Two businesses decide to work together to sell their products by mail order. Orders are made via a single online website, and they each use their existing employees to administer and update each other's orders on a single order system, regardless of product.
Which of the below is CORRECT of the roles of the two businesses in relation to the single order system?
The two businesses are both joint controllers of the information contained in the single order system, because they jointly determine the purposes and means of the processing. They have a shared purpose of selling their products by mail order and they agree on the means of processing by using a single online website and a single order system. Their decisions complement each other and are necessary for the processing to take place. The processing by each party is inseparable and inextricably linked. Therefore, they meet the criteria for joint controllership under the GDPR.
Reference:
Guidelines 07/2020 on the concepts of controller and processor in the GDPR, pp. 16-24
An individual applies for a job as a security guard. The employer has had significant issues with the sickness record of past recruits. They therefore decide to offer the position to the individual on the basis that they request a copy of their medical record, so that the employer can be assured that they are in a good state of health.
The Data Protection Officer has been asked to advise. What advice is MOST appropriate?
The Data Protection Act 2018 (DPA 2018) makes it a criminal offence for a person to require another person to make a subject access request for information about their health, convictions or cautions, or spent convictions, and to provide that information to the first person or a third person, as a condition of providing or offering to provide goods, facilities or services, or as a condition of entering into or continuing a contract. This is known as an enforced subject access request. The employer in this scenario is committing a criminal offence by offering the job to the individual on the condition that they request a copy of their medical record and provide it to the employer. The employer is also breaching the data protection principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, and storage limitation, as they are processing health data, which is a special category of personal data, without a valid legal basis, without informing the individual of the purpose and legal basis of the processing, and without limiting the processing to what is necessary and relevant for the employment relationship. The employer should instead obtain the individual's explicit consent to request the health information directly from the relevant health professional, and only request the information that is necessary and proportionate for the specific role of a security guard.
Reference:
ICO guidance on enforced subject access requests
ICO guidance on special category data
What are Information Society Services? Select the INCORRECT answer.
Information society services (ISS) are defined in Article 4(25) of the UK GDPR as "any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services". This means that ISS are online services that are paid for, either by the user or by another source of income, such as advertising or sponsorship, and that are provided without the parties being physically present, using electronic equipment for the transmission and reception of data, and upon the request of the user. Examples of ISS include apps, programs, websites, search engines, social media platforms, online marketplaces, content streaming services, online games, and any other online services that offer goods or services to users over the internet. Therefore, options A, B and C are correct examples of ISS, as they meet the criteria of the definition. However, option D is not a correct example of ISS, as it does not involve any remuneration for the service provider. Information services provided by non-profit or government organisations with no remuneration are not considered ISS under the UK GDPR, unless they compete with other ISS on the market.
Reference:
Services covered by this code
You are a consulting Data Protection Officer (DPO) for a holiday resort. You have been asked to conduct a Data Protection Impact Assessment (DPIA) for them in advance of adopting a new HR management database.
While working through the DPIA, which of the following is NOT a requirement?
a description of the processing, including its purposes and legal basis;
an assessment of the necessity and proportionality of the processing in relation to its purposes;
an assessment of the risks to the rights and freedoms of individuals; and
the measures envisaged to address the risks and demonstrate compliance with the UK GDPR.
Reference:
Articles 13 and 14 of the UK GDPR
Which of the following is NOT a processor obligation?
Providing the controller with corporate information relating to its board members is not a processor obligation under the GDPR. The processor obligations under the GDPR are mainly the following:
To process the personal data only on documented instructions from the controller, unless required by law;
To ensure that persons authorised to process the personal data are bound by confidentiality;
To implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk;
To not engage another processor without the prior authorisation of the controller;
To assist the controller in fulfilling its obligations regarding data subject rights, data protection impact assessments, prior consultations, and data breach notifications;
To delete or return the personal data to the controller at the end of the service, unless required by law to store the data;
To make available to the controller all information necessary to demonstrate compliance and allow for audits and inspections.
Reference:
Guidelines 07/2020 on the concepts of controller and processor in the GDPR, pp. 37-41