IAPP CIPP-E Actual Questions

 A data sharing agreement is a contract that documents what data is being shared and how it can be used. It can be used to make data sharing lawful and to demonstrate compliance with the accountability principle under the GDPR. A data sharing agreement is most likely to be needed when personal data is being shared between commercial organizations acting as joint data controllers, because they have to determine and agree on their respective roles and responsibilities, such as the purpose and legal basis of the data sharing, the rights of the data subjects, the security measures, and the liability for any breaches. A data sharing agreement is not mandatory, but it is good practice and can help to avoid disputes and confusion. A data sharing agreement may not be needed or may be less detailed in the other scenarios, depending on the circumstances and the nature of the data. For example, anonymized data is not personal data under the GDPR and does not require a data sharing agreement, although it may still be subject to other contractual or ethical obligations. Personal data that is proactively shared by a controller to support a police investigation may be covered by a legal obligation or a public interest, and the controller may not have much control over how the data is used by the police. Personal data that is shared with a public authority with powers to require the personal data to be disclosed may also be subject to a legal obligation or a public interest, and the controller may have to comply with the authority’s request without a data sharing agreement. References:

Data sharing agreements | ICO, which provides guidance on the benefits and contents of a data sharing agreement.

Data Sharing Agreement - the Definition - GDPR Summary, which explains what a data sharing agreement is and when it can be used.

The role of data sharing and the GDPR | Data Republic, which discusses the impact of the GDPR on data sharing practices.

The EDPB’s Guidelines 4/2019 on Article 25 Data Protection by Design and by Default provide guidance on how to implement the requirements of Article 25 of the GDPR, which obliges controllers to design and implement appropriate technical and organisational measures and necessary safeguards to ensure that the processing of personal data complies with the data protection principles and protects the rights and freedoms of data subjects. The guidelines also explain how to apply the concept of data protection by default, which means that by default, only personal data that are necessary for each specific purpose of the processing are processed.

The guidelines do not mention data ownership allocation as a practice that follows from the principles relating to the processing of personal data under EU data protection law. Data ownership allocation is not a concept that is recognised or defined by the GDPR or the EDPB. Data ownership allocation refers to the idea that data subjects or controllers have some form of property rights over the personal data that they provide or process. However, the GDPR does not grant such rights, but rather establishes a set of rules and obligations for the processing of personal data, based on the notion of accountability and responsibility of the controllers and processors. The GDPR also recognises the rights and freedoms of data subjects, such as the right of access, rectification, erasure, restriction, portability, objection and not to be subject to automated decision-making, which are not dependent on the ownership of the personal data, but on the fact that the personal data relate to them.

The other practices listed in the question, namely access control management, frequent pseudonymization key rotation and error propagation avoidance along the processing chain, are examples of practices that follow from the principles relating to the processing of personal data under EU data protection law, as explained in the guidelines. Access control management follows from the principle of integrity and confidentiality, which requires that personal data are processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. Frequent pseudonymization key rotation follows from the principle of data minimisation, which requires that personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Error propagation avoidance along the processing chain follows from the principle of accuracy, which requires that personal data are accurate and, where necessary, kept up to date.

References:

GDPR, Articles 5, 6, 7, 8, 9, 15, 16, 17, 18, 19, 20, 21, 22 and 25.

EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, pages 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27 and 28.

 According to the Free CIPP/E Study Guide, page 14, “if the DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk, the controller shall consult the supervisory authority prior to the processing.” This means that the controller must seek the advice of the supervisory authority when the DPIA identifies high risks that cannot be sufficiently reduced by the controller’s own measures. The other options are not necessarily cases where the consultation is required, although they may trigger other obligations under the GDPR, such as obtaining a valid legal basis, providing adequate safeguards, or informing the data subjects. References:

Free CIPP/E Study Guide, page 14

GDPR, Article 36