IAPP CIPP-E Exam With Confidence Using Practice Dumps

 According to Article 14 of the GDPR, when a controller collects personal data from a source other than the data subject, the controller must provide the data subject with certain information, such as the identity and contact details of the controller, the purposes and legal basis of the processing, the categories of personal data concerned, the recipients or categories of recipients of the personal data, and the rights of the data subject. This information must be provided within a reasonable period after obtaining the personal data, but at the latest within one month, or at the time of the first communication with the data subject, or before disclosing the data to another recipient. The purpose of this provision is to ensure fair and transparent processing of personal data and to respect the right of the data subject to be informed. References:

Article 14 of the GDPR, which specifies the information to be provided where personal data have not been obtained from the data subject.

ICO guidance, which explains the requirements and exceptions of Article 14 of the GDPR.

EDPB guidelines, which provide further guidance on the application of Article 14 of the GDPR.

According to the GDPR, the data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: (a) the purposes of the processing; (b) the categories of personal data concerned; © the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; (d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (f) the right to lodge a complaint with a supervisory authority; (g) where the personal data are not collected from the data subject, any available information as to their source; (h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject1. The data subject also has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her2. Therefore, options A, B and D are valid data access requests that ABC Hotel Chain and XYZ Travel Agency have to honor, as they fall within the scope of the right of access and rectification. However, option C is not a valid data access request, as it involves the right to erasure, which is a separate right from the right of access. The right to erasure, also known as the right to be forgotten, entitles the data subject to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: (a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing; © the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2); (d) the personal data have been unlawfully processed; (e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; (f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1)3. However, the right to erasure is not absolute and does not apply where processing is necessary: (a) for exercising the right of freedom of expression and information; (b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; © for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3); (d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or (e) for the establishment, exercise or defence of legal claims4. In this scenario, Mike’s request to obtain access and erasure of his personal data while keeping his rewards membership is not a valid data access request, as it contradicts the right to erasure. If Mike wants to exercise his right to erasure, he has to withdraw his consent for the processing of his personal data by ABC Hotel Chain and XYZ Travel Agency, which means that he cannot keep his rewards membership, as it is based on the processing of his personal data. Moreover, ABC Hotel Chain and XYZ Travel Agency may have other legal grounds for retaining his personal data, such as compliance with a legal obligation or the establishment, exercise or defence of legal claims. Therefore, option C is the correct answer, as it is the only situation where ABC Hotel Chain and XYZ Travel Agency do not have to honor Mike’s data access request. References: 1: Article 15 of the GDPR; 2: Article 16 of the GDPR; 3: Article 17(1) of the GDPR; 4: Article 17(3) of the GDPR; Free CIPP/E Study Guide, pages 33-35.

According to the EDPB Guidelines 01/2021 on Examples regarding Personal Data Breach Notification, a confidentiality breach occurs when personal data is disclosed or made available to unauthorized persons. This is the case when exfiltration of job application data from a website results in personal information being accessible to unauthorized persons, such as hackers or competitors. This type of breach may pose a high risk to the rights and freedoms of the data subjects, as it may lead to identity theft, fraud, discrimination, or reputational damage. Therefore, the data controller should notify the data subjects without undue delay, unless the data is encrypted or anonymized, or the controller has taken subsequent measures to ensure that the high risk is no longer likely to materialize.

References: EDPB Guidelines 01/2021 on Examples regarding Personal Data Breach Notification, page 151; CIPP/E Textbook, page 136.