Free Preparation Discussions
MENU
IAPP CIPP-E Exam - Topic 8 Question 100 Discussion
Topic #: 8
Under the GDPR, who would be LEAST likely to be allowed to engage in the collection, use, and disclosure of a data subject's sensitive medical information without the data subject's knowledge or consent?
According to the GDPR, the material scope of the regulation covers the processing of personal data wholly or partly by automated means, or by non-automated means if the data forms part of a filing system or is intended to form part of a filing system (Article 2(1)). Personal data is defined as any information relating to an identified or identifiable natural person (data subject) (Article 4(1)). An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Article 4(1)). Therefore, pseudonymous data, such as blockchain transactions that use public keys or other identifiers, may still fall within the definition of personal data if the data subject can be identified or re-identified by using additional information or means (Recital 26).
The GDPR also applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the European Union, regardless of whether the processing takes place in the European Union or not (Article 3(1)). The GDPR also applies to the processing of personal data of data subjects who are in the European Union by a controller or processor not established in the European Union, where the processing activities are related to the offering of goods or services to such data subjects in the European Union or the monitoring of their behaviour as far as their behaviour takes place within the European Union (Article 3(2)). Therefore, the territorial scope of the GDPR covers both controllers and processors established in the European Union, and controllers and processors not established in the European Union but targeting or monitoring data subjects in the European Union.
In this scenario, blockchain transactions are classified as pseudonymous data, which may still be considered as personal data under the GDPR if the data subjects can be identified or re-identified. Therefore, such transactions are within the material scope of the GDPR, as they involve the processing of personal data by automated means. However, the GDPR only applies to such transactions to the extent that they include data subjects in the European Union, either by having a controller or processor established in the European Union, or by offering goods or services to or monitoring the behaviour of such data subjects. Therefore, the answer is C.
Marcelle
3 months agoParis
4 months agoEmile
4 months agoRicarda
4 months agoFrance
4 months agoFrancesco
5 months agoRuthann
5 months agoDacia
5 months agoAsha
5 months agoKimi
5 months agoYvette
5 months agoRanee
5 months agoElise
5 months agoLeota
10 months agoKiera
10 months agoLavelle
10 months agoShanda
9 months agoEliz
9 months agoBrent
9 months agoSharita
10 months agoNu
9 months agoPamella
10 months agoMilly
10 months agoQuinn
11 months agoFidelia
9 months agoEdelmira
10 months agoVallie
10 months agoBillye
11 months agoIzetta
9 months agoRonald
9 months agoVerlene
9 months agoDelmy
9 months agoTamera
11 months agoAlba
11 months agoTamera
11 months ago