Under the GDPR, the processing of personal data of a child on the basis of consent requires the

consent of the holder of parental responsibility over the child, unless the child is at least 16 years old

or the applicable national law provides for a lower age (not below 13 years). However, there are

some situations where the processing of personal data of a child without parental consent may be

justified by other lawful grounds, such as the performance of a contract, the compliance with a legal

obligation, the protection of vital interests, the performance of a task carried out in the public

interest, or the legitimate interests of the controller or a third party. One of these situations is when

the processing is necessary for providing preventive or counselling services to the child, especially in

the context of information society services. This is recognised by Recital 38 of the GDPR, which states

that:

“Children merit specific protection with regard to their personal data, as they may be less aware of

the risks, consequences and safeguards concerned and their rights in relation to the processing of

personal data. Such specific protection should, in particular, apply to the use of personal data of

children for the purposes of marketing or creating personality or user profiles and the collection of

personal data with regard to children when using services offered directly to a child. The consent of

the holder of parental responsibility should not be necessary in the context of preventive or

counselling services offered directly to a child.”

Therefore, the processing of personal data of a child without parental consent may be lawful if it is

necessary for providing preventive or counselling services to the child, such as health, education,

social or legal services, that are offered directly to the child and that aim to protect the child’s well-

being, safety, development or rights. This may include, for example, online counselling platforms,

sexual health advice services, anti-bullying or mental health support services, or child protection

helplines. In such cases, the controller should ensure that the processing is fair, transparent,

proportionate and respectful of the child’s best interests, and that appropriate safeguards are in

place to protect the child’s personal data and rights.

The other options are not likely to justify the processing of personal data of a child without parental

consent, as they do not meet the criteria of necessity, proportionality or legitimacy. The processing

of personal data of a child for market research purposes is not necessary for the performance of a

contract, the compliance with a legal obligation, the protection of vital interests, the performance of

a task carried out in the public interest, or the legitimate interests of the controller or a third party,

and may pose significant risks to the child’s privacy and autonomy. Therefore, such processing

requires the consent of the holder of parental responsibility over the child, unless the child is old

enough to give their own consent. The provision of materials purely for educational use to a child

may not require the processing of personal data of the child at all, or may only require the processing

of minimal personal data, such as the child’s name or email address. In such cases, the processing

may be based on the consent of the child, if the child is old enough to understand the implications of

their consent, or on the legitimate interests of the controller, if the processing is necessary for the

provision of the educational materials and does not override the interests or rights of the child.

However, the controller should still inform the child and the holder of parental responsibility about

the processing and provide them with the opportunity to object or withdraw their consent. The

existence of a legitimate business interest does not automatically justify the processing of personal

data of a child without parental consent, as the controller must also consider the impact of the

processing on the rights and freedoms of the child, and whether the processing is necessary and

proportionate for the pursuit of that interest. Moreover, the controller must balance the legitimate

business interest against the interests or rights of the child, and ensure that the processing does not

cause any harm or disadvantage to the child. If the processing involves the use of personal data of a

child for the purposes of marketing or creating personality or user profiles, the controller must obtain

the consent of the holder of parental responsibility over the child, unless the child is old enough to

give their own consent, as these purposes pose a high risk to the child’s privacy and

autonomy. Reference: GDPR Article 6, GDPR Article 8, GDPR Recital 38, Children and the UK GDPR |

ICO, Guidelines on consent under Regulation 2016/679 - European Data Protection Board

According to Article 3(1) of the GDPR1, personal data shall be processed in any member state only on

the basis of a decision taken at a Union level that is binding for that member state, unless it is

derogated from by national law. This means that the GDPR applies to any processing of personal data

within the EU, regardless of where the controller or processor is located, as long as it is based on a

decision made at a Union level that is binding for that member state.

Therefore, option B would most likely trigger the extraterritorial effect of the GDPR, as it involves

personal data of EU citizens being processed by a controller or processor based outside the EU,

which may be subject to a decision made at a Union level that is binding for that member state.

Option A would not trigger the extraterritorial effect of the GDPR, as it involves monitoring

suspected terrorists, which is not considered processing under Article 4(1) and (2) of the GDPR1.

Monitoring may fall under other legal frameworks, such as national security or counter-terrorism

laws.

Option C would not trigger the extraterritorial effect of the GDPR, as it involves monitoring EU

citizens outside the EU by non-EU law enforcement bodies, which may not be subject to any decision

made at a Union level that is binding for that member state.

Option D would not trigger the extraterritorial effect of the GDPR, as it involves processing personal

data of EU residents by a non-EU business that targets EU customers, which may not be subject to

any decision made at a Union level that is binding for that member state.

Reference: 1: Free CIPP/E Study Guide - International Association of Privacy Professionals.

Reference: https://hsfnotes.com/data/2019/12/02/edpb-adopts-final-guidelines-on-gdpr-extraterritoriality/

Before Anna determines whether Frank’s performance database is permissible, she needs to know

more information about the following aspects of the data processing:

The purpose and legal basis of the data processing, which should be clearly defined and documented

in a data protection impact assessment (DPIA) or a similar document12.

The nature and extent of the personal data involved, which should be limited to what is necessary for

the purpose and not retained longer than necessary12.

The measures taken to ensure the security and confidentiality of the personal data, such as

encryption, pseudonymization, access control, etc12.

The rights and interests of the data subjects, such as their right to access, rectify, erase or restrict

their personal data, as well as their right to object or withdraw consent12.

The potential risks and consequences of the data processing for the rights and freedoms of the data

subjects, such as identity theft, discrimination, reputational damage, etc12.

In this case, Anna needs to know more information about what students have been told and how the

research will be used. This is because:

The purpose of using student records for research purposes is not clear from Frank’s description. He

does not specify whether he has obtained consent from the students or their parents/guardians, or

whether he has informed them about his research objectives and methods.

The nature and extent of using student records for research purposes is not clear from Frank’s

description. He does not specify which student records he is using (e.g., by name or by reference

number), how many records he is using (e.g., by cohort or by class), or how long he will keep them

(e.g., until graduation or indefinitely).

The measures taken to ensure the security and confidentiality of using student records for research

purposes are not clear from Frank’s description. He does not specify whether he has encrypted his

program or his laptop before transferring it to his home device, whether he has backed up his

program or his laptop before losing it on the train, or whether he has reported his lost laptop to his IT

department.

Therefore, Anna needs more information about these aspects before she can determine whether

Frank’s performance database is permissible under the GDPR.

Reference: 1: Free CIPP/E Study Guide - International Association of Privacy Professionals 2: CIPP/E

Certification - International Association of Privacy Professionals

According to the CIPP/E study guide, Article 56 of the GDPR establishes the concept of the lead

supervisory authority, which is the supervisory authority of the main or single establishment of the

data controller or processor in the EU1. The lead supervisory authority has the primary responsibility

for dealing with cross-border data processing, in cooperation with other concerned supervisory

authorities1. Article 60 of the GDPR requires the lead supervisory authority to cooperate with the

other supervisory authorities concerned in an endeavour to reach consensus2. The other supervisory

authorities concerned are those that are established in a Member State where the data controller or

processor has an establishment or where data subjects are substantially affected or likely to be

substantially affected by the processing2. In the scenario, T-Craze is a German-headquartered

company that has a French affiliate responsible for all marketing and sales activities. Therefore, the

French supervisory authority is the lead supervisory authority for the processing of personal data

related to the marketing and sales activities of T-Craze, as it is the supervisory authority of the main

establishment of the data controller in the EU. The Spanish supervisory authority is a concerned

supervisory authority, as it is the supervisory authority of the Member State where data subjects are

likely to be substantially affected by the processing, such as Sofia who filed a complaint. Therefore,

the Spanish supervisory authority notifies the French supervisory authority when it opens an

investigation into T-Craze based on Sofia’s complaint, in order to cooperate with the lead supervisory

authority and seek consensus on the action to be taken2. Reference: 1: CIPP/E study guide, page

87; Art. 56 GDPR; Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)2: CIPP/E study

guide, page 88; Art. 60 GDPR; Guidelines 3/2018 on the territorial scope of the GDPR (Article 3).

Section: (none)

The European Council and the Council of the European Union are two different EU institutions that

have similar names but distinct roles and memberships. The European Council is the body of leaders

(heads of state or government) of the 27 EU member states that defines the EU’s general political

direction and priorities1. The European Council does not adopt EU legislation, but rather sets the

agenda and gives guidance to the other EU institutions1. The Council of the European Union,

informally known as the Council, is composed of national ministers from each EU member state,

grouped by policy area1. The Council is one of the two legislative bodies of the EU, along with the

European Parliament, and negotiates and adopts EU laws, coordinates member states’ policies, and

develops the EU’s common foreign and security policy1. The key difference between the two

institutions is that the European Council is comprised of the heads of each EU member state, while

the Council of the European Union is comprised of the ministers of each EU member

state12. Reference: European Council | Council of the European Union, What is the difference

between EU Council, Council of the European Union, and Council of Europe?

Reference: https://www.quora.com/What-is-the-difference-between-the-European-Council-theCouncil-of-the- European-Union-and-the-Council-of-Europe

One of the main differences between a Regulation and a Directive in the EU law is that a Regulation

is directly applicable and binding in all EU member states, without the need for national

implementing measures, while a Directive sets out the objectives and principles that the member

states must achieve, but leaves them the choice of form and methods to transpose it into their

national laws. Therefore, by taking the form of a Regulation, the GDPR aims to harmonize and unify

the data protection rules across the EU, and to ensure a consistent implementation and enforcement

of the data protection laws throughout the EU. The other aspects of the GDPR listed in the question,

such as the one-stop shop mechanism, the mandatory notification of large-scale data breaches, and

the mandatory appointment of a data protection officer, are also important features of the GDPR, but

they do not have the same impact on the consistency of the data protection laws as the form of a

Regulation.

Reference: Difference between A Regulation And Directive (European Law)1; EUR-Lex - 310401_2 -

EN - EUR-Lex2; EU GDPR vs. European Data Protection Directive 95/46/EC - Advisera3; Difference

between GDPR and Data Protection Directive - Profolus

According to the CIPP/E study guide1, the European Commission is the EU institution that has the

power to propose new data protection legislation on its own initiative, as well as amend or repeal

existing laws. The European Commission is also responsible for implementing and enforcing the EU

data protection framework, in cooperation with other institutions and national authorities.

Reference: 1: Free CIPP/E Study Guide - International Association of Privacy Professionals

Reference: https://www.tandfonline.com/doi/full/10.1080/13600834.2019.1573501

The accountability principle found in Article 5, Section 2 of the GDPR requires data controllers to

take responsibility for complying with the GDPR and to be able to demonstrate their

compliance1. This means that data controllers must implement appropriate technical and

organisational measures to ensure and show that they process personal data in accordance with the

GDPR2. One of the measures that can demonstrate compliance with the accountability principle is

conducting regular audits of the data protection program. Audits are systematic and independent

assessments of the data processing activities and the data protection policies and procedures of an

organisation3. They can help to identify and address any gaps or risks in the data protection program,

as well as to verify the effectiveness and efficiency of the data protection measures3. Audits can also

provide evidence of compliance to the supervisory authorities and the data subjects, as well as to

enhance the trust and reputation of the organisation3. Therefore, conducting regular audits of the

data protection program is a way to demonstrate compliance with the accountability

principle. Reference: 1: CIPP/E study guide, page 15; Art. 5 GDPR; Accountability principle | ICO2:

CIPP/E study guide, page 16; Art. 24 GDPR; [Guide to accountability and governance | ICO]3: CIPP/E

study guide, page 91; [Auditing | ICO]; [GDPR Audits: What You Need to Know - IT Governance Blog].

According to the GDPR, consent is one of the six lawful bases for processing personal data, but not

the only one. The other five are: contract, legal obligation, vital interests, public task and legitimate

interests. Legitimate interests can be invoked by controllers who process personal data for their own

benefit or for the benefit of third parties, as long as such processing does not override the rights and

freedoms of the data subjects, especially if they are children. The GDPR also recognizes that

processing personal data for journalistic purposes or the purposes of academic, artistic or literary

expression may be necessary for the exercise of the right to freedom of expression and information,

which is a legitimate interest. Therefore, the company may not need to obtain the consent of

everyone whose image they use for their documentary, if they can demonstrate that their processing

is necessary for the purposes of their journalistic, artistic or literary expression, and that they have

taken into account the reasonable expectations of the data subjects and the potential impact on their

privacy. The company should also comply with any relevant national laws or codes of conduct that

may apply to such processing. Reference:

GDPR, Article 6(1)(a)-(f)

GDPR, Recital 47

GDPR, Article 85

The GDPR and the Convention 108 are two important data protection instruments that aim to protect

the rights and freedoms of individuals with regard to their personal data. They both have some

similarities and some differences, but one common feature is that they both require notification of

processing activities to a supervisory authority.

A supervisory authority is an independent public body that monitors and enforces compliance with

data protection laws. In the EU, there are 47 national data protection authorities (DPAs) that have

the power to impose administrative fines, issue guidelines, conduct investigations, and cooperate

with other authorities1. In the Council of Europe, there are 54 parties to the Convention 108 that

have established their own supervisory authorities or have agreed to be supervised by an external

authority2.

Notification of processing activities is a requirement for any controller or processor of personal data

that falls under the scope of the GDPR or the Convention 108. A controller is a natural or legal person

who determines the purposes and means of the processing of personal data3. A processor is a

natural or legal person who processes personal data on behalf of a controller3. Notification means

informing the supervisory authority about certain aspects of the processing, such as:

The identity and contact details of the controller and processor

The categories and sources of personal data

The purposes and legal basis for processing

The recipients or categories of recipients of personal data

The retention period or criteria for determining it

The existence of any automated decision-making or profiling

The rights of data subjects and how they can exercise them

Notification can be done in various ways, such as:

Submitting a written notification form

Publishing a notice on a website or other platform

Sending an email or other electronic message

Using an online system or portal

Notification should be done as soon as possible after becoming aware of any relevant information

about the processing. It should also be updated whenever there are significant changes in relation to

the processing4.

Therefore, both the GDPR and the Convention 108 require notification of processing activities to a

supervisory authority. This is one way to ensure transparency, accountability, and compliance with

data protection laws.

Reference: https://rm.coe.int/090000168093b851