Free Preparation Discussions
MENU
IAPP Exam CIPP-E Topic 2 Question 102 Discussion
Topic #: 2
SCENARIO - Please use the following to answer the next question:
It has been a tough season for the Spanish Handball League, with acts of violence and racism having increased exponentially during their last few matches.
In order to address this situation, the Spanish Minister of Sports, in conjunction with the National Handball League Association, issued an Administrative Order (the "Act") obliging all the professional clubs to install a fingerprint-reading system for accessing some areas of the sports halls, primarily the ones directly behind the goalkeepers. The rest of the areas would retain the current access system, which allows any spectators access as long as they hold valid tickets.
The Act named a selected hardware and software provider, New Digital Finger, Ltd., for the creation of the new fingerprint system. Additionally, it stipulated that any of the professional clubs that failed to install this system within a two-year period would face fines under the Act.
The Murla HB Club was the first to install the new system, renting the New Digital Finger hardware and software. Immediately afterward, the Murla HB Club automatically renewed current supporters' subscriptions, while introducing a new contractual clause requiring supporters to access specific areas of the hall through the new fingerprint reading system installed at the gates.
After the first match hosted by the Murla HB Club, a local supporter submitted a complaint to the club and to the Spanish Data Protection Authority (the AEPD), claiming that the new access system violates EU data protection laws. Having been notified by the AEPD of the upcoming investigation regarding this complaint, the Murla HB Club immediately carried out a Data Protection Impact Assessment (DPIA), the conclusions of which stated that the new access system did not pose any high risks to data subjects' privacy rights.
The Murla HB Club should have carried out a DPIA before the installation of the new access system and at what other time?
A DPIA is not a one-time activity. While it's crucial to conduct a DPIA before implementing a new system that processes personal data (like the fingerprint system), the GDPR requires organizations to review and update their DPIAs periodically, especially when there are changes that might affect the risk to data subjects.
Here's why the other options are incorrect:
A . After the complaint of the supporter: While a complaint might trigger a review of the processing, the DPIA should have been done proactively before any issues arose.
C . At the end of every match of the season: This frequency is excessive and doesn't align with the idea of assessing risks when changes occur.
D . After the AEPD notification of the investigation: Similar to option A, this is reactive rather than proactive.
GDPR Article 35 - Data protection impact assessment
IAPP CIPP/E textbook, Chapter 4: Accountability and Data Governance (specifically, sections on DPIAs and ongoing review)
WP29 Guidelines on Data Protection Impact Assessment (DPIA)
Rosio
1 months agoLucina
1 months agoShawn
17 days agoKandis
21 days agoEmmett
1 months agoReiko
6 days agoDick
7 days agoNoe
8 days agoVeronika
10 days agoCordelia
1 months agoRoosevelt
2 months agoSalome
6 days agoWillodean
7 days agoJacquelyne
8 days agoAndrew
20 days agoDenae
27 days agoRuth
1 months agoGlen
2 months agoLorriane
2 months agoJoaquin
1 months agoEmerson
2 months agoRosio
2 months agoCordelia
2 months ago