Free IAPP CIPP-E Practice Exam with Questions & Answers | Set: 2

The GDPR does not explicitly regulate background checks, but it does apply to the processing of personal data that may be obtained or used during such checks. Therefore, the company must comply with the GDPR principles, such as lawfulness, fairness, transparency, data minimization, purpose limitation, accuracy, storage limitation, integrity and confidentiality, and accountability. The company must also identify a lawful basis for processing personal data, such as legal obligation, legitimate interest, or consent, and respect the data subject rights, such as the right to information, access, rectification, erasure, restriction, objection, and portability. Moreover, the company must be aware of the specific rules and restrictions regarding the processing of special categories of data (such as biometric, health, or political data) and data relating to criminal convictions and offences, which are subject to Article 10 of the GDPR and the laws of each member state. The company must also consider the national employment laws and the guidelines of the relevant supervisory authorities, which may impose additional conditions or limitations on the scope, methods, and purposes of background checks. For example, some member states may require prior authorization, notification, or consultation with the supervisory authority, the data subject, or the works council before conducting background checks. Some member states may also prohibit or restrict certain types of background checks, such as social media screening, credit checks, or criminal record checks, unless they are necessary, proportionate, and relevant for the specific job position or sector. Therefore, the company must conduct a thorough assessment of the legal framework and the risks and benefits of background checks in each member state where it operates or recruits employees, and ensure that it has a clear and consistent policy and procedure for conducting background checks in a GDPR-compliant manner. References: How to ‘background check’ under the GDPR, How to perform GDPR compliant background checks, GDPR and the processing of criminal conviction data across Europe, Pre-employment vetting: Data protection and criminal records, How GDPR Affects Background Checking

According to Article 33 of the GDPR, in the case of a personal data breach, the processor (Provider Y) shall notify the controller (Company X) without undue delay after becoming aware of the breach. The processor does not have the obligation to notify the supervisory authority, the public, or law enforcement, unless otherwise required by law. The controller is responsible for notifying the supervisory authority and, where necessary, the data subjects, unless the breach is unlikely to result in a risk to their rights and freedoms. References:

Article 33 of the GDPR, which regulates the notification of a personal data breach to the supervisory authority.

[Article 34 of the GDPR], which regulates the communication of a personal data breach to the data subject.

ICO guidance, which explains the roles and responsibilities of controllers and processors in relation to data breach notification.

The CJEU ruled that the consent required by the ePrivacy Directive for the use of cookies must comply with the conditions laid down in the GDPR, which means that it must be specific, informed, unambiguous, and freely given. Therefore, pre-checked boxes or implied consent by scrolling are not valid forms of consent for cookies. The CJEU also clarified that the ePrivacy Directive applies to any information stored or accessed on a user’s device, regardless of whether it is personal data or not. Furthermore, the CJEU stated that the information provided to users about cookies must include the duration of the operation of cookies and the possibility of third parties accessing them.

References: CIPP/E Study Guide, page 29; CIPP/E Textbook, page 137; Planet49 case

According to the GDPR, the processing of personal data obtained through monitoring software must be lawful, fair, and transparent. This means that the employer must inform the employees about the nature, extent, and reasons for monitoring, and the possible consequences of non-compliance with the company’s policies. The employer must also have a legitimate interest or another lawful basis for processing the employees’ data, and respect their rights and freedoms. The employer must also comply with the national laws and guidelines of each member state where it operates, which may impose additional conditions or limitations on employee monitoring. In this case, Building Block did not inform the employee from Italy that the security software would also monitor his computer activity and location, and did not specify the purpose and scope of such monitoring. Therefore, the employee could not reasonably expect that his personal data would be processed in this way, and could not exercise his rights under the GDPR, such as the right to access, rectify, or object to the processing. Moreover, the employer did not conduct a proper assessment of the necessity and proportionality of the monitoring, and did not consider less intrusive alternatives to achieve its security goals. Therefore, the employer could face legal challenges from the employee, the Italian supervisory authority, or the labor courts, if it decides to apply disciplinary measures based on the data obtained through the monitoring software. The employer could also face fines or sanctions for violating the GDPR and the Italian data protection law. References: GDPR requirements for employee monitoring: rules to follow, Can Your Organisation Monitor Employees’ Personal Communications?, ICO publishes guidance to ensure lawful monitoring in the workplace, [Guidelines on processing personal data in the context of connected vehicles and mobility related applications]

According to the UK GDPR, the controller and the processor must support the data protection officer in performing the tasks referred to in Article 39 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge1. The controller and the processor must also ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks and that he or she reports directly to the highest management level of the controller or the processor1. 

The NIS2 Directive is the EU’s legislation on cybersecurity that updates and replaces the previous NIS Directive. It aims to create a high common level of cybersecurity across the EU by setting up legal measures for the security of network and information systems used by essential and important entities in various sectors and by enhancing cooperation among the member states. The NIS2 Directive does not establish a common controls framework that every organization must adopt, but rather allows each member state to define the appropriate security measures and incident reporting requirements for the entities under its jurisdiction, taking into account the specificities of each sector and subsector. However, the NIS2 Directive does provide some general principles and objectives for the security measures, such as proportionality, risk-based approach, state of the art, and regular review and update. The NIS2 Directive also introduces minimum harmonised rules for the supervision and enforcement of the security measures and incident reporting obligations, including the possibility of imposing administrative fines.

References:

NIS2 Directive, Articles 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, and 14.

The NIS2 Directive: A high common level of cybersecurity in the EU, pages 1, 2, 3, 4, 5, 6, 7, and 8.

 According to the Free CIPP/E Study Guide, page 16, “the GDPR provides for a one-stop-shop mechanism, which means that a controller or processor with establishments in several Member States will have only one supervisory authority as its interlocutor, which will act as the lead authority. However, this does not mean that the lead authority has exclusive competence to supervise all processing activities of the controller or processor throughout the EU. The GDPR also allows for the possibility of a relevant and reasoned objection by a concerned supervisory authority, which may trigger the consistency mechanism and the involvement of the European Data Protection Board (EDPB). Moreover, the GDPR recognizes the right of any supervisory authority to adopt urgent measures on its own territory or to commence legal proceedings before a court in its Member State in order to protect the rights and freedoms of data subjects.” Therefore, the lead regulator should accept the Spanish supervisory authority’s notice that it plans to take action regarding Sofia’s complaint, as the GDPR permits non-lead authorities to take action for such complaints, especially when they involve urgent measures or legal proceedings to protect the data subjects’ rights and freedoms. The other options are incorrect, as they do not reflect the GDPR’s provisions on the one-stop-shop mechanism and the cooperation and consistency mechanisms. References:

Free CIPP/E Study Guide, page 16

GDPR, Articles 56, 60, 61, 62, 63, 64, 65 and 66