IAPP CIPP-E Exam Questions

An adequacy decision is a decision adopted by the European Commission, which determines that a third country, a territory or one or more specified sectors within a third country, or an international organisation ensures an adequate level of protection of personal data1.This means that the third country or organisation provides a level of protection that is essentially equivalent to that guaranteed within the European Union (EU), taking into account its domestic law and international commitments, as well as the respect for the rule of law, human rights and fundamental freedoms, relevant legislation, and the existence and effective functioning of independent supervisory authorities1.An adequacy decision is one of the transfer tools that can be used to transfer personal data to a third country or organisation without requiring any further authorisation1.However, an adequacy decision is not permanent and can be amended, suspended or repealed by the Commission at any time, if the conditions are no longer met1.Therefore, according to the recommendations of the European Data Protection Board (EDPB), the additional action that should be taken when a transfer to a third country is based upon an adequacy decision is to monitor changes in the law or practice of the third country that would lower the level of protection of personal data2.This means that the data exporter should stay informed of any developments in the third country or organisation that could affect the validity of the adequacy decision, and take appropriate measures if the level of protection is no longer adequate2.The data exporter should also cooperate with the competent supervisory authority and inform it of any issues that may affect the compliance with the adequacy decision2. Therefore, option D is the correct answer.Reference:Art. 45 GDPR -- Transfers on the basis of an adequacy decision,Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data

According to the EDPB Guidelines 05/2020 on consent under Regulation 2016/6791, valid consent for the use of cookies must meet the following conditions:

* It must be freely given, which means that the data subject must have a genuine choice and the ability to refuse or withdraw consent without detriment.

* It must be specific, which means that the data subject must give consent for each distinct purpose of the processing and for each type of cookie.

* It must be informed, which means that the data subject must receive clear and comprehensive information about the identity of the controller, the purposes of the processing, the types of cookies used, the duration of the cookies, and the possibility of withdrawing consent.

* It must be unambiguous, which means that the data subject must express their consent by a clear affirmative action, such as clicking on an ''I agree'' button or selecting specific settings in a cookie banner.

* It must be granular, which means that the data subject must be able to consent to different types of cookies separately, such as essential, functional, performance, or marketing cookies.

Therefore, a ''Cookies Settings'' button is not a necessary element to collect valid consent for the use of cookies, as long as the data subject can exercise their choice and preference through other means, such as a cookie banner with different options. However, a ''Cookies Settings'' button may be a good practice to enhance transparency and user control, as it allows the data subject to access and modify their consent settings at any time.

On the other hand, a ''Reject All'' cookies button is a necessary element to collect valid consent for the use of cookies, as it ensures that the data subject can freely refuse consent without detriment. A list of cookies that may be placed and information on the purpose of the cookies are also necessary elements to collect valid consent for the use of cookies, as they ensure that the data subject is informed and can give specific consent for each type of cookie.

According to the CIPP/E study guide, data controllers should use the least intrusive means of verifying the identity of data subjects who make requests under the GDPR. Asking for a copy of an ID document or a bank account statement may be disproportionate and excessive, as they contain more personal data than necessary for authentication. Asking for the bank account number may not be sufficient, as it may be easily obtained by third parties. Therefore, the most appropriate way to confirm the identity of the customer is to ask additional security questions that only the customer would know, such as the date of the last transaction, the amount of the last deposit, or the name of the beneficiary of a recurring payment.

The CJEU ruled that the consent required by the ePrivacy Directive for the use of cookies must comply with the conditions laid down in the GDPR, which means that it must be specific, informed, unambiguous, and freely given. Therefore, pre-checked boxes or implied consent by scrolling are not valid forms of consent for cookies. The CJEU also clarified that the ePrivacy Directive applies to any information stored or accessed on a user's device, regardless of whether it is personal data or not. Furthermore, the CJEU stated that the information provided to users about cookies must include the duration of the operation of cookies and the possibility of third parties accessing them.