Complete PDPF Exin Materials

Yes, because the shopkeeper cannot identify the owner of the telephone. Incorrect. The issue is not whether the shopkeeper can identify the visitor, but that it is technically possible to do so.

Yes, because the visitor has automatically consented by connecting to the Wi-Fi. Incorrect. Consent must be an active, informed and free act of agreement to the processing. To see a MAC-address, the visitor does not need to be logged onto the Wi-Fi.

No, because the telephones MAC-address must be regarded as personal data. Correct. The phone’s signal is a unique code that can be linked to the owner of the phone. The data must be regarded as personal data, because it is technically possible to identify the visitor. (Literature: A, Chapter 3; GDPR Article 26 and 30)

No, because the telephone providers are the owners of the MAC-addresses. Incorrect. The shopkeeper is not allowed to keep the data or process it because it must be regarded as personal data. The telephone provider is not the owner of the MAC-address, nor is the telephone provider protected by the GDPR.

Compulsory Corporate Rules are rules used internally by multinational companies to transfer personal data. Thus, it is possible to transfer data between them, even if the destination company is in a country that does not have an adequate level of data protection. These rules are like an internal corporate code of conduct and do not cover transfers of personal data outside the corporate group.

Do not confuse "Compulsory Corporate Rules" with "Standard Contractual Clauses". The last are clauses in contracts for international data transfer between companies (customer and supplier relationship) where the destination country does not have an adequate level of data protection, and depends on authorization from the Supervisory Authority.

Article 58 of GDPR

3. supervisory authority shall have all of the following authorisation and advisory powers:

a) to advise the controller in accordance with the prior consultation procedure referred to in Article 36.

Besides to what many persons think, the GDPR does not apply only to the EU, but to all member countries of the European Economic Area (EEA) that includes, in addition to the EU member countries, Iceland, Liechtenstein and Norway.