the data protection principles | ICO 3: Encryption | ICO

The GDPR imposes several obligations on data controllers when they engage data processors to process personal data on their behalf. One of these obligations is to ensure that the contract or other legal act between the controller and the processor stipulates that the processor must assist the controller in complying with its obligations under the GDPR, including the obligation to notify personal data breaches to the competent supervisory authority and, where applicable, to the affected data subjects1. However, this does not mean that the processor can directly notify the supervisory authority without the involvement of the controller. The GDPR clearly states that it is the controller’s responsibility to notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of the breach2. The processor must only notify the controller without undue delay after becoming aware of the breach3. Therefore, requiring that the processor directly notify the appropriate supervisory authority is not an action that a data controller can depend upon to avoid liability in the event of a security breach, as it would be contrary to the GDPR and the controller’s own obligation. Options A, B and D are actions that a data controller can take to reduce the risk of liability, as they demonstrate that the controller has exercised due diligence, assessed the potential impact of outsourcing, and chosen a reliable and compliant processor. References: 1: Article 28(3)(f) of the GDPR 2: Article 33(1) of the GDPR 3: Article 33(2) of the GDPR

According to Article 36 of the GDPR, when a controller intends to process personal data that would result in a high risk to the rights and freedoms of data subjects, and a data protection impact assessment under Article 35 indicates that the risk cannot be mitigated by the controller, the controller must consult the supervisory authority before processing. The purpose of this prior consultation is to seek the advice of the supervisory authority on whether the processing complies with the GDPR and what measures can be taken to ensure compliance. During the prior consultation, the controller must provide the supervisory authority with the following information:

• the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings;
• the purposes and means of the intended processing;
• the measures and safeguards provided to protect the rights and freedoms of data subjects pursuant to the GDPR;
• the contact details of the data protection officer, if any;
• the data protection impact assessment provided for in Article 35; and
• any other information requested by the supervisory authority.

Therefore, the correct answer is B. An explanation of the purposes and means of the intended processing. This information is essential for the supervisory authority to understand the nature and scope of the processing and to assess its compliance with the GDPR. The other options are not required by Article 36, although they may be relevant for other aspects of the GDPR, such as the data protection by design and by default principle (A), the lawfulness of processing ©, or the designation of the data protection officer (D). References:

• Article 36 of the GDPR, which regulates the prior consultation with the supervisory authority.
• ICO guidance, which explains the process and requirements of the prior consultation.
• EDPB guidelines, which provide further guidance on the criteria and procedure of the prior consultation.

 According to the GDPR, the right of access by the data subject is one of the rights granted to individuals to obtain information about the processing of their personal data by a data controller1. The data controller must provide a copy of the personal data undergoing processing and additional information, such as the purposes, the categories, the recipients, the retention period, the rights, the source, and the automated decision-making of the processing1. The data controller must also inform the data subject of the existence of the right to access and the means to exercise it2.

The GDPR also specifies the time limit for responding to a data subject access request. The data controller must provide the information without undue delay and in any event within one month of receipt of the request1. This period may be extended by two further months where necessary, taking into account the complexity and number of the requests, but the data controller must inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay1. The data controller must also verify the identity of the data subject before providing the information, but this verification should not extend the time limit for responding to the request3.

In this scenario, Mike is an EU resident who has booked travel itineraries through XYZ Travel Agency and stayed at ABC Hotel Chain’s locations. Both companies are U.S.-based multinational companies that use a common platform for collecting and sharing their customer data. Mike has signed the agreement to be a rewards program member of XYZ Travel Agency. Mike wants to know what personal information the company holds about him and sends an email requesting access to his data.

Assuming that both companies are subject to the GDPR, either because they offer goods or services to individuals in the EU or because they monitor the behavior of individuals in the EU4, they must comply with the right of access by the data subject and provide Mike with the information he requests. The time period in which Mike should receive a response to his request is not more than one month of receipt of his request, unless there are grounds for extending the period by two further months. The companies must also verify Mike’s identity before providing the information, but this verification should not affect the time limit for responding to the request.

Therefore, the correct answer is A. Not more than one month of receipt of Mike’s request.

References: 1 Article 15 of the GDPR2 Article 13 and 14 of the GDPR3 Guidelines on the right to data portability | European Data Protection Board34 Article 3 of the GDPR.

The GDPR requires that data subjects are provided with certain information when their personal data are collected, either from the data subject themselves or from another source12. This information includes, among other things, the identity and contact details of the controller (and, where applicable, of the controller’s representative and the data protection officer), and the purposes of the processing for which the personal data are intended as well as the legal basis for the processing34. This information is necessary to ensure fair and transparent processing of personal data, and to enable data subjects to exercise their rights under the GDPR5. Therefore, option C is the correct answer, as it contains two of the essential pieces of information that must be provided to data subjects before collecting their personal data. Options A, B and D are incorrect, as they do not include all the required information or include information that is not mandatory. References: 1: Article 13 of the GDPR 2: Article 14 of the GDPR 3: Article 13(1)(a) and © of the GDPR 4: Article 14(1)(a) and © of the GDPR 5: Recital 60 of the GDPR

The Universal Declaration of Human Rights (UDHR) was adopted by the United Nations General Assembly in 1948 as a response to the atrocities of World War II. It is considered the first global expression of human rights and fundamental freedoms. Article 12 of the UDHR states that “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.” This article is the origin of privacy as a fundamental human right that has influenced many subsequent international and regional instruments, such as the European Convention of Human Rights (ECHR), the OECD Guidelines on the Protection of Privacy, and the Charter of Fundamental Rights of the European Union (CFREU). References:

• IAPP CIPP/E Study Guide, page 7
• [Universal Declaration of Human Rights]
• [Article 12 of the UDHR]

According to Article 32 of the GDPR, the controller and the processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing1. The GDPR does not prescribe specific security measures, but rather provides a list of factors to consider when determining the appropriate level of security, such as:

• The state of the art and the costs of implementation;
• The nature, scope, context and purposes of processing;
• The risk of varying likelihood and severity for the rights and freedoms of natural persons.

Therefore, the level of security required by the GDPR is not absolute, but relative to the specific circumstances of each processing activity. The GDPR also encourages the use of codes of conduct and certification mechanisms to demonstrate compliance with the security requirements1.

In the scenario, Natural Insight is a processor who receives customer information from BHealthy, a controller, for the purpose of providing pricing services. Natural Insight has a contractual obligation to implement technical and organisational measures to ensure the security of the data, as well as to comply with the GDPR. Natural Insight’s security obligations are not limited to the measures assessed by BHealthy prior to entering into the contract, nor to the level of security that a reasonable data subject would expect. Rather, Natural Insight must take into account the industry practices for protecting customer contact information and purchase history, as well as the potential risks that may arise from the processing, such as data breaches, identity theft, fraud, or discrimination. Natural Insight must also keep up with the state of the art and the costs of implementation, and adjust its security measures accordingly.

References:

• 4: Art. 32 GDPR Security of processing

 According to the CIPP/E study guide, the Court of Justice of the European Union (CJEU) ruled in the case of Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD), Mario Costeja González1 that an Internet search engine operator is responsible for the processing of personal data that appear on web pages published by third parties, and that such operator must comply with the EU data protection law when it has an establishment in the EU. The CJEU held that Google Spain and Google Inc. were inextricably linked in their businesses, since Google Spain promoted and sold advertising space offered by Google Inc., which oriented its activity towards the inhabitants of Spain. Therefore, Google Inc. was subject to the EU data protection law through its subsidiary Google Spain, even though the personal data processing was carried out by Google Inc. outside the EU. This implies that search engines outside the EEA are also likely to be subject to the Regulation’s right to be forgotten if they have an establishment in the EU that is inextricably linked to their parent company. References: 1: CIPP/E study guide, page 16; Google Spain v AEPD and Mario Costeja González

One of the main reasons why the CJEU invalidated the Privacy Shield was that it found that the US surveillance programs were not limited to what is strictly necessary and proportionate, as required by the EU law. The CJEU also criticized the lack of effective judicial remedies for EU data subjects whose data was accessed by US authorities. The Trans-Atlantic Data Privacy Framework is intended to address these issues by introducing new safeguards to ensure that signals intelligence activities are necessary and proportionate in the pursuit of defined national security objectives, and by creating a new mechanism for EU individuals to seek redress if they believe they are unlawfully targeted by signals intelligence activities. The Framework also enhances the oversight and transparency of US surveillance practices.

References: EU–US Data Privacy Framework - Wikipedia; FACT SHEET: United States and European Commission Announce Trans-Atlantic Data Privacy Framework | The White House; United States and European Commission Joint Statement on Trans-Atlantic Data Privacy Framework; European Commission and United States Joint Statement on Trans-Atlantic Data Privacy Framework; A practical approach to the new Trans-Atlantic Data Privacy Framework.

According to Article 37(2) of the GDPR, a group of undertakings may appoint a single data protection officer (DPO) provided that the DPO is easily accessible from each establishment12. This means that the DPO should be able to communicate effectively with the data subjects and the supervisory authorities in the relevant languages and jurisdictions, and to perform the tasks referred to in Article 39 of the GDPR34. The accessibility of the DPO does not necessarily depend on the physical location of the DPO, but rather on the availability of the DPO to the relevant stakeholders via various means of communication34. Therefore, the DPO does not have to be located in the country where the data controller has its main establishment, nor does the group of undertakings have to obtain approval from a supervisory authority or be comprised of organizations of similar sizes and functions to appoint a single DPO. References: CIPP/E Certification - International Association of Privacy Professionals, Free CIPP/E Study Guide - International Association of Privacy Professionals, GDPR - EUR-Lex, What’s different about a group data protection officer?, Data Protection Officers: What US Companies Need to Know - Cooley

 According to the European Data Protection Board, the principles relating to the processing of personal data under EU data protection law are: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability1. These principles imply certain concepts or practices that data controllers and processors should follow, such as access control management, frequent pseudonymization key rotation, and error propagation avoidance along the processing chain2. However, data ownership allocation is not a concept or practice that follows from these principles, as the GDPR does not recognize the notion of data ownership by either the data subject or the data controller3. Therefore, option A is the correct answer. References:

• Data protection basics
• Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects
• CIPP/E Study Guide, page 11

 A data protection impact assessment (DPIA) is a process to help identify and minimise the data protection risks of a project that involves personal data, especially when using new technologies or processing that is likely to result in a high risk to individuals1. The UK GDPR requires data controllers to carry out a DPIA before starting such processing and to consult the supervisory authority if the DPIA indicates a high risk that cannot be mitigated1. The UK GDPR also provides some general guidance on the content and methodology of a DPIA, but it does not prescribe a specific format or procedure1. Therefore, to effectively assist Zandelay in conducting their DPIA, it would be helpful to refer to existing DPIA guides published by local supervisory authorities, such as the ICO in the UK or the DPC in Ireland23. These guides offer more detailed and practical advice on how to conduct a DPIA, what to include in it, how to assess and mitigate the risks, and when to consult the authority23. They also provide templates, checklists, examples, and case studies to illustrate the DPIA process23. By following these guides, Zandelay can ensure that their DPIA is comprehensive, consistent, and compliant with the UK GDPR and the relevant national laws.

The other options are not as effective as option C, because:

• Option A: Information about DPIAs found in Articles 38 through 40 of the UK GDPR is too general and vague to assist Zandelay in conducting their DPIA. These articles only outline the basic requirements and principles of a DPIA, but do not provide any specific guidance on how to conduct one, what to include in it, or how to assess and mitigate the risks1. Zandelay would need more detailed and practical advice to effectively perform a DPIA.
• Option B: Data breach documentation that data controllers are required to maintain is not relevant to conducting a DPIA. A data breach is a security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data1. A data controller must document any data breaches, including the facts, effects, and remedial actions taken, and notify the supervisory authority and the affected individuals without undue delay1. However, a data breach is not the same as a data protection risk, which is the potential for adverse effects on individuals as a result of the processing of their personal data2. A DPIA is a proactive and preventive measure to identify and minimise the data protection risks of a project, not a reactive and corrective measure to deal with the consequences of a data breach2.
• Option D: Records of processing activities that data controllers are required to maintain are not sufficient to assist Zandelay in conducting their DPIA. A record of processing activities is a document that contains information about the purposes, categories, recipients, transfers, retention periods, and security measures of the processing of personal data by a data controller or a data processor1. A data controller must maintain a record of processing activities under its responsibility and make it available to the supervisory authority upon request1. However, a record of processing activities is not the same as a DPIA, which is a more in-depth and systematic analysis of the data protection risks and the measures to address them2. A record of processing activities may provide some useful information for a DPIA, such as the nature, scope, context, and purposes of the processing, but it does not cover other aspects, such as the necessity, proportionality, compliance, and impact of the processing2.

https://blog.netwrix.com/2021/02/17/data-protection-impact-assessment/

https://ico.org.uk/for-organisations-2/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/

According to the Free CIPP/E Study Guide, page 12, “the GDPR requires data controllers to implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR. These measures should take into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.” The GDPR also requires data controllers to ensure the security of personal data, to notify data breaches to the supervisory authorities and data subjects, and to cooperate with the supervisory authorities in providing any information necessary for the performance of their tasks. Therefore, the GDPR requirement that data controllers must be in control of the data they hold at all times will present the most significant challenges for organizations with BYOD programs, as they will have to deal with the increased risks of data loss, theft, unauthorized access, or misuse that may arise from the use of personal devices by employees or contractors. The other options are not necessarily more challenging for organizations with BYOD programs, although they may involve other obligations under the GDPR, such as obtaining a valid legal basis, providing adequate safeguards, or informing the data subjects. References:

• Free CIPP/E Study Guide, page 12
• GDPR, Articles 24, 25, 28, 32, 33, 34 and 58

The GDPR allows the transfer of personal data to countries outside of the EEA that do not provide an adequate level of data protection, if appropriate safeguards are provided by the data exporter and the data importer1. One of these safeguards are standard contractual clauses (SCCs) adopted by the European Commission, which are model clauses that impose obligations on both parties to ensure that the transfer complies with the GDPR requirements2. The SCCs also include clauses on the rights of the data subjects, the obligations of the data protection authorities, and the liability and indemnification of the parties3. One of the obligations of the data importer under the SCCs is to warrant that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract, and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the SCCs, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract4. Therefore, option D is the correct answer, as it reflects the obligation of the data importer under the SCCs to ensure that local laws do not impede the company from meeting its contractual obligations. Options A, B and C are incorrect, as they are not obligations of the data importer under the SCCs. Option A is not required by the GDPR or the SCCs, as the data importer does not need to submit the contract to its own government authority, unless the law of the country where the data importer is established requires it to do so prior to the transfer or disclosure of personal data5. Option B is not an obligation of the data importer, but of the data exporter, who must provide the data subjects with the information required by Articles 13 and 14 of the GDPR, including the fact that the data will be transferred to a third country and the appropriate safeguards in place6. Option C is not specific to the SCCs, but a general obligation of any controller or processor under the GDPR, who must cooperate with the supervisory authority and make available all information necessary to demonstrate compliance with their obligations7. References: 1: Article 46(1) of the GDPR 2: Standard Contractual Clauses (SCC) - European Commission 3: EU Standard Contractual Clauses (Word documents) 4: Clause 5(a) of the SCCs for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 5: Clause 5(b) of the SCCs for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 6: Clause 9 of the SCCs for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 7: Article 31 of the GDPR

According to Article 82 of the GDPR1, any person who has suffered material or non-material damage as a result of an infringement of the GDPR shall have the right to receive compensation from the controller or processor for the damage suffered. Any controller involved in processing shall be liable for the damage caused by processing which infringes the GDPR. Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject. Therefore, Javier can sue any one of the EVETFIT branches that were involved in processing his personal data without his consent and in violation of his rights, and he can claim full compensation from that branch. The branch that pays the compensation can then claim back from the other branches involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage. References: 1 Art. 82 GDPR – Right to compensation and liability - General Data Protection Regulation (GDPR)

 The GDPR aims to harmonize the data protection rules across the EU and to ensure consistent and effective enforcement of those rules. However, the GDPR also recognizes that there may be some differences in the interpretation and application of the law among the member states, depending on their national legislation, culture and practices. Therefore, the GDPR introduces the concept of the “main establishment” of a controller or processor, which is the place where the decisions on the purposes and means of the processing of personal data are taken in the EU1. The main establishment determines which national supervisory authority will act as the lead authority for the cross-border processing activities of that controller or processor, and which national law will apply in case of a dispute or a complaint2. The Article 29 Working Party, which is an advisory body composed of representatives of the national supervisory authorities, the European Data Protection Supervisor and the European Commission, has issued guidelines on how to identify the main establishment of a controller or processor under the GDPR3. The guidelines emphasize that the main establishment must reflect the reality of the processing activities and the effective and real exercise of management power over those activities. The guidelines also warn against the practice of “forum shopping”, which occurs when a controller or processor designates its main establishment in a member state with the most flexible or lenient data protection regime, regardless of the actual location of the decision-making or the data processing. The guidelines state that such a practice is forbidden under the GDPR, and that the supervisory authorities will closely monitor and verify the criteria used by the controllers or processors to determine their main establishment. If the supervisory authorities find that the main establishment does not correspond to the factual situation, they may challenge the designation and apply the relevant corrective measures4. References: 1 Art. 4 (16) GDPR – Definitions - General Data Protection Regulation (GDPR)2 Art. 56-58 GDPR – Cooperation and consistency - General Data Protection Regulation (GDPR)3 Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) - European Data Protection Board4 Ibid, p. 14-15.

The European model for data protection is best described as comprehensive, because it covers all sectors and types of data processing, and applies to any organization that targets or collects data related to people in the EU. The GDPR is the main legal instrument of this model, and it establishes a set of principles, rights, and obligations for data protection, as well as a harmonized framework for enforcement and cooperation among EU member states and data protection authorities. The GDPR also aims to ensure consistency with other EU laws and policies, such as the ePrivacy Directive, the Charter of Fundamental Rights, and the European Data Strategy. The European model for data protection is based on the recognition of data protection as a fundamental right and a public interest, and it reflects the EU’s values and objectives of promoting human dignity, democracy, and the rule of law. References:

• Data protection in the EU, section “Legislation”
• What is GDPR, the EU’s new data protection law?, section “What is the GDPR?”
• European Data Protection, Third Edition, page 1, section “Introduction”
• European Data Protection: Law and Practice, page 1, section “Introduction”

Article 8 of the ECHR protects the right to respect for private and family life, home and correspondence. However, this right is not absolute and can be subject to limitations by a public authority in accordance with the law and for a legitimate aim. The European Court of Human Rights (ECtHR) has developed a two-stage test to determine whether such limitations are justified. First, the court must examine whether there is a legitimate aim pursued by the public authority, such as national security, public safety or the prevention of crime. Second, the court must assess whether the means used by the public authority are appropriate and necessary to achieve that aim, taking into account all relevant factors such as proportionality, necessity and less restrictive alternatives12. Therefore, the right to privacy is not an absolute right but a qualified one that has to be balanced against other rights under the ECHR. References:

• Article 8 - Protection of personal data
• Your right to respect for private and family life
• Right to respect for private and family life
• Guide on Article 8 of the European Convention on Human Rights
• European Convention on Human Rights - Article 8

Works councils are employee representative bodies that exist in some European countries, such as Germany, France, Spain and Italy. They have various roles and powers depending on the national laws and collective agreements, but generally they aim to protect and promote the interests of the employees in relation to the employer. Some of the common roles of works councils are:

• Determining whether to approve or reject certain decisions of the employer that affect employees, such as transfers, dismissals, redundancies, working hours, health and safety, etc.
• Determining whether employees’ personal data can be processed or not, based on the principle of co-determination, which means that the employer needs the consent of the works council for any data processing that involves employee monitoring, evaluation or control.
• Determining what changes will affect employee working conditions, such as wages, benefits, training, social facilities, etc.

However, works councils do not have the role of determining the monetary fines to be levied against employers for data breach violations of employee data. This is the role of the data protection authorities, which are independent public bodies that supervise, through investigative and corrective powers, the application of the data protection law. Works councils may cooperate with the data protection authorities or file complaints on behalf of the employees, but they do not have the authority to impose sanctions on the employers. References: Free CIPP/E Study Guide, page 27; CIPP/E Certification, page 13.

Section: (none)

Explanation

 The European Council and the Council of the European Union are two different EU institutions that have similar names but distinct roles and memberships. The European Council is the body of leaders (heads of state or government) of the 27 EU member states that defines the EU’s general political direction and priorities1. The European Council does not adopt EU legislation, but rather sets the agenda and gives guidance to the other EU institutions1. The Council of the European Union, informally known as the Council, is composed of national ministers from each EU member state, grouped by policy area1. The Council is one of the two legislative bodies of the EU, along with the European Parliament, and negotiates and adopts EU laws, coordinates member states’ policies, and develops the EU’s common foreign and security policy1. The key difference between the two institutions is that the European Council is comprised of the heads of each EU member state, while the Council of the European Union is comprised of the ministers of each EU member state12. References: European Council | Council of the European Union, What is the difference between EU Council, Council of the European Union, and Council of Europe?

According to the GDPR, any transfer of personal data to a third country or an international organisation must be based on an adequacy decision by the Commission, appropriate safeguards by the data exporter and importer, or derogations for specific situations1. In this scenario, InstaHR is an Australian based company that processes personal data on behalf of ProStorage, a Dutch based company. Australia is not recognised by the Commission as a country that provides an adequate level of data protection2, so the adequacy option is not available. Binding corporate rules (BCRs) are internal rules adopted by multinational groups of companies or organisations that define their global policy with regard to the international transfers of personal data within the same corporate group to entities located in countries that do not provide an adequate level of protection3. However, BCRs are not applicable in this case, as InstaHR is not part of the same corporate group as ProStorage. Explicit consent of employees is a possible derogation for specific situations, but it is not a reliable or practical transfer mechanism, as it must be freely given, specific, informed and unambiguous, and it can be withdrawn at any time4. Therefore, the most suitable transfer mechanism for using InstaHR is standard contractual clauses (SCCs). SCCs are contractual clauses that have been pre-approved by the Commission and that provide appropriate safeguards for data protection when transferring personal data from the EU/EEA to third countries. SCCs are legally binding and enforceable by data subjects, and they impose obligations on both the data exporter and the data importer. SCCs are widely used by data controllers and processors as a transfer mechanism under the GDPR. References: 1: Art. 44 GDPR - General principle for transfers22: Adequacy decisions - European Commission13: Binding corporate rules - European Commission14: Article 7 of the GDPR. : Standard Contractual Clauses (SCC) - European Commission1.

 A lead supervisory authority (LSA) is the main point of contact for organisations that process personal data across multiple EU member states. The LSA is responsible for coordinating cross-border investigations, issuing binding decisions, and enforcing GDPR compliance1. Cross-border processing is the main concern of the LSA, as it involves data processing activities that affect data subjects in more than one member state, or that take place in more than one member state2. The other options are not the main concern of the LSA, as they are either covered by the national supervisory authorities of each member state, or are not specific to cross-border processing. References: Is it possible to choose your lead supervisory authority under the GDPR?, Art. 56 GDPR – Competence of the lead supervisory authority, Navigating GDPR Compliance with a Lead Supervisory Authority, Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority

 According to the GDPR, processors must maintain records of all categories of processing activities carried out on behalf of each controller, containing the following information12:

• the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer;
• the categories of processing carried out on behalf of each controller;
• where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
• where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

The records must be in writing, including in electronic form, and must be made available to the supervisory authority on request. The obligation to maintain records does not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data or personal data relating to criminal convictions and offences.

The GDPR does not require processors to include details of any data protection impact assessment (DPIA) conducted in relation to any processing activities carried out by the processor on behalf of each controller for which the processor is acting. A DPIA is a process to help identify and minimise the data protection risks of a project. It is the responsibility of the controller to carry out a DPIA where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons. The processor may assist the controller in carrying out the DPIA, but the processor does not have to document it in its records of processing activities. Therefore, the correct answer is D. References:

• GDPR, Article 30(2)
• GDPR, Article 35
• ICO, Documentation1
• ICO, Data protection impact assessments1

The Data Retention Directive was a EU law that required providers of electronic communications services to retain certain data, such as traffic and location data, for a period of between six months and two years, for the purpose of preventing, investigating, detecting and prosecuting serious crime1. However, in 2014, the Court of Justice of the European Union declared the Directive invalid, because it violated the fundamental rights to respect for private life and to the protection of personal data, as enshrined in the Charter of Fundamental Rights of the EU2. The Court found that the Directive entailed a wide-ranging and particularly serious interference with those rights, without being limited to what is strictly necessary3. One of the reasons for this finding was that the Directive applied to all individuals, all means of electronic communication and all traffic data without any differentiation, limitation or exception, thus affecting the entire population of the EU4. The Court also noted that the Directive did not provide sufficient safeguards to ensure effective protection of the data against the risk of abuse and unlawful access, and did not require the data to be retained within the EU5. References: 1 Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC2 Charter of Fundamental Rights of the European Union3 Press release No 54/14 - Judgment in Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger and Others4 Judgment of the Court (Grand Chamber) of 8 April 2014. Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others and Kärntner Landesregierung and Others. Requests for a preliminary ruling from the High Court (Ireland) and the Verfassungsgerichtshof (Austria). Joined cases C-293/12 and C-594/125 Ibid.

According to the ePrivacy Directive (2002/58/EC), the use of cookies or similar devices that store or access information on the user’s device requires the user’s consent, unless the cookie is strictly necessary to enable the use of a service requested by the user. For example, a cookie that remembers the items in a shopping cart does not require consent, but a cookie that tracks the user’s browsing behavior for analytics or advertising purposes does. The consent must be freely given, specific, informed, and unambiguous, and can be obtained through appropriate settings of the browser or other application. The consent must also be separate from other consents, such as the consent to the processing of personal data. The categories of data involved or the recipients of the data do not affect the consent requirement for the use of cookies. The consent must also be obtained before the cookie is placed or accessed, unless the cookie is exempted. Therefore, option A is correct.

Option B is incorrect because explicit consent is not required for the use of cookies, unless the cookie also involves the processing of special categories of personal data under the GDPR. However, in this scenario, there is no indication that the cookies collect or process such data. Therefore, option B is incorrect.

Option C is incorrect because the consent requirement for the use of cookies does not depend on the recipients of the data or the level of aggregation of the data. The consent must be obtained from the user whose device is accessed or stored by the cookie, regardless of who receives the data or how it is processed. Therefore, option C is incorrect.

Option D is incorrect because the consent requirement for the use of cookies does not depend on the potential for location tracking. The consent must be obtained for any cookie that is not strictly necessary to enable the use of a service requested by the user, regardless of the type or purpose of the cookie. Therefore, option D is incorrect.

References:

• ePrivacy Directive, Article 5(3)
• GDPR, Article 4(11), Article 7, Article 9
• CIPP/E Study Guide, Chapter 5, Section 5.2.2

According to Article 21 of the GDPR, the data subject has the right to object at any time to the processing of his or her personal data for direct marketing purposes, which includes profiling related to such marketing. When the data subject exercises this right, the controller must stop processing the personal data for that purpose, unless it can demonstrate compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims. The controller must also inform the data subject of this right before the first communication with him or her, and in a clear and separate manner from other information. The controller must also provide the data subject with a simple and effective way to opt out of receiving direct marketing communications, such as an unsubscribe link or a STOP text message. The controller must respect the data subject’s choice and refrain from sending any further direct marketing messages of the relevant type (e.g., email, phone, post, etc.) to the data subject, unless he or she opts in again. The controller does not need to delete the personal data of the data subject who opts out, unless the data subject also requests the erasure of his or her data under Article 17 of the GDPR, or the data is no longer necessary for the purposes for which it was collected or processed. The controller may also retain some minimal information about the data subject (such as name and email address) to ensure that his or her opt-out request is honored and that he or she is not contacted again for direct marketing purposes. The controller must also ensure that any third parties to whom it has disclosed the personal data of the data subject for direct marketing purposes are informed of the opt-out request and comply with it, unless this proves impossible or involves disproportionate effort. References: Direct marketing rules and exceptions under the GDPR, Direct marketing and privacy and electronic communications, Marketing and advertising: the law: Direct marketing, Direct Marketing - What you need to know about direct marketing

Cross-border processing is defined in Article 4(23) of the GDPR as either:

•processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or

•processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

Therefore, the factors that are relevant for identifying whether the processing could be considered a cross-border processing are:

•the location and number of establishments of the controller or processor in the EU;

•the connection between the processing and the activities of the establishments;

•the substantial effect or likelihood of substantial effect on data subjects in more than one Member State.

The total number of the data subjects interested is not necessarily a factor, as the processing could affect only a few data subjects but still have a substantial impact on them. For example, a processing that involves the disclosure of sensitive personal data of a small group of data subjects in different Member States could be considered a cross-border processing.

References:

•GDPR Article 4 - Definitions1

•Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority2

According to the GDPR, the right to be forgotten, also known as the right to erasure, is not an absolute right and only applies in certain circumstances1. One of the exceptions to this right is when the processing of personal data is necessary for the establishment, exercise or defence of legal claims2. In this scenario, the company may need to retain the personal data of Jack, such as his employment records, performance reviews, and internal emails, in order to defend itself against a possible legal action of unfair dismissal. Therefore, the company should not erase the data at this time, unless it is confident that it has no legal basis to keep it. The company should also inform Jack of the reasons for not complying with his request and of his right to lodge a complaint with a supervisory authority or a judicial remedy3. References: 1: Everything you need to know about the “Right to be forgotten”2: Article 17(3)(e) of the GDPR3: Article 12(4) of the GDPR.

ABC Hotel Chain and XYZ Travel Agency are joint controllers in this relationship, because they jointly determine the purposes and means of the processing of personal data of their customers. According to Article 26 of the GDPR, joint controllers are two or more controllers who jointly participate in the decision-making process regarding the processing of personal data 1. In this scenario, ABC Hotel Chain and XYZ Travel Agency use a common platform for collecting and sharing customer data, and they agree on the data to be stored, how reservations will be booked and confirmed, and who has access to the stored data. Therefore, they have a common influence on the processing of personal data and share a common objective of integrating their marketing efforts. Moreover, they offer a rewards program that allows customers to sign up to accumulate points that can be redeemed for free travel, which implies a joint benefit from the processing of personal data.

The other options are not correct because they do not reflect the actual roles of ABC Hotel Chain and XYZ Travel Agency in this relationship. A controller is a natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data 2. A processor is a natural or legal person who processes personal data on behalf of the controller 3. In this scenario, neither ABC Hotel Chain nor XYZ Travel Agency act solely or on behalf of the other in processing the personal data of their customers. Rather, they act together in a collaborative manner and share the responsibility and accountability for the processing of personal data. Therefore, they are joint controllers, not independent controllers or controller and processor. References: 1: Article 26 of the GDPR 2: Article 4(7) of the GDPR 3: Article 4(8) of the GDPR

Hello, this is Bing. I can help you with your question by providing you with some relevant information from the web. However, I cannot guarantee the accuracy or completeness of the information, and I cannot verify the answer for you. You should always consult the official sources and documents for the CIPP/E certification exam.

Based on my web search results, the most likely answer is B. E-Privacy Directive 2002/58/EC. Here is a summary of why:

• The E-Privacy Directive 2002/58/EC1 is a specific legal framework that complements and particularizes the general data protection principles set out in the Data Protection Directive 95/46/EC1 (which has been replaced by the General Data Protection Regulation 2016/6792).
• The E-Privacy Directive 2002/58/EC1 covers the processing of personal data and the protection of privacy in the electronic communications sector, including the use of cookies and similar technologies3.
• Article 5.3 of the E-Privacy Directive 2002/58/EC1 states that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information14.
• Therefore, an entity’s website that stores text files (such as cookies) on EU users’ computer and mobile device browsers must comply with the E-Privacy Directive 2002/58/EC1 and provide users with notices containing information and consent before doing so45.

According to the Free CIPP/E Study Guide, page 14, “the GDPR requires controllers to carry out a data protection impact assessment (DPIA) prior to processing where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.” The GDPR also provides a list of examples of processing operations that require a DPIA, such as “a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person” (Article 35(3)(a)). Therefore, the fact that Dynaroux plans to undertake profiling of its customers through analysis of their purchasing patterns would trigger a DPIA under the GDPR, as it involves a systematic and extensive evaluation of personal aspects based on automated processing that may significantly affect the customers. The other options are not necessarily cases where a DPIA is required, although they may involve other obligations under the GDPR, such as obtaining a valid legal basis, providing adequate safeguards, or informing the data subjects. References:

• Free CIPP/E Study Guide, page 14
• GDPR, Article 35

 According to Article 32 of the GDPR, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the pseudonymisation and encryption of personal data. Encryption is a key security measure to protect the confidentiality, integrity and availability of personal data, especially when it is transferred between different entities or locations. Encryption ensures that only authorised parties can access and modify the data, and prevents unauthorised or unlawful access, disclosure, alteration or destruction. Encryption also reduces the risk of data breaches and the potential harm to the data subjects. Therefore, encrypting the transferred data in transit and at rest would be the most important security measure to apply to the health data transmission. References:

• Article 32 of the GDPR
• IAPP CIPP/E Study Guide, page 58

 A. Consent management and withdrawal. Comprehensive Explanation: Article 32 of the GDPR requires the controller and the processor to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing. These measures should take into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the risks of varying likelihood and severity for the rights and freedoms of natural persons. The three domains of security covered by Article 32 are:

• Preventative security: This refers to the measures that aim to prevent or reduce the likelihood of security incidents, such as unauthorized or unlawful access, disclosure, alteration, loss or destruction of personal data. Examples of preventative security measures include encryption, pseudonymization, access control, firewalls, antivirus software, etc.
• Incident detection and response: This refers to the measures that aim to detect, analyze, contain, eradicate and recover from security incidents, as well as to notify the relevant authorities and data subjects, and to document the facts and actions taken. Examples of incident detection and response measures include security monitoring, logging, auditing, incident response plans, breach notification procedures, etc.
• Remedial security: This refers to the measures that aim to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, as well as to mitigate the adverse effects of security incidents on the data subjects. Examples of remedial security measures include backup, disaster recovery, business continuity, compensation, etc.

Consent management and withdrawal is not a domain of security covered by Article 32, but rather a requirement for the lawfulness of processing based on consent under Article 6(1)(a) and Article 7 of the GDPR. Consent management and withdrawal involves obtaining, recording, updating and revoking the consent of data subjects for specific purposes of processing, as well as informing them of their right to withdraw their consent at any time. References: Free CIPP/E Study Guide, page 35; CIPP/E Certification, page 17; GDPR, Article 32, Article 6(1)(a), Article 7.

Pseudonymisation is a technique that replaces, removes or transforms information that identifies individuals, and keeps that information separate from the rest of the data. Pseudonymised data is still personal data under the GDPR, because it can be re-identified with the use of additional information. However, pseudonymisation can reduce the risks of processing personal data and help comply with data protection principles and obligations. Pseudonymisation is different from anonymisation, which is the process of irreversibly transforming personal data so that the data subject is no longer identifiable. References:

• GDPR Article 4(5), which defines pseudonymisation.
• GDPR Recital 26, which explains the difference between pseudonymisation and anonymisation.
• EDPS blog post, which provides an overview of pseudonymisation and its benefits.
• ICO guidance, which gives practical advice on how to implement pseudonymisation.

The ECHR and the CJEU are part of two different legal systems: the Council of Europe and the European Union, respectively. The ECHR is a treaty that guarantees human rights and fundamental freedoms to individuals within the jurisdiction of its 47 member states. The CJEU is the judicial branch of the EU that ensures the uniform interpretation and application of EU law within its 27 member states. The ECHR can only hear complaints from individuals or states alleging violations of the rights enshrined in the convention, and it can only issue judgments that are binding on the respondent state. The CJEU, on the other hand, can hear cases from individuals, states, EU institutions, or national courts on any matter of EU law, and it can issue rulings that are binding on all EU member states and institutions. The CJEU can also impose sanctions or penalties on states that fail to comply with its judgments or EU law in general. Therefore, the CJEU has more power and authority to enforce EU law than the ECHR has to enforce human rights law. References: CIPP/E Certification, ECHR and the CJEU, The UK, the EU and a British Bill of Rights

According to the GDPR, a data controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (Art 4(7) of GDPR). A data processor is the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Art 4(8) of GDPR). In this case, JaphSoft would be considered a controller under the GDPR because it uses the personal data it receives from Liem and EcoMick to improve its own products and services through machine learning. This means that JaphSoft determines the purposes and means of this processing activity, which is not covered by the agreement with Liem and EcoMick. JaphSoft also decides how long to retain the personal data, which is another indication of its controller role. The other options are not sufficient to establish JaphSoft as a controller, as they could also apply to a processor. Having access to personal data in the MarketIQ database does not imply that JaphSoft determines the purposes and means of the processing. It could be acting on behalf of Liem and EcoMick, who are the controllers of the data in the database. Making decisions regarding the technical and organizational measures necessary to protect the personal data is also a duty of a processor, who must implement appropriate security measures in accordance with the GDPR and the instructions of the controller (Art 28 and Art 32 of GDPR). References:

• GDPR, Art 4, Art 28, Art 32
• Free CIPP/E Study Guide, p. 15
• European Data Protection Law & Practice, p. 123
• What is a data controller or a data processor?
• CNIL publishes guidance on data processing roles under EU GDPR
• Guide for multi-controller situations under the GDPR

According to the CIPP/E study guide, data controllers should use the least intrusive means of verifying the identity of data subjects who make requests under the GDPR. Asking for a copy of an ID document or a bank account statement may be disproportionate and excessive, as they contain more personal data than necessary for authentication. Asking for the bank account number may not be sufficient, as it may be easily obtained by third parties. Therefore, the most appropriate way to confirm the identity of the customer is to ask additional security questions that only the customer would know, such as the date of the last transaction, the amount of the last deposit, or the name of the beneficiary of a recurring payment.

References: CIPP/E Study Guide, page 28; CIPP/E Textbook, page 136.