What does the fairness principle under the GDPR encompass?
The requirement that the controller take into account the interests and reasonable expectations of data subjects in the processing purposes
Which legal bases do not apply to processing personal data for the data subject's right to erasure?
Legal Obligation and Public Interest
Which legal bases do not apply to processing personal data for the data subject's right to portability?
Legal Obligation, Vital Interest, Public Interest and Legitimate Interest
On what conditions do the legal bases apply to processing personal data for the data subject's right to be subject to a decision based solely on automated data processing?
It applies to legal bases such as Consent, Contract and Legitimate Interest, provided there are suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention.
Public Authorities cannot rely on which legal bases when processing data in the performance of their tasks?
Legitimate interest
Instead, they must rely on Article 6(1)(e) — because their processing must be grounded in law, not consent or legitimate interests. Their tasks are mandated by public authority, and GDPR requires a legal basis rooted in EU or Member State law for such processing.
Article 6(1)(e) requires a legal basis in Member State or EU law
This ensures:
Democratic legitimacy
Predictability
Accountability
Rule of law
Public authorities must be able to point to the specific law that empowers their processing.
What is the relationship between Articles 6 and 9 of the GDPR as legal bases for processing special categories of personal data?
Article 9 - Special categories and Article 6 - general legal bases
One of the conditions specified in Article 9 of the GDPR (special categories of personal data) has to be supported by a legal basis under Article 6 of the GDPR (general legal bases for processing personal data)
What is the difference between right to erasure and right to be forgotten?
The Right to Erasure refers to the ability to request the erasure of data, and the Right to be Forgotten refers to the obligation of the data controller to take reasonable steps to erase that data to the extent that it has been made public.
When does the right to object not apply?
Where the legal basis for the processing is consent or performance of contract
What are the two legal bases through which the right to object can be exercised?
Legitimate interest or Public Interest/Official Authority
What is the principle of lawfulness?
The principle of lawfulness requires processing only when a legal basis exists, and transparency demands informing data subjects via a privacy notice.
What are the top 3 conditions that must be met in order for a data controller to claim legitimate interest under GDPR?
A legitimate interest pursued by the controller or a third party is the first condition for using legitimate interest as a basis; necessity of processing is the second condition, ensuring data handling is proportionate; balancing against data subject rights is the third condition for claiming legitimate interest.
What is a Legitimate Interest Assessment?
An LIA is a balancing test required under the GDPR when relying on legitimate interests as a legal basis. It assesses whether the interest is lawful, the processing is necessary and the impact on data subjects is proportionate.
What is the term of the Supervisory Authorities?
No less than 4 years
What is the timeframe for the Supervisory Authority to respond to a consultation when a DPIA has demonstrated a high risk that cannot be mitigated?
Within a period of up to 8 weeks, which can be extended by another six weeks in case of more complex
Is the concept of Lead Supervisory Authority present under the Law Enforcement Directive (LED)?
No. Each individual country's supervisor is competent and responsible in its own Member State.
Which lawful basis is never available for processing special category data?
Legitimate interest
When is a hospital processing health data without explicit consent lawful?
Yes, if processing is necessary for medical diagnosis or provision of health care under Art. 9(2)(h).
What is required for a political party to process ethnicity data for targeted campaigning? Which Art. 9 condition might apply?
Explicit consent (if freely given and specific).
A company infers sexual orientation from browsing behaviour. Does this count as special category data?
Yes — inferred data can become special category if it reveals sensitive traits
A controller wants to reuse data for a new purpose. What test applies?
Compatibility test (Art. 6(4)).
A controller processes special category data for scientific research. Which condition applies?
Art. 9(2)(j) — research with safeguards under Art. 89.
A company uses AI to infer health conditions. Is this special category processing?
Yes — inferred health data is treated as special category.
A controller claims “we may use your data for any future business purpose.” Which principle is violated?
Purpose limitation
A company deletes identifiers but keeps IP addresses. Is this anonymisation?
No — IP addresses are personal data