To provide evidence of GDPR compliance, a company performs an internal audit. As a result, it finds a data base, password-protected, listing all the social network followers of the client. Regarding the domain of the controller-processor relationships, how is this situation considered?

SCENARIO Please use the following to answer the next question: ABC Hotel Chain and XYZ Travel Agency are U.S.-based multinational companies. They use an internet-based common platform for collecting and sharing their customer data with each other, in order to integrate their marketing efforts. Additionally, they agree on the data to be stored, how reservations will be booked and confirmed, and who has access to the stored data. Mike, an EU resident, has booked travel itineraries in the past through XYZ Trav

Please use the following to answer the next question: WonderkKids provides an online booking service for childcare. Wonderkids is based in France, but hosts its website through a company in Switzerland. As part of their service, WonderKids will pass all personal data provided to them to the childcare provider booked through their system. The type of personal data collected on the website includes the name of the person booking the childcare, address and contact details, as well as information about the chil

SCENARIO Please use the following to answer the next question: Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick ente

What is the consequence if a processor makes an independent decision regarding the purposes and means of processing it carries out on behalf of a controller?

Many businesses print their employees’ photographs on building passes, so that employees can be identified by security staff. This is notwithstanding the fact that facial images potentially qualify as biometric data under the GDPR. Why would such practice be permitted?

With the issue of consent, the GDPR allows member states some choice regarding what?

An unforeseen power outage results in company Z’s lack of access to customer data for six hours. According to article 32 of the GDPR, this is considered a breach. Based on the WP 29’s February, 2018 guidance, company Z should do which of the following?

Article 5(1)(b) of the GDPR states that personal data must be “collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.” Based on Article 5(1)(b), what is the impact of a member state’s interpretation of the word “incompatible”?

A worker in a European Union (EU) member state has ceased his employment with a company. What should the employer most likely do in regard to the worker’s personal data?

What obligation does a data controller or processor have after appointing a data protection officer?

Which of the following was the first legally binding international instrument in the area of data protection?

SCENARIO Please use the following to answer the next question: Brady is a computer programmer based in New Zealand who has been running his own business for two years. Brady’s business provides a low-cost suite of services to customers throughout the European Economic Area (EEA). The services are targeted towards new and aspiring small business owners. Brady’s company, called Brady Box, provides web page design services, a Social Networking Service (SNS) and consulting services that help people manage their

Which aspect of the GDPR will likely have the most impact on the consistent implementation of data protection laws throughout the European Union?

Why is advisable to avoid consent as a legal basis for an employer to process employee data?

When hiring a data processor, which action would a data controller NOT be able to depend upon to avoid liability in the event of a security breach?

Assuming that the “without undue delay” provision is followed, what is the time limit for complying with a data access request?

SCENARIO Please use the following to answer the next question: Zandelay Fashion (‘Zandelay’) is a successful international online clothing retailer that employs approximately 650 people at its headquarters based in Dublin, Ireland. Martin is their recently appointed data protection officer, who oversees the company’s compliance with the General Data Protection Regulation (GDPR) and other privacy legislation. The company offers both male and female clothing lines across all age demographics, including childr

A Spanish electricity customer calls her local supplier with Questions: about the company’s upcoming merger. Specifically, the customer wants to know the recipients to whom her personal data will be disclosed once the merger is final. According to Article 13 of the GDPR, what must the company do before providing the customer with the requested information?