Pass the IAPP Certified Information Privacy Professional CIPP-E Questions and answers with CertsForce

According to the GDPR, pseudonymization is a technique that reduces the linkability of personal data to a specific data subject by replacing identifying attributes with pseudonyms1. Pseudonymization is not a sufficient measure to anonymize personal data, which means that the data cannot be attributed to an identifiable person without additional information2. Pseudonymization can help data controllers and processors to comply with the GDPR principles of data minimization, purpose limitation, and storage limitation, as well as to enhance the security and confidentiality of personal data3.

In this scenario, JaphSoft’s use of pseudonymization is not in compliance with the GDPR because of option C: JaphSoft was in possession of information that could be used to identify data subjects. This is because JaphSoft did not keep the additional information (the contact information) separately from the pseudonymized data (the identifying information), and did not apply technical and organizational measures to prevent the re-identification of the data subjects4. This means that JaphSoft could potentially link the personal data to the individuals, and therefore, the data was not effectively pseudonymized. Moreover, JaphSoft did not have a deletion process for the data it received from clients, which could violate the principle of storage limitation that requires personal data to be kept no longer than necessary for the purposes for which they are processed.

According to Article 32 of the GDPR, the controller and the processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing1. The GDPR does not prescribe specific security measures, but rather provides a list of factors to consider when determining the appropriate level of security, such as:

The state of the art and the costs of implementation;

The nature, scope, context and purposes of processing;

The risk of varying likelihood and severity for the rights and freedoms of natural persons.

Therefore, the level of security required by the GDPR is not absolute, but relative to the specific circumstances of each processing activity. The GDPR also encourages the use of codes of conduct and certification mechanisms to demonstrate compliance with the security requirements1.

In the scenario, Natural Insight is a processor who receives customer information from BHealthy, a controller, for the purpose of providing pricing services. Natural Insight has a contractual obligation to implement technical and organisational measures to ensure the security of the data, as well as to comply with the GDPR. Natural Insight’s security obligations are not limited to the measures assessed by BHealthy prior to entering into the contract, nor to the level of security that a reasonable data subject would expect. Rather, Natural Insight must take into account the industry practices for protecting customer contact information and purchase history, as well as the potential risks that may arise from the processing, such as data breaches, identity theft, fraud, or discrimination. Natural Insight must also keep up with the state of the art and the costs of implementation, and adjust its security measures accordingly.

References:

4: Art. 32 GDPR Security of processing

The General Data Protection Regulation (GDPR) introduces a mechanism for personal data transfers to third countries or international organisations that do not ensure an adequate level of data protection, based on approved certifications. According to Article 46 of the GDPR, contractual clauses ensuring appropriate data protection safeguards can be used as a ground for data transfers from the EU to third countries. This includes model contract clauses – so-called standard contractual clauses (SCCs) – that have been “pre-approved” by the European Commission.

On 4 June 2021, the Commission issued modernised standard contractual clauses under the GDPR for data transfers from controllers or processors in the EU/EEA (or otherwise subject to the GDPR) to controllers or processors established outside the EU/EEA (and not subject to the GDPR). These modernised SCCs replace the three sets of SCCs that were adopted under the previous Data Protection Directive 95/46. The Commission developed Questions and Answers (Q&As) to provide practical guidance on the use of the SCCs and assist stakeholders in their compliance efforts under the GDPR.

The Q&As state that businesses must do all of the following:

Consider the new optional docking clause, which expressly permits adding new parties to the SCCs. According to the Q&As, the docking clause allows controllers and processors that are not part of the original contract to accede to the SCCs at a later stage, either as data exporters or importers. This clause is intended to facilitate the use of the SCCs in complex processing chains and to avoid the need to enter into multiple contracts.

Migrate all contracts entered into before September 27, 2021, that use the old SCCs to the new SCCs by December 27, 2022. According to the Q&As, the old SCCs will be repealed on September 27, 2021. However, contracts concluded before that date on the basis of the old SCCs will remain valid until December 27, 2022, provided that the processing operations that are the subject matter of the contract remain unchanged and that reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards within the meaning of Article 46(1) of the GDPR. After December 27, 2022, the old SCCs will no longer provide a valid legal basis for data transfers to third countries, and the new SCCs will have to be used instead.

Take steps to flow down the new SCCs to relevant parts of their supply chain using the new SCCs as of September 27, 2021, if the business is a data importer. According to the Q&As, the new SCCs require data importers to enter into contracts with any subprocessors that process the personal data transferred under the SCCs, and to include in those contracts the same data protection obligations as those imposed on the data importer under the SCCs. This means that data importers must ensure that the new SCCs are flowed down to their subprocessors as of September 27, 2021, and that any changes in the subprocessors are notified to the data exporter, who has the right to object.

The Q&As do not state that businesses must do the following:

Implement the new SCCs in the U.K. following Brexit, as the U.K. Information Commissioner’s Office does not have the authority to publish its own set of SCCs. This is not a valid statement, as the U.K. has its own data protection regime after leaving the EU, and the U.K. Information Commissioner’s Office (ICO) has the power to issue its own SCCs for data transfers from the U.K. to third countries. According to the ICO website, the ICO is currently developing bespoke U.K. SCCs, which will be subject to a public consultation and an opinion from the European Data Protection Board (EDPB). Until the U.K. SCCs are finalised, the ICO advises businesses to continue to use the EU SCCs for new contracts, as these clauses have been recognised as a valid transfer mechanism under the U.K. data protection law. However, the ICO also warns businesses that they may need to amend the EU SCCs to reflect that the U.K. is no longer an EU member state, and that they will need to update their contracts to the U.K. SCCs once they are available.

References:

GDPR, Articles 3, 4, 28, 29, 32, 44, 45, 46, 47, 48 and 49.

New Standard Contractual Clauses - Questions and Answers overview, paragraphs 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 and 11.

Standard Contractual Clauses (SCC), paragraphs 1, 2, 3, 4, 5, 6, 7 and 8.

[Using international data transfers], paragraphs 1, 2, 3, 4, 5, 6, 7, 8, 9 and 10.

According to the GDPR, a transfer of personal data to a third country or an international organisation may take place only if the conditions laid down in Chapter V of the GDPR are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation1. A third country is any country outside of the European Union (EU) and the European Economic Area (EEA)2. Therefore, a transfer impact assessment is only required when personal data is transferred to a third country or an international organisation that does not provide an adequate level of data protection, as recognised by the European Commission3. HRYourWay is a German based company, and Germany is a member state of the EU and the EEA. Thus, HRYourWay is not located in a third country, and no transfer impact assessment is needed for transferring personal data to it. The other options are incorrect, as they are not relevant to the question of whether a transfer impact assessment is required or not. References:

GDPR, Chapter V

GDPR, Article 4 (24)

GDPR, Article 45

ccording to the GDPR, the regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not1. The GDPR also applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union1.

In this scenario, a U.S. company’s website sells widgets to customers in the EU and places cookies to monitor their behavior. These factors would subject the company to the GDPR, as they indicate that the company is offering goods or services and monitoring the behavior of data subjects in the Union2. However, the fact that the website is in English and French, and is accessible in France, would not in itself subject the company to the GDPR, as these factors do not necessarily imply an intention to target customers in the Union3. The language and accessibility of the website are not sufficient to establish a relevant and sufficient degree of stability and continuity of the company’s activities in the Union3. Therefore, the correct answer is B.

References:

Art. 3 GDPR – Territorial scope

Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)

What does territorial scope mean under the GDPR?

I hope this helps you understand the GDPR and territorial scope better. If you have any other questions, please feel free to ask me. ????

The aim of the European Data Protection Directive 95/46/EC was to establish a common legal framework for the protection of personal data within the European Union, and to ensure the free movement of such data within the internal market. The Directive was based on the recognition that the processing of personal data affects the fundamental rights and freedoms of individuals, especially their right to privacy, and that these rights need to be respected and safeguarded. At the same time, the Directive acknowledged that the free flow of personal data is essential for the economic and social development of the EU, and that the harmonization of data protection laws would facilitate the exchange of information and the provision of services across the member states. Therefore, the Directive aimed to strike a balance between the protection of individuals’ rights and the promotion of the internal market, by laying down the key principles, obligations and rights for the processing of personal data, and by providing mechanisms for cooperation and coordination among the national data protection authorities. References: Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Data Protection Directive - Wikipedia

Convention 108 was the first legally binding international instrument in the data protection field, adopted by the Council of Europe in 19811. However, it had some limitations that led to the creation of the Data Protection Directive (Directive 95/46/EC) by the European Union in 19952. One of the main failings of Convention 108 was that it was implemented in a fragmented manner by a small number of states, resulting in divergent and inconsistent national laws and practices3. The Data Protection Directive aimed to harmonize the data protection rules within the EU and to ensure a high level of protection for individuals’ rights and freedoms2. Therefore, option C is the correct answer. Option A is incorrect because Convention 108 did account for the rapid growth of the Internet by allowing for amendments and protocols to adapt to technological developments1. Option B is incorrect because Convention 108 did include protections for sensitive personal data, such as those revealing racial origin, political opinions, religious beliefs, health, or sexual life1. Option D is incorrect because Convention 108 did not prescribe specific penalties for violations of data protection rights, but left it to the Parties to adopt appropriate sanctions and remedies1. References:

Convention 108 and Protocols

CIPP/E Certification

Convention 108+ and the Data Protection Framework of the EU

The GDPR allows for derogations for specific situations when a transfer of personal data to a third country or an international organization cannot be based on an adequacy decision, appropriate safeguards, or binding corporate rules1. However, these derogations are exceptions to the general rule and should not become the norm. The EDPB confirmed that derogations should only be used as a last resort and when interpreted restrictively, taking into account the nature of the data, the purpose and duration of the processing, the country of origin and destination, and the rights and freedoms of data subjects23. The EDPB also stressed that the data exporter must assess the level of protection in the third country and ensure that the transfer does not undermine the essence of the fundamental rights and freedoms of data subjects23. References: 1: Article 49 of the GDPR 2: Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679 3: A guide to international transfers | ICO

According to Article 32 of the GDPR, the controller and the processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing personal data, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The GDPR also provides some examples of such measures, including the pseudonymisation and encryption of personal data, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, and a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

In this scenario, the company is processing personal data of children, such as their voice, questions, preferences, and location, through the connected toys that use a wireless Bluetooth connection to communicate with smartphones, tablets, cloud servers, and other toys. This poses a high risk to the security of the data, as Bluetooth is a short-range wireless technology that can be easily intercepted, hacked, or compromised by malicious actors. Therefore, the company should encrypt the data in transit over the Bluetooth connection, to prevent unauthorized access, disclosure, or alteration of the data. Encryption is a process of transforming data into an unreadable form, using a secret key or algorithm, that can only be reversed by authorized parties who have the corresponding key or algorithm. Encryption can protect the data from being accessed or modified by anyone who does not have the key or algorithm, thus ensuring the confidentiality and integrity of the data.

The other options are incorrect because:

B. Including dual-factor authentication before each use by a child in order to ensure a minimum amount of security is not a sufficient measure to protect the data in transit over the Bluetooth connection. Dual-factor authentication is a process of verifying the identity of a user by requiring two pieces of evidence, such as a password and a code sent to a phone or email. While this may enhance the security of the user’s account or device, it does not protect the data that is transmitted over the wireless connection, which can still be intercepted, hacked, or compromised by malicious actors. Moreover, dual-factor authentication may not be suitable or convenient for children, who may not have access to a phone or email, or who may forget their passwords or codes.

C. Including three-factor authentication before each use by a child in order to ensure the best level of security possible is not a necessary or proportionate measure to protect the data in transit over the Bluetooth connection. Three-factor authentication is a process of verifying the identity of a user by requiring three pieces of evidence, such as a password, a code sent to a phone or email, and a biometric feature, such as a fingerprint or a face scan. While this may provide a high level of security for the user’s account or device, it does not protect the data that is transmitted over the wireless connection, which can still be intercepted, hacked, or compromised by malicious actors. Furthermore, three-factor authentication may not be appropriate or feasible for children, who may not have access to a phone or email, or who may not have reliable biometric features, or who may find the process too complex or cumbersome.

D. Inserting contractual clauses into the contract between the toy manufacturer and the cloud service provider, since South Africa is outside the European Union, is not a relevant measure to protect the data in transit over the Bluetooth connection. Contractual clauses are legal agreements that specify the obligations and responsibilities of the parties involved in a data transfer, such as the level of data protection, the rights of data subjects, and the remedies for breaches. While contractual clauses may be necessary to ensure the compliance of the data transfer to South Africa, which is a non-EU country that does not have an adequacy decision from the European Commission, they do not address the security of the data that is transmitted over the wireless connection, which can still be intercepted, hacked, or compromised by malicious actors. Moreover, contractual clauses are not a technical or organisational measure, but a legal measure, that falls under a different provision of the GDPR, namely Article 46.

References: Article 32 and Recitals (75), (76), (78), (83), and (85) of the GDPR, Security of processing, Encryption, Authentication, [Contractual clauses]