The GDPR requires that personal data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures1.This principle is known as integrity and confidentiality, or sometimes as security2.Encryption is one of the possible technical measures that can be used to protect personal data at rest, as it makes the data unintelligible to anyone who does not have the key to decrypt it3.By recommending that the company encrypts all personal data at rest, Tanya is following the principle of integrity and confidentiality, as she is ensuring that the personal data is secure and protected from unauthorised access or accidental damage.Reference:1: Article 5(1)(f) of the GDPR2:A guide to the data protection principles | ICO3: Encryption | ICO

According to the EDPB Guidelines 8/2022, the lead supervisory authority of a controller is the supervisory authority of the main or single establishment of the controller in the EEA. The main establishment is the place where the controller has its place of central administration in the EEA, unless decisions on the purposes and means of the processing are taken in another establishment in the EEA, and that establishment has the power to implement those decisions. The controller must be able to demonstrate that such an establishment exists. The supervisory authority of the main establishment is the lead supervisory authority, regardless of what the controller has identified as the authority to which data subjects can lodge complaints. Therefore, criterion C is not relevant for identifying the lead supervisory authority of a controller.

According to the UK GDPR, the controller and the processor must support the data protection officer in performing the tasks referred to in Article 39 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge1.The controller and the processor must also ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks and that he or she reports directly to the highest management level of the controller or the processor1.

According to theFree CIPP/E Study Guide, page 12, ''the GDPR requires data controllers to implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR. These measures should take into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.'' The GDPR also requires data controllers to ensure the security of personal data, to notify data breaches to the supervisory authorities and data subjects, and to cooperate with the supervisory authorities in providing any information necessary for the performance of their tasks. Therefore, the GDPR requirement that data controllers must be in control of the data they hold at all times will present the most significant challenges for organizations with BYOD programs, as they will have to deal with the increased risks of data loss, theft, unauthorized access, or misuse that may arise from the use of personal devices by employees or contractors. The other options are not necessarily more challenging for organizations with BYOD programs, although they may involve other obligations under the GDPR, such as obtaining a valid legal basis, providing adequate safeguards, or informing the data subjects.Reference:

Free CIPP/E Study Guide, page 12

GDPR, Articles 24, 25, 28, 32, 33, 34 and 58

According to the General Data Protection Regulation (GDPR), a data processor is a natural or legal person, agency, public authority, or any other body who processes personal data on behalf of a data controller. A data controller is a natural or legal person, agency, public authority, or any other body who, alone or jointly with others, determines the purposes and means of the processing of personal data. The GDPR imposes specific obligations and responsibilities on both data controllers and data processors, and requires them to enter into a written contract or other legal act that sets out the subject matter, duration, nature, and purpose of the processing, as well as the obligations and rights of the data controller.

In this scenario, BHealthy is the data controller, as it determines the purpose and means of collecting and sharing its customer information with Natural Insight. Natural Insight is the data processor, as it processes the customer information on behalf of BHealthy for the purpose of determining the price point for BHealthy's new sunscreens. However, Natural Insight also intends to use the customer information for its own purpose of improving its algorithms, which may not be aligned with BHealthy's purpose or instructions. This may constitute a breach of the data processing contract and the GDPR, as the data processor must only process the personal data on documented instructions from the data controller, unless required to do so by EU or member state law (Article 28(3)(a) of the GDPR).

Therefore, the only case in which Natural Insight's use of BHealthy's data for improvement of its algorithms would be considered data processor activity is if Natural Insight receives express contractual instructions from BHealthy to use its data for improving its algorithms. This would mean that BHealthy has given its consent and authorization for Natural Insight to process the data for that specific purpose, and that Natural Insight is acting in accordance with BHealthy's instructions. In this case, Natural Insight would still be bound by the data processing contract and the GDPR, and would have to comply with the other obligations and requirements of a data processor, such as ensuring the security of the data, respecting the conditions for engaging another processor, assisting the data controller in ensuring compliance with the GDPR, and deleting or returning the data to the data controller after the end of the service.

The other options are not valid cases for data processor activity, as they do not involve the data controller's instructions or consent. If Natural Insight uses BHealthy's data for improving price point predictions only for BHealthy, it may still be processing the data for a different purpose than the one for which it was collected and shared, and without BHealthy's knowledge or approval. If Natural Insight agrees to be fully liable for its use of BHealthy's customer information in its product improvement activities, it may still be violating the data processing contract and the GDPR, as it is not acting on behalf of the data controller, but for its own benefit. If Natural Insight satisfies the transparency requirement by notifying BHealthy's customers of its plans to use their information for its product improvement activities, it may still be infringing the data controller's rights and obligations, as it is not the data controller's role to inform the data subjects of the processing activities, and it may not have a lawful basis for processing the data for its own purpose.

GDPR

Data Controllers and Processors - GDPR EU

Who does the UK GDPR apply to? | ICO

What Activities Count as Processing Under the GDPR?

What constitutes data processing? - European Commission