New Release CIPP-E Certified Information Privacy Professional Questions

According to the GDPR, a record of processing activities (RoPA) is a document that provides an overview of how personal data is processed within an organisation. It must include information on the types of personal data processed, the purposes for which the data is processed, and the measures taken to ensure the security of the data123. A RoPA must be kept up to date and made available to the supervisory authority upon request1.

In this scenario, Anna does not have to include Frank’s performance database in her RoPA, because it does not contain any personal data. Personal data is any information relating to an identified or identifiable natural person4. Frank’s performance database only contains aggregated or anonymised data that cannot identify any individual student. Therefore, it does not fall under the definition of personal data under the GDPR.

However, Anna still has to complete her RoPA for all other types of records that are processed by Granchester University, such as student records, staff and alumni records, and Department for Education records. These records may contain personal data that needs to be minimised and protected in accordance with the GDPR principles4. Anna also has to conduct a risk analysis before processing these records, as required by Article 35(2) of the GDPR4. She also has to report any security incidents involving these records, as required by Article 33(3) of the GDPR4.

References:

• [Art. 30 GDPR – Records of processing activities]
• [How do we document our processing activities?]
• Records of Processing (Article 30) Guidance
• GDPR Records of Processing Activities | Resources
• Records of Processing Activities: A Key GDPR Compliance Requirement

 Article 9 of the GDPR prohibits the processing of special categories of personal data, which are data that reveal sensitive information about the data subject and may pose a high risk to their rights and freedoms. The GDPR defines 10 types of personal data as special categories, which are:

• personal data revealing racial or ethnic origin;
• personal data revealing political opinions;
• personal data revealing religious or philosophical beliefs;
• personal data revealing trade union membership;
• genetic data;
• biometric data (where used for identification purposes);
• data concerning health;
• data concerning a person’s sex life; and
• data concerning a person’s sexual orientation.

Among the answer choices, only option C is not one of these categories, as financial data is not considered to reveal any sensitive information about the data subject. However, financial data is still subject to the general principles and rules of the GDPR, such as lawfulness, fairness, transparency, accuracy, security, etc. References:

• Special category data | ICO
• Art. 9 GDPR Processing of special categories of personal data
• Special Categories of Data - International Association of Privacy Professionals

One of the main reasons why the CJEU invalidated the Privacy Shield was that it found that the US surveillance programs were not limited to what is strictly necessary and proportionate, as required by the EU law. The CJEU also criticized the lack of effective judicial remedies for EU data subjects whose data was accessed by US authorities. The Trans-Atlantic Data Privacy Framework is intended to address these issues by introducing new safeguards to ensure that signals intelligence activities are necessary and proportionate in the pursuit of defined national security objectives, and by creating a new mechanism for EU individuals to seek redress if they believe they are unlawfully targeted by signals intelligence activities. The Framework also enhances the oversight and transparency of US surveillance practices.

References: EU–US Data Privacy Framework - Wikipedia; FACT SHEET: United States and European Commission Announce Trans-Atlantic Data Privacy Framework | The White House; United States and European Commission Joint Statement on Trans-Atlantic Data Privacy Framework; European Commission and United States Joint Statement on Trans-Atlantic Data Privacy Framework; A practical approach to the new Trans-Atlantic Data Privacy Framework.

According to the UK GDPR, the controller and the processor must support the data protection officer in performing the tasks referred to in Article 39 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge1. The controller and the processor must also ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks and that he or she reports directly to the highest management level of the controller or the processor1.