According to the CIPP/E study guide, Article 33 of the GDPR requires data controllers to notify the

supervisory authority of a personal data breach without undue delay and, where feasible, not later

than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights

and freedoms of natural persons1. Article 34 of the GDPR requires data controllers to communicate

the personal data breach to the data subject without undue delay when the breach is likely to result

in a high risk to the rights and freedoms of natural persons2. Both articles specify the minimum

information that the data controller must provide to the supervisory authority and the data subject,

which includes: the nature of the breach, the categories and approximate number of data subjects

and personal data records concerned, the name and contact details of the data protection officer or

other contact point, the likely consequences of the breach, and the measures taken or proposed to

address the breach and mitigate its possible adverse effects12. However, neither article requires the

data controller to disclose the type of security safeguards used to protect the data, as this

information is not relevant for the purposes of notification and may even compromise the security of

the data further3. Reference: 1: CIPP/E study guide, page 84; Art. 33 GDPR; Guidelines 01/2021 on

Examples regarding Data Breach Notification2: CIPP/E study guide, page 85; [Art. 34

GDPR]; Guidelines 01/2021 on Examples regarding Data Breach Notification3: Personal Data Breach |

European Data Protection Supervisor; What is a data breach and what do we have to do … - European

Commission.

Reference: https://www.dataprotection.ie/en/organisations/know-your-obligations/data-protectionimpact- assessments

According to Article 47(2)(a) of the GDPR, binding corporate rules (BCRs) must be legally binding and

apply to and be enforced by every member concerned of the group of undertakings, or group of

enterprises engaged in a joint economic activity, including their employees1. This means that all

employees within the group must comply with the BCRs, irrespective of their location or the

jurisdiction where they operate. The other options are incorrect, as they do not reflect the

requirements of the GDPR or the guidance of the European Data Protection Board (EDPB) on

BCRs23. Reference:

GDPR Article 47(2)(a)

EDPB Guidelines 3/2018 on the territorial scope of the GDPR

EDPB Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679

The ePrivacy Directive, also known as the Cookie Law, is the EU legislation that regulates the use of

cookies and other tracking technologies on websites and mobile applications. The ePrivacy Directive

states that the use of cookies on websites and mobile applications is conditioned upon the prior

consent of users, unless the cookies are strictly necessary for the provision of the service. Users must

also be given clear and comprehensive information about the purposes of the cookies and the means

to refuse them. The ePrivacy Directive complements the GDPR, which also applies to the processing

of personal data through cookies, but does not specifically address the consent requirement for

cookies. The other answer choices are not relevant to the consent requirement for cookies, as they

regulate different aspects of the digital economy and society. The E-Commerce Directive establishes

the legal framework for online services in the EU, such as information society services, electronic

contracts, and liability of intermediaries. The Data Retention Directive requires telecommunication

providers to retain certain data for a period of time for the purpose of law enforcement and national

security. The EU Cybersecurity Directive aims to enhance the security of network and information

systems across the EU, by setting common standards and obligations for operators of essential

services and digital service providers. Reference:

Cookies, the GDPR, and the ePrivacy Directive - GDPR.eu

What is the EU Cookie Law (ePrivacy Directive)? - Cookie Script

EU Cookie Law - Data Protection and Cookies - Cookiebot™

ePrivacy Directive - Regulations - Learn how CookiePro Helps

Reference: https://www.iubenda.com/en/help/5525-cookies-gdpr-requirements

According to GDPR Article 4(22), a supervisory authority is concerned by the processing of personal

data if the data subjects residing in its member state are substantially affected or likely to be

substantially affected by the processing, or if a complaint has been lodged with it. This concept is

mainly introduced to ensure that the rights and interests of data subjects are protected by the

supervisory authorities that are closest to them, regardless of where the controller or processor is

established or where the lead supervisory authority is located. The concerned supervisory

authorities have the right to participate in the one-stop-shop and consistency mechanisms, and to

express their views and objections on the draft decisions of the lead supervisory authority. They also

have the duty to cooperate and assist each other in the performance of their tasks. Reference: GDPR

Article 4(22), GDPR Article 60, GDPR Article 63, The role of the ’supervisory authority concerned’

(Chapter 3.1 …

Adequacy is a term that the EU uses to describe other countries, territories, sectors or international

organisations that it deems to provide an ‘essentially equivalent’ level of data protection to that

which exists within the EU. An adequacy decision is a formal decision made by the EU which

recognises that another country, territory, sector or international organisation provides an equivalent

level of protection for personal data as the EU does. The effect of such a decision is that personal

data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any

further safeguard being necessary12.

The European Commission has so far recognised Andorra, Argentina, Canada (commercial

organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of

Korea, Switzerland, the United Kingdom under the GDPR and the LED, the United States (commercial

organisations participating in the EU-US Data Privacy Framework) and Uruguay as providing

adequate protection13. On 28 June 2021, the EU Commission published two adequacy decisions in

respect of the UK: one for transfers under the EU GDPR; and the other for transfers under the Law

Enforcement Directive (LED)2. These decisions contain the European Commission’s detailed

assessment of the UK’s laws and systems for protecting personal data, as well as the legislation

designating the UK as adequate. Both adequacy decisions are expected to last until 27 June 20252.

Among the four options given, only Switzerland has been granted an adequacy decision by the EU,

which means that it will continue to enjoy adequacy status under the GDPR, pending any future

European Commission decision to the contrary. Greece is a member state of the EU, so it does not

need an adequacy decision to receive personal data from the EU. Norway is a member of the

European Economic Area (EEA), which also includes Iceland and Liechtenstein, and has incorporated

the GDPR into its national law, so it also does not need an adequacy decision. Australia has not been

recognised as adequate by the EU, so transfers of personal data from the EU to Australia require

appropriate safeguards or derogations13. Therefore, the correct answer is D. Switzerland. Reference:

https://pages.iapp.org/Free-Study-Guides_CIPPE-PPC-EU.html https://data-privacyoffice.eu/courses/cipp-e-official-training-course/

Reference: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-dataprotection/ adequacy-decisions_en

Article 9 of the GDPR prohibits the processing of special categories of personal data, which are data

that reveal sensitive information about the data subject and may pose a high risk to their rights and

freedoms. The GDPR defines 10 types of personal data as special categories, which are:

personal data revealing racial or ethnic origin;

personal data revealing political opinions;

personal data revealing religious or philosophical beliefs;

personal data revealing trade union membership;

genetic data;

biometric data (where used for identification purposes);

data concerning health;

data concerning a person’s sex life; and

data concerning a person’s sexual orientation.

Among the answer choices, only option C is not one of these categories, as financial data is not

considered to reveal any sensitive information about the data subject. However, financial data is still

subject to the general principles and rules of the GDPR, such as lawfulness, fairness, transparency,

accuracy, security, etc. Reference:

Special category data | ICO

Art. 9 GDPR Processing of special categories of personal data

Special Categories of Data - International Association of Privacy Professionals

Reference: https://www.privacy-regulation.eu/en/article-9-processing-of-special-categories-ofpersonal-data-

GDPR.htm#:~:text=Processing%20of%20personal%20data%20revealing,concerning%20a%20natural

% 20person%27s%20sex

According to Article 35 of the GDPR, a Data Protection Impact Assessment (DPIA) is required when

the processing of data is likely to result in a high risk to the rights and freedoms of natural persons,

especially when using new technologies. A DPIA is supposed to show the characteristics of the

processing, the risks and the measures adopted to mitigate them. The GDPR also provides some

examples of processing operations that require a DPIA, such as:

a systematic and extensive evaluation of personal aspects based on automated processing, including

profiling, and on which decisions are based that produce legal or significant effects on the data

subject;

processing on a large scale of special categories of data or data relating to criminal convictions and

offences; or

a systematic monitoring of a publicly accessible area on a large scale.

Among the answer choices, only option C falls under the first example, as it involves a systematic and

extensive evaluation of personal aspects based on location data and data from third-party sources,

which could be used for profiling and matching purposes. This could have significant effects on the

data subjects’ privacy, personal relationships and reputation. Therefore, a DPIA would be required for

this processing operation.

Option A does not necessarily involve a systematic and extensive evaluation of personal aspects, nor

does it produce legal or significant effects on the data subject. It could be considered a legitimate

interest of the company to offer more personalized service, as long as it respects the principles of

data minimization, purpose limitation and transparency.

Option B does not involve a decision based on the processing, nor does it produce legal or significant

effects on the data subject. It could be considered a form of direct marketing, which is subject to

specific rules under the GDPR and the ePrivacy Directive.

Option D does not involve personal data relating to natural persons, but rather to delivery trucks.

Therefore, it does not pose a high risk to the rights and freedoms of natural persons.

Reference:

GDPR Article 35

Guidelines on DPIA

Art. 35 GDPR - Data protection impact assessment - GDPR.eu

Reference: http://webcache.googleusercontent.com/search?q=cache:aQkU17eX9sQJ:https://

www.shlegal.com/insights/article-29-data-protection-working-party-gdpr-guidelines-on-data-

protection-impact- assessments&client=firefox-b-e&hl=en&gl=pk&strip=1&vwsrc=0

The aim of the European Data Protection Directive 95/46/EC was to establish a common legal

framework for the protection of personal data within the European Union, and to ensure the free

movement of such data within the internal market. The Directive was based on the recognition that

the processing of personal data affects the fundamental rights and freedoms of individuals,

especially their right to privacy, and that these rights need to be respected and safeguarded. At the

same time, the Directive acknowledged that the free flow of personal data is essential for the

economic and social development of the EU, and that the harmonization of data protection laws

would facilitate the exchange of information and the provision of services across the member states.

Therefore, the Directive aimed to strike a balance between the protection of individuals’ rights and

the promotion of the internal market, by laying down the key principles, obligations and rights for

the processing of personal data, and by providing mechanisms for cooperation and coordination

among the national data protection authorities. Reference: Directive 95/46/EC of the European

Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the

processing of personal data and on the free movement of such data, Data Protection Directive -

Wikipedia

Reference: https://www.oecd.org/sti/ieconomy/oecd_privacy_framework.pdf (3)

Article 30 of the GDPR requires controllers and processors to maintain records of their processing

activities, which include information such as the purposes of the processing, the categories of

personal data, the recipients of the data, the retention periods, and the security measures12.

However, Article 30 does not require controllers to keep records of incidents of personal data

breaches, whether disclosed or not. This is a separate obligation under Article 33 and Article 34,

which require controllers to notify the supervisory authority and the data subjects of any personal

data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural

persons34. Reference: 1: Article 30 of the GDPR 2: What do we need to document under Article 30 of

the UK GDPR? | ICO 3: Article 33 of the GDPR 4: Article 34 of the GDPR

Section: (none)

Reference: https://medium.com/golden-data/what-records-must-controllers-and-processors-keepto-comply- with-eu-data-protection-law-3e8bac177695

According to Article 14 of the GDPR, if the controller obtains personal data from other sources, such

as third parties or publicly accessible sources, the controller must provide the data subject with the

necessary privacy information, such as the identity and contact details of the controller, the purposes

and legal basis of the processing, the categories of personal data concerned, the recipients or

categories of recipients of the personal data, and the rights of the data subject. The controller must

provide this information within a reasonable period after obtaining the personal data, but no later

than one month, having regard to the specific circumstances in which the personal data are

processed. However, there are some exceptions to this rule, such as if the data subject already has

the information, if the provision of the information proves impossible or would involve a

disproportionate effort, if the obtaining or disclosure of the data is expressly laid down by EU or

member state law, or if the personal data must remain confidential subject to an obligation of

professional secrecy12. Reference:

GDPR, Article 14

Free CIPP/E Study Guide, page 19, section 2.5.1

CIPP/E Certification, page 14, section 1.2.1

Art. 14 GDPR - Information to be provided where personal data have not been obtained from the

data subject

Article 14 GDPR - GDPRhub

Reference: https://dataprivacymanager.net/gdpr-exemptions-from-the-obligation-to-provideinformation-to-the- individual-data-subject/