Corey CIPP/E Study Guide
When do you need a DPO? - ANS-If the core activity of the processor or controller
includes:
• Regular and systematic processing on a large scale
• Processing special categories of data on a large scale
• Monitoring of a large scale geographical area
• Processing by public bodies other than courts
When do controllers and processors have to keep records (Article 30)? - ANS-If:
• They have 250 or more employees, or
• The processing is likely to result in a risk to data subjects, or
• Processing is not occasional, or
• Processing includes special categories
When do you not need a DPIA even if you are doing processing that involves high
risk? - ANS-For legal obligation purposes (employment) or for execution of a public task
(tax)
Which institution is eligible to approve Binding Corporate Rules? - ANS-Supervisory
Authority
What are the Privacy Shield self-certification requirements? - ANS-Commit to adhere to
the Privacy Shield Principles and publicise the commitment, publicly disclose privacy
policy, implement the principles, renew certification annually
Why can't a US financial institution be eligible for Privacy Shield? - ANS-Because it is
not under the enforcement authority of the Federal Trade Commission
What is the current list of adequate countries and the period to review the adequacy? -
ANS-Uruguay, Argentina, Canada (commercial organisations only), US (Privacy Shield),
Andorra, Jersey & Guernsey, Isle of Man, Israel, Switzerland, New Zealand, Faroe
Islands - 4 years
What are the legal bases to transfer data outside of the EEA? - ANS-Adequacy Decisions,
Appropriate Safeguards (Binding Corporate Rules, Standard Clauses, Codes of conduct
or certification, Ad hoc contractual clauses authorised by SA, International Agreements),
Derogations (as a last resort)
When does the household exemption for GDPR not apply? - ANS-If you act on behalf of
an organisation or you knowingly extend the access to data beyond a selected group of
contacts (i.e. making it public)
What is the exception to the opt-in rule for B2C marketing? - ANS-If you collected the
contact details in the context of a sale transaction (including presales) and marketing is
related to first-party products and opt-out is offered at the point of data collection and
opt-out is offered in every subsequent communication
What information do you need to include in a CCTV notice? - ANS-Identity and contact of
controller + Purpose
What are the permitted uses of metadata according to ePrivacy? - ANS-Quality of
service requirements, billing and interconnection payments, Prevent fraud and abuse
What are the 4 considerations for monitoring? - ANS-Necessity (can you use another
method?), Proportionality (proportional to purpose), Legitimacy (Lawful basis),
Transparency (Inform the data subject)
Who monitors personal data processing of EU bodies? - ANS-European Data Protection
Supervisor
What are the powers of Supervisory Authority and examples for each power? -
ANS-Investigative (Conduct audits, obtain access to premises), Corrective (issue fines,
ban processing), Authorisation & Advisory (Approve BCRs, Accredit certification bodies)
What information should be provided to data subjects for cross-border transfers? -
ANS-Existence or absence of an adequacy decision, Intent to transfer to another
country or multinational organisation, A reference to safeguards
What are cross-border transfer derogations? - ANS-Explicit consent, performance of a
contract, Public Interest, Legal claims, Transfer from a register of public information,
Legitimate Interest (only if it is one-off, not systematic, limited number of data subjects
and you must inform the data subject + SA)
What are the responsibilities of a Supervisory Authority? - ANS-Represent member
state in EDPB, Promote, monitor and enforce GDPR, Protect fundamental human rights,
Facilitate free flow of personal data