Which institution has the power to adopt findings that confirm the adequacy of the data protection
level in a non-EU country?
B
Explanation:
According to Article 45 of the GDPR, the European Commission has the power to determine, on the
basis of an assessment, whether a non-EU country, a territory or a sector within that country, or an
international organisation ensures an adequate level of data protection. This means that the data
protection rules and standards in that country or organisation are equivalent to those in the EU. The
effect of an adequacy decision is that personal data can flow freely from the EU to that country or
organisation without any further safeguards or authorisations. The European Commission has
adopted adequacy decisions for several countries and organisations, such as Japan, Canada, and the
EU-US Data Privacy Framework.
Reference: Data protection adequacy for non-EU countries, Adequate Level of Protection
What is true of both the General Data Protection Regulation (GDPR) and the Council of Europe
Convention 108?
D
Explanation:
The GDPR and the Convention 108 are two important data protection instruments that aim to protect
the rights and freedoms of individuals with regard to their personal data. They both have some
similarities and some differences, but one common feature is that they both require notification of
processing activities to a supervisory authority.
A supervisory authority is an independent public body that monitors and enforces compliance with
data protection laws. In the EU, there are 47 national data protection authorities (DPAs) that have
the power to impose administrative fines, issue guidelines, conduct investigations, and cooperate
with other authorities [1]. In the Council of Europe, there are 54 parties to the Convention 108 that
have established their own supervisory authorities or have agreed to be supervised by an external
authority [2].
Notification of processing activities is a requirement for any controller or processor of personal data
that falls under the scope of the GDPR or the Convention 108. A controller is a natural or legal person
who determines the purposes and means of the processing of personal data [3]. A processor is a
natural or legal person who processes personal data on behalf of a controller [3]. Notification means
informing the supervisory authority about certain aspects of the processing, such as:
The identity and contact details of the controller and processor
The categories and sources of personal data
The purposes and legal basis for processing
The recipients or categories of recipients of personal data
The retention period or criteria for determining it
The existence of any automated decision-making or profiling
The rights of data subjects and how they can exercise them
Notification can be done in various ways, such as:
Submitting a written notification form
Publishing a notice on a website or other platform
Sending an email or other electronic message
Using an online system or portal
Notification should be done as soon as possible after becoming aware of any relevant information
about the processing. It should also be updated whenever there are significant changes in relation to
the processing [4].
Therefore, both the GDPR and the Convention 108 require notification of processing activities to a
supervisory authority. This is one way to ensure transparency, accountability, and compliance with
data protection laws.
Reference: https://rm.coe.int/090000168093b851
Which aspect of the GDPR will likely have the most impact on the consistent implementation of data
protection laws throughout the European Union?
B
Explanation:
One of the main differences between a Regulation and a Directive in the EU law is that a Regulation
is directly applicable and binding in all EU member states, without the need for national
implementing measures, while a Directive sets out the objectives and principles that the member
states must achieve, but leaves them the choice of form and methods to transpose it into their
national laws. Therefore, by taking the form of a Regulation, the GDPR aims to harmonize and unify
the data protection rules across the EU, and to ensure a consistent implementation and enforcement
of the data protection laws throughout the EU. The other aspects of the GDPR listed in the question,
such as the one-stop shop mechanism, the mandatory notification of large-scale data breaches, and
the mandatory appointment of a data protection officer, are also important features of the GDPR, but
they do not have the same impact on the consistency of the data protection laws as the form of a
Regulation.
Reference: Difference between A Regulation And Directive (European Law) [1]; EUR-Lex - 310401_2 -
EN - EUR-Lex [2]; EU GDPR vs. European Data Protection Directive 95/46/EC - Advisera [3]; Difference
between GDPR and Data Protection Directive - Profolus
How is the retention of communications traffic data for law enforcement purposes addressed by
European data protection law?
B
Explanation:
The ePrivacy Directive is a European Union (EU) directive that aims to protect the confidentiality of
electronic communications and prevent their indiscriminate interception or monitoring. It was
adopted in 2002 and amended in 2009. It applies to all providers of electronic communication
services, such as internet service providers, mobile network operators, and online platforms [1][2].
One of the main objectives of the ePrivacy Directive is to ensure that the retention of
communications traffic data for law enforcement purposes is subject to strict conditions and
safeguards. Communications traffic data refers to any information relating to the transmission or
routing of electronic communications, such as IP addresses, timestamps, and metadata [3]. Such data
can be used by competent national authorities for the prevention, investigation, detection or
prosecution of criminal offences and safeguarding national security [4].
However, the ePrivacy Directive does not allow individual EU member states to engage in such data
retention without harmonizing their rules. Article 6(1)(b) of the directive states that “Member States
shall ensure that any measures taken by them in relation to the retention of traffic data are
consistent with this Directive”. Therefore, each EU member state must adopt a national law that
complies with the requirements and limitations set by the directive [1][2].
The Data Retention Directive (DRD) was a previous EU directive that aimed to establish a common
framework for the retention of communications traffic data for law enforcement purposes across all
EU member states. It was adopted in 2006 and amended in 2010. However, it was annulled by the
Court of Justice of the European Union (CJEU) in 2014 on procedural grounds. The CJEU found that
some provisions of the DRD were inconsistent with other EU directives and principles, such as Article
8(2) of the Charter of Fundamental Rights (CFR), which protects individuals from arbitrary
interference with their privacy [5][6].
The GDPR is a new EU regulation that implements some aspects of the DRD into national law
through its provisions on processing personal data. However, it does not address directly the issue of
communications traffic data retention for law enforcement purposes. Instead, it requires providers to
implement appropriate technical and organisational measures to ensure a level of security
appropriate to the risk involved in processing personal data. These measures include encryption,
pseudonymisation, access control, and accountability [7]. The GDPR also grants individuals certain
rights regarding their personal data, such as access, rectification, erasure, portability, and
objection [7].
Therefore, under current EU law, there is no single legal basis for retaining communications traffic
data for law enforcement purposes across all EU member states. Each member state must adopt its
own national law that respects the principles and limitations established by the ePrivacy Directive.
Reference:
ePrivacy Directive
ePrivacy Regulation
What is Communications Traffic Data?
How is Communications Traffic Data Retained?
Data Retention Directive
Data Retention Directive annulled by CJEU
General Data Protection Regulation
What are your rights regarding your personal data?
Reference: https://www.law.kuleuven.be/citip/en/archive/copy_of_publications/440retention-of-traffic-data-dumortier-goemans2f90.pdf (9)
What type of data lies beyond the scope of the General Data Protection Regulation?
B
Explanation:
The General Data Protection Regulation (GDPR) is a data protection law that applies to the
processing of personal data of individuals in the European Union (EU) and the European Economic
Area (EEA). Personal data is any information relating to an identified or identifiable natural person,
such as name, address, email, phone number, etc. [1][2]. The GDPR does not apply to personal data that
is anonymized, meaning that it cannot be linked back to a specific individual [1][2]. Anonymization can
be achieved by removing or masking any identifying information from the data, such as using
pseudonyms, aggregating or generalizing the data, or applying statistical methods [1][2].
Therefore, the type of data that lies beyond the scope of the GDPR is anonymized data.
Reference: 1: Free CIPP/E Study Guide - International Association of Privacy Professionals; 2: CIPP/E
Certification - International Association of Privacy Professionals
Reference: https://www.datainspektionen.se/other-lang/in-english/the-general-data-protection-regulation-gdpr/the-purposes-and-scope-of-the-general-data-protection-regulation/
https://commission.europa.eu/law/law-topic/data-protection/reform/what-personal-data_en#:~:text=Different%20pieces%20of%20information%2C%20which,the%20scope%20of%20the%20GDPR.
B. ANONYMIZED
Personal data is any information that relates to an identified or
identifiable living individual. Different pieces of information, which collected together can lead to the
identification of a particular person, also constitute personal data. Personal data that has been
de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal
data and falls within the scope of the GDPR. Personal data that has been rendered anonymous in
such a way that the individual is not or no longer identifiable is no longer considered personal data.
For data to be truly anonymised, the anonymisation must be irreversible.
Under what circumstances would the GDPR apply to personal data that exists in physical form, such
as information contained in notebooks or hard copy files?
D
Explanation:
The GDPR applies to all personal data, regardless of whether it exists in physical form or not. The
GDPR defines personal data as any information relating to an identified or identifiable natural
person, such as names, identification numbers, location data, or online identifiers [1]. Therefore, any
information that can be linked directly or indirectly to a natural person is considered personal data
under the GDPR.
However, the GDPR also distinguishes between different types of processing activities and their legal
bases. Processing activities are the operations performed on personal data, such as collection,
storage, use, disclosure, or deletion. Processing activities can be either automated or manual.
Automated processing means using technology to perform processing activities without human
intervention. Manual processing means using human intervention to perform processing activities.
The GDPR requires that any processing activity that involves personal data must comply with certain
principles and conditions, such as lawfulness, fairness, transparency, purpose limitation, data
minimization, accuracy, storage limitation, integrity and confidentiality. These principles and
conditions apply to both automated and manual processing activities.
Therefore, the GDPR applies to personal data that exists in physical form only when it is processed by
an automated means in some way that affects its rights and freedoms. For example, if a company
scans paper documents and stores them electronically in a database without deleting them after a
certain period of time or when they are no longer needed for the original purpose for which they
were collected (Article 6), then this would be considered an automated processing activity that
involves personal data in physical form.
However, the GDPR does not apply to personal data that exists in physical form when it is handled in
a sufficiently structured manner so as to form part of a filing system. For example, if a company keeps
paper documents in folders labeled with names and dates on their office shelves without scanning
them or storing them electronically anywhere else (Article 5), then this would not be considered an
automated processing activity that involves personal data in physical form.
Reference:
Physical Data - GDPR Summary
What GDPR Means for Your Physical Records - Access
Personal Data - Data Protection Act 2018
Reference: https://www.zimmerslaw.com/english-1/data-protection/
SCENARIO
Please use the following to answer the next question:
You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad
range of dolls, action figures and plush toys that can be found internationally in a wide variety of
retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not
employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The
toys produced by the company can be found in all popular toy stores throughout Europe, the United
States and Asia. A large portion of the company’s revenue is due to international sales.
The company now wishes to launch a new range of connected toys, ones that can talk and interact
with children. The CEO of the company is touting these toys as the next big thing, due to the
increased possibilities offered: The figures can answer children’s questions on various subjects, such
as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker
and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter
radius can connect to the toys via Bluetooth as well. The figures can also be associated with other
figures (from the same manufacturer) and interact with each other for an enhanced play experience.
When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is
generated on cloud servers and sent back to the figure. The answer is given through the figure’s
integrated speakers, making it appear as though the toy is actually responding to the child’s question. The
packaging of the toy does not provide technical details on how this works, nor does it mention that
this feature requires an internet connection. The necessary data processing for this has been
outsourced to a data center located in South Africa. However, your company has not yet revised its
consumer-facing privacy policy to indicate this.
In parallel, the company is planning to introduce a new range of game systems through which
consumers can play the characters they acquire in the course of playing the game. The system will
come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will
read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its
own stock features and abilities, but it is also possible to earn additional ones by accomplishing game
goals. The only information stored in the tag relates to the figures’ abilities. It is easy to switch
characters during the game, and it is possible to bring the figure to locations outside of the home and
have the character’s abilities remain intact.
Why is this company obligated to comply with the GDPR?
D
A. The company has offices in the EU.
B. The company employs staff in the EU.
C. The company’s data center is located in a country outside the EU.
D. The company’s products are marketed directly to EU customers.
Answer:
Verified Answer: D. The company’s products are marketed directly to EU customers.
Explanation:
According to section 6(1)(c) of the GDPR [1], personal data shall be processed by organisations, which
offer goods or services or otherwise carry out activities, in relation to which processing of personal
data may be regarded as relevant for their legitimate interests. The legitimate interests referred to
are those arising from the performance of a task carried out in their name or on their behalf, or for
their own purposes.
What presents the BIGGEST potential privacy issue with the company’s practices?
B
Explanation:
While all of the options present potential privacy issues, the lack of transparency about data
processing poses the biggest risk for several reasons:
Uninformed Consent: Without clear information about data collection and usage, children and
parents cannot make informed decisions about using the toys. This violates the principle of informed
consent, which is a cornerstone of data protection laws.
Hidden Features: The packaging and privacy policy do not disclose the hidden functionality of the
toys, including the connection to the cloud and data processing in South Africa. This lack of
transparency creates distrust and raises concerns about potential misuse of data.
Unclear Data Flow: The explanation provided about the data flow is vague and incomplete. It is
unclear what data is collected, how it is stored, for what purposes it is used, and who has access to
it. This lack of clarity creates uncertainty and raises concerns about potential data breaches or leaks.
Limited Control: Without detailed information about data practices, users have limited control over
their information. They cannot opt out of data collection or request deletion of their data, further
hindering their privacy rights.
To ensure GDPR compliance, what should be the company’s position on the issue of consent?
D
Explanation:
According to Article 8 of the GDPR, where the processing of personal data is based on consent and
the offer of an information society service (ISS) is directly made to a child, the processing is lawful
only if the child is at least 16 years old, or if the consent is given or authorised by the holder of
parental responsibility over the child. The GDPR allows EU member states to lower the age threshold
to a minimum of 13 years. The data controller must make reasonable efforts to verify that the
consent is given or authorised by the holder of parental responsibility, taking into account available
technology. An ISS is any service normally provided for remuneration, at a distance, by electronic
means and at the individual request of a recipient of services. Examples of ISS include online
marketplaces, social media platforms, and online games.
In this scenario, the company is offering an ISS to children, as the connected toys can talk and
interact with children via the internet. The company is also processing personal data of the children,
such as their voice, questions, preferences, and location. Therefore, the company must obtain
parental consent for the use of the action figures before any data can be collected, unless the child is
above the age threshold set by the relevant EU member state. The company must also inform the
parents and the children about the nature and purpose of the data processing, the data transfers to
South Africa, and the rights of the data subjects. The company must also ensure that the data
processing is fair, lawful, transparent, and in accordance with the data protection principles and the
children’s best interests.
The other options are incorrect because:
A. The child cannot provide consent himself, regardless of the purpose of the data processing, unless
he is above the age threshold set by the relevant EU member state. The GDPR does not make any
distinction between data processing for marketing or non-marketing purposes when it comes to
children’s consent.
B. The company does not need to obtain written authorization from the supervisory authority to
process children’s data, as long as it complies with the GDPR requirements and obtains parental
consent. The supervisory authority is the independent public authority responsible for monitoring
the application of the GDPR in each EU member state, and it can intervene only in cases of non-
compliance or complaints.
C. Consent for data collection cannot be implied through the parent’s purchase of the action figure
for the child. The GDPR requires that consent must be freely given, specific, informed, and
unambiguous, and that it must be expressed by a clear affirmative action. The purchase of a product
does not meet these criteria, and it does not indicate the parent’s agreement to the data processing.
Moreover, the packaging of the toy does not provide sufficient information about the data
processing, nor does it mention that an internet connection is required.
Reference: Article 8 and Recitals (38) and (58) of the GDPR, Can personal data about children be
collected?, Children and the UK GDPR, CIPP/E Certification
In light of the requirements of Article 32 of the GDPR (related to the Security of Processing), which
practice should the company institute?
A
Explanation:
According to Article 32 of the GDPR, the controller and the processor must implement appropriate
technical and organisational measures to ensure a level of security appropriate to the risk of
processing personal data, taking into account the state of the art, the costs of implementation, and
the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and
severity for the rights and freedoms of natural persons. The GDPR also provides some examples of
such measures, including the pseudonymisation and encryption of personal data, the ability to
ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and
services, the ability to restore the availability and access to personal data in a timely manner in the
event of a physical or technical incident, and a process for regularly testing, assessing and evaluating
the effectiveness of technical and organisational measures for ensuring the security of the
processing.
In this scenario, the company is processing personal data of children, such as their voice, questions,
preferences, and location, through the connected toys that use a wireless Bluetooth connection to
communicate with smartphones, tablets, cloud servers, and other toys. This poses a high risk to the
security of the data, as Bluetooth is a short-range wireless technology that can be easily intercepted,
hacked, or compromised by malicious actors. Therefore, the company should encrypt the data in
transit over the Bluetooth connection, to prevent unauthorized access, disclosure, or alteration of
the data. Encryption is a process of transforming data into an unreadable form, using a secret key or
algorithm, that can only be reversed by authorized parties who have the corresponding key or
algorithm. Encryption can protect the data from being accessed or modified by anyone who does not
have the key or algorithm, thus ensuring the confidentiality and integrity of the data.
The other options are incorrect because:
B. Including dual-factor authentication before each use by a child in order to ensure a minimum
amount of security is not a sufficient measure to protect the data in transit over the Bluetooth
connection. Dual-factor authentication is a process of verifying the identity of a user by requiring two
pieces of evidence, such as a password and a code sent to a phone or email. While this may enhance
the security of the user’s account or device, it does not protect the data that is transmitted over the
wireless connection, which can still be intercepted, hacked, or compromised by malicious actors.
Moreover, dual-factor authentication may not be suitable or convenient for children, who may not
have access to a phone or email, or who may forget their passwords or codes.
C. Including three-factor authentication before each use by a child in order to ensure the best level
of security possible is not a necessary or proportionate measure to protect the data in transit over
the Bluetooth connection. Three-factor authentication is a process of verifying the identity of a user
by requiring three pieces of evidence, such as a password, a code sent to a phone or email, and a
biometric feature, such as a fingerprint or a face scan. While this may provide a high level of security
for the user’s account or device, it does not protect the data that is transmitted over the wireless
connection, which can still be intercepted, hacked, or compromised by malicious actors.
Furthermore, three-factor authentication may not be appropriate or feasible for children, who may
not have access to a phone or email, or who may not have reliable biometric features, or who may
find the process too complex or cumbersome.
D. Inserting contractual clauses into the contract between the toy manufacturer and the cloud
service provider, since South Africa is outside the European Union, is not a relevant measure to
protect the data in transit over the Bluetooth connection. Contractual clauses are legal agreements
that specify the obligations and responsibilities of the parties involved in a data transfer, such as the
level of data protection, the rights of data subjects, and the remedies for breaches. While contractual
clauses may be necessary to ensure the compliance of the data transfer to South Africa, which is a
non-EU country that does not have an adequacy decision from the European Commission, they do
not address the security of the data that is transmitted over the wireless connection, which can still
be intercepted, hacked, or compromised by malicious actors. Moreover, contractual clauses are not a
technical or organisational measure but a legal measure that falls under a different provision of the
GDPR, namely Article 46.
Reference: Article 32 and Recitals (75), (76), (78), (83), and (85) of the GDPR, Security of
processing, Encryption, Authentication, [Contractual clauses]