Which of the following is the weakest lawful basis for processing employee personal data?

Please use the following to answer the next question:
The fitness company Vigotron has recently developed a new app called M-Health, which it
wants to market on its website as a free download. Vigotron’s marketing manager asks his
assistant Emily to create a webpage that describes the app and specifies the terms of use.
Emily, who is new at Vigotron, is excited about this task. At her previous job she took a
data protection class, and though the details are a little hazy, she recognizes that Vigotron
is going to need to obtain user consent for use of the app in some cases. Emily sketches
out the following draft, trying to cover as much as possible before sending it to Vigotron’s
legal department.
Registration Form
Vigotron’s new M-Health app makes it easy for you to monitor a variety of health-related
activities, including diet, exercise, and sleep patterns. M-Health relies on your smartphone
settings (along with other third-party apps you may already have) to collect data about all of
these important lifestyle elements, and provide the information necessary for you to enrich
your quality of life. (Please click here to read a full description of the services that M-Health
provides.)
Vigotron values your privacy. The M-Heaith app allows you to decide which information is
stored in it, and which apps can access your data. When your device is locked with a
passcode, all of your health and fitness data is encrypted with your passcode. You can
back up data stored in the Health app to Vigotron’s cloud provider, Stratculous. (Read more
about Stratculous here.)
Vigotron will never trade, rent or sell personal information gathered from the M-Health app.
Furthermore, we will not provide a customer’s name, email address or any other
information gathered from the app to any third- party without a customer’s consent, unless
ordered by a court, directed by a subpoena, or to enforce the manufacturer’s legal rights or
protect its business or property.
We are happy to offer the M-Health app free of charge. If you want to download and use it,
we ask that you
first complete this registration form. (Please note that use of the M-Health app is restricted
to adults aged 16 or older, unless parental consent has been given to minors intending to
use it.)
First name:
Surname:
Year of birth:
Email:
Physical Address (optional*):
Health status:
*If you are interested in receiving newsletters about our products and services that we think
may be of interest to you, please include your physical address. If you decide later that you
do not wish to receive these newsletters, you can unsubscribe by sending an email to
unsubscribe@vigotron.com or send a letter with your request to the address listed at the
bottom of this page.
Terms and Conditions
1.Jurisdiction. […]
2.Applicable law. […]
3.Limitation of liability. […]
Consent
By completing this registration form, you attest that you are at least 16 years of age, and
that you consent to the processing of your personal data by Vigotron for the purpose of
using the M-Health app. Although you are entitled to opt out of any advertising or
marketing, you agree that Vigotron may contact you or provide you with any required
notices, agreements, or other information concerning the services by email or other
electronic means. You also agree that the Company may send automated emails with
alerts regarding any problems with the M-Health app that may affect your well being.
What is one potential problem Vigotron’s age policy might encounter under the GDPR?

If a multi-national company wanted to conduct background checks on all current and potential employees, including those based in Europe, what key provision would the company have to follow?

A mobile device application that uses cookies will be subject to the consent requirement of which of the following?

Please use the following to answer the next question:
You have just been hired by a toy manufacturer based in Hong Kong. The company sells a
broad range of dolls, action figures and plush toys that can be found internationally in a
wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong
and in fact does not employ any staff outside Hong Kong, it has entered into a number of
local distribution contracts. The toys produced by the company can be found in all popular
toy stores throughout Europe, the United States and Asia. A large portion of the company’s
revenue is due to international sales.
The company now wishes to launch a new range of connected toys, ones that can talk and
interact with children. The CEO of the company is touting these toys as the next big thing,
due to the increased possibilities offered: The figures can answer children’s Questions: on
various subjects, such as mathematical calculations or the weather. Each figure is
equipped with a microphone and speaker and can connect to any smartphone or tablet via
Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via
Bluetooth as well. The figures can also be associated with other figures (from the same
manufacturer) and interact with each other for an enhanced play experience
When a child asks the toy a QUESTION, the request is sent to the cloud for analysis, and
the answer is generated on cloud servers and sent back to the figure. The answer is given
through the figure’s integrated
speakers, making it appear as though that the toy is actually responding to the child’s
QUESTION. The packaging of the toy does not provide technical details on how this works,
nor does it mention that this feature requires an internet connection. The necessary data
processing for this has been outsourced to a data center located in South Africa. However,
your company has not yet revised its consumer-facing privacy policy to indicate this.
In parallel, the company is planning to introduce a new range of game systems through
which consumers can play the characters they acquire in the course of playing the game.
The system will come bundled with a portal that includes a Near-Field Communications
(NFC) reader. This device will read an RFID tag in the action figure, making the figure
come to life onscreen. Each character has its own stock features and abilities, but it is also
possible to earn additional ones by accomplishing game goals. The only information stored
in the tag relates to the figures’ abilities. It is easy to switch characters during the game,
and it is possible to bring the figure to locations outside of the home and have the
character’s abilities remain intact.
In light of the requirements of Article 32 of the GDPR (related to the Security of
Processing), which practice should the company institute?

Please use the following to answer the next question:
Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it
is a multi-billion-dollar candy company operating in every continent. All of the company’s IT
servers are located in Vermont. This year Joe hires his son Ben to join the company and
head up Project Big, which is a major marketing strategy to triple gross revenue in just 5
years. Ben graduated with a PhD in computer software from a top university. Ben decided
to join his father’s company, but is also secretly working on launching a new global online
dating website company called Ben Knows Best.
Ben is aware that the Gummy Bear Company has millions of customers and believes that
many of them might also be interested in finding their perfect match. For Project Big, Ben
redesigns the company’s online web portal and requires customers in the European Union
and elsewhere to provide additional personal information in order to remain a customer.
Project Ben begins collecting data about customers’ philosophical beliefs, political opinions
and marital status.
If a customer identifies as single, Ben then copies all of that customer’s personal data onto
a separate database for Ben Knows Best. Ben believes that he is not doing anything
wrong, because he explicitly asks each customer to give their consent by requiring them to
check a box before accepting their information. As Project Big is an important project, the
company also hires a first year college student named Sam, who is studying computer
science to help Ben out.
Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on
going to Ireland over Spring Beak with 10 of his friends, so he copies all of the customer
information of people that reside in Ireland so that he and his friends can contact people
when they are in Ireland.
Joe also hires his best friend’s daughter, Alice, who just graduated from law school in the
U.S., to be the company’s new General Counsel. Alice has heard about the GDPR, so she
does some research on it. Alice approaches Joe and informs him that she has drafted up
Binding Corporate Rules for everyone in the company to follow, as it is important for the
company to have in place a legal mechanism to transfer data internally from the company’s
operations in the European Union to the U.S.
Joe believes that Alice is doing a great job, and informs her that she will also be in-charge
of handling a major lawsuit that has been brought against the company in federal court in
the U.S. To prepare for the lawsuit, Alice instructs the company’s IT department to make
copies of the computer hard drives from the entire global sales team, including the
European Union, and send everything to her so that she can review everyone’s
information. Alice believes that Joe will be happy that she did the first level review, as it will
save the company a lot of money that would otherwise be paid to its outside law firm.
The data transfer mechanism that Alice drafted violates the GDPR because the company
did not first get approval from?

Pursuant to Article 4(5) of the GDPR, data is considered “pseudonymized” if?

Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA
analysis. The company is headquartered in Montreal, and all of its employees are located
there. The company offers its services to Canadians only: Its website is in English and
French, it accepts only Canadian currency, and it blocks internet traffic from outside of
Canada (although this solution doesn’t prevent all non-Canadian traffic). It also declines to
process orders that request the DNA report to be sent outside of Canada, and returns
orders that show a non-Canadian return address.
Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU,
and the company is exploring a number of plans to expand its customer base.
The first plan, collegially called We-Track-U, will use an app to collect information about its
current Canadian customer base. The expansion will allow its Canadian customers to use
the app while traveling abroad. He
suggests that the company use this app to gather location information. If the plan shows
promise, Bob proposes to use push notifications and text messages to encourage existing
customers to pre-register for an EU version of the service. Bob calls this work plan, We-
Text-U. Once the company has gathered enough pre- registrations, it will develop EUspecific
content and services.
Another plan is called Customer for Life. The idea is to offer additional services through the
company’s app, like storage and sharing of DNA information with other applications and
medical providers. The company’s contract says that it can keep customer DNA
indefinitely, and use it to offer new services and market them to customers. It also says that
customers agree not to withdraw direct marketing consent. Paul, the marketing director,
suggests that the company should fully exploit these provisions, and that it can work
around customers’ attempts to withdraw consent because the contract invalidates them.
The final plan is to develop a brand presence in the EU. The company has already begun
this process. It is in the process of purchasing the naming rights for a building in Germany,
which would come with a few offices that Who-R-U executives can use while traveling
internationally. The office doesn’t include any technology or infrastructure; rather, it’s simply
a room with a desk and some chairs.
On a recent trip concerning the naming-rights deal, Bob’s laptop is stolen. The laptop held
unencrypted DNA reports on 5,000 Who-R-U customers, all of whom are residents of
Canada. The reports include customer name, birthdate, ethnicity, racial background,
names of relatives, gender, and occasionally health information.
If Who-R-U adopts the We-Track-U pilot plan, why is it likely to be subject to the territorial
scope of the GDPR?