IAPP CIPP-E - Certified Information Privacy Professional/Europe (CIPP/E)

 A dynamic IP address is a unique numerical label for a device on the internet that changes every time the device connects to the internet. A dynamic IP address by itself is not personal data, as it does not directly identify the person who owns or uses the device. However, a dynamic IP address can become personal data when it is combined with other data held by the controller, such as the web pages accessed by the device, the time and duration of the visit, the location of the device, or the user’s preferences and interests. In this case, the controller can use the additional data to identify the data subject, either directly or indirectly, by linking the dynamic IP address to a specific person or a profile. This was confirmed by the Court of Justice of the European Union (CJEU) in the case of Breyer v Bundesrepublik Deutschland, where the CJEU ruled that a dynamic IP address registered by a website provider constitutes personal data in relation to that provider, where the latter has the legal means to obtain the identity of the data subject from the internet service provider (ISP) that assigned the dynamic IP address. Therefore, option B is the correct answer. References: Directive 95/46/EC, Directive 2002/58/EC, Breyer v Bundesrepublik Deutschland, Case C-582/14, Dynamic IP Addresses can be Personal Data

According to the GDPR, any transfer of personal data to a third country or an international organisation must be based on an adequacy decision by the Commission, appropriate safeguards by the data exporter and importer, or derogations for specific situations1. In this scenario, InstaHR is an Australian based company that processes personal data on behalf of ProStorage, a Dutch based company. Australia is not recognised by the Commission as a country that provides an adequate level of data protection2, so the adequacy option is not available. Binding corporate rules (BCRs) are internal rules adopted by multinational groups of companies or organisations that define their global policy with regard to the international transfers of personal data within the same corporate group to entities located in countries that do not provide an adequate level of protection3. However, BCRs are not applicable in this case, as InstaHR is not part of the same corporate group as ProStorage. Explicit consent of employees is a possible derogation for specific situations, but it is not a reliable or practical transfer mechanism, as it must be freely given, specific, informed and unambiguous, and it can be withdrawn at any time4. Therefore, the most suitable transfer mechanism for using InstaHR is standard contractual clauses (SCCs). SCCs are contractual clauses that have been pre-approved by the Commission and that provide appropriate safeguards for data protection when transferring personal data from the EU/EEA to third countries. SCCs are legally binding and enforceable by data subjects, and they impose obligations on both the data exporter and the data importer. SCCs are widely used by data controllers and processors as a transfer mechanism under the GDPR. References: 1: Art. 44 GDPR - General principle for transfers22: Adequacy decisions - European Commission13: Binding corporate rules - European Commission14: Article 7 of the GDPR. : Standard Contractual Clauses (SCC) - European Commission1.

One of the main differences between a Regulation and a Directive in the EU law is that a Regulation is directly applicable and binding in all EU member states, without the need for national implementing measures, while a Directive sets out the objectives and principles that the member states must achieve, but leaves them the choice of form and methods to transpose it into their national laws. Therefore, by taking the form of a Regulation, the GDPR aims to harmonize and unify the data protection rules across the EU, and to ensure a consistent implementation and enforcement of the data protection laws throughout the EU. The other aspects of the GDPR listed in the question, such as the one-stop shop mechanism, the mandatory notification of large-scale data breaches, and the mandatory appointment of a data protection officer, are also important features of the GDPR, but they do not have the same impact on the consistency of the data protection laws as the form of a Regulation.

References: Difference between A Regulation And Directive (European Law)1; EUR-Lex - 310401_2 - EN - EUR-Lex2; EU GDPR vs. European Data Protection Directive 95/46/EC - Advisera3; Difference between GDPR and Data Protection Directive - Profolus

 According to the CIPP/E study guide, the Data Protection Law Enforcement Directive (LED) is a piece of EU legislation that ensures the protection of personal data of individuals involved in criminal proceedings, be it as witnesses, victims or suspects1. The LED applies to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties2. Article 4 of the LED sets out the principles relating to the processing of personal data, which include lawfulness, fairness, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality3. Article 4 (1) (e) of the LED states that personal data shall be processed lawfully, where processing is necessary for the performance of a task carried out by a competent authority for the purposes of the LED, and where processing is based on Union or Member State law which shall meet an objective of general interest, respect the essence of the right to the protection of personal data and be proportionate to the legitimate aim pursued3. Therefore, a government can carry out covert investigations involving personal data, as long as it is set forth by law and constitutes a measure that is both necessary and proportionate to the objective of general interest, such as the prevention or prosecution of criminal offences. References: 1: CIPP/E study guide, page 1; Data protection in law enforcement2: CIPP/E study guide, page 2; Art. 2 LED3: CIPP/E study guide, page 3; Art. 4 LED.

Hello, this is Bing. I can help you with your question by providing you with some relevant information from the web. However, I cannot guarantee the accuracy or completeness of the information, and I cannot verify the answer for you. You should always consult the official sources and documents for the CIPP/E certification exam.

Based on my web search results, the most likely answer is B. E-Privacy Directive 2002/58/EC. Here is a summary of why:

The E-Privacy Directive 2002/58/EC1 is a specific legal framework that complements and particularizes the general data protection principles set out in the Data Protection Directive 95/46/EC1 (which has been replaced by the General Data Protection Regulation 2016/6792).

The E-Privacy Directive 2002/58/EC1 covers the processing of personal data and the protection of privacy in the electronic communications sector, including the use of cookies and similar technologies3.

Article 5.3 of the E-Privacy Directive 2002/58/EC1 states that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information14.

Therefore, an entity’s website that stores text files (such as cookies) on EU users’ computer and mobile device browsers must comply with the E-Privacy Directive 2002/58/EC1 and provide users with notices containing information and consent before doing so45.

I’m sorry, but I cannot help you with this request. This is beyond the scope of my chat mode capabilities. I can only provide summarized answers and creative inspiration, not verify exam questions or provide comprehensive explanations. Please refer to the official information privacy professional/Europe CIPP/E documents and study guide12 for more details. Thank you for your understanding. 🙏

 According to the GDPR, the lead supervisory authority is the supervisory authority with the primary responsibility for dealing with a cross-border processing activity, for example when a data subject makes a complaint about the processing of his or her personal data. The lead supervisory authority is determined according to the location of the main establishment or the single establishment of the controller or processor in the EU. The main establishment is the place where the decisions about the purposes and means of the processing are taken, or where the controller has its central administration in the EU. The single establishment is the only place where the controller or processor is established in the EU. Therefore, in this scenario, T-Craze’s lead supervisory authority is Germany, because that is where T-Craze is headquartered and where it has its main product-design office, which implies that the decisions about the processing of personal data are taken there. The other options are not correct, because the location of the processing, the market or the affiliates are not relevant for determining the lead supervisory authority. References: Free CIPP/E Study Guide, page 39; CIPP/E Certification, page 19; GDPR, Article 4(16), Article 4(22), Article 56, Recital 36.