Join the discussion
Question 1/189
SCENARIO
Please use the following to answer the next question:
Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent. All of the company's IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father's company, but is also secretly working on launching a new global online dating website company called Ben Knows Best.
Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company's online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers' philosophical beliefs, political opinions and marital status.
If a customer identifies as single, Ben then copies all of that customer's personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out.
Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Beak with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.
Joe also hires his best friend's daughter, Alice, who just graduated from law school in the U.S., to be the company's new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company's operations in the European Union to the U.S.
Joe believes that Alice is doing a great job, and informs her that she will also be in-charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company's IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone's information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.
When Ben had the company collect additional data from its customers, the most serious violation of the GDPR occurred because the processing of the data created what?
Please use the following to answer the next question:
Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent. All of the company's IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father's company, but is also secretly working on launching a new global online dating website company called Ben Knows Best.
Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company's online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers' philosophical beliefs, political opinions and marital status.
If a customer identifies as single, Ben then copies all of that customer's personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out.
Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Beak with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.
Joe also hires his best friend's daughter, Alice, who just graduated from law school in the U.S., to be the company's new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company's operations in the European Union to the U.S.
Joe believes that Alice is doing a great job, and informs her that she will also be in-charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company's IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone's information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.
When Ben had the company collect additional data from its customers, the most serious violation of the GDPR occurred because the processing of the data created what?
Correct Answer: C
According to the GDPR, personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject1. The GDPR also recognizes that the processing of special categories of personal data, such as data revealing political opinions, religious or philosophical beliefs, or data concerning health or sex life, may entail a high risk to the rights and freedoms of natural persons2. Therefore, such data can only be processed under certain conditions, such as when the data subject has given explicit consent, or when the processing is necessary for reasons of substantial public interest3.
In this scenario, Ben had the company collect additional data from its customers, including their philosophical beliefs, political opinions and marital status, without a valid legal basis or a legitimate purpose. He also copied the data of the single customers onto a separate database for his own online dating website, without informing them or obtaining their consent. This processing of special categories of personal data created a significant risk to the customers' fundamental rights and freedoms, such as their right to privacy, dignity, non-discrimination and self-determination. The customers may also suffer from identity theft, fraud, harassment, or unwanted marketing as a result of the unauthorized use of their data. Therefore, Ben's actions constituted the most serious violation of the GDPR in this scenario.
Reference:
Art. 5 GDPR - Principles relating to processing of personal data
Recital 51 GDPR - Protecting sensitive personal data
Art. 9 GDPR - Processing of special categories of personal data
[Guidelines 3/2019 on processing of personal data through video devices] I hope this helps you understand the GDPR and data processing better. If you have any other questions, please feel free to ask me.
In this scenario, Ben had the company collect additional data from its customers, including their philosophical beliefs, political opinions and marital status, without a valid legal basis or a legitimate purpose. He also copied the data of the single customers onto a separate database for his own online dating website, without informing them or obtaining their consent. This processing of special categories of personal data created a significant risk to the customers' fundamental rights and freedoms, such as their right to privacy, dignity, non-discrimination and self-determination. The customers may also suffer from identity theft, fraud, harassment, or unwanted marketing as a result of the unauthorized use of their data. Therefore, Ben's actions constituted the most serious violation of the GDPR in this scenario.
Reference:
Art. 5 GDPR - Principles relating to processing of personal data
Recital 51 GDPR - Protecting sensitive personal data
Art. 9 GDPR - Processing of special categories of personal data
[Guidelines 3/2019 on processing of personal data through video devices] I hope this helps you understand the GDPR and data processing better. If you have any other questions, please feel free to ask me.
Add Comments
- Other Question (189q)
- Q1. SCENARIO Please use the following to answer the next question: Joe started the Gummy Bear ...
- Q2. Which of the following would most likely NOT be covered by the definition of "personal dat...
- Q3. The European Parliament jointly exercises legislative and budgetary functions with which o...
- Q4. Article 58 of the GDPR describes the power of supervisory authorities. Which of the follow...
- Q5. SCENARIO Please use the following to answer the next question: Zandelay Fashion ('Zandelay...
- Q6. SCENARIO Please use the following to answer the next question: Sandy recently joined Marke...
- Q7. Which statement is correct when considering the right to privacy under Article 8 of the Eu...
- Q8. Higher fines are assessed for GDPR violations due to which of the following?...
- Q9. Please use the following to answer the next question: Due to rapidly expanding workforce, ...
- Q10. What is the primary purpose of Convention 108+, which amends the Convention for the Protec...
- Q11. What term BEST describes the European model for data protection?...
- Q12. Which of the following would MOST likely trigger the extraterritorial effect of the GDPR, ...
- Q13. Pursuant to Article 4(5) of the GDPR, data is considered "pseudonymized" if?...
- Q14. SCENARIO Please use the following to answer the next question: You have just been hired by...
- Q15. Please use the following to answer the next question: Jack worked as a Pharmacovigiliance ...
- Q16. A multinational company is appointing a mandatory data protection officer. In addition to ...
- Q17. Which of the following is NOT an explicit right granted to data subjects under the GDPR?...
- Q18. Which of the following is NOT a role of works councils?...
- Q19. SCENARIO Please use the following to answer the next question: Building Block Inc. is a mu...
- Q20. SCENARIO Please use the following to answer the next question: Liem, an online retailer kn...
- Q21. SCENARIO Please use the following to answer the next question: WonderkKids provides an onl...
- Q22. An unforeseen power outage results in company Z's lack of access to customer data for six ...
- Q23. What obligation does a data controller or processor have after appointing a data protectio...
- Q24. Which of the following regulates the use of electronic communications services within the ...
- Q25. When would a data subject NOT be able to exercise the right to portability?...
- Q26. Select the answer below that accurately completes the following: "The right to compensatio...
- Q27. To receive a preliminary interpretation on provisions of the GDPR, a national court will r...
- Q28. Which area of privacy is a lead supervisory authority's (LSA) MAIN concern?...
- Q29. As a result of the European Court of Justice's ruling in the case of Google v. Spain, sear...
- Q30. A company has collected personal data tor direct marketing purpose on the basis of consent...
- Q31. SCENARIO Please use the following to answer the next question: BHealthy, a company based i...
- Q32. What is one major goal that the OECD Guidelines, Convention 108 and the Data Protection Di...
- Q33. The GDPR specifies fines that may be levied against data controllers for certain infringem...
- Q34. SCENARIO Please use the following to answer the next question: You have just been hired by...
- Q35. SCENARIO Please use the following to answer the next question: Jane Stan's her new role as...
- Q36. What is an important difference between the European Court of Human Rights (ECHR) and the ...
- Q37. SCENARIO Please use the following to answer the next question: Due to rapidly expanding wo...
- Q38. What is the most frequently used mechanism for legitimizing cross-border data transfer?...
- Q39. SCENARIO Please use the following to answer the next question: Liem, an online retailer kn...
- Q40. SCENARIO Please use the following to answer the next question: Anna and Frank both work at...
- Q41. SCENARIO Please use the following to answer the next question: T-Craze, a German-headquart...
- Q42. Which of the following is the weakest lawful basis for processing employee personal data?...
- Q43. Tanya is the Data Protection Officer for Curtains Inc., a GDPR data controller. She has re...
- Q44. MagicClean is a web-based service located in the United States that matches home cleaning ...
- Q45. Which of the following is NOT considered a fair processing practice in relation to the tra...
- Q46. Which aspect of the GDPR will likely have the most impact on the consistent implementation...
- Q47. A company plans to transfer employee health information between two of its entities in Fra...
- Q48. SCENARIO Please use the following to answer the next question: Building Block Inc. is a mu...
- Q49. Company X has entrusted the processing of their payroll data to Provider Y. Provider Y sto...
- Q50. SCENARIO Please use the following to answer the next question: You have just been hired by...
- Q51. SCENARIO Please use the following to answer the next question: Liem, an online retailer kn...
- Q52. SCENARIO Please use the following to answer the next question: T-Craze, a German-headquart...
- Q53. In 2016's Guidance, the United Kingdom's Information Commissioner's Office (ICO) reaffirme...
- Q54. Article 9 of the GDPR lists exceptions to the general prohibition against processing biome...
- Q55. What is one major goal that the OECD Guidelines, Convention 108 and the Data Protection Di...
- Q56. Which of the following is one of the supervisory authority's investigative powers?...
- Q57. In which of the following cases would an organization MOST LIKELY be required to follow bo...
- Q58. Under Article 30 of the GDPR, controllers are required to keep records of all of the follo...
- Q59. According to Article 14 of the GDPR, how long does a controller have to provide a data sub...
- Q60. When collecting personal data in a European Union (EU) member state, what must a company d...
- Q61. Which of the following does NOT have to be included in the records most processors must ma...
- Q62. In relation to third countries and international organizations, which of the following sha...
- Q63. A homeowner has installed a motion-detecting surveillance system that films his front doc ...
- Q64. Under the GDPR, which of the following is true in regard to adequacy decisions involving c...
- Q65. The European Data Protection Board (EDPB) recommends measures to supplement transfer tools...
- Q66. How is the retention of communications traffic data for law enforcement purposes addressed...
- Q67. In the Planet 49 case, what was the man judgement of the Coon of Justice of the European U...
- Q68. Based on GDPR Article 35, which of the following situations would trigger the need to comp...
- Q69. According to the GDPR, when should the processing of photographs be considered processing ...
- Q70. Which of the following describes a mandatory requirement for a group of undertakings that ...
- Q71. SCENARIO Please use the following to answer the next question: Javier is a member of the f...
- Q72. A mobile device application that uses cookies will be subject to the consent requirement o...
- Q73. An entity's website stores text files on EU users' computer and mobile device browsers. Pr...
- Q74. What is a reason the European Court of Justice declared the Data Retention Directive inval...
- Q75. With respect to international transfers of personal data, the European Data Protection Boa...
- Q76. What was the main failing of Convention 108 that led to the creation of the Data Protectio...
- Q77. There are three domains of security covered by Article 32 of the GDPR that apply to both t...
- Q78. If a company chooses to ground an international data transfer on the contractual route, wh...
- Q79. As per the GDPR, which legal basis would be the most appropriate for an online shop that w...
- Q80. Which EU institution is vested with the competence to propose new data protection legislat...
- Q81. Pursuant to Article 4(5) of the GDPR, data is considered "pseudonymized" if?...
- Q82. In addition to the European Commission, who can adopt standard contractual clauses, assumi...
- Q83. SCENARIO Please use the following to answer the next question: Brady is a computer program...
- Q84. SCENARIO Please use the following to answer the next question: ABC Hotel Chain and XYZ Tra...
- Q85. According to the EDPB Guidelines 01/2021 on Examples regarding Personal Data Breach Notifi...
- Q86. SCENARIO Please use the following to answer the next question: Jane Stan's her new role as...
- Q87. SCENARIO Please use the following to answer the next question: Jane Stan's her new role as...
- Q88. Which of the following would MOST likely trigger the extraterritorial effect of the GDPR, ...
- Q89. SCENARIO Please use the following to answer the next question: Due to rapidly expanding wo...
- Q90. Article 9 of the GDPR lists exceptions to the general prohibition against processing biome...
- Q91. Which of the following demonstrates compliance with the accountability principle found in ...
- Q92. The European Data Protection Board (EDPB) recommends measures to supplement transfer tools...
- Q93. Which aspect of the GDPR will likely have the most impact on the consistent implementation...
- Q94. What permissions are required for a marketer to send an email marketing message to a consu...
- Q95. SCENARIO Please use the following to answer the next question: BHealthy, a company based i...
- Q96. SCENARIO Please use the following to answer the next question: Due to rapidly expanding wo...
- Q97. When collecting personal data in a European Union (EU) member state, what must a company d...
- Q98. In which of the following situations would an individual most likely to be able to withdra...
- Q99. SCENARIO Please use the following to answer the next question: Joe started the Gummy Bear ...
- Q100. Which of the following would require designating a data protection officer?...
- Q101. SCENARIO Please use the following to answer the next Question: Louis, a long-time customer...
- Q102. Which of the following is one of the supervisory authority's investigative powers?...
- Q103. Please use the following to answer the next question: Jane Stan's her new role as a Data P...
- Q104. When does the GDPR provide more latitude for a company to process data beyond its original...
- Q105. SCENARIO Please use the following to answer the next question: Building Block Inc. is a mu...
- Q106. SCENARIO Please use the following to answer the next question: Zandelay Fashion ('Zandelay...
- Q107. Tanya is the Data Protection Officer for Curtains Inc., a GDPR data controller. She has re...
- Q108. What is true of both the General Data Protection Regulation (GDPR) and the Council of Euro...
- Q109. Under Article 9 of the GDPR, which of the following categories of data is NOT expressly pr...
- Q110. What is one major goal that the OECD Guidelines, Convention 108 and the Data Protection Di...
- Q111. SCENARIO Please use the following to answer the next question: Jason, a long-time customer...
- Q112. SCENARIO Louis, a long-time customer of Bedrock Insurance, was involved in a minor car acc...
- Q113. SCENARIO Please use the following to answer the next question: You have just been hired by...
- Q114. SCENARIO Please use the following to answer the next question: Anna and Frank both work at...
- Q115. Which of the following Convention 108+ principles, as amended in 2018, is NOT consistent w...
- Q116. A Spanish electricity customer calls her local supplier with questions about the company's...
- Q117. Why is advisable to avoid consent as a legal basis for an employer to process employee dat...
- Q118. SCENARIO Please use the following to answer the next question: TripBliss Inc. is a travel ...
- Q119. SCENARIO Please use the following to answer the next question: Outliers Inc. is a travel s...
- Q120. Two companies, Gellcoat and Freifish, make plans to launch a co-branded product the protot...
- Q121. SCENARIO Please use the following to answer the next question: The fitness company Vigotro...
- Q122. Under the GDPR, where personal data is not obtained directly from the data subject, a cont...
- Q123. SCENARIO Please use the following to answer the next question: You have just been hired by...
- Q124. An unforeseen power outage results in company Z's lack of access to customer data for six ...
- Q125. Read the following steps: Discover which employees are accessing cloud services and from w...
- Q126. SCENARIO Please use the following to answer the next question: WonderkKids provides an onl...
- Q127. Which of the following countries will continue to enjoy adequacy status under the GDPR, pe...
- Q128. Which of the following does NOT have to be included in the records most processors must ma...
- Q129. Which institution has the power to adopt findings that confirm the adequacy of the data pr...
- Q130. SCENARIO Please use the following to answer the next question: Jane Stan's her new role as...
- Q131. Under Article 80(1) of the GDPR, individuals can elect to be represented by not-for-profit...
- Q132. Which of the following is an example of direct marketing that would be subject to European...
- Q133. Under Article 58 of the GDPR, which of the following describes a power of supervisory auth...
- Q134. Which of the following countries will continue to enjoy adequacy status under the GDPR, pe...
- Q135. When would a data subject NOT be able to exercise the right to portability?...
- Q136. According to Art 23 GDPR, which of the following data subject rights can NOT be restricted...
- Q137. Under the GDPR, which of the following is true in regard to adequacy decisions involving c...
- Q138. SCENARIO Please use the following to answer the next question: Dynaroux Fashion ('Dynaroux...
- Q139. What are the obligations of a processor that engages a sub-processor?...
- Q140. If a company is planning to use closed-circuit television (CCTV) on its premises and is co...
- Q141. Article 29 Working Party has emphasized that the GDPR forbids "forum shopping", which occu...
- Q142. What is the MAIN reason GDPR Article 4(22) establishes the concept of the "concerned super...
- Q143. Pursuant to Article 17 and EDPB Guidelines S'2019 on RTBF criteria in search engines cases...
- Q144. SCENARIO Please use the following to answer the next question: Building Block Inc. is a mu...
- Q145. Read the following steps: * Discover which employees are accessing cloud services and from...
- Q146. Which of the following is NOT exempt from the material scope of the GDPR. insofar as the p...
- Q147. If a data subject puts a complaint before a DPA and receives no information about its prog...
- Q148. SCENARIO Please use the following to answer the next question: Jane starts her new role as...
- Q149. According to Article 84 of the GDPR, the rules on penalties applicable to infringements sh...
- Q150. What term BEST describes the European model for data protection?...
- Q151. A mobile device application that uses cookies will be subject to the consent requirement o...
- Q152. Which GDPR requirement will present the most significant challenges for organizations with...
- Q153. A Spanish electricity customer calls her local supplier with Questions: about the company'...
- Q154. SCENARIO Please use the following to answer the next question: T-Craze, a German-headquart...
- Q155. An employee of company ABCD has just noticed a memory stick containing records of client d...
- Q156. A worker in a European Union (EU) member state has ceased his employment with a company. W...
- Q157. SCENARIO Please use the following to answer the next question: Sandy recently joined Marke...
- Q158. According to the European Data Protection Board, which of the following concepts or practi...
- Q159. Which of the following entities would most likely be exempt from complying with the GDPR?...
- Q160. Under the GDPR, who would be LEAST likely to be allowed to engage in the collection, use, ...
- Q161. What is an important difference between the European Court of Human Rights (ECHR) and the ...
- Q162. A well-known video production company, based in Spain but specializing in documentaries fi...
- Q163. Under the GDPR, where personal data is not obtained directly from the data subject, a cont...
- Q164. The GDPR specifies fines that may be levied against data controllers for certain infringem...
- Q165. SCENARIO Please use the following to answer the next question: Ben is a member of the fitn...
- Q166. Please use the following to answer the next question: Jack worked as a Pharmacovigiliance ...
- Q167. In 2016's Guidance, the United Kingdom's Information Commissioner's Office (ICO) reaffirme...
- Q168. Under the GDPR, where personal data is not obtained directly from the data subject, a cont...
- Q169. What are the obligations of a processor that engages a sub-processor?...
- Q170. SCENARIO Please use the following to answer the next question: Jack worked as a Pharmacovi...
- Q171. Which of the following was the first legally binding international instrument in the area ...
- Q172. According to the GDPR, how is pseudonymous personal data defined?...
- Q173. SCENARIO Please use the following to answer the next question: You have just been hired by...
- Q174. SCENARIO Please use the following to answer the next question: Brady is a computer program...
- Q175. SCENARIO Please use the following to answer the next question: Joe started the Gummy Bear ...
- Q176. For which of the following operations would an employer most likely be justified in reques...
- Q177. When does the European Data Protection Board (EDPB) recommend reevaluating whether a trans...
- Q178. Based on GDPR Article 35, which of the following situations would trigger the need to comp...
- Q179. If a company is planning to use closed-circuit television (CCTV) on its premises and is co...
- Q180. SCENARIO Please use the following to answer the next question: Javier is a member of the f...
- Q181. According to the E-Commerce Directive 2000/31/EC, where is the place of "establishment" fo...
- Q182. SCENARIO Please use the following to answer the next question: Ben is a member of the fitn...
- Q183. SCENARIO Please use the following to answer the next question: Joe is the new privacy mana...
- Q184. A U.S.-based online shop uses sophisticated software to track the browsing behavior of its...
- Q185. According to the E-Commerce Directive 2000/31/EC, where is the place of "establishment" fo...
- Q186. Under Article 9 of the GDPR, which of the following categories of data is NOT expressly pr...
- Q187. SCENARIO Please use the following to answer the next question: Liem, an online retailer kn...
- Q188. In 2016's Guidance, the United Kingdom's Information Commissioner's Office (ICO) reaffirme...
- Q189. If a multi-national company wanted to conduct background checks on all current and potenti...
