According to the GDPR, when should the processing of photographs be considered processing of special categories of personal data?

Please use the following to answer the next question:
Dynaroux Fashion (‘Dynaroux’) is a successful international online clothing retailer that
employs approximately 650 people at its headquarters based in Dublin, Ireland. Ronan is
their recently appointed data protection officer, who oversees the company’s compliance
with the General Data Protection Regulation (GDPR) and other privacy legislation.
The company offers both male and female clothing lines across all age demographics,
including children. In doing so, the company processes large amounts of information about
such customers, including preferences and sensitive financial information such as credit
card and bank account numbers.
In an aggressive bid to build revenue growth, Jonas, the CEO, tells Ronan that the
company is launching a new mobile app and loyalty scheme that puts significant emphasis
on profiling the company’s customers by analyzing their purchases. Ronan tells the CEO
that: (a) the potential risks of such activities means that
Dynaroux needs to carry out a data protection impact assessment to assess this new
venture and its privacy implications; and (b) where the results of this assessment indicate a
high risk in the absence of appropriate protection measures, Dynaroux may have to
undertake a prior consultation with the Irish Data Protection Commissioner before
implementing the app and loyalty scheme.
Jonas tells Ronan that he is not happy about the prospect of having to directly engage with
a supervisory authority and having to disclose details of Dynaroux’s business plan and
associated processing activities.
Which of the following facts about Dynaroux would trigger a data protection impact
assessment under the GDPR?

Many businesses print their employees’ photographs on building passes, so that
employees can be identified by security staff. This is notwithstanding the fact that facial images potentially qualify as biometric data under the GDPR. Why would such practice be permitted?

Which of the following entities would most likely be exempt from complying with the GDPR?

Please use the following to answer the next question:
Due to rapidly expanding workforce, Company A has decided to outsource its payroll
function to Company B. Company B is an established payroll service provider with a
sizable client base and a solid reputation in the industry.
Company B’s payroll solution for Company A relies on the collection of time and
attendance data obtained via a biometric entry system installed in each of Company A’s
factories. Company B won’t hold any biometric data itself, but the related data will be
uploaded to Company B’s UK servers and used to provide the payroll service. Company
B’s live systems will contain the following information for each of Company A’s employees:
Name
Address
Date of Birth
Payroll number
National Insurance number
Sick pay entitlement
Maternity/paternity pay entitlement
Holiday entitlement
Pension and benefits contributions
Trade union contributions
Jenny is the compliance officer at Company A. She first considers whether Company A
needs to carry out a data protection impact assessment in relation to the new time and
attendance system, but isn’t sure whether or not this is required.
Jenny does know, however, that under the GDPR there must be a formal written
agreement requiring Company B to use the time and attendance data only for the purpose
of providing the payroll service, and to apply appropriate technical and organizational
security measures for safeguarding the data. Jenny suggests that Company B obtain
advice from its data protection officer. The company doesn’t have a DPO but agrees, in the
interest of finalizing the contract, to sign up for the provisions in full. Company A enters into
the contract.
Weeks later, while still under contract with Company A, Company B embarks upon a
separate project meant to enhance the functionality of its payroll service, and engages
Company C to help. Company C agrees to extract all personal data from Company B’s live
systems in order to create a new database for Company B.
This database will be stored in a test environment hosted on Company C’s U.S. server.
The two companies agree not to include any data processing provisions in their services
agreement, as data is only being used for IT testing purposes.
Unfortunately, Company C’s U.S. server is only protected by an outdated IT security
system, and suffers a cyber security incident soon after Company C begins work on the
project. As a result, data relating to Company A’s employees is visible to anyone visiting
Company C’s website. Company A is unaware of this until Jenny receives a letter from the
supervisory authority in connection with the investigation that ensues. As soon as Jenny is
made aware of the breach, she notifies all affected employees.
The GDPR requires sufficient guarantees of a company’s ability to implement adequate
technical and organizational measures. What would be the most realistic way that
Company B could have fulfilled this requirement?

A grade school is planning to use facial recognition to track student attendance. Which of the following may provide a lawful basis for this processing?

Article 29 Working Party has emphasized that the GDPR forbids “forum shopping”, which
occurs when companies do what?

Please use the following to answer the next question:
Zandelay Fashion (‘Zandelay’) is a successful international online clothing retailer that
employs approximately 650 people at its headquarters based in Dublin, Ireland. Martin is
their recently appointed data protection officer, who oversees the company’s compliance
with the General Data Protection Regulation (GDPR) and other privacy legislation.
The company offers both male and female clothing lines across all age demographics,
including children. In doing so, the company processes large amounts of information about
such customers, including preferences and sensitive financial information such as credit
card and bank account numbers.
In an aggressive bid to build revenue growth, Jerry, the CEO, tells Martin that the company
is launching a new mobile app and loyalty scheme that puts significant emphasis on profiling the company’s customers by analyzing their purchases. Martin tells the CEO that:
(a) the potential risks of such activities means that Zandelay needs to carry out a data
protection impact assessment to assess this new venture and its privacy implications; and
(b) where the results of this assessment indicate a high risk in the absence of appropriate
protection measures, Zandelay may have to undertake a prior consultation with the Irish
Data Protection Commissioner before implementing the app and loyalty scheme.
Jerry tells Martin that he is not happy about the prospect of having to directly engage with a
supervisory authority and having to disclose details of Zandelay’s business plan and
associated processing activities.
What would MOST effectively assist Zandelay in conducting their data protection impact
assessment?