Which of the following is the weakest lawful basis for processing employee personal data?

Under Article 30 of the GDPR, controllers are required to keep records of all of the
following EXCEPT?

According to Article 84 of the GDPR, the rules on penalties applicable to infringements shall be laid down by?

Please use the following to answer the next question:
Due to rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B. Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry.
Company B’s payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A’s
factories. Company B won’t hold any biometric data itself, but the related data will be
uploaded to Company B’s UK servers and used to provide the payroll service. Company
B’s live systems will contain the following information for each of Company A’s employees:
Name
Address
Date of Birth
Payroll number
National Insurance number
Sick pay entitlement
Maternity/paternity pay entitlement
Holiday entitlement
Pension and benefits contributions
Trade union contributions
Jenny is the compliance officer at Company A. She first considers whether Company A
needs to carry out a data protection impact assessment in relation to the new time and
attendance system, but isn’t sure whether or not this is required.
Jenny does know, however, that under the GDPR there must be a formal written
agreement requiring Company B to use the time and attendance data only for the purpose
of providing the payroll service, and to apply appropriate technical and organizational
security measures for safeguarding the data. Jenny suggests that Company B obtain
advice from its data protection officer. The company doesn’t have a DPO but agrees, in the
interest of finalizing the contract, to sign up for the provisions in full. Company A enters into
the contract.
Weeks later, while still under contract with Company A, Company B embarks upon a
separate project meant to enhance the functionality of its payroll service, and engages
Company C to help. Company C agrees to extract all personal data from Company B’s live
systems in order to create a new database for Company B.
This database will be stored in a test environment hosted on Company C’s U.S. server.
The two companies agree not to include any data processing provisions in their services
agreement, as data is only being used for IT testing purposes.
Unfortunately, Company C’s U.S. server is only protected by an outdated IT security
system, and suffers a cyber security incident soon after Company C begins work on the
project. As a result, data relating to Company A’s employees is visible to anyone visiting
Company C’s website. Company A is unaware of this until Jenny receives a letter from the
supervisory authority in connection with the investigation that ensues. As soon as Jenny is
made aware of the breach, she notifies all affected employees.
Under the GDPR, which of Company B’s actions would NOT be likely to trigger a potential
enforcement action?

Which judicial body makes decisions on actions taken by individuals wishing to enforce their rights under EU law?

Please use the following to answer the next question:
ABC Hotel Chain and XYZ Travel Agency are U.S.-based multinational companies. They
use an internet-based common platform for collecting and sharing their customer data with
each other, in order to integrate their marketing efforts. Additionally, they agree on the data
to be stored, how reservations will be booked and confirmed, and who has access to the
stored data.
Mike, an EU resident, has booked travel itineraries in the past through XYZ Travel Agency
to stay at ABC Hotel Chain’s locations. XYZ Travel Agency offers a rewards program that
allows customers to sign up to accumulate points that can later be redeemed for free travel.
Mike has signed the agreement to be a rewards program member.
Now Mike wants to know what personal information the company holds about him. He
sends an email requesting access to his data, in order to exercise what he believes are his
data subject rights.
What are ABC Hotel Chain and XYZ Travel Agency’s roles in this relationship?

An online company’s privacy practices vary due to the fact that it offers a wide variety of
services. How could
it best address the concern that explaining them all would make the policies
incomprehensible?

Under the Data Protection Law Enforcement Directive of the EU, a government can carry out covert investigations involving personal data, as long it is set forth by law and constitutes a measure that is both necessary and what?