Last Attempt CIPP-E Questions

 This is not a valid set of standard contractual clauses because it does not correspond to any of the decisions adopted by the European Commission under the GDPR or the previous Data Protection Directive 95/46. The correct decision for EU processor to non-EU or EEA controller is Decision 2010/87/EU, which was amended by Decision 2004/915/EC. Decision 2007/72/EC is actually related to the recognition of the adequacy of the protection of personal data in Switzerland. References:

• Free CIPP/E Study Guide, page 18, section 3.4.2
• Standard contractual clauses for international transfers, section 1.1
• Standard Contractual Clauses (SCC), section 2.1
• Decision 2007/72/EC

 The GDPR requires that consent must be freely given, specific, informed and unambiguous1. This means that app developers must provide clear and transparent information about the purposes and legal basis of the data processing, and allow users to choose which types of processing they agree to and which they do not. For example, users should be able to consent separately to different types of cookies, such as functional, analytical or marketing cookies2. Users should also be able to withdraw their consent at any time as easily as they gave it1. Therefore, app design and implementation must take into account these requirements and provide users with granular and user-friendly consent options, rather than relying on pre-ticked boxes, implied consent or default settings3. References: 1 Art. 4 (11) and Art. 7 GDPR – Definitions and Conditions for consent - General Data Protection Regulation (GDPR)2 Guidelines 05/2020 on consent under Regulation 2016/679 - European Data Protection Board3 How To Make Compliant GDPR Consent Forms (With Examples) - Termly.

 According to the GDPR, processors must maintain records of all categories of processing activities carried out on behalf of each controller, containing the following information12:

• the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer;
• the categories of processing carried out on behalf of each controller;
• where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
• where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

The records must be in writing, including in electronic form, and must be made available to the supervisory authority on request. The obligation to maintain records does not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data or personal data relating to criminal convictions and offences.

The GDPR does not require processors to include details of any data protection impact assessment (DPIA) conducted in relation to any processing activities carried out by the processor on behalf of each controller for which the processor is acting. A DPIA is a process to help identify and minimise the data protection risks of a project. It is the responsibility of the controller to carry out a DPIA where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons. The processor may assist the controller in carrying out the DPIA, but the processor does not have to document it in its records of processing activities. Therefore, the correct answer is D. References:

• GDPR, Article 30(2)
• GDPR, Article 35
• ICO, Documentation1
• ICO, Data protection impact assessments1

 A layered notice is a privacy notice designed to respond to problems with excessively long notices1. A short notice — the top layer — provides a user with the key elements of the privacy notice, such as the identity of the organisation, the purposes of the processing, and the rights of the data subjects2. The full notice — the bottom layer — covers all the intricacies in full, such as the lawful basis, the retention periods, and the recipients of the personal data2. The ICO recommends using a layered approach to deliver privacy information in a concise, transparent, intelligible, and easily accessible way, as required by the UK GDPR3. A layered notice allows data subjects to access the information they need at the appropriate level of detail and helps organisations to comply with the right to be informed23. References: 2