According to Article 13 of the GDPR, when personal data are collected from the data subject, the data controller must provide the data subject with the following information, among others1:

The identity and the contact details of the controller and, where applicable, of the controller's representative;

The contact details of the data protection officer, where applicable;

The purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

The recipients or categories of recipients of the personal data, if any;

Where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

In the scenario, Wonderkids provides some of this information in their Privacy Statement, but not all. They do not specify the categories of recipients with whom they will share the personal data of their customers and their children. They only state that they will share the data with businesses that they see as adding real value to the customers, which is vague and ambiguous. This does not comply with the GDPR requirement to inform the data subjects about the recipients or categories of recipients of their personal data, if any. Therefore, Wonderkids must provide this additional information in their Privacy Statement.

1: Art. 13 GDPR Information to be provided where personal data are collected from the data subject

According to Article 32 of the GDPR, the controller and the processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing personal data, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The GDPR also provides some examples of such measures, including the pseudonymisation and encryption of personal data, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, and a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

In this scenario, the company is processing personal data of children, such as their voice, questions, preferences, and location, through the connected toys that use a wireless Bluetooth connection to communicate with smartphones, tablets, cloud servers, and other toys. This poses a high risk to the security of the data, as Bluetooth is a short-range wireless technology that can be easily intercepted, hacked, or compromised by malicious actors. Therefore, the company should encrypt the data in transit over the Bluetooth connection, to prevent unauthorized access, disclosure, or alteration of the data. Encryption is a process of transforming data into an unreadable form, using a secret key or algorithm, that can only be reversed by authorized parties who have the corresponding key or algorithm. Encryption can protect the data from being accessed or modified by anyone who does not have the key or algorithm, thus ensuring the confidentiality and integrity of the data.

The other options are incorrect because:

B . Including dual-factor authentication before each use by a child in order to ensure a minimum amount of security is not a sufficient measure to protect the data in transit over the Bluetooth connection. Dual-factor authentication is a process of verifying the identity of a user by requiring two pieces of evidence, such as a password and a code sent to a phone or email. While this may enhance the security of the user's account or device, it does not protect the data that is transmitted over the wireless connection, which can still be intercepted, hacked, or compromised by malicious actors. Moreover, dual-factor authentication may not be suitable or convenient for children, who may not have access to a phone or email, or who may forget their passwords or codes.

C . Including three-factor authentication before each use by a child in order to ensure the best level of security possible is not a necessary or proportionate measure to protect the data in transit over the Bluetooth connection. Three-factor authentication is a process of verifying the identity of a user by requiring three pieces of evidence, such as a password, a code sent to a phone or email, and a biometric feature, such as a fingerprint or a face scan. While this may provide a high level of security for the user's account or device, it does not protect the data that is transmitted over the wireless connection, which can still be intercepted, hacked, or compromised by malicious actors. Furthermore, three-factor authentication may not be appropriate or feasible for children, who may not have access to a phone or email, or who may not have reliable biometric features, or who may find the process too complex or cumbersome.

D . Inserting contractual clauses into the contract between the toy manufacturer and the cloud service provider, since South Africa is outside the European Union, is not a relevant measure to protect the data in transit over the Bluetooth connection. Contractual clauses are legal agreements that specify the obligations and responsibilities of the parties involved in a data transfer, such as the level of data protection, the rights of data subjects, and the remedies for breaches. While contractual clauses may be necessary to ensure the compliance of the data transfer to South Africa, which is a non-EU country that does not have an adequacy decision from the European Commission, they do not address the security of the data that is transmitted over the wireless connection, which can still be intercepted, hacked, or compromised by malicious actors. Moreover, contractual clauses are not a technical or organisational measure, but a legal measure, that falls under a different provision of the GDPR, namely Article 46.

The Customer for Life plan may conflict with Article 7 of the GDPR, which states that ''the data subject shall have the right to withdraw his or her consent at any time'' and that ''it shall be as easy to withdraw as to give consent''1. The plan violates this principle by stating that customers agree not to withdraw direct marketing consent and that the company can ignore any attempts to do so.This is not a valid way of obtaining or maintaining consent, as consent must be freely given, specific, informed and unambiguous2.Moreover, the plan may also conflict with Article 21 of the GDPR, which gives data subjects the right to object to direct marketing at any time3.Reference:1: Article 7(3) of the GDPR2: Article 4(11) of the GDPR3: Article 21(2) of the GDPR

I hope this helps. If you have any other questions, please feel free to ask.

According to the GDPR, the data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: (a) the purposes of the processing; (b) the categories of personal data concerned; the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; (d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (f) the right to lodge a complaint with a supervisory authority; (g) where the personal data are not collected from the data subject, any available information as to their source; (h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject1.The data subject also has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her2. Therefore, options A, B and D are valid data access requests that ABC Hotel Chain and XYZ Travel Agency have to honor, as they fall within the scope of the right of access and rectification. However, option C is not a valid data access request, as it involves the right to erasure, which is a separate right from the right of access.The right to erasure, also known as the right to be forgotten, entitles the data subject to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: (a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing; the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2); (d) the personal data have been unlawfully processed; (e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; (f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1)3.However, the right to erasure is not absolute and does not apply where processing is necessary: (a) for exercising the right of freedom of expression and information; (b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3); (d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or (e) for the establishment, exercise or defence of legal claims4. In this scenario, Mike's request to obtain access and erasure of his personal data while keeping his rewards membership is not a valid data access request, as it contradicts the right to erasure. If Mike wants to exercise his right to erasure, he has to withdraw his consent for the processing of his personal data by ABC Hotel Chain and XYZ Travel Agency, which means that he cannot keep his rewards membership, as it is based on the processing of his personal data. Moreover, ABC Hotel Chain and XYZ Travel Agency may have other legal grounds for retaining his personal data, such as compliance with a legal obligation or the establishment, exercise or defence of legal claims.Therefore, option C is the correct answer, as it is the only situation where ABC Hotel Chain and XYZ Travel Agency do not have to honor Mike's data access request.Reference:1: Article 15 of the GDPR;2: Article 16 of the GDPR;3: Article 17(1) of the GDPR;4: Article 17(3) of the GDPR;Free CIPP/E Study Guide, pages 33-35.

The GDPR is the EU's general data protection regulation that applies to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not. The GDPR also applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to the offering of goods or services to data subjects in the EU or the monitoring of their behaviour as far as their behaviour takes place within the EU. The GDPR sets out the principles, rights and obligations for the protection of personal data, as well as the enforcement and cooperation mechanisms among the data protection authorities and the European Data Protection Board.

The Digital Services Act (DSA), the Data Governance Act (DGA) and the Digital Markets Act (DMA) are part of the EU's digital strategy that aims to create a single market for data and digital services, by supporting responsible access, sharing and re-use of data, while respecting the values of the EU and in particular the protection of personal data. These legal acts do not change or replace the GDPR, but rather complement and reinforce it, by addressing specific issues and challenges related to the digital economy and society. The DSA, the DGA and the DMA explicitly state that they apply without prejudice to the GDPR and that they respect and uphold the fundamental rights and freedoms of individuals, including the right to the protection of personal data.

The DSA is a proposal for a regulation that seeks to harmonise the rules and responsibilities of online intermediaries, such as platforms, hosting services, cloud providers and online marketplaces, in order to ensure a safe and trustworthy online environment for users and businesses. The DSA introduces a set of obligations for online intermediaries, such as transparency, accountability, due diligence, cooperation and reporting, depending on their size, role and impact. The DSA also establishes a new governance and cooperation system among the national authorities and the European Commission, as well as a mechanism for out-of-court dispute resolution.

The DGA is a proposal for a regulation that aims to foster the availability of data for use by increasing trust in data intermediaries and by strengthening data-sharing mechanisms across the EU. The DGA introduces a new legal framework for data sharing services, such as data brokers, data marketplaces, data trusts and data cooperatives, that facilitate data exchange between data holders and data users. The DGA also sets out rules and requirements for data altruism, which is the voluntary consent of individuals or organisations to share data for the common good. The DGA also establishes a new governance model for data sharing in the EU, involving the European Data Innovation Board, the national competent authorities and the European Commission.

The DMA is a proposal for a regulation that intends to limit the power of large online platforms that act as gatekeepers in the digital market, by imposing a set of obligations and prohibitions to prevent unfair practices and ensure fair and open competition. The DMA defines the criteria and the procedure for identifying the gatekeepers, such as search engines, social networks, online marketplaces, app stores and cloud services, that have a significant impact and influence in the digital economy. The DMA also provides for the supervision and enforcement of the rules by the European Commission, as well as the possibility of imposing fines and sanctions for non-compliance.

GDPR, Articles 1, 2, 3, 4, 5, 6, 7, 8, and 9.

DSA, Articles 1, 2, 3, 4, 5, 6, 7, 8, 9, and 10.

DGA, Articles 1, 2, 3, 4, 5, 6, 7, 8, 9, and 10.

DMA, Articles 1, 2, 3, 4, 5, 6, 7, 8, 9, and 10.