CIPP/E - Territorial and Material Scope of the GDPR - Chapter 5 verified to pass 2023/2024
The Regulation applies Territorial Scope: 1) To EU established organisations 2) on a long arm extraterritorial basis to organisations which offer to sell goods or services or who monitor individuals in the EU. - correct answers How is Territorial Scope applied in the Regulation?

Article 3(1) of the GDPR provides that it: applies to the processing of personal data in the context of the activities of the establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. - correct answers How is the concept of 'establishment' introduced in Article 3(1) of the Regulation?

There is no definition of 'establishment' in the Regulation; however Recital 22 gives the term a broad meaning: establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect. - correct answers What is the definition of establishment?

The test is met when there is an inextricable link between the activities of an EU establishment and the processing of data carried out by a non-EU controller. - correct answers What is the test of 'in the context of activities' that would make the Regulation apply?

Article 3(2) provides that the Regulation: applies to the processing of personal data of the data subjects who are in the Union by a controller or a processor not established in the Union, where the processing activities are related to: 1) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or 2) the monitoring of their behaviour as far as their behaviour takes place in the Union. - correct answers What does Article 3(2) say about non-EU 'established' organisations?

Recital 23 provides that, in determining whether an organisation is offering goods or services to data subjects who are in the EU, it should be ascertained whether it is 'apparent that the controller or processor envisages offering services to data subjects in one or more Member States of the Union'. - correct answers What does Recital 23 of the Regulation provide with respect to Territorial Scope?

The EDPB provides the following relevant factors to satisfy Article 3(2)a: 1) Naming EU or Member States in reference to the goods or services 2) The use of an EU Language 3) Having marketing or advertising campaigns directed at EU audiences 4) The ability to place orders in EU languages 5) Referencing travel instructions from the EU 6) Paying a search engine to facilitate access by individuals in the EU 7) Having dedicated addresses or phone numbers for individuals in the EU 8) Use of top level EU domain, for example '.de' or '.eu' - correct answers What are some of the Relevant Factors that the EDPB give to determine if Article 3(2)a is satisfied?

According to Recital 24 'monitoring' specifically includes the tracking of individuals online to create profiles, including where this is used to make decisions concerning them or for analysing or predicting their personal preferences, behaviours or attitudes. - correct answers What does Recital 24 specifically include as "Monitoring of Behaviour"?

For Article 3(2)b to trigger the application of the GDPR, the 'behaviour monitored' must first relate to a data subject in the Union and ... the monitored behaviour must take place in the Union. - correct answers How does Article 3(2)b trigger the application of the GDPR?

Article 3(2)b does NOT require that the controller or processor have an intention to monitor individuals in the EU, and in this regard is wider than the test in Article 3(2)a of GDPR. - correct answers Does Article 3(2)b require intent of the controller or processor to monitor individuals to be subject to GDPR?

The EDPB provides the following as examples of monitoring: 1) Behavioural Tracking and geolocation of content (particularly for advertising) 2) Online tracking through cookies and device fingerprinting 3) An online personalized diet and health analytics service 4) Closed-circuit television (CCTV) 5) Market surveys and other behavioural studies based on individual profiles 6) Monitoring or regular reporting on an individual's health - correct answers What does the EDPB provide as a list of examples of monitoring?

Article 3(3) is the 'Public International Law' Article - correct answers What is Article 3(3) of the GDPR?

Article 3(3) states the Regulation will apply where 'the processing of personal data [is] by a controller not established in the Union, but in a place where Member State law applies by virtue of Public International Law.' - correct answers What does the Public International Law Article ('Article 3(3)') state?

Article 3(3) is intended to cover, for example, embassies and consulates of EU member states, or airplanes or ships to which the Regulation applies by virtue of international treaties. - correct answers What is Article 3(3) intended to cover?

Material Scope is: 'processing of personal data wholly or partly by automated means' or 'processing other than by automated means of personal data which form part of a filing system' - Article 2 - correct answers What is Material Scope of Regulation?

Article 2(2)a states that the Regulation does not apply to the processing of personal data in the course of an activity which falls outside the scope of EU law. This covers processing operations that concern public security, defence and national security. - correct answers What does Article 2(2)a state?

Article 2(2)b states that the Regulation does not apply to the processing of personal data by the Member State when carrying out activities which fall within the scope of Chapter 2 of Title V of the Treaty of the European Union. This includes activities in relation to the common foreign and security policy of the EU. - correct answers What does Article 2(2)b state?

Article 2(2)c states that the Regulation does not apply to the processing of personal data by 'a natural person in the course of purely personal or household activity'. - correct answers What does Article 2(2)c state?

Written for
- Institution: CIPP/E
- Course: CIPP/E

Document information
- Uploaded on: December 20, 2023
- Number of pages: 4
- Written in: 2023/2024
- Type: Exam (elaborations)
- Contains: Questions & answers