Which of the following does NOT have to be included in the records most processors must maintain in relation to their data processing activities?
Correct Answer: D
According to the GDPR, processors must maintain records of all categories of processing activities carried out on behalf of each controller, containing the following information: the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative, and the data protection officer; the categories of processing carried out on behalf of each controller; where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards; and, where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

The records must be in writing, including in electronic form, and must be made available to the supervisory authority on request. The obligation to maintain records does not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data or personal data relating to criminal convictions and offences.

The GDPR does not require processors to include details of any data protection impact assessment (DPIA) conducted in relation to any processing activities carried out by the processor on behalf of each controller for which the processor is acting. A DPIA is a process to help identify and minimise the data protection risks of a project. It is the responsibility of the controller to carry out a DPIA where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons. The processor may assist the controller in carrying out the DPIA, but the processor does not have to document it in its records of processing activities. Therefore, the correct answer is D.

Reference: GDPR Article 30(2); GDPR Article 35; ICO, Documentation; ICO, Data protection impact assessments
Question 7
Which EU institution is vested with the competence to propose new data protection legislation on its own initiative?
Correct Answer: B
Question 8
Based on GDPR Article 35, which of the following situations would trigger the need to complete a DPIA?
Correct Answer: C
According to Article 35 of the GDPR, a Data Protection Impact Assessment (DPIA) is required when the processing of data is likely to result in a high risk to the rights and freedoms of natural persons, especially when using new technologies. A DPIA is supposed to show the characteristics of the processing, the risks and the measures adopted to mitigate them. The GDPR also provides some examples of processing operations that require a DPIA, such as: a systematic and extensive evaluation of personal aspects based on automated processing, including profiling, and on which decisions are based that produce legal or significant effects on the data subject; processing on a large scale of special categories of data or data relating to criminal convictions and offences; or a systematic monitoring of a publicly accessible area on a large scale.

Among the answer choices, only option C falls under the first example, as it involves a systematic and extensive evaluation of personal aspects based on location data and data from third-party sources, which could be used for profiling and matching purposes. This could have significant effects on the data subjects' privacy, personal relationships and reputation. Therefore, a DPIA would be required for this processing operation.

Option A does not necessarily involve a systematic and extensive evaluation of personal aspects, nor does it produce legal or significant effects on the data subject. It could be considered a legitimate interest of the company to offer more personalized service, as long as it respects the principles of data minimization, purpose limitation and transparency. Option B does not involve a decision based on the processing, nor does it produce legal or significant effects on the data subject. It could be considered a form of direct marketing, which is subject to specific rules under the GDPR and the ePrivacy Directive. Option D does not involve personal data relating to natural persons, but rather to delivery trucks. Therefore, it does not pose a high risk to the rights and freedoms of natural persons.

Reference: GDPR Article 35; Guidelines on DPIA; Art. 35 GDPR - Data protection impact assessment - GDPR.eu
Question 9
Which of the following countries will continue to enjoy adequacy status under the GDPR, pending any future European Commission decision to the contrary?
Correct Answer: C
Question 10
In which of the following cases would an organization MOST LIKELY be required to follow both ePrivacy and data protection rules?