Free Preparation Discussions
MENU
IAPP CIPP-E Exam - Topic 2 Question 90 Discussion
Topic #: 2
Pursuant to the EDPB Guidelines 8/2022, all of the following criteria must be considered when identifying a lead supervisory authority of a controller EXCEPT?
According to the GDPR, the material scope of the regulation covers the processing of personal data wholly or partly by automated means, or by non-automated means if the data forms part of a filing system or is intended to form part of a filing system (Article 2(1)). Personal data is defined as any information relating to an identified or identifiable natural person (data subject) (Article 4(1)). An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Article 4(1)). Therefore, pseudonymous data, such as blockchain transactions that use public keys or other identifiers, may still fall within the definition of personal data if the data subject can be identified or re-identified by using additional information or means (Recital 26).
The GDPR also applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the European Union, regardless of whether the processing takes place in the European Union or not (Article 3(1)). The GDPR also applies to the processing of personal data of data subjects who are in the European Union by a controller or processor not established in the European Union, where the processing activities are related to the offering of goods or services to such data subjects in the European Union or the monitoring of their behaviour as far as their behaviour takes place within the European Union (Article 3(2)). Therefore, the territorial scope of the GDPR covers both controllers and processors established in the European Union, and controllers and processors not established in the European Union but targeting or monitoring data subjects in the European Union.
In this scenario, blockchain transactions are classified as pseudonymous data, which may still be considered as personal data under the GDPR if the data subjects can be identified or re-identified. Therefore, such transactions are within the material scope of the GDPR, as they involve the processing of personal data by automated means. However, the GDPR only applies to such transactions to the extent that they include data subjects in the European Union, either by having a controller or processor established in the European Union, or by offering goods or services to or monitoring the behaviour of such data subjects. Therefore, the answer is C.
Asha
4 months agoDana
4 months agoShawnda
4 months agoRory
4 months agoLanie
4 months agoJoanna
5 months agoGerald
5 months agoAlonzo
5 months agoEna
5 months agoLavera
5 months agoRosio
5 months agoNancey
5 months agoLelia
5 months agoKenneth
5 months agoRoy
6 months agoTarra
10 months agoShanice
9 months agoNan
9 months agoMartin
10 months agoPortia
11 months agoBea
9 months agoBuck
10 months agoMarylyn
10 months agoFrance
11 months agoOlen
9 months agoJaime
10 months agoIzetta
10 months agoMonte
11 months agoNichelle
11 months agoWei
10 months agoKeneth
10 months agoOmega
11 months agoChristiane
11 months agoOmega
11 months ago