According to the E-Commerce Directive 2000/31/EC, where is the place of "establishment" for a company providing services via an Internet website confirmed by the GDPR?

A. Where the technology supporting the website is located

B. Where the website is accessed

C. Where the decisions about processing are made

D. Where the customer's Internet service provider is located

What is an important difference between the European Court of Human Rights (ECHR) and the Court of Justice of the European Union (CJEU) in relation to their roles and functions?

A. ECHR can rule on issues concerning privacy as a fundamental right, while the CJEU cannot.

B. CJEU can force national governments to implement and honor EU law, while the ECHR cannot.

C. CJEU can hear appeals on human rights decisions made by national courts, while the ECHR cannot.

D. ECHR can enforce human rights laws against governments that fail to implement them, while the CJEU cannot.

SCENARIO

Please use the following to answer the next question:

Due to rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B. Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry.

Company B's payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A's factories. Company B won't hold any biometric data itself, but the related data will be uploaded to Company B's UK servers and used to provide the payroll service. Company B's live systems will contain the following information for each of Company A's employees:

Name Address Date of Birth Payroll number National Insurance number Sick pay entitlement Maternity/paternity pay entitlement Holiday entitlement Pension and benefits contributions Trade union contributions

Jenny is the compliance officer at Company A. She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn't sure whether or not this is required.

Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical andorganizational security measures for safeguarding the data. Jenny suggests that Company B obtain advice from its data protection officer. The company doesn't have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract.

Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B's live systems in order to create a new database for Company B. This database will be stored in a test environment hosted on Company C's U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes.

Unfortunately, Company C's U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A's employees is visible to anyone visiting Company C's website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees.

The GDPR requires sufficient guarantees of a company's ability to implement adequate technical and organizational measures. What would be the most realistic way that Company B could have fulfilled this requirement?

A. Hiring companies whose measures are consistent with recommendations of accrediting bodies.

B. Requesting advice and technical support from Company A's IT team.

C. Avoiding the use of another company's data to improve their own services.

D. Vetting companies' measures with the appropriate supervisory authority.

An unforeseen power outage results in company Z's lack of access to customer data for six hours. According to article 32 of the GDPR, this is considered a breach. Based on the WP 29's February, 2018 guidance, company Z should do which of the following?

A. Notify affected individuals that their data was unavailable for a period of time.

B. Document the loss of availability to demonstrate accountability

C. Notify the supervisory authority about the loss of availability

D. Conduct a thorough audit of all security systems

Which type of personal data does the GDPR define as a "special category" of personal data?

A. Educational history.

B. Trade-union membership.

C. Closed Circuit Television (CCTV) footage.

D. Financial information.