SCENARIO
Please use the following to answer the next question:
Financially, it has been a very good year at ARRA Hotels: Their 21 hotels, located in
Greece (5), Italy (15) and Spain (1), have registered their most profitable results
ever. To celebrate this achievement, ARRA Hotels' Human Resources office, based
in ARRA's main Italian establishment, has organized a team event for its 420
employees and their families at its hotel in Spain.
Upon arrival at the hotel, each employee and family member is given an electronic
wristband at the reception desk. The wristband serves a number of functions:
. Allows access to the "party zone" of the hotel, and emits a buzz if the user
approaches any unauthorized areas
. Allows up to three free drinks for each person of legal age, and emits a
buzz once this limit has been reached
. Grants a unique ID number for participating in the games and contests that
have been planned.
Along with the wristband, each guest receives a QR code that leads to the online
privacy notice describing the use of the wristband. The page also contains an
unchecked consent checkbox. In the case of employee family members under the
age of 16, consent must be given by a parent.
Among the various activities planned for the event, ARRA Hotels' HR office has
autonomously set up a photocall area, separate from the main event venue, where
employees can come and have their pictures taken in traditional carnival costume.
The photos will be posted on ARRA Hotels' main website for general marketing
purposes.
On the night of the event, an employee from one of ARRA's Greek hotels is
displeased with the results of the photos in which he appears. He intends to file a
complaint with the relevant supervisory authority in regard to the following:
. The lack of any privacy notice in the separate photocall area
The unlawful cross-border processing of his personal data
. The unacceptable aesthetic outcome of his photos
Which of the following is NOT necessarily considered a factor in identifying whether
the processing could be considered a "cross-border processing"?
Cross-border processing is defined in Article 4(23) of the GDPR as either:
* processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
* processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
Therefore, the factors that are relevant for identifying whether the processing could be considered a cross-border processing are:
* the location and number of establishments of the controller or processor in the EU;
* the connection between the processing and the activities of the establishments;
* the substantial effect or likelihood of substantial effect on data subjects in more than one Member State.
The total number of the data subjects interested is not necessarily a factor, as the processing could affect only a few data subjects but still have a substantial impact on them. For example, a processing that involves the disclosure of sensitive personal data of a small group of data subjects in different Member States could be considered a cross-border processing.
* GDPR Article 4 - Definitions1
* Guidelines 8/2022 on identifying a controller or processor's lead supervisory authority2
As per the GDPR, which legal basis would be the most appropriate for an online shop that wishes to process personal data for the purpose of fraud prevention?
The other options are incorrect because:
Which of the following is an example of direct marketing that would be subject to European data protection laws?
According to the definition of direct marketing in the context of data protection law, it is personal data processed to communicate a marketing or advertising message. This includes messages from commercial organisations, as well as from charities and political organisations. Therefore, option D is an example of direct marketing that would be subject to European data protection laws, as it involves sending a marketing message by SMS to an individual. The other options are not examples of direct marketing, as they do not involve marketing or advertising messages, but rather information or service messages that are not intended to promote any product or service.Reference:
[IAPP article on direct marketing (EU specific)]
Lexology article on direct marketing requirements under the GDPR
SCENARIO
Please use the following to answer the next question:
WonderkKids provides an online booking service for childcare. Wonderkids is based in France, but hosts its website through a company in Switzerland. As part of their service, WonderKids will pass all personal data provided to them to the childcare provider booked through their system. The type of personal data collected on the website includes the name of the person booking the childcare, address and contact details, as well as information about the children to be cared for including name, age, gender and health information. The privacy statement on Wonderkids' website states the following:
''WonderkKids provides the information you disclose to us through this website to your childcare provider for scheduling and health and safety reasons. We may also use your and your child's personal information for our own legitimate business purposes and we employ a third-party website hosting company located in Switzerland to store the dat
a. Any data stored on equipment located in Switzerland meets the European Commission provisions for guaranteeing adequate safeguards for you and your child's personal information. We will only share you and your child's personal information with businesses that we see as adding real value to you. By providing us with any personal data, you consent to its transfer to affiliated businesses and to send you promotional offers.''
''We may retain you and your child's personal information for no more than 28 days, at which point the data will be depersonalized, unless your personal information is being used for a legitimate business purpose beyond 28 days where it may be retained for up to 2 years.''
''We are processing you and your child's personal information with your consent. If you choose not to provide certain information to us, you may not be able to use our services. You have the right to: request access to
you and your child's personal information; rectify or erase you or your child's personal information; the right to correction or erasure of you and/or your child's personal information; object to any processing of you and your child's personal information. You also have the right to complain to the supervisory authority about our data processing activities.''
What additional information must Wonderkids provide in their Privacy Statement?
The identity and the contact details of the controller and, where applicable, of the controller's representative;
The contact details of the data protection officer, where applicable;
The purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
The recipients or categories of recipients of the personal data, if any;
Where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
In the scenario, Wonderkids provides some of this information in their Privacy Statement, but not all. They do not specify the categories of recipients with whom they will share the personal data of their customers and their children. They only state that they will share the data with businesses that they see as adding real value to the customers, which is vague and ambiguous. This does not comply with the GDPR requirement to inform the data subjects about the recipients or categories of recipients of their personal data, if any. Therefore, Wonderkids must provide this additional information in their Privacy Statement.
1: Art. 13 GDPR Information to be provided where personal data are collected from the data subject
SCENARIO
Please use the following to answer the next question:
Jack worked as a Pharmacovigiliance Operations Specialist in the Irish office of a multinational pharmaceutical company on a clinical trial related to COVID-19. As part of his onboarding process Jack received privacy training He was explicitly informed that while he would need to process confidential patient data in the course of his work, he may under no circumstances use this data for anything other than the performance of work-related (asks This was also specified in the privacy policy, which Jack signed upon conclusion of the training.
After several months of employment, Jack got into an argument with a patient over the phone. Out of anger he later posted the patient's name and hearth information, along with disparaging comments, on a social media website. When this was discovered by his Pharmacovigilance supervisors. Jack was immediately dismissed
Jack's lawyer sent a letter to the company stating that dismissal was a disproportionate sanction, and that if Jack was not reinstated within 14 days his firm would have no alternative but to commence legal proceedings against the company. This letter was accompanied by a data access request from Jack requesting a copy of "all personal data, including internal emails that were sent/received by Jack or where Jack is directly or indirectly identifiable from the contents In relation to the emails Jack listed six members of the management team whose inboxes he required access.
The company conducted an initial search of its IT systems, which returned a large amount of information They then contacted Jack, requesting that he be more specific regarding what information he required, so that they could carry out a targeted search Jack responded by stating that he would not narrow the scope of the information requester.
Under Article 82 of the GDPR ("Right to compensation and liability-), which party is liable for the damage caused by the data breach?
