CIPP/E Exam 2023 with complete solutions
Lisbon Treaty, the _ AND _ were granted institutional status - Answer- European Council and the European Central Bank

Exercises legislative and budgetary functions - Answer- European Parliament

Elects the President of the Commission - Answer- European Parliament

European Parliament has 4 responsibilities: - Answer- legislative development, supervisory oversight of other committees, democratic representation, development of the budget

European Parliament shares its legislative duties with - Answer- Council of the EU

Three procedures apply to the legislative process: - Answer- ordinary, consultation, consent

No EU country is allowed more than ___ Members of European Parliament - Answer- 96

The European Council comprises the - Answer- heads of the 28 member states

The main decision-making body of the EU - Answer- Council of the European Union

Council of the EU includes minister/representative from - Answer- each member state

Sometimes described as the executive body of the EU - Answer- European Commission

'Union legislative acts may only be adopted on the basis of a ____________ proposal' - Answer- European Commission

The ____ has the power to adopt 'adequacy findings' by which non-EU member states are regarded as providing an adequate level of data protection in accordance with EU standards. - Answer- European Commission

The CJEU is divided into two parts: - Answer-
- The Court of Justice (ECJ)
- The General Court (the renamed 'Court of First Instance', or CFI)

The ECHR is the international court that was founded in 1959 to oversee the ____ which protects the fundamental rights of people living in contracting states - Answer- European Convention on Human Rights ('the Convention')

The first legally binding international instrument in the field of data protection - Answer- Convention 108

Like the earlier resolutions, Convention 108 ensures appropriate protections for individual privacy but also - Answer- recognises the importance of the free flow of personal data for commerce and the exercise of public functions

Convention 108 comprises 27 articles and has three main parts: - Answer-
- 'Basic principles of data protection' (Chapter II, Articles 4-11)
- 'Transborder data flows' (Chapter III, Article 12)
- 'Mutual assistance' provisions (Chapter IV, Articles 13-17)

2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector - Answer- The ePrivacy Directive

Member states are required to ensure the confidentiality of communications and of the traffic data generated by such communications, subject to specific exceptions, including where users of such services give their consent to interception and surveillance or where the interception and surveillance is authorised by law. - Answer- ePrivacy Directive

Most forms of digital marketing, including emails, SMS and MMS messaging and faxes, but not person-to-person telephone marketing, require prior (opt-in) consent - Answer- ePrivacy Directive

Specifically, Article 13 ('Unsolicited communications') now provides a right for individuals and organisations - including internet service providers (ISPs) - to bring legal proceedings against unlawful communications. - Answer- ePrivacy

The NIS Directive has three main objectives: - Answer-
- Improving national cybersecurity capabilities by requiring each member state to set up a Computer Security Incident Response Team (CSIRT) and a competent national Network Information Systems Authority.
- Building cooperation at the EU level by setting up a cooperation group across the member states in order to support and facilitate strategic cooperation and the exchange of information. Member states are also required to set up a CSIRT network in order to promote swift and effective operational cooperation on specific cybersecurity incidents and to share information about risks.
- Promoting a culture of risk management and incident reporting among key economic actors, notably operators providing essential services (OES) such as energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure, and digital service providers (DSPs) such as search engines, cloud computing services and online marketplaces.
Each member state is responsible for identifying the companies to which the NIS Directive will apply as well as the exact form it will take.

The GDPR has a broad scope, but there are types of processing to which it does not apply: - Answer- (e.g., processing for domestic purposes, or processing which is regulated by another EU data protection law, such as Regulation 45/2001, which applies to the processing of personal data by EU institutions)

Territorial Scope: the regulation applies for - Answer-
- To EU-established organisations (see Section 5.2.1).
- On a long-arm, extraterritorial basis to organisations which offer to sell goods or services to or who monitor individuals in the EU (see Section 5.2.2).

The accessibility of a website is (enough / not enough) to constitute territorial scope for GDPR - Answer- Not enough

An app developer based in Canada with no establishment in the EU but which monitors the behaviour of app users in the EU would / would not be subject to GDPR under Article 3(2)(b) - Answer- would be

Article 2(2)(a) states that the Regulation does not apply to the processing of personal data 'in the course of an activity which falls outside the scope of ______ _________'. This covers processing operations that concern public security, defence and national security. - Answer- Union law

The ePrivacy Directive and the GDPR therefore work together because the ePrivacy Directive particularises, i.e., renders more specific rules in some areas (e.g., on telecommunications traffic data or the storing of information on an end-user's device). In such cases, these specific provisions of the ePrivacy Directive take precedence over the more general provisions of the GDPR. However, the EDPB Guidelines clarify that 'any processing of personal data which is not specifically governed by the ePrivacy Directive (or for which the ePrivacy Directive does not contain a "special rule")', remains subject to the provisions of the GDPR - Answer- Single slide

Interestingly, the Recitals to the Regulation clarify that photographs, presumably of individuals, should / should not systematically be considered to be processing sensitive data since they are covered by the definition of biometric data only when processed through a specific technical means that allow the unique identification or authentication of an individual. - Answer- should not

Article 13(1) requires that where personal data that relates to the data subject is collected directly from the data subject, all the following information must be provided to the data subject: - Answer-
- The identity and the contact details of the controller and, where applicable, of the controller's representative
- The contact details of the data protection officer (DPO), where one is appointed
- The purposes and legal basis of the processing
- Where the processing is necessary for the purpose of the controller's legitimate interest or the legitimate interest of a third party (under Article 6(1)(f) of the Regulation), the legitimate interests pursued by the controller or the third party
- The recipients or categories of recipients of the personal data, if any
- Whether the controller intends to transfer personal data to a third country or international organisation, and, if so:
  - Whether or not an adequacy decision by the European Commission (the 'Commission') exists in relation to the transfer.
  - If the transfer is made on the basis of appropriate safeguards pursuant to Articles 46 or 47 of the Regulation (e.g., under standard data protection clauses adopted by the Commission or binding corporate rules (BCRs)), or on the basis of the controller's compelling legitimate interests and own assessment that suitable safeguards are in place for the personal data transferred (under the second subparagraph of Article 49(1) of the Regulation), reference to the appropriate or suitable safeguards relied upon by the controller and the means by which to obtain a copy of them or where they have been made available.

Article 13(2) on informing data subjects of the data you are collecting includes the requirement to inform of: - Answer-
1. retention period of personal data
2. information about DS rights in relation to their personal data, namely the existence of the rights (1) to request access to and rectification or erasure of personal data, (2) to request restriction of processing concerning the data subject, (3) to object to processing and (4) in relation to data portability.

There are a variety of approaches to the provision of fair processing information that controllers could consider, including: - Answer-
- Using layered fair processing notices
- Providing just-in-time notices
- Adopting privacy dashboards
- Using alternative formats and channels of communication for information
- Taking steps to adapt to the requirements of diverse technologies, including, in particular, the internet of things (IoT)

Layered notices: - Answer- The WP29 states that the first layer should include the purpose of processing, the controller's identity, and the
Written for
- Institution: CIPP/E
- Course: CIPP/E

Document information
- Uploaded on: 28 May 2023
- Number of pages: 11
- Written in: 2022/2023
- Type: Exam (elaborations)
- Contains: Questions and answers