Free Practice Questions for IAPP CIPP-E Exam

According to the GDPR, personal data means any information relating to an identified or identifiable natural person1. Body temperature is a type of personal data that can reveal information about an individual’s health and therefore constitutes special category data under Article 9 of the GDPR2. However, not every activity involving personal data falls within the scope of the GDPR. The GDPR applies only to the processing of personal data wholly or partly by automated means or to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system3.

In this scenario, the organization conducts body temperature checks as a part of COVID-19 monitoring. Body temperature is measured manually and is not followed by registration, documentation or other processing of an individual’s personal data. This means that the organization does not use any automated means to collect, store, or process the body temperature data, nor does it create or intend to create a filing system that contains such data. Therefore, this practice does not involve any processing of personal data within the meaning of the GDPR and is not subject to its rules and obligations.

The other options are incorrect because:

A. Body temperature is considered personal data, as it can be linked to an identifiable natural person and reveal information about their health2.

C. Body temperature is not considered pseudonymous data, as it is not processed in a way that the data can no longer be attributed to a specific data subject without the use of additional information4.

D. The practice is not for the purpose of alleviating extreme risks to public health, as it is not based on any legal obligation, public interest, or vital interest that would justify the processing of special category data under Article 9 of the GDPR5.

References: 1 Article 4(1) of the GDPR2 Policy Brief: Location Data Under Existing Privacy Laws | FPF23 Article 2(1) of the GDPR4 Article 4(5) of the GDPR5 Article 9(2) of the GDPR.

 A data protection impact assessment (DPIA) is a process to identify and minimise the data protection risks of a project that is likely to result in a high risk to the rights and freedoms of individuals1. The GDPR requires controllers to conduct a DPIA before starting such processing activities1. In this case, Building Block should have done a DPIA before implementing the SecurityScan measure, as it involves the monitoring of employees’ computers, which could affect their privacy and other fundamental rights2. A DPIA would help Building Block to assess the necessity, proportionality and compliance measures of the SecurityScan measure, as well as to identify and mitigate the risks to the employees and to consult with the relevant stakeholders, such as the data protection officer, the employees themselves, and the supervisory authorities12. The other options are not the first step that Building Block should have done, as they either follow or depend on the outcome of the DPIA. References: Data Protection Impact Assessment (DPIA) - GDPR.eu, Data protection impact assessments | ICO

 According to the European Data Protection Board, the principles relating to the processing of personal data under EU data protection law are: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability1. These principles imply certain concepts or practices that data controllers and processors should follow, such as access control management, frequent pseudonymization key rotation, and error propagation avoidance along the processing chain2. However, data ownership allocation is not a concept or practice that follows from these principles, as the GDPR does not recognize the notion of data ownership by either the data subject or the data controller3. Therefore, option A is the correct answer. References:

Data protection basics

Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects

CIPP/E Study Guide, page 11

 According to the Free CIPP/E Study Guide, page 16, “the GDPR provides for a one-stop-shop mechanism, which means that a controller or processor with establishments in several Member States will have only one supervisory authority as its interlocutor, which will act as the lead authority. However, this does not mean that the lead authority has exclusive competence to supervise all processing activities of the controller or processor throughout the EU. The GDPR also allows for the possibility of a relevant and reasoned objection by a concerned supervisory authority, which may trigger the consistency mechanism and the involvement of the European Data Protection Board (EDPB). Moreover, the GDPR recognizes the right of any supervisory authority to adopt urgent measures on its own territory or to commence legal proceedings before a court in its Member State in order to protect the rights and freedoms of data subjects.” Therefore, the lead regulator should accept the Spanish supervisory authority’s notice that it plans to take action regarding Sofia’s complaint, as the GDPR permits non-lead authorities to take action for such complaints, especially when they involve urgent measures or legal proceedings to protect the data subjects’ rights and freedoms. The other options are incorrect, as they do not reflect the GDPR’s provisions on the one-stop-shop mechanism and the cooperation and consistency mechanisms. References:

Free CIPP/E Study Guide, page 16

GDPR, Articles 56, 60, 61, 62, 63, 64, 65 and 66