Pass the IAPP Certified Information Privacy Professional CIPP-E Questions and answers with CertsForce

The EU Artificial Intelligence Act (AI Act) is a proposed regulation that aims to establish harmonised rules on the development and use of artificial intelligence in the EU. The AI Act classifies AI systems according to their level of risk and imposes various requirements and obligations on providers and users of such systems. The AI Act also provides for the enforcement of its rules by national competent authorities and the European Commission. According to Article 71 of the AI Act, the sanctions for non-compliance with the AI Act depend on the type and severity of the infringement. The maximum fine for the most serious infringements, such as placing on the market or putting into service prohibited AI systems, or failing to comply with the data and data governance requirements for high-risk AI systems, is the higher of up to 30 million Euro or up to 6% of the total worldwide annual turnover of the preceding financial year of the legal entity concerned. This is the same level of fine as for the most serious infringements of the General Data Protection Regulation (GDPR).

References:

•EUR-Lex - 52021PC0206 - EN - EUR-Lex1

•European Parliament Adopts Negotiating Position on the AI Act2

The GDPR does not explicitly regulate background checks, but it does apply to the processing of personal data that may be obtained or used during such checks. Therefore, the company must comply with the GDPR principles, such as lawfulness, fairness, transparency, data minimization, purpose limitation, accuracy, storage limitation, integrity and confidentiality, and accountability. The company must also identify a lawful basis for processing personal data, such as legal obligation, legitimate interest, or consent, and respect the data subject rights, such as the right to information, access, rectification, erasure, restriction, objection, and portability. Moreover, the company must be aware of the specific rules and restrictions regarding the processing of special categories of data (such as biometric, health, or political data) and data relating to criminal convictions and offences, which are subject to Article 10 of the GDPR and the laws of each member state. The company must also consider the national employment laws and the guidelines of the relevant supervisory authorities, which may impose additional conditions or limitations on the scope, methods, and purposes of background checks. For example, some member states may require prior authorization, notification, or consultation with the supervisory authority, the data subject, or the works council before conducting background checks. Some member states may also prohibit or restrict certain types of background checks, such as social media screening, credit checks, or criminal record checks, unless they are necessary, proportionate, and relevant for the specific job position or sector. Therefore, the company must conduct a thorough assessment of the legal framework and the risks and benefits of background checks in each member state where it operates or recruits employees, and ensure that it has a clear and consistent policy and procedure for conducting background checks in a GDPR-compliant manner. References: How to ‘background check’ under the GDPR, How to perform GDPR compliant background checks, GDPR and the processing of criminal conviction data across Europe, Pre-employment vetting: Data protection and criminal records, How GDPR Affects Background Checking

According to the CIPP/E study guide, Article 33 of the GDPR requires data controllers to notify the supervisory authority of a personal data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons1. Article 34 of the GDPR requires data controllers to communicate the personal data breach to the data subject without undue delay when the breach is likely to result in a high risk to the rights and freedoms of natural persons2. Both articles specify the minimum information that the data controller must provide to the supervisory authority and the data subject, which includes: the nature of the breach, the categories and approximate number of data subjects and personal data records concerned, the name and contact details of the data protection officer or other contact point, the likely consequences of the breach, and the measures taken or proposed to address the breach and mitigate its possible adverse effects12. However, neither article requires the data controller to disclose the type of security safeguards used to protect the data, as this information is not relevant for the purposes of notification and may even compromise the security of the data further3. References: 1: CIPP/E study guide, page 84; Art. 33 GDPR; Guidelines 01/2021 on Examples regarding Data Breach Notification2: CIPP/E study guide, page 85; [Art. 34 GDPR]; Guidelines 01/2021 on Examples regarding Data Breach Notification3: Personal Data Breach | European Data Protection Supervisor; What is a data breach and what do we have to do … - European Commission.

The ePrivacy Directive, also known as the Cookie Law, is the EU legislation that regulates the use of cookies and other tracking technologies on websites and mobile applications. The ePrivacy Directive states that the use of cookies on websites and mobile applications is conditioned upon the prior consent of users, unless the cookies are strictly necessary for the provision of the service. Users must also be given clear and comprehensive information about the purposes of the cookies and the means to refuse them. The ePrivacy Directive complements the GDPR, which also applies to the processing of personal data through cookies, but does not specifically address the consent requirement for cookies. The other answer choices are not relevant to the consent requirement for cookies, as they regulate different aspects of the digital economy and society. The E-Commerce Directive establishes the legal framework for online services in the EU, such as information society services, electronic contracts, and liability of intermediaries. The Data Retention Directive requires telecommunication providers to retain certain data for a period of time for the purpose of law enforcement and national security. The EU Cybersecurity Directive aims to enhance the security of network and information systems across the EU, by setting common standards and obligations for operators of essential services and digital service providers. References:

Cookies, the GDPR, and the ePrivacy Directive - GDPR.eu

What is the EU Cookie Law (ePrivacy Directive)? - Cookie Script

EU Cookie Law - Data Protection and Cookies - Cookiebot™

ePrivacy Directive - Regulations - Learn how CookiePro Helps

Hello, this is Bing. I can help you with your question by providing you with some relevant information from the web. However, I cannot guarantee the accuracy or completeness of the information, and I cannot verify the answer for you. You should always consult the official sources and documents for the CIPP/E certification exam.

Based on my web search results, the most likely answer is B. E-Privacy Directive 2002/58/EC. Here is a summary of why:

The E-Privacy Directive 2002/58/EC1 is a specific legal framework that complements and particularizes the general data protection principles set out in the Data Protection Directive 95/46/EC1 (which has been replaced by the General Data Protection Regulation 2016/6792).

The E-Privacy Directive 2002/58/EC1 covers the processing of personal data and the protection of privacy in the electronic communications sector, including the use of cookies and similar technologies3.

Article 5.3 of the E-Privacy Directive 2002/58/EC1 states that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information14.

Therefore, an entity’s website that stores text files (such as cookies) on EU users’ computer and mobile device browsers must comply with the E-Privacy Directive 2002/58/EC1 and provide users with notices containing information and consent before doing so45.

 The GDPR defines processing as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” (Article 4(2)). This is a broad definition that covers almost any activity involving personal data, regardless of the method or means used. The GDPR also specifies that processing should be lawful, fair and transparent, and should respect the principles of data protection by design and by default (Article 5). References: CIPP/E Certification - International Association of Privacy Professionals, Free CIPP/E Study Guide - International Association of Privacy Professionals, [GDPR - EUR-Lex]

I hope this helps. If you have any other questions, please let me know. ????