A 'personal data breach' is defined under Article 4(12) of the GDPR as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. The key element is the involvement of personal data. An organisation's information security policy is a general procedural document and does not typically contain personal data. Therefore, its deletion is an information availability issue but not a personal data breach. The other scenarios all involve security incidents affecting the personal data of customers, employees, or students.

B. The unauthorised changing of a person's address details is a breach of data integrity affecting personal data.

C. The accidental destruction of an employee's HR file is a breach of data availability affecting personal data.

D. The loss of a memory stick with student details is a breach of confidentiality and availability affecting personal data.

1. Regulation (EU) 2016/679 (General Data Protection Regulation).

Article 4(12): Defines 'personal data breach' as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data..."

Article 4(1): Defines 'personal data' as "any information relating to an identified or identifiable natural person..."

2. Information Commissioner's Office (ICO). "Guide to the General Data Protection Regulation (GDPR) - Personal data breaches."

Section: "What is a personal data breach?" This official guidance states, "A personal data breach is a security incident that has affected the confidentiality, integrity or availability of personal data." It confirms that the incident must involve personal data to be classified as such a breach.

3. European Data Protection Board (EDPB). "Guidelines 9/2022 on personal data breach notification under GDPR," Version 2.0, 28 March 2023.

Section 2.1, "Definition of a personal data breach": This document reiterates the GDPR definition and provides examples, clarifying that the three types of breaches (confidentiality, integrity, availability) must relate specifically to personal data. The deletion of a non-personal document like a policy does not meet this criterion.

Under the General Data Protection Regulation (GDPR), the 'main establishment' for a data controller is the "place of its central administration in the Union." This is the location where the ultimate decisions about the purposes and means of data processing are made. In this scenario, the "Company Board and administrative functions" are based in Germany. This indicates that Germany is the center of management and control where strategic decisions concerning data processing activities are taken for the entire company. The locations of retail outlets or specific departments like payroll do not override the location of the central administration as the primary determinant.

A. Belgium: This location has the highest number of retail outlets, indicating significant operational activity, but not the central decision-making authority required to be the main establishment.

B. France: Similar to Belgium, this is a location of operational retail activities, not the company's central administration where strategic data processing decisions are made.

D. Poland: While housing the DPO and a key processing function (payroll), this is an operational site. The location of a DPO is not the determining factor for the main establishment.

1. Regulation (EU) 2016/679 (General Data Protection Regulation), Article 4(16)(a): Defines 'main establishment' for a controller as "the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment...and the latter establishment has the power to have such decisions implemented, in which case the establishment where such decisions are taken is to be considered the main establishment."

2. Article 29 Working Party, "Guidelines for identifying a controller or processor’s lead supervisory authority" (WP244 rev.01), 5 April 2017, Section 2.1, page 7: "The GDPR clarifies that for a controller, the main establishment is the place of its central administration in the EU... The place of central administration is not defined in the GDPR but it can be understood as the head office or headquarters of a company where key management and control functions are exercised."

3. Regulation (EU) 2016/679 (General Data Protection Regulation), Recital 36: "The main establishment of a controller in the Union should be determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to the purposes and means of processing through stable arrangements." The presence of the Company Board in Germany aligns with this recital.

The UK General Data Protection Regulation (UK GDPR), as implemented by the Data Protection Act 2018, establishes a two-tiered system for administrative fines. A significant security breach, involving the failure to protect personal data (violating the 'integrity and confidentiality' principle), falls into the higher tier. This tier carries a maximum penalty which is the greater of £17.5 million or 4% of the total annual worldwide turnover of the preceding financial year. As the question asks for the maximum possible fine for a serious breach, this higher tier applies.

B. The fixed monetary amount is incorrect for the higher penalty tier under the UK GDPR.

C. This option incorrectly combines the former EU GDPR monetary value (€20 million) with the percentage from the lower penalty tier.

D. This represents the lower maximum penalty tier (£8.7 million or 2% of turnover), which applies to less severe infringements, not a major breach of core principles.

---

1. Information Commissioner's Office (ICO). Guide to the UK General Data Protection Regulation (UK GDPR), Part 6: Enforcement, Penalties. The guide explicitly states: "The UK GDPR applies two tiers of administrative fines... The higher maximum is £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher." It confirms that infringements of the basic principles for processing fall under this higher maximum. (Available at: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/penalties/)

2. UK General Data Protection Regulation (UK GDPR). Article 83, Paragraph 5. This article lists the infringements subject to the highest level of administrative fines, including violations of "the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9". The failure to maintain security is a violation of the principle of 'integrity and confidentiality' outlined in Article 5(1)(f).

3. Data Protection Act 2018. Part 6, Section 157 (Maximum amount of penalty). This section of the UK's primary data protection legislation confirms that the maximum penalties are those set out in Article 83 of the UK GDPR. Post-Brexit regulations amended the Euro figures to the current Sterling amounts (£17.5m and £8.7m).

Under UK law, the right to a private life is a fundamental human right granted to all individuals. This right is enshrined in the Human Rights Act 1998, which incorporates Article 8 of the European Convention on Human Rights (ECHR) into domestic law. Article 8(1) explicitly states, "Everyone has the right to respect for his private and family life, his home and his correspondence." The term "Everyone" is universal and does not provide for exceptions based on profession or public status. While the courts may find that public figures have a lower reasonable expectation of privacy in certain circumstances, this does not extinguish their fundamental entitlement to the right itself.

B. Members of Parliament, like all other individuals, are entitled to a private life under the Human Rights Act 1998, although public interest can sometimes justify intrusion.

C. Public figures, including sportspeople and actors, are entitled to a private life. UK case law has repeatedly affirmed this, balancing their right against freedom of expression.

D. This is factually incorrect, as the right to a private life is explicitly protected by the Human Rights Act 1998.

1. Human Rights Act 1998, c. 42, Schedule 1, Part I, Article 8. The official UK legislation states: "1. Everyone has the right to respect for his private and family life, his home and his correspondence." This statutory text confirms the universal application of the right.

2. University of Oxford, Faculty of Law. In course materials for Human Rights Law, it is a foundational principle that rights under the ECHR, such as Article 8, are afforded to "everyone" within a state's jurisdiction, without prejudice to their status. The application may be balanced against other rights, but the entitlement is universal. (See, for example, discussions in the "ECHR and UK Human Rights Law" module).

3. Campbell v MGN Ltd [2004] UKHL 22. This landmark House of Lords judgment is a primary source for understanding privacy rights of public figures in the UK. The ruling confirmed that the model Naomi Campbell, a public figure, had a right to privacy regarding her medical treatment. Lord Hope of Craighead stated (at para 96), "The private nature of the information is not extinguished because the person to whom it relates is a public figure." This directly refutes option C.

The Data Protection Act 1984 was the United Kingdom's first piece of legislation to introduce and regulate data protection rights. This Act was established to control the processing of personal data held on computers and was enacted partly to allow the UK to ratify the Council of Europe's Convention 108. It created the role of the Data Protection Registrar (the precursor to the Information Commissioner) and established a set of principles for data handling. While subsequent acts in 1998 and 2018 significantly updated and replaced this law, the 1984 Act was the foundational legislation that first introduced these specific rights into UK law.

A. The Data Protection Act 1998 was a significant update that replaced the 1984 Act, but it was not the first of its kind.

B. There was no major Data Protection Act passed in 1992; this option is an incorrect date and serves as a distractor.

D. The Data Protection Act 2018 is the current primary legislation, which incorporated the GDPR, but it succeeded previous data protection laws.

---

1. UK Public General Acts. (1984). Data Protection Act 1984. legislation.gov.uk. The long title of the Act states its purpose: "An Act to regulate the use of automatically processed information relating to individuals and the provision of services in respect of such information." This is the original statute introducing these rights. Available at: https://www.legislation.gov.uk/ukpga/1984/35/contents

2. Information Commissioner's Office (ICO). (n.d.). Our history. "1984: The Data Protection Act 1984 is passed by Parliament, giving effect to the Council of Europe Convention 108. The office of the Data Protection Registrar is created." This official source confirms the 1984 Act as the origin. Available at: https://ico.org.uk/about-the-ico/who-we-are/our-history/

3. Edwards, L. (2018). From the Data Protection Act 1984 to the General Data Protection Regulation: a UK perspective. International Data Privacy Law, 8(3), 227–229. The article's introduction explicitly states, "The United Kingdom’s first data protection law was the Data Protection Act 1984 (DPA 1984)." DOI: https://doi.org/10.1093/idpl/ipy014

A Data Protection Impact Assessment (DPIA) is an internal process used by an organisation to identify and minimise the data protection risks of a project. Under Article 36 of the GDPR, a controller is only required to consult the supervisory authority (such as the ICO in the UK) if the DPIA indicates that the processing would result in a high risk that cannot be mitigated. There is no general requirement to submit all DPIAs. The other options correctly state the core purposes of a DPIA: it is a key tool for demonstrating accountability (Article 5(2)), implementing data protection by design and by default (Article 25), and systematically identifying and mitigating risks to individuals' rights and freedoms (Article 35).

B. A DPIA provides documented evidence of risk assessment and mitigation, which is a fundamental aspect of the GDPR's accountability principle.

C. A DPIA is a key mechanism for embedding data protection considerations into the design of new projects, fulfilling the 'by design' requirement.

D. The primary function of a DPIA is to systematically assess processing operations to identify and find ways to mitigate risks to data subjects.

---

1. General Data Protection Regulation (EU) 2016/679, Article 36(1): "The controller shall consult the supervisory authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk." This text explicitly states that consultation (and submission of the DPIA) is conditional on unmitigated high risk, not a universal requirement.

2. Information Commissioner's Office (ICO), "Data protection impact assessments": In the section "When do we need to consult the ICO?", the official guidance states: "You must consult the ICO before you begin processing if your DPIA identifies a high risk and you cannot take any measures to reduce this risk." This confirms that not all DPIAs are submitted. The same guidance also links DPIAs to accountability and data protection by design.

3. University of Cambridge, "GDPR: Data Protection Impact Assessments (DPIA)": The university's official compliance documentation states, "A DPIA is a key element of the 'accountability' principle of the GDPR... It is also a key part of the 'data protection by design' approach." This source, from a reputable academic institution, validates that options B and C are core purposes of a DPIA.

According to Article 28(2) of the General Data Protection Regulation (GDPR), a processor is explicitly prohibited from engaging another processor (a sub-processor) without obtaining prior written authorisation from the controller. This authorisation can be either specific to a particular sub-processor or a general written authorisation for the processor to engage sub-processors. In the case of a general authorisation, the processor must inform the controller of any changes, giving the controller the opportunity to object. This requirement ensures the controller maintains ultimate control and awareness over who is processing the personal data for which they are responsible.

B. Adherence to an approved code of conduct is a mechanism to demonstrate compliance but does not override the explicit legal requirement for prior written authorisation from the controller as stated in GDPR Article 28(2).

C. A contract imposing the same obligations is a mandatory requirement under GDPR Article 28(4) after a sub-processor has been authorised, but it is not a substitute for obtaining the controller's prior authorisation.

D. The GDPR does not provide a "low-risk" exemption for the requirement to obtain controller authorisation. The rules outlined in Article 28 apply to all processing activities conducted by a processor, regardless of the perceived risk level.

1. Regulation (EU) 2016/679 (General Data Protection Regulation), Official Journal of the European Union, L 119/1.

Article 28(2): "The processor shall not engage another processor (a sub-processor) without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes." (Supports the correctness of A and the incorrectness of B, C, and D).

Article 28(4): "Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor...shall be imposed on that other processor by way of a contract..." (Explains why C is an additional requirement, not a substitute for authorisation).

2. European Data Protection Board (EDPB), Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 2.0, 7 July 2020.

Paragraph 105 (Page 33): "Article 28(2) GDPR requires the processor to seek the controller’s prior specific or general written authorisation before engaging a sub-processor. This is a key element of the controller’s control over the processing of personal data entrusted to the processor." (Directly supports the explanation for answer A).

Data sharing is a form of processing personal data and is therefore governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). Section 121 of the DPA 2018 specifically mandates the Information Commissioner to prepare a statutory code of practice that provides practical guidance on sharing personal data in compliance with data protection legislation. This "Data sharing: a code of practice" has been issued by the Information Commissioner's Office (ICO) and was laid before the UK Parliament, giving it statutory force. It clarifies how the principles and obligations of the DPA 2018 apply to data sharing scenarios.

B. The Privacy and Electronic Communications Regulations (PECR) govern electronic marketing and cookies, not the general practice of data sharing between organisations.

C. The Freedom of Information Act provides a right of public access to information held by public bodies, which is distinct from the general regulation of data sharing practices.

D. Data sharing is explicitly regulated as a form of 'processing' under the DPA 2018 and UK GDPR; the ICO's guidance is a statutory code, not merely best practice.

1. Data Protection Act 2018, c. 12, Part 5, Chapter 2, Section 121. This section mandates the creation of the code. It states, "(1) The Commissioner must prepare a code of practice which contains—(a) practical guidance in relation to the sharing of personal data in accordance with the requirements of the data protection legislation...". Available at: https://www.legislation.gov.uk/ukpga/2018/12/section/121/enacted

2. Information Commissioner's Office (ICO). (2021). Data sharing: a code of practice. The introduction states: "This data sharing code of practice is a statutory code issued under section 121 of the Data Protection Act 2018 (DPA 2018). It is a practical guide for organisations about how to share personal data in a way that complies with data protection law." (p. 5). Available at: https://ico.org.uk/media/for-organisations/documents/2619451/data-sharing-code-of-practice.pdf

3. UK General Data Protection Regulation (UK GDPR), Article 4(2). This article defines 'processing' to include "disclosure by transmission, dissemination or otherwise making available," which legally categorizes data sharing as a regulated activity. Available at: https://www.legislation.gov.uk/eur/2016/679/article/4 (as retained in UK law).

The two businesses are joint controllers because they jointly determine the purposes and means of processing personal data. They have a common purpose (selling products together via mail order) and have jointly decided on the means (a single website and a single order system). The fact that employees from both companies can administer all orders on this shared system further demonstrates this joint control over the processing activities. This arrangement fits the definition of joint controllership as outlined in Article 26 of the GDPR, where multiple entities collaborate on the essential decisions about data processing.

A. They are controllers of their own information contained in the single order system only.

This is incorrect because it fails to recognize the joint decision-making on the purposes and means of processing for the entire dataset, which is the hallmark of joint controllership.

B. They are controllers of their own information in the single order system and processors of the information they process on behalf of the other business.

This is incorrect. A processor acts on the instructions of a controller. Here, both businesses have a shared purpose and control, not a hierarchical controller-processor relationship.

C. The businesses are controllers of their respective information, and the staff are processors of this information.

This is incorrect because employees acting under the direct authority of their employer (the controller) are not considered separate processors.

---

1. General Data Protection Regulation (EU) 2016/679.

Article 26(1): "Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers." This directly defines the scenario described.

Article 4(7): Defines a 'controller' as the entity that "determines the purposes and means of the processing of personal data." The joint nature of this determination is key.

2. European Data Protection Board (EDPB), Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 2.1, Adopted on 7 July 2021.

Paragraph 52: "Joint controllership exists when different entities process the same or a set of personal data for a joint purpose and have jointly defined the means for this processing."

Paragraph 53: "The joint participation can take the form of a common decision taken by two or more entities or result from converging decisions... where the decisions complement each other and are necessary for the processing to take place..." This describes the businesses' agreement to use a single system for a shared goal.

Section 2.1, Example 1 (p. 23): Discusses a research project where several institutes jointly agree on the purpose, data, and means, concluding they are joint controllers. This provides a direct parallel to the business collaboration in the question.

The principle of transparency requires that data subjects are informed about how their personal data is being processed. Artificial Intelligence (AI) systems, particularly complex machine learning models, can be opaque and embedded within processes in a non-obvious way. This can result in 'invisible processing,' where individuals are unaware that their data is being collected, analyzed, or used to make decisions by an AI system. This lack of awareness is a direct challenge to the core requirement of the transparency principle, which mandates clear and open communication about data processing activities from the outset.

A. Data subjects' expectations do not absolve data controllers of their legal obligation to provide clear, specific information about processing activities as required by the transparency principle.

B. This is incorrect. Transparency requirements fully apply to AI. Furthermore, AI processing is not inherently compatible with original purposes and can lead to 'function creep'.

D. This is incorrect. There is no general exemption for AI from transparency requirements under major data protection frameworks like the GDPR.

1. Information Commissioner's Office (ICO). (2021). Guidance on AI and data protection.

Reference: Part 2, 'Principle 1: Lawfulness, fairness and transparency', page 31. The guidance states, "The transparency principle requires you to be clear, open and honest with people from the start about who you are, and how and why you use their personal data... This can be challenging in the context of AI, as it can be difficult to understand and explain how an AI system works." This difficulty directly contributes to the potential for invisible processing.

2. European Data Protection Board (EDPB). (2018). Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 (WP251rev.01).

Reference: Section III.B.3, 'Information to be provided to the data subject', page 25. The guidelines emphasize that for automated decision-making, controllers must provide "meaningful information about the logic involved". The inherent complexity of some AI models makes providing this information challenging, potentially leaving the data subject unaware of the processing logic or even its occurrence.

3. Kaminski, M. E. (2019). The Right to Explanation, Explained. Berkeley Technology Law Journal, 34(1), 189-218.

Reference: Page 199. The paper discusses the opacity of machine learning systems, noting that "many modern machine learning models are not readily explainable even to their designers." This inherent opacity is a primary driver of 'invisible processing' from the end-user's perspective, as it becomes difficult to communicate what the system is doing in a transparent manner. (Available via university repositories and legal scholarship databases).