Certified Information Privacy Professional CIPP-E Book

Page: 8 / 19

Question 32

SCENARIO

Please use the following to answer the next question:

You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company’s revenue is due to international sales.

The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: The figures can answer children’s Questions: on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience.

When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure’s integrated

speakers, making it appear as though that the toy is actually responding to the child’s question. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.

In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures’ abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character’s abilities remain intact.

What presents the BIGGEST potential privacy issue with the company’s practices?

Options:

The NFC portal can read any data stored in the action figures

The information about the data processing involved has not been specified

The cloud service provider is in a country that has not been deemed adequate

The RFID tag in the action figures has the potential for misuse because of the toy’s evolving capabilities

Question 33

To receive a preliminary interpretation on provisions of the GDPR, a national court will refer its case to which of the following?

Options:

The Court of Justice of the European Union.

The European Data Protection Supervisor.

The European Court of Human Rights.

The European Data Protection Board.

Answer:

Explanation:

Reference: [Reference: https://www.privacy-regulation.eu/en/recital-143-GDPR.htm, The Court of Justice of the European Union (CJEU) is the judicial body of the EU that makes decisions on issues of EU law and enforces European decisions either in respect to actions taken by the European Commission against a member state or actions taken by individuals to enforce their rights under EU law. The CJEU consists of two courts: the Court of Justice and the General Court. The CJEU ensures the uniform interpretation and application of EU law across the EU and settles disputes between EU institutions, member states, and individuals., According to the EU Treaties, EU Member-States’ courts may – or, in case no appeal from their decisions is possible, must – ask the CJEU to rule on the interpretation and validity of disputed provisions of EU law. Such decisions are known as preliminary rulings, by which the CJEU expresses its ultimate authority to interpret EU law and which are binding for all national courts in the EU when they apply those specific provisions in individual cases. Since May 2018 – when the GDPR became applicable across the EU -, the CJEU has played an important role in clarifying the meaning and scope of some of its key concepts. For instance, the Court notably ruled that two parties as different as a website owner that has embedded a Facebook plugin and Facebook may be qualified as joint controllers by taking converging decisions ( Fashion ID case ), that consent for online data processing is not validly expressed through pre-ticked boxes ( Planet49 case) and that the European Commission Decision to grant adequacy to the EU-US Privacy Shield framework is invalid as a mechanism for international data transfers, and supplemental measures may be necessary to lawfully transfer data outside of the EU on the basis of Commission-vetted model clauses (in the Schrems II case )., Therefore, to receive a preliminary interpretation on provisions of the GDPR, a national court will refer its case to the Court of Justice of the European Union, which is the ultimate authority on EU law and the GDPR., References:, GDPR, Court of Justice of the European Union, Court of Justice of the European Union - International Association of Privacy Professionals, Judicial enforcement of EU law | European Foundation for the Improvement of Living and Working Conditions, [Competences of the Court of Justice of the European Union], ]

Question 34

Which GDPR requirement will present the most significant challenges for organizations with Bring Your Own Device (BYOD) programs?

Options:

Data subjects must be sufficiently informed of the purposes for which their personal data is processed.

Processing of special categories of personal data on a large scale requires appointing a DPO.

Personal data of data subjects must always be accurate and kept up to date.

Data controllers must be in control of the data they hold at all times.

Question 35

SCENARIO

Please use the following to answer the next question:

ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO. Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage s global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized m New Delhi Unable to reach Ruths family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who in coordination with Mary, the head of HR. provided information to the doctors based on accommodate on requests Ruth made when she started a: ProStorage

In support of Ruth's strategic goals of hiring more sales representatives, the Human

Resources team is focused on improving its processes to ensure that new

employees are sourced, interviewed, hired, and onboarded efficiently. To help with

this, Mary identified two vendors, HRYourWay, a German based company, and

InstaHR, an Australian based company. She decided to have both vendors go

through ProStorage's vendor risk review process so she can work with Ruth to

make the final decision. As part of the review process, Jackie, who is responsible

for maintaining ProStorage's privacy program (including maintaining controller

BCRs and conducting vendor risk assessments), reviewed both vendors but

completed a transfer impact assessment only for InstaHR. After her review of both

vendors, she determined that InstaHR satisfied more of the requirements as it

boasted a more established privacy program and provided third-party attestations,

whereas HRYourWay was a small vendor with minimal data protection operations.

Thus, she recommended InstaHR.

ProStorage's marketing team also worked to meet the strategic goals of the

company by focusing on industries where it needed to grow its market share. To

help with this, the team selected as a partner UpFinance, a US based company

with deep connections to financial industry customers. During ProStorage's

diligence process, Jackie from the privacy team noted in the transfer impact

assessment that UpFinance implements several data protection measures

including end-to-end encryption, with encryption keys held by the customer.

Notably, UpFinance has not received any government requests in its 7 years of

business. Still, Jackie recommended that the contract require UpFinance to notify

ProStorage if it receives a government request for personal data UpFinance

processes on its behalf prior to disclosing such data.

What transfer mechanism should Jackie recommend for using InstaHR?

Options:

Adequacy

Binding corporate rules.

Explicit consent of employees.

Standard contractual clauses

Answer:

Explanation:

According to the GDPR, any transfer of personal data to a third country or an international organisation must be based on an adequacy decision by the Commission, appropriate safeguards by the data exporter and importer, or derogations for specific situations1. In this scenario, InstaHR is an Australian based company that processes personal data on behalf of ProStorage, a Dutch based company. Australia is not recognised by the Commission as a country that provides an adequate level of data protection2, so the adequacy option is not available. Binding corporate rules (BCRs) are internal rules adopted by multinational groups of companies or organisations that define their global policy with regard to the international transfers of personal data within the same corporate group to entities located in countries that do not provide an adequate level of protection3. However, BCRs are not applicable in this case, as InstaHR is not part of the same corporate group as ProStorage. Explicit consent of employees is a possible derogation for specific situations, but it is not a reliable or practical transfer mechanism, as it must be freely given, specific, informed and unambiguous, and it can be withdrawn at any time4. Therefore, the most suitable transfer mechanism for using InstaHR is standard contractual clauses (SCCs). SCCs are contractual clauses that have been pre-approved by the Commission and that provide appropriate safeguards for data protection when transferring personal data from the EU/EEA to third countries. SCCs are legally binding and enforceable by data subjects, and they impose obligations on both the data exporter and the data importer. SCCs are widely used by data controllers and processors as a transfer mechanism under the GDPR. References: 1: Art. 44 GDPR - General principle for transfers22: Adequacy decisions - European Commission13: Binding corporate rules - European Commission14: Article 7 of the GDPR. : Standard Contractual Clauses (SCC) - European Commission1.

Page: 8 / 19