The GDPR and the Convention 108 are two important data protection instruments that aim to protect
the rights and freedoms of individuals with regard to their personal data. They have some
similarities and some differences, but one common feature is that both require notification of
processing activities to a supervisory authority.
A supervisory authority is an independent public body that monitors and enforces compliance with
data protection laws. In the EU, there are 47 national data protection authorities (DPAs) that have
the power to impose administrative fines, issue guidelines, conduct investigations, and cooperate
with other authorities [1]. In the Council of Europe, there are 54 parties to the Convention 108 that
have established their own supervisory authorities or have agreed to be supervised by an external
authority [2].
Notification of processing activities is a requirement for any controller or processor of personal data
that falls under the scope of the GDPR or the Convention 108. A controller is a natural or legal person
who determines the purposes and means of the processing of personal data [3]. A processor is a
natural or legal person who processes personal data on behalf of a controller [3]. Notification means
informing the supervisory authority about certain aspects of the processing, such as:
- The identity and contact details of the controller and processor
- The categories and sources of personal data
- The purposes and legal basis for processing
- The recipients or categories of recipients of personal data
- The retention period or criteria for determining it
- The existence of any automated decision-making or profiling
- The rights of data subjects and how they can exercise them
Notification can be done in various ways, such as:
- Submitting a written notification form
- Publishing a notice on a website or other platform
- Sending an email or other electronic message
- Using an online system or portal
Notification should be done as soon as possible after becoming aware of any relevant information
about the processing. It should also be updated whenever there are significant changes in relation to
the processing [4].
Therefore, both the GDPR and the Convention 108 require notification of processing activities to a
supervisory authority. This is one way to ensure transparency, accountability, and compliance with
data protection laws.
Reference: https://rm.coe.int/090000168093b851