Free CIPP-E Exam Braindumps (page: 25)

Page 25 of 68

To which of the following parties does the territorial scope of the GDPR NOT apply?

  A. All member countries of the European Economic Area.
  B. All member countries party to the Treaty of Lisbon.
  C. All member countries party to the Paris Agreement.
  D. All member countries of the European Union.

Answer(s): C

Explanation:

The territorial scope of the GDPR is determined by Article 3 of the Regulation, which sets out two main criteria for applying the GDPR to the processing of personal data: the establishment criterion and the targeting criterion. The establishment criterion applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not. The targeting criterion applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to the offering of goods or services to such data subjects in the EU or the monitoring of their behaviour as far as their behaviour takes place within the EU. In addition, the GDPR applies to the processing of personal data by a controller not established in the EU, but in a place where Member State law applies by virtue of public international law.
Therefore, the territorial scope of the GDPR does not depend on a country's membership of a particular international agreement or organisation, but on the location and activities of the controller or processor and of the data subjects involved in the processing. The Paris Agreement is an international treaty on climate change that aims to limit global warming and reduce greenhouse gas emissions. It has no direct or indirect relevance to the GDPR or to the protection of personal data. Hence, being a party to the Paris Agreement does not affect the applicability of the GDPR to a country or to a controller or processor established in that country. The other options are incorrect because they are directly or indirectly related to the GDPR or to the protection of personal data. The European Economic Area (EEA) consists of all EU member states plus Iceland, Liechtenstein and Norway. The EEA Agreement allows these three countries to participate in the EU's internal market and to adopt most EU legislation, including the GDPR. Therefore, the GDPR applies to all EEA countries as if they were EU member states. The Treaty of Lisbon is an international agreement that amends the two treaties which form the constitutional basis of the EU. The Treaty of Lisbon introduced several changes to the EU's institutional structure, decision-making process and policy areas, including the recognition of the Charter of Fundamental Rights of the EU as legally binding. The Charter of Fundamental Rights of the EU includes the right to the protection of personal data as a fundamental right, and provides the legal basis for the GDPR. Therefore, the GDPR applies to all EU member states that are parties to the Treaty of Lisbon. The European Union (EU) is a political and economic union of 27 member states located primarily in Europe. The EU has developed an internal single market through a standardised system of laws that apply in all member states, including the GDPR. Therefore, the GDPR applies to all EU member states by virtue of their membership of the EU.


Reference:

Art. 3 GDPR - Territorial scope; Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) - version adopted after public consultation; Paris Agreement - Wikipedia; European Economic Area - Wikipedia; Treaty of Lisbon - Wikipedia; European Union - Wikipedia


https://www.complianceweek.com/understanding-the-territorial-scope-of-the-gdpr/24693.article



What must a data controller do in order to make personal data pseudonymous?

  A. Separately hold any information that would allow linking the data to the data subject.
  B. Encrypt the data in order to prevent any unauthorized access or modification.
  C. Remove all indirect data identifiers and dispose of them securely.
  D. Use the data only in aggregated form for research purposes.

Answer(s): A

Explanation:

Pseudonymisation is a method that replaces the original data (for example, an e-mail address or a name) with an alias or pseudonym, in other words a value that does not allow the individual to be directly identified. It is a reversible process that de-identifies data but allows re-identification later on if necessary. This is a well-known data management technique, highly recommended by the General Data Protection Regulation (GDPR) as one of its data protection methods. To make personal data pseudonymous, a data controller must separately hold any information that would allow linking the data to the data subject, such as a key or a code, and ensure that this information is kept securely and is subject to technical and organisational measures that prevent unauthorised access or re-identification. The other options are not correct, as they either describe other data protection methods, such as encryption or anonymisation, or do not meet the definition of pseudonymisation under the GDPR.
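The following is an added illustration, not part of the original explanation, of what "separately hold the linking information" looks like in practice: the direct identifier (an e-mail address) is replaced with a keyed pseudonym, the shared data set keeps its analytic value (the same person still links across rows), and reversing it requires the linking table and key that the controller stores apart from the data. The records and key are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample data set (fictional people), as held by the controller.
RECORDS = [
    {"email": "alice@example.test", "city": "Lisbon", "orders": 3},
    {"email": "bob@example.test", "city": "Porto", "orders": 7},
    {"email": "alice@example.test", "city": "Lisbon", "orders": 1},
]


def make_key() -> bytes:
    """Secret pseudonymisation key. In production it is generated once and kept
    in a separate system (e.g. a KMS or HSM), never beside the pseudonymised data."""
    return secrets.token_bytes(32)


def pseudonymise(records, key):
    """Replace the direct identifier (e-mail) with a keyed pseudonym.

    Returns the pseudonymised data set and the 'additional information'
    (the linking table) that the controller must hold separately.
    """
    pseudo_records = []
    linking_table = {}
    for rec in records:
        # HMAC rather than a bare hash: a guessable e-mail cannot be mapped
        # to its pseudonym without the key, so the data set alone is not linkable.
        token = hmac.new(key, rec["email"].encode(), hashlib.sha256).hexdigest()[:24]
        linking_table[token] = rec["email"]
        pseudo_records.append({"pseudonym": token, "city": rec["city"], "orders": rec["orders"]})
    return pseudo_records, linking_table


def reidentify(pseudo_record, linking_table):
    """Reverse the pseudonymisation; only possible with the separately held table."""
    return linking_table[pseudo_record["pseudonym"]]


def contains_direct_identifiers(pseudo_records, records):
    """Sanity check before sharing: none of the original e-mails survive in the data set."""
    originals = {rec["email"] for rec in records}
    return any(v in originals for rec in pseudo_records for v in rec.values())


if __name__ == "__main__":
    key = make_key()
    pseudo, table = pseudonymise(RECORDS, key)
    print(pseudo)                        # shareable: no e-mails, but Alice's two rows still link
    print(reidentify(pseudo[0], table))  # needs the separately held table
```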


Reference:

Pseudonymization according to the GDPR, Pseudonymisation - Wikipedia, Anonymisation and pseudonymisation | Data Protection Commissioner


https://en.wikipedia.org/wiki/Pseudonymization



Which of the following entities would most likely be exempt from complying with the GDPR?

  A. A South American company that regularly collects European customers' personal data.
  B. A company that stores all customer data in Australia and is headquartered in a European Union (EU) member state.
  C. A Chinese company that has opened a satellite office in a European Union (EU) member state to service European customers.
  D. A North American company servicing customers in South Africa that uses a cloud storage system made by a European company.

Answer(s): D

Explanation:

The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not (Article 3(1)). The GDPR also applies to the processing of personal data of data subjects who are in the EU by a controller or a processor not established in the EU, where the processing activities are related to the offering of goods or services to such data subjects in the EU, or the monitoring of their behaviour as far as their behaviour takes place within the EU (Article 3(2)). Therefore, the GDPR would apply to the following entities:
A South American company that regularly collects European customers' personal data, as it is offering goods or services to data subjects in the EU.
A company that stores all customer data in Australia and is headquartered in a European Union (EU) member state, as it has an establishment in the EU.
A Chinese company that has opened a satellite office in a European Union (EU) member state to service European customers, as it has an establishment in the EU and is offering goods or services to data subjects in the EU.
The GDPR would not apply to the following entity:
A North American company servicing customers in South Africa that uses a cloud storage system made by a European company, as it does not have an establishment in the EU, nor is it offering goods or services to data subjects in the EU, nor is it monitoring their behaviour within the EU. The fact that it uses a cloud storage system made by a European company does not trigger the application of the GDPR, unless the cloud provider is also processing personal data on behalf of the North American company in the context of its activities in the EU.


Reference:

Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) - version adopted after public consultation; Art. 3 GDPR - Territorial scope - General Data Protection Regulation (GDPR)



Article 29 Working Party has emphasized that the GDPR forbids "forum shopping", which occurs when companies do what?

  A. Choose the data protection officer that is most sympathetic to their business concerns.
  B. Designate their main establishment in the member state with the most flexible practices.
  C. File appeals of infringement judgments with more than one EU institution simultaneously.
  D. Select third-party processors on the basis of cost rather than quality of privacy protection.

Answer(s): B

Explanation:

The GDPR aims to harmonize the data protection rules across the EU and to ensure consistent and effective enforcement of those rules. However, the GDPR also recognizes that there may be some differences in the interpretation and application of the law among the member states, depending on their national legislation, culture and practices. Therefore, the GDPR introduces the concept of the "main establishment" of a controller or processor, which is the place in the EU where the decisions on the purposes and means of the processing of personal data are taken [1]. The main establishment determines which national supervisory authority will act as the lead authority for the cross-border processing activities of that controller or processor, and which national law will apply in case of a dispute or a complaint. The Article 29 Working Party, an advisory body composed of representatives of the national supervisory authorities, the European Data Protection Supervisor and the European Commission, has issued guidelines on how to identify the main establishment of a controller or processor under the GDPR [3]. The guidelines emphasize that the main establishment must reflect the reality of the processing activities and the effective and real exercise of management power over those activities. The guidelines also warn against the practice of "forum shopping", which occurs when a controller or processor designates its main establishment in a member state with the most flexible or lenient data protection regime, regardless of the actual location of the decision-making or the data processing. The guidelines state that such a practice is forbidden under the GDPR, and that the supervisory authorities will closely monitor and verify the criteria used by controllers or processors to determine their main establishment. If the supervisory authorities find that the main establishment does not correspond to the factual situation, they may challenge the designation and apply the relevant corrective measures.


Reference:

[1] Art. 4(16) GDPR - Definitions - General Data Protection Regulation (GDPR)
[2] Art. 56-58 GDPR - Cooperation and consistency - General Data Protection Regulation (GDPR)
[3] Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) - European Data Protection Board
[4] Ibid., p. 14-15.


https://gdprinformer.com/gdpr-articles/forum-shopping-illegal-gdpr






Post your Comments and Discuss IAPP CIPP-E exam with other Community members:

Martinez commented on September 21, 2024
This exam was so hard, I thought I'd need a miracle. Turns out, exam dumps are the next best thing.
NETHERLANDS

Filipa commented on August 27, 2024
Question 143 is incorrect, the answer should be B, and the explanation is unrelated to the scenario. Other than that, great work.
PORTUGAL

Nell commented on August 18, 2024
Hello. This is very helpful
UNITED KINGDOM

X commented on August 08, 2024
answers are correct
Anonymous