Which change was introduced by the 2009 amendments to the e-Privacy Directive 2002/58/EC?
Answer(s): D
The e-Privacy Directive 2002/58/EC, also known as the Directive on privacy and electronic communications, is a specific directive that complements and particularises the GDPR for the electronic communications sector. It was amended in 2009 by Directive 2009/136/EC, which introduced several changes to enhance the protection of personal data and privacy in the electronic communications sector. One of these changes was the introduction of a mandatory notification for personal data breaches applicable to providers of publicly available electronic communications services, such as telecom providers and internet service providers. According to Article 4 of the amended e-Privacy Directive, these providers must notify the competent national authority of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Community. The notification must be made without undue delay and, where feasible, not later than 24 hours after the provider has become aware of the breach. The notification must include information such as the nature and content of the personal data concerned, the circumstances and consequences of the breach, and the measures taken or proposed by the provider to address the breach. The provider must also notify the affected data subjects of the breach, unless the provider has demonstrated to the satisfaction of the competent authority that it has implemented appropriate technological protection measures that render the data unintelligible to any person who is not authorised to access it. The notification to the data subjects must describe the nature of the breach and the contact points where more information can be obtained, and must recommend measures to mitigate the possible adverse effects of the breach.
The purpose of this mandatory notification is to ensure that the authorities and the data subjects are informed of the risks and the remedies related to the breach, and to encourage the providers to improve their security measures and prevent further breaches.
e-Privacy Directive, Changes to e-Privacy Directive Approved by European Parliament, Article 2 Amendments to Directive 2002/58/EC (Directive on privacy and electronic communications), Personal data breaches
https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32009L0136
What is a reason the European Court of Justice declared the Data Retention Directive invalid in 2014?
Answer(s): A
The Data Retention Directive was an EU law that required providers of electronic communications services to retain certain data, such as traffic and location data, for a period of between six months and two years, for the purpose of preventing, investigating, detecting and prosecuting serious crime. However, in 2014, the Court of Justice of the European Union declared the Directive invalid, because it violated the fundamental rights to respect for private life and to the protection of personal data, as enshrined in the Charter of Fundamental Rights of the EU [2]. The Court found that the Directive entailed a wide-ranging and particularly serious interference with those rights, without being limited to what is strictly necessary. One of the reasons for this finding was that the Directive applied to all individuals, all means of electronic communication and all traffic data without any differentiation, limitation or exception, thus affecting the entire population of the EU [4]. The Court also noted that the Directive did not provide sufficient safeguards to ensure effective protection of the data against the risk of abuse and unlawful access, and did not require the data to be retained within the EU [5].
[1] Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC
[2] Charter of Fundamental Rights of the European Union
[3] Press release No 54/14 - Judgment in Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger and Others
[4] Judgment of the Court (Grand Chamber) of 8 April 2014. Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others and Kärntner Landesregierung and Others. Requests for a preliminary ruling from the High Court (Ireland) and the Verfassungsgerichtshof (Austria). Joined cases C-293/12 and C-594/12
[5] Ibid.
https://www.loc.gov/law/help/eu-data-retention-directive/eu.php#:~:text=In%20April%202014%2C%20the%20Grand,proportionality%20in%20forging%20the%20Directive.
Which type of personal data does the GDPR define as a "special category" of personal data?
Answer(s): B
According to Article 9 of the GDPR, special category data is personal data that needs more protection because it is sensitive. The GDPR defines 10 types of personal data as special categories, which are: personal data revealing racial or ethnic origin; personal data revealing political opinions; personal data revealing religious or philosophical beliefs; personal data revealing trade union membership; genetic data; biometric data (where used for identification purposes); data concerning health; data concerning a person's sex life; and data concerning a person's sexual orientation. Among the answer choices, only option B falls under one of these categories, as trade union membership is considered to reveal political opinions or beliefs. Options A, C and D are not considered special category data, as they do not reveal any sensitive information about the data subject. However, they are still subject to the general principles and rules of the GDPR, such as lawfulness, fairness, transparency, accuracy, security, etc.
Special category data | ICO
Art. 9 GDPR Processing of special categories of personal data
Special Categories of Data - International Association of Privacy Professionals
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/special-category-data/#:~:text=The%20GDPR%20defines%20special%20category%20data%20as%3A&text=personal%20data%20revealing%20trade%20union,used%20for%20identification%20purposes)%3B
After leaving the EU under the terms of Brexit, the United Kingdom will seek an adequacy determination. What is the reason for this?
Answer(s): C
The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not. The GDPR also applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to the offering of goods or services to such data subjects in the EU or the monitoring of their behaviour as far as their behaviour takes place within the EU [1]. Therefore, after leaving the EU under the terms of Brexit, the UK became a third country for the purposes of the GDPR, meaning that personal data transfers from the EU to the UK are subject to the rules on international data transfers under Chapter V of the GDPR [2]. In order to ensure the continuity and stability of data flows between the EU and the UK, the UK sought an adequacy decision from the European Commission, which is a formal recognition that a third country provides an equivalent level of data protection to that of the EU [3]. On 28 June 2021, the European Commission adopted two adequacy decisions in respect of the UK: one for transfers under the GDPR and the other for transfers under the Law Enforcement Directive (LED) [4]. These decisions allow personal data to flow freely from the EU to the UK without any further safeguard being necessary, and are expected to last until 27 June 2025, unless they are amended, suspended or repealed earlier.
GDPR, Article 3
GDPR, Chapter V
Data protection adequacy for non-EU countries, section "Adequacy decisions"
UK government welcomes the European Commission's draft data adequacy decisions
Adequacy, section "What does the EU GDPR adequacy decision say?"
https://www.euractiv.com/section/digital/news/commission-must-refuse-uk-data-adequacy-rights-group-says/
Post your Comments and Discuss IAPP CIPP-E exam with other Community members:
Martinez commented on September 21, 2024 This exam was so hard, I thought I'd need a miracle. Turns out, exam dumps are the next best thing. NETHERLANDS
Filipa commented on August 27, 2024 Question 143 is incorrect, the answer should be B, and the explanation is unrelated to the scenario. Other than that, great work. PORTUGAL
Nell commented on August 18, 2024 Hello. This is very helpful. UNITED KINGDOM
X commented on August 08, 2024 Answers are correct. Anonymous