IAPP CIPP-E Exam Dumps

According to GDPR Article 4(22), a supervisory authority is concerned by the processing of personal data if the data subjects residing in its member state are substantially affected or likely to be substantially affected by the processing, or if a complaint has been lodged with it. This concept is mainly introduced to ensure that the rights and interests of data subjects are protected by the supervisory authorities that are closest to them, regardless of where the controller or processor is established or where the lead supervisory authority is located. The concerned supervisory authorities have the right to participate in the one-stop-shop and consistency mechanisms, and to express their views and objections on the draft decisions of the lead supervisory authority. They also have the duty to cooperate and assist each other in the performance of their tasks.Reference:GDPR Article 4(22),GDPR Article 60,GDPR Article 63,The role of the 'supervisory authority concerned' (Chapter 3.1 ...

The EDPB's Guidelines 4/2019 on Article 25 Data Protection by Design and by Default provide guidance on how to implement the requirements of Article 25 of the GDPR, which obliges controllers to design and implement appropriate technical and organisational measures and necessary safeguards to ensure that the processing of personal data complies with the data protection principles and protects the rights and freedoms of data subjects. The guidelines also explain how to apply the concept of data protection by default, which means that by default, only personal data that are necessary for each specific purpose of the processing are processed.

The guidelines do not mention data ownership allocation as a practice that follows from the principles relating to the processing of personal data under EU data protection law. Data ownership allocation is not a concept that is recognised or defined by the GDPR or the EDPB. Data ownership allocation refers to the idea that data subjects or controllers have some form of property rights over the personal data that they provide or process. However, the GDPR does not grant such rights, but rather establishes a set of rules and obligations for the processing of personal data, based on the notion of accountability and responsibility of the controllers and processors. The GDPR also recognises the rights and freedoms of data subjects, such as the right of access, rectification, erasure, restriction, portability, objection and not to be subject to automated decision-making, which are not dependent on the ownership of the personal data, but on the fact that the personal data relate to them.

The other practices listed in the question, namely access control management, frequent pseudonymization key rotation and error propagation avoidance along the processing chain, are examples of practices that follow from the principles relating to the processing of personal data under EU data protection law, as explained in the guidelines. Access control management follows from the principle of integrity and confidentiality, which requires that personal data are processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. Frequent pseudonymization key rotation follows from the principle of data minimisation, which requires that personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Error propagation avoidance along the processing chain follows from the principle of accuracy, which requires that personal data are accurate and, where necessary, kept up to date.

GDPR, Articles 5, 6, 7, 8, 9, 15, 16, 17, 18, 19, 20, 21, 22 and 25.

EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, pages 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27 and 28.

According to the GDPR, one of the legal bases for transferring personal data to a third country or an international organization is when the transfer is necessary for the protection of the vital interests of the data subject or of another person, where the data subject is physically or legally incapable of giving consent (Article 49(1)). This exception applies only in very limited and exceptional situations, such as life-threatening medical emergencies. In this scenario, ProStorage most likely relied on this legal basis to transfer Ruth's medical information to the hospital in India, where she suffered a medical emergency and was hospitalized. Ruth was presumably unable to give her consent due to her health condition, and the transfer of her medical information was necessary to protect her vital interests, such as her life or health. Therefore, this transfer mechanism was more appropriate than the other options, which either require consent or are not relevant to the situation.

:The GDPR requires that personal data be kept for no longer than is necessary for the purposes for which the personal data are processed1.However, the GDPR also allows member states to provide for more specific rules on the processing of employees' personal data in the employment context, including the retention periods for erasure and deletion of categories of personal data2.Therefore, the employer should securely store the data that is required to be kept under local law, such as tax records, pension records, or health and safety records34.The employer should also ensure that the data is protected from unauthorized or unlawful access, accidental loss, destruction, or damage1.The employer should not store the data for longer than necessary or for purposes other than those for which the data was collected, unless the employee has given consent or there is another legal basis for doing so13.Reference:1: Article 5 of the GDPR2: Article 88 of the GDPR3: Data Protection and GDPR in the Workplace | Factsheets | CIPD4: How to Manage the Retention of Employee Data | GDPR Blog

The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not (Article 3(1)). The GDPR also applies to the processing of personal data of data subjects who are in the EU by a controller or a processor not established in the EU, where the processing activities are related to the offering of goods or services to such data subjects in the EU, or the monitoring of their behaviour as far as their behaviour takes place within the EU (Article 3(2)). Therefore, the GDPR would apply to the following entities:

A South American company that regularly collects European customers' personal data, as it is offering goods or services to data subjects in the EU.

A company that stores all customer data in Australia and is headquartered in a European Union (EU) member state, as it has an establishment in the EU.

A Chinese company that has opened a satellite office in a European Union (EU) member state to service European customers, as it has an establishment in the EU and is offering goods or services to data subjects in the EU.

The GDPR would not apply to the following entity:

A North American company servicing customers in South Africa that uses a cloud storage system made by a European company, as it does not have an establishment in the EU, nor is it offering goods or services to data subjects in the EU, nor is it monitoring their behaviour within the EU. The fact that it uses a cloud storage system made by a European company does not trigger the application of the GDPR, unless the cloud provider is also processing personal data on behalf of the North American company in the context of its activities in the EU.