New Year Sale ! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions

IAPP Exam CIPP-E Topic 3 Question 81 Discussion

Actual exam question for IAPP's CIPP-E exam
Question #: 81
Topic #: 3
[All CIPP-E Questions]

SCENARIO

Please use the following to answer the next question:

Jane starts her new role as a Data Protection Officer (DPO) at a Malta-based

company that allows anyone to buy and sell cryptocurrencies via its online platform.

The company stores and processes the personal data of its customers in a

dedicated data center located in Malta (EU).

People wishing to trade cryptocurrencies are required to open an online account on

the platform. They then must successfully pass a Know Your Customer (KYC) due

diligence procedure aimed at preventing money laundering and ensuring

compliance with applicable financial regulations.

The non-European customers are also required to waive all their GDPR rights by

reading a disclaimer written in bold and ticking a checkbox on a separate page in

order to get their account approved on the platform.

All customers must likewise accept the terms of service of the platform. The terms

of service also include a privacy policy section, saying, among other things, that if a

customer fails the KYC process, its KYC data will be automatically shared with the

national anti-money laundering agency.

The KYC procedure requires customers to answer many questions, including

whether they have any criminal convictions, whether they use recreational drugs or

have problems with alcohol, and whether they have a terminal illness. While

providing this data, customers see a conspicuous message saying that this data is

meant only to prevent fraud and account takeover, and will be never shared with

private third parties.

The company regularly conducts external security testing of its online systems by

independent cybersecurity companies from the EU. At the final stage of testing, the

company provides cybersecurity assessors with access to its central database to

review security permissions, roles and policies. Personal data in the database is

encrypted; however, cybersecurity assessors usually have access to the decryption

keys obtained while running initial security testing. The assessors must strictly

follow the guidelines imposed by the company during the entire testing and auditing

process.

All customer data, including trading activities and all internal communications with

technical support, are permanently stored in a secured AWS S3 Glacier cloud data

storage, located in Ireland, for backup and compliance purposes. The data is

securely transferred to the cloud and then is properly encrypted while at rest by

using AWS-native encryption mechanisms. These mechanisms give AWS the

necessary technical means to encrypt and decrypt the data when such is required

by the company. There is no data processing agreement between AWS and the

company.

Should Jane modify the required GDPR rights waiver for non-European residents?

Show Suggested Answer Hide Answer
Suggested Answer: B

The GDPR applies to the processing of personal data of data subjects who are in the EU, regardless of their nationality or residence. This means that non-EU residents who are physically located in the EU are protected by the GDPR, and EU residents who are outside the EU are not. However, this does not mean that non-EU residents who are outside the EU can be asked to waive their GDPR rights by a company that is subject to the GDPR. The GDPR does not allow such waivers, as they would undermine the essence of the fundamental rights and freedoms of data subjects. The GDPR also requires that data subjects are provided with clear and transparent information about the processing of their personal data, and that they give their consent freely, specifically, informedly and unambiguously. A blanket waiver of GDPR rights does not meet these criteria, and would therefore be invalid and unenforceable.


* GDPR Article 3 - Territorial scope1

* GDPR Article 7 - Conditions for consent2

* GDPR Article 25 - Data protection by design and by default3

* GDPR Recital 171 - Relationship with previously concluded agreements4

Contribute your Thoughts:

Coral
6 months ago
Michael: I think it's important to consider the legality of the waiver for non-EU residents, so modifying it to ensure enforceability might be a good idea.
upvoted 0 times
...
Alethea
6 months ago
Sophia: I agree with David, we should not modify the waiver, but maybe have them manually sign a separate waiver for enforceability under GDPR.
upvoted 0 times
...
Joana
7 months ago
David: Non-EU residents may not be protected by GDPR if they are not physically located in the EU, so maybe we should leave the waiver as it is.
upvoted 0 times
...
Carey
7 months ago
Emily: I think all customers should enjoy the same individual rights granted under GDPR, so the waiver clause should be removed.
upvoted 0 times
...
Francine
7 months ago
Alex: I believe the waiver should not apply to residents of countries with an adequacy decision from the EC.
upvoted 0 times
...
Sherell
7 months ago
Jane: What do you think about modifying the GDPR rights waiver for non-European residents?
upvoted 0 times
...

Save Cancel