Deal of The Day! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions

IAPP Exam CIPP-E Topic 2 Question 102 Discussion

Actual exam question for IAPP's CIPP-E exam
Question #: 102
Topic #: 2
[All CIPP-E Questions]

SCENARIO - Please use the following to answer the next question:

It has been a tough season for the Spanish Handball League, with acts of violence and racism having increased exponentially during their last few matches.

In order to address this situation, the Spanish Minister of Sports, in conjunction with the National Handball League Association, issued an Administrative Order (the "Act") obliging all the professional clubs to install a fingerprint-reading system for accessing some areas of the sports halls, primarily the ones directly behind the goalkeepers. The rest of the areas would retain the current access system, which allows any spectators access as long as they hold valid tickets.

The Act named a selected hardware and software provider, New Digital Finger, Ltd., for the creation of the new fingerprint system. Additionally, it stipulated that any of the professional clubs that failed to install this system within a two-year period would face fines under the Act.

The Murla HB Club was the first to install the new system, renting the New Digital Finger hardware and software. Immediately afterward, the Murla HB Club automatically renewed current supporters' subscriptions, while introducing a new contractual clause requiring supporters to access specific areas of the hall through the new fingerprint reading system installed at the gates.

After the first match hosted by the Murla HB Club, a local supporter submitted a complaint to the club and to the Spanish Data Protection Authority (the AEPD), claiming that the new access system violates EU data protection laws. Having been notified by the AEPD of the upcoming investigation regarding this complaint, the Murla HB Club immediately carried out a Data Protection Impact Assessment (DPIA), the conclusions of which stated that the new access system did not pose any high risks to data subjects' privacy rights.

The Murla HB Club should have carried out a DPIA before the installation of the new access system and at what other time?

Show Suggested Answer Hide Answer
Suggested Answer: B

A DPIA is not a one-time activity. While it's crucial to conduct a DPIA before implementing a new system that processes personal data (like the fingerprint system), the GDPR requires organizations to review and update their DPIAs periodically, especially when there are changes that might affect the risk to data subjects.

Here's why the other options are incorrect:

A . After the complaint of the supporter: While a complaint might trigger a review of the processing, the DPIA should have been done proactively before any issues arose.

C . At the end of every match of the season: This frequency is excessive and doesn't align with the idea of assessing risks when changes occur.

D . After the AEPD notification of the investigation: Similar to option A, this is reactive rather than proactive.


GDPR Article 35 - Data protection impact assessment

IAPP CIPP/E textbook, Chapter 4: Accountability and Data Governance (specifically, sections on DPIAs and ongoing review)

WP29 Guidelines on Data Protection Impact Assessment (DPIA)

Contribute your Thoughts:

Currently there are no comments in this discussion, be the first to comment!


Save Cancel