IAPP Updated CIPP-E Exam Questions and Answers by jannat

The EDPB’s Guidelines 8/2020 on the targeting of social media users explain that the legitimate interest legal basis requires passing three cumulative tests: the purpose test, the necessity test, and the balancing test. The purpose test checks whether there is a legitimate interest pursued by the data controller or a third party. The necessity test checks whether the processing is necessary for the purpose identified. The balancing test checks whether the legitimate interest is not overridden by the interests or rights and freedoms of the data subject. The adequacy test is not one of the three tests required by the legitimate interest legal basis. The adequacy test is relevant for data transfers to third countries, not for data processing within the EU.

References:

EDPB Guidelines 8/2020 on the targeting of social media users, Section 3.2.11

GDPR Article 6(1)(f)2

GDPR Recital 472

IAPP CIPP/E Study Guide, Chapter 3, Section 3.2.23

 This is not an explicit right granted to data subjects under the GDPR, as the GDPR does not specifically address the sale of personal data. However, the GDPR does require that data subjects give their consent to any processing of their personal data that is not based on another legal basis, such as a contract or a legal obligation1. Therefore, data subjects have the right to withdraw their consent at any time, and the controller must inform them of this right before obtaining their consent2. The other options are explicit rights granted to data subjects under the GDPR, as they are listed in Chapter 3 of the regulation3. References:

Free CIPP/E Study Guide, page 23, section 3.1

CIPP/E Certification, page 18, section 3.1

The Ultimate CIPP/E Study Guide for 2023, page 16, section 3.1

GDPR data subject rights - 8 fundamental & additional rights, paragraph 4

Rights of the data subject - General Data Protection Regulation (GDPR), Article 7

Rights of the data subject - General Data Protection Regulation (GDPR), Chapter 3

According to the GDPR, personal data means any information relating to an identified or identifiable natural person1. Body temperature is a type of personal data that can reveal information about an individual’s health and therefore constitutes special category data under Article 9 of the GDPR2. However, not every activity involving personal data falls within the scope of the GDPR. The GDPR applies only to the processing of personal data wholly or partly by automated means or to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system3.

In this scenario, the organization conducts body temperature checks as a part of COVID-19 monitoring. Body temperature is measured manually and is not followed by registration, documentation or other processing of an individual’s personal data. This means that the organization does not use any automated means to collect, store, or process the body temperature data, nor does it create or intend to create a filing system that contains such data. Therefore, this practice does not involve any processing of personal data within the meaning of the GDPR and is not subject to its rules and obligations.

The other options are incorrect because:

A. Body temperature is considered personal data, as it can be linked to an identifiable natural person and reveal information about their health2.

C. Body temperature is not considered pseudonymous data, as it is not processed in a way that the data can no longer be attributed to a specific data subject without the use of additional information4.

D. The practice is not for the purpose of alleviating extreme risks to public health, as it is not based on any legal obligation, public interest, or vital interest that would justify the processing of special category data under Article 9 of the GDPR5.

References: 1 Article 4(1) of the GDPR2 Policy Brief: Location Data Under Existing Privacy Laws | FPF23 Article 2(1) of the GDPR4 Article 4(5) of the GDPR5 Article 9(2) of the GDPR.

 A data sharing agreement is a contract that documents what data is being shared and how it can be used. It can be used to make data sharing lawful and to demonstrate compliance with the accountability principle under the GDPR. A data sharing agreement is most likely to be needed when personal data is being shared between commercial organizations acting as joint data controllers, because they have to determine and agree on their respective roles and responsibilities, such as the purpose and legal basis of the data sharing, the rights of the data subjects, the security measures, and the liability for any breaches. A data sharing agreement is not mandatory, but it is good practice and can help to avoid disputes and confusion. A data sharing agreement may not be needed or may be less detailed in the other scenarios, depending on the circumstances and the nature of the data. For example, anonymized data is not personal data under the GDPR and does not require a data sharing agreement, although it may still be subject to other contractual or ethical obligations. Personal data that is proactively shared by a controller to support a police investigation may be covered by a legal obligation or a public interest, and the controller may not have much control over how the data is used by the police. Personal data that is shared with a public authority with powers to require the personal data to be disclosed may also be subject to a legal obligation or a public interest, and the controller may have to comply with the authority’s request without a data sharing agreement. References:

Data sharing agreements | ICO, which provides guidance on the benefits and contents of a data sharing agreement.

Data Sharing Agreement - the Definition - GDPR Summary, which explains what a data sharing agreement is and when it can be used.

The role of data sharing and the GDPR | Data Republic, which discusses the impact of the GDPR on data sharing practices.