Sure Pass Exam CIPP-E PDF

According to Article 32 of the GDPR, the controller and the processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing, including the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident1. A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed2. Therefore, a power outage that results in the loss of availability of customer data for six hours is considered a personal data breach under the GDPR.

Based on the WP 29’s February, 2018 guidance, which was endorsed by the European Data Protection Board, company Z should document the loss of availability to demonstrate accountability3. The guidance states that controllers must document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken, regardless of whether the breach needs to be notified to the supervisory authority or the data subjects. This documentation must enable the supervisory authority to verify compliance with the GDPR and must be made available to the supervisory authority on request4.

The other options (A, C, and D) are not required by the GDPR or the guidance, although they may be advisable or beneficial depending on the circumstances. Option A is not mandatory, as the GDPR only requires the controller to communicate the personal data breach to the data subject when the breach is likely to result in a high risk to the rights and freedoms of natural persons5. A temporary loss of availability may not pose such a high risk, unless it affects the data subject’s essential services or activities. Option C is also not obligatory, as the GDPR only requires the controller to notify the supervisory authority of the personal data breach within 72 hours unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons6. A short-term loss of availability may not entail such a risk, unless it affects a large number of data subjects or sensitive data. Option D is not specified by the GDPR or the guidance, although it may be a good practice to conduct a thorough audit of all security systems after a personal data breach to identify and address any vulnerabilities or weaknesses that may have contributed to the incident or may lead to future incidents. References:

• 1: Article 32 of the GDPR
• 2: Article 4 (12) of the GDPR
• 3: Endorsed WP29 Guidelines
• 4: Article 33 (5) of the GDPR
• 5: Article 34 (1) of the GDPR
• 6: Article 33 (1) of the GDPR
• 7: Guidelines on Personal data breach notification under Regulation 2016/679, WP250 rev.01
• 8: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
• 9: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679

 Article 9 of the GDPR prohibits the processing of special categories of personal data, which are data that reveal sensitive information about the data subject and may pose a high risk to their rights and freedoms. The GDPR defines 10 types of personal data as special categories, which are:

• personal data revealing racial or ethnic origin;
• personal data revealing political opinions;
• personal data revealing religious or philosophical beliefs;
• personal data revealing trade union membership;
• genetic data;
• biometric data (where used for identification purposes);
• data concerning health;
• data concerning a person’s sex life; and
• data concerning a person’s sexual orientation.

Among the answer choices, only option C is not one of these categories, as financial data is not considered to reveal any sensitive information about the data subject. However, financial data is still subject to the general principles and rules of the GDPR, such as lawfulness, fairness, transparency, accuracy, security, etc. References:

• Special category data | ICO
• Art. 9 GDPR Processing of special categories of personal data
• Special Categories of Data - International Association of Privacy Professionals

The GDPR establishes a two-tier system of administrative fines for infringements of its provisions, depending on the nature, gravity, and duration of the infringement, as well as other factors such as the intentional or negligent character of the infringement, the actions taken to mitigate the damage, the degree of co-operation with the supervisory authority, and any previous infringements1. The lower tier of fines can be up to 10 million euros or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher1. The lower tier of fines applies to infringements of the GDPR relating to the following aspects1:

• The obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, and 42 and 43;
• The obligations of the certification body pursuant to Articles 42 and 43;
• The obligations of the monitoring body pursuant to Article 41 (4). The higher tier of fines can be up to 20 million euros or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher1. The higher tier of fines applies to infringements of the GDPR relating to the following aspects1:
• The basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7, and 9;
• The data subjects’ rights pursuant to Articles 12 to 22;
• The transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49;
• Any obligations pursuant to Member State law adopted under Chapter IX;
• Non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58 (2) or failure to provide access in violation of Article 58 (1). Therefore, higher fines are assessed for GDPR violations due to violations of a data subject’s rights, as these are among the infringements that fall under the higher tier of fines. Data subjects’ rights are the rights granted to individuals whose personal data are processed by controllers or processors, such as the right to access, rectify, erase, restrict, object, or port their data, as well as the right to be informed, to withdraw consent, and to lodge a complaint1. Violations of these rights can cause significant harm to the data subjects and undermine the objectives of the GDPR. Therefore, option D is the correct answer. References: Art. 83 GDPR – General conditions for imposing administrative fines, Article 83 GDPR - GDPRhub