CIPP-E IAPP Certified Information Privacy Professional/Europe (CIPP/E) Free Practice Exam Questions (2025 Updated)

The EDPB’s Guidelines 8/2020 on the targeting of social media users explain that the legitimate interest legal basis requires passing three cumulative tests: the purpose test, the necessity test, and the balancing test. The purpose test checks whether there is a legitimate interest pursued by the data controller or a third party. The necessity test checks whether the processing is necessary for the purpose identified. The balancing test checks whether the legitimate interest is not overridden by the interests or rights and freedoms of the data subject. The adequacy test is not one of the three tests required by the legitimate interest legal basis. The adequacy test is relevant for data transfers to third countries, not for data processing within the EU.

References:

EDPB Guidelines 8/2020 on the targeting of social media users, Section 3.2.11

GDPR Article 6(1)(f)2

GDPR Recital 472

IAPP CIPP/E Study Guide, Chapter 3, Section 3.2.23

 According to the CIPP/E study guide, the Court of Justice of the European Union (CJEU) ruled in the case of Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD), Mario Costeja González1 that an Internet search engine operator is responsible for the processing of personal data that appear on web pages published by third parties, and that such operator must comply with the EU data protection law when it has an establishment in the EU. The CJEU held that Google Spain and Google Inc. were inextricably linked in their businesses, since Google Spain promoted and sold advertising space offered by Google Inc., which oriented its activity towards the inhabitants of Spain. Therefore, Google Inc. was subject to the EU data protection law through its subsidiary Google Spain, even though the personal data processing was carried out by Google Inc. outside the EU. This implies that search engines outside the EEA are also likely to be subject to the Regulation’s right to be forgotten if they have an establishment in the EU that is inextricably linked to their parent company. References: 1: CIPP/E study guide, page 16; Google Spain v AEPD and Mario Costeja González

The GDPR defines personal data as “any information relating to an identified or identifiable natural person” (Article 4(1)). This includes names, quotations, and any other data that can be linked to a specific individual. The GDPR also requires that personal data be processed lawfully, fairly, and transparently, and that it be collected for specified, explicit, and legitimate purposes (Article 5(1)). Furthermore, the GDPR grants data subjects the right to object to the processing of their personal data for direct marketing purposes or for the purposes of the legitimate interests of the controller or a third party (Article 21).

In this scenario, Serge may have grounds to object to the use of his quotation on Brady Box’s home webpage, as it constitutes the processing of his personal data outside of the original purpose for which it was collected. Serge posted the quotation on Brady Box’s SNS, which is a separate service from Brady Box’s web page design service. By using the quotation on the home webpage, Brady Box is processing Serge’s personal data for a different purpose than the one for which Serge provided it, and without his consent or a legitimate interest. This may violate the principles of purpose limitation and lawfulness under the GDPR. Moreover, Serge may object to the use of his quotation as it implies his endorsement of Brady Box’s service, which may affect his reputation or interests.

The other options are less likely to be valid grounds for objection, as they are not directly related to the GDPR’s provisions on personal data protection. The misrepresentation of personal data as an endorsement may be a matter of contract law or consumer protection law, but not necessarily a GDPR issue. The juxtaposition of the quotation with others’ quotations may not affect Serge’s rights or interests, unless it creates a false or misleading impression of his views or opinions. The misapplication of the household exception in relation to a SNS may not apply in this case, as the household exception only covers the processing of personal data by a natural person in the course of a purely personal or household activity (Article 2(2)©). Serge’s posting of the quotation on a SNS may not qualify as a purely personal or household activity, as it involves the disclosure of personal data to a wider audience.

References:

GDPR

GDPR and social media

How does GDPR affect social media marketing?

Data Protection & Social Media: How GDPR Influences Today’s Social Media Marketing

Before Anna determines whether Frank’s performance database is permissible, she needs to know more information about the following aspects of the data processing:

The purpose and legal basis of the data processing, which should be clearly defined and documented in a data protection impact assessment (DPIA) or a similar document12.

The nature and extent of the personal data involved, which should be limited to what is necessary for the purpose and not retained longer than necessary12.

The measures taken to ensure the security and confidentiality of the personal data, such as encryption, pseudonymization, access control, etc12.

The rights and interests of the data subjects, such as their right to access, rectify, erase or restrict their personal data, as well as their right to object or withdraw consent12.

The potential risks and consequences of the data processing for the rights and freedoms of the data subjects, such as identity theft, discrimination, reputational damage, etc12.

In this case, Anna needs to know more information about what students have been told and how the research will be used. This is because:

The purpose of using student records for research purposes is not clear from Frank’s description. He does not specify whether he has obtained consent from the students or their parents/guardians, or whether he has informed them about his research objectives and methods.

The nature and extent of using student records for research purposes is not clear from Frank’s description. He does not specify which student records he is using (e.g., by name or by reference number), how many records he is using (e.g., by cohort or by class), or how long he will keep them (e.g., until graduation or indefinitely).

The measures taken to ensure the security and confidentiality of using student records for research purposes are not clear from Frank’s description. He does not specify whether he has encrypted his program or his laptop before transferring it to his home device, whether he has backed up his program or his laptop before losing it on the train, or whether he has reported his lost laptop to his IT department.

Therefore, Anna needs more information about these aspects before she can determine whether Frank’s performance database is permissible under the GDPR.

References: 1: Free CIPP/E Study Guide - International Association of Privacy Professionals 2: CIPP/E Certification - International Association of Privacy Professionals

 The ePrivacy Directive is a European Union (EU) directive that aims to protect the confidentiality of electronic communications and prevent their indiscriminate interception or monitoring. It was adopted in 2002 and amended in 2009. It applies to all providers of electronic communication services, such as internet service providers, mobile network operators, and online platforms12.

One of the main objectives of the ePrivacy Directive is to ensure that the retention of communications traffic data for law enforcement purposes is subject to strict conditions and safeguards. Communications traffic data refers to any information relating to the transmission or routing of electronic communications, such as IP addresses, timestamps, and metadata3. Such data can be used by competent national authorities for the prevention, investigation, detection or prosecution of criminal offences and safeguarding national security4.

However, the ePrivacy Directive does not allow individual EU member states to engage in such data retention without harmonizing their rules. Article 6(1)(b) of the directive states that “Member States shall ensure that any measures taken by them in relation to the retention of traffic data are consistent with this Directive”. Therefore, each EU member state must adopt a national law that complies with the requirements and limitations set by the directive12.

The Data Retention Directive (DRD) was a previous EU directive that aimed to establish a common framework for the retention of communications traffic data for law enforcement purposes across all EU member states. It was adopted in 2006 and amended in 2010. However, it was annulled by the Court of Justice of the European Union (CJEU) in 2014 on procedural grounds. The CJEU found that some provisions of the DRD were inconsistent with other EU directives and principles, such as Article 8(2) of the Charter of Fundamental Rights (CFR), which protects individuals from arbitrary interference with their privacy56.

The GDPR is a new EU regulation that implements some aspects of the DRD into national law through its provisions on processing personal data. However, it does not address directly the issue of communications traffic data retention for law enforcement purposes. Instead, it requires providers to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk involved in processing personal data. These measures include encryption, pseudonymisation, access control, and accountability7 . The GDPR also grants individuals certain rights regarding their personal data, such as access, rectification, erasure, portability, and objection7 .

Therefore, under current EU law, there is no single legal basis for retaining communications traffic data for law enforcement purposes across all EU member states. Each member state must adopt its own national law that respects the principles and limitations established by the ePrivacy Directive.

References:

ePrivacy Directive

ePrivacy Regulation

What is Communications Traffic Data?

How is Communications Traffic Data Retained?

Data Retention Directive

Data Retention Directive annulled by CJEU

General Data Protection Regulation

What are your rights regarding your personal data?

The GDPR applies to all personal data, regardless of whether it exists in physical form or not. The GDPR defines personal data as any information relating to an identified or identifiable natural person, such as names, identification numbers, location data, or online identifiers1. Therefore, any information that can be linked directly or indirectly to a natural person is considered personal data under the GDPR.

However, the GDPR also distinguishes between different types of processing activities and their legal bases. Processing activities are the operations performed on personal data, such as collection, storage, use, disclosure, or deletion. Processing activities can be either automated or manual. Automated processing means using technology to perform processing activities without human intervention. Manual processing means using human intervention to perform processing activities.

The GDPR requires that any processing activity that involves personal data must comply with certain principles and conditions, such as lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality. These principles and conditions apply to both automated and manual processing activities.

Therefore, the GDPR applies to personal data that exists in physical form only when it is processed by an automated means in some way that affects its rights and freedoms. For example, if a company scans paper documents and stores them electronically in a database without deleting them after a certain period of time or when they are no longer needed for the original purpose for which they were collected (Article 6), then this would be considered an automated processing activity that involves personal data in physical form.

However, the GDPR does not apply to personal data that exists in physical form when it is handled in a sufficiently structured manner so as to form part of a filing system. For example, if a company keeps paper documents in folders labeled with names and dates on their office shelves without scanning them or storing them electronically anywhere else (Article 5), then this would not be considered an automated processing activity that involves personal data in physical form.

References:

Physical Data - GDPR Summary

What GDPR Means for Your Physical Records - Access

Personal Data - Data Protection Act 2018

According to Article 83 of the GDPR, the less severe administrative fines of up to 10 million euros or 2% of the annual worldwide turnover apply to infringements of the articles governing controllers and processors, certification bodies, and monitoring bodies. These include Articles 8, 11, 25-39, 42, and 43. Among the answer choices, only option B falls under this category, as Article 25 requires controllers to implement data protection by design and by default. Option A is related to Article 7, which governs the conditions for consent. Option C is related to Article 5, which sets out the principles for processing personal data. Option D is related to Article 16, which grants the right to rectification to data subjects. These articles are subject to the more severe administrative fines of up to 20 million euros or 4% of the annual worldwide turnover. References:

GDPR Article 83

GDPR Article 25

GDPR Article 7

GDPR Article 5

GDPR Article 16

According to Article 14 of the GDPR, where personal data is not obtained directly from the data subject, the controller must provide the data subject with certain information about the processing, such as the identity of the controller, the purposes and legal basis of the processing, the categories of personal data concerned, the recipients or categories of recipients of the personal data, and the rights of the data subject12. However, there are some exceptions to this obligation, as specified in Article 14(5). One of them is when the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) or in so far as the obligation is likely to render impossible or seriously impair the achievement of the objectives of that processing12. In such cases, the controller must take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available12. References: CIPP/E Certification - International Association of Privacy Professionals, Free CIPP/E Study Guide - International Association of Privacy Professionals, GDPR - EUR-Lex, Right to be Informed - General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) introduces several obligations for processors who process personal data on behalf of controllers. These obligations apply to any processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not. The GDPR also applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to the offering of goods or services to data subjects in the EU or the monitoring of their behaviour as far as their behaviour takes place within the EU.

The GDPR’s list of processor obligations regarding cloud computing includes all of the following:

Controllers must be given notice of any subprocessors and have a right of objection. According to Article 28 of the GDPR, a processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.

Individuals authorized to process the personal data are subject to an obligation of confidentiality. According to Article 28 of the GDPR, the processor shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

Processors must implement technical and organizational measures to ensure a level of security appropriate to the risk. According to Article 32 of the GDPR, the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

The GDPR’s list of processor obligations regarding cloud computing does not include the following:

Any personal data related to data subjects must be securely maintained for a maximum of ten years. The GDPR does not specify a precise time limit for the storage of personal data, but leaves it to the controller to determine the appropriate retention period, taking into account the nature, scope, context and purposes of the processing, as well as the risks for the rights and freedoms of data subjects. The GDPR also allows for the further storage of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to appropriate safeguards. Therefore, the processor must follow the instructions of the controller regarding the storage duration of the personal data, and delete or return the personal data to the controller after the end of the provision of services relating to the processing, unless required to store the personal data by Union or Member State law.

References:

GDPR, Articles 3, 4, 28, 29, 32, 51, 55, 56, 57, 58, 60, 61, 62, 63, 64, 65, 66, 67, and 68.

EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, pages 19, 20, 21, 22, 23, 24, 25, 26, 27, and 28.

Cloud Computing and GDPR: what you need to know | Combell, paragraphs 1, 2, 3, 4, 5, 6, 7, and 8.

GDPR Processor Obligations - Taylor Wessing, paragraphs 1, 2, 3, 4, 5, 6, 7, and 8.

The “soft opt-in” rule is an exception to the general requirement of obtaining consent before sending electronic mail marketing to individuals. It applies when the following conditions are met12:

the sender has obtained the contact details of the recipient in the context of the sale or negotiations for the sale of a product or service to that recipient;

the sender only sends direct marketing relating to its own similar products or services; and

the recipient has been given a simple opportunity to refuse or opt out of the marketing, both when the details were initially collected and in every subsequent message.

The option B matches these conditions, as it implies that the individual has shown an interest in buying a product from the sender, and that the sender can use the individual’s details to send marketing about similar products, as long as the individual can easily opt out. The other options do not qualify for the “soft opt-in” rule, as they either involve no consent, no prior relationship, or no opt-out mechanism. References: Electronic mail marketing | ICO, Direct marketing rules and exceptions under the GDPR

According to Article 36 of the GDPR, when a controller intends to process personal data that would result in a high risk to the rights and freedoms of data subjects, and a data protection impact assessment under Article 35 indicates that the risk cannot be mitigated by the controller, the controller must consult the supervisory authority before processing. The purpose of this prior consultation is to seek the advice of the supervisory authority on whether the processing complies with the GDPR and what measures can be taken to ensure compliance. During the prior consultation, the controller must provide the supervisory authority with the following information:

the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings;

the purposes and means of the intended processing;

the measures and safeguards provided to protect the rights and freedoms of data subjects pursuant to the GDPR;

the contact details of the data protection officer, if any;

the data protection impact assessment provided for in Article 35; and

any other information requested by the supervisory authority.

Therefore, the correct answer is B. An explanation of the purposes and means of the intended processing. This information is essential for the supervisory authority to understand the nature and scope of the processing and to assess its compliance with the GDPR. The other options are not required by Article 36, although they may be relevant for other aspects of the GDPR, such as the data protection by design and by default principle (A), the lawfulness of processing ©, or the designation of the data protection officer (D). References:

Article 36 of the GDPR, which regulates the prior consultation with the supervisory authority.

ICO guidance, which explains the process and requirements of the prior consultation.

EDPB guidelines, which provide further guidance on the criteria and procedure of the prior consultation.

The GDPR does not explicitly regulate background checks, but it does apply to the processing of personal data that may be obtained or used during such checks. Therefore, the company must comply with the GDPR principles, such as lawfulness, fairness, transparency, data minimization, purpose limitation, accuracy, storage limitation, integrity and confidentiality, and accountability. The company must also identify a lawful basis for processing personal data, such as legal obligation, legitimate interest, or consent, and respect the data subject rights, such as the right to information, access, rectification, erasure, restriction, objection, and portability. Moreover, the company must be aware of the specific rules and restrictions regarding the processing of special categories of data (such as biometric, health, or political data) and data relating to criminal convictions and offences, which are subject to Article 10 of the GDPR and the laws of each member state. The company must also consider the national employment laws and the guidelines of the relevant supervisory authorities, which may impose additional conditions or limitations on the scope, methods, and purposes of background checks. For example, some member states may require prior authorization, notification, or consultation with the supervisory authority, the data subject, or the works council before conducting background checks. Some member states may also prohibit or restrict certain types of background checks, such as social media screening, credit checks, or criminal record checks, unless they are necessary, proportionate, and relevant for the specific job position or sector. Therefore, the company must conduct a thorough assessment of the legal framework and the risks and benefits of background checks in each member state where it operates or recruits employees, and ensure that it has a clear and consistent policy and procedure for conducting background checks in a GDPR-compliant manner. References: How to ‘background check’ under the GDPR, How to perform GDPR compliant background checks, GDPR and the processing of criminal conviction data across Europe, Pre-employment vetting: Data protection and criminal records, How GDPR Affects Background Checking

A risk analysis is a process of identifying, assessing and mitigating the potential threats and vulnerabilities that may affect the personal data processing activities of an organization. A risk analysis is not a one-time activity, but a continuous and dynamic process that requires regular monitoring and updating. A risk analysis is also not a substitute for compliance with the GDPR, but a tool to help ensure compliance by identifying and addressing the legal obligations and best practices.

According to the GDPR, an organization must conduct a data protection impact assessment (DPIA) before starting any new or significantly increased processing activity that may pose a high risk to the rights and freedoms of the data subjects. A DPIA is a systematic and documented process that aims to identify, evaluate and mitigate the risks associated with such processing activities. A DPIA must be carried out by or on behalf of the controller (the person or entity that determines the purposes and means of processing) or by another person acting on their behalf.

In this scenario, Frank is conducting a DPIA for his new processing activity of analyzing his students’ performance data in relation to Department for Education expectations. This processing activity poses a high risk to the rights and freedoms of his students, as it involves collecting, storing, using and transferring their personal data without their explicit consent or knowledge. Therefore, Frank must conduct a DPIA before starting this processing activity.

However, there are some exceptions to this requirement. One of them is when the processing activity involves personal data that are no longer relevant for the original purpose for which they were collected or otherwise processed. In this case, Frank can use existing personal data without conducting a DPIA, as long as he ensures that they are adequate, relevant and limited to what is necessary for his new purpose.

Therefore, in this situation, Anna will find that a risk analysis is NOT necessary in this situation as long as the data subjects are no longer current students of Frank’s. This means that Frank can use his existing student records without conducting a DPIA, as long as he ensures that they are adequate, relevant and limited to what is necessary for his new purpose.

References:

Risks and data protection impact assessments (DPIAs) | ICO

What Are GDPR Risk Assessments and Why Are They Important?

GDPR Compliance Risk Assessment Best Practices | Accountable

Why risk assessments are essential for GDPR compliance

According to Articles 33 and 34 of the GDPR, the Gummy Bear Company potentially violated its breach notification obligations by allowing Sam to copy and use the personal data of its customers in Ireland without their consent or authorization. A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed (Article 4(12)). The Gummy Bear Company, as a data controller, is required to notify the competent supervisory authority of the personal data breach without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons (Article 33(1)). The notification should include the nature of the personal data breach, the categories and approximate number of data subjects and personal data records concerned, the likely consequences of the personal data breach, and the measures taken or proposed to address the personal data breach (Article 33(3)). The Gummy Bear Company is also required to communicate the personal data breach to the affected data subjects without undue delay, if the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons (Article 34(1)). The communication should describe the nature of the personal data breach and the measures taken or proposed to address the personal data breach (Article 34(2)).

Therefore, the Gummy Bear Company should analyze and evaluate all of its breach notification obligations, taking into account the nature and circumstances of the personal data breach, the type and sensitivity of the personal data involved, the potential impact and harm to the data subjects, and the applicable laws and regulations of the jurisdictions where the data subjects reside. The Gummy Bear Company should also document the personal data breach and the remedial actions taken, and cooperate with the supervisory authorities and the data subjects as required by the GDPR.

References: GDPR, Articles 4(12), 33, 341; EDPB Guidelines 01/2021 on Examples regarding Data Breach Notification2

 The Individual Participation Principle is one of the Fair Information Practice Principles (FIPPs) that are not part of any legal framework, but are widely adopted by many data privacy regulations in force today1. The FIPPs are a set of guidelines for fair information practices that aim to protect the privacy and security of personal information. The Individual Participation Principle holds that individuals have a number of rights, including the right to have their personal data corrected or erased, the right to access and obtain confirmation of their personal data, the right to be informed about how their personal data is used and who it is shared with, and the right to object or withdraw consent for certain purposes2.

The General Data Protection Regulation (GDPR) is a legal framework that implements the European Union’s (EU) Data Protection Directive and provides comprehensive protection for all individuals within the EU regarding their personal data. The GDPR grants individuals a number of rights, such as the right to access, rectify, erase, restrict, port, object, or not be subject to automated decision-making based on their personal data. These rights are similar to those under the FIPPs and can be found in Articles 12 to 22 of the GDPR.

Therefore, the parts of the GDPR that provide the closest equivalent to the Individual Participation Principle are Articles 12 to 22.

References:

OECD Privacy Principles

What are the 7 main principles of GDPR?

Fair Information Practice Principles (FIPPs)

Individual Participation - International Association of Privacy Professionals

What is the right to be forgotten? | Right to erasure | Cloudflare

General Data Protection Regulation - Wikipedia

 According to Article 13 of the GDPR, when personal data are collected from the data subject, the controller shall provide the data subject with certain information, such as the purposes and legal basis of the processing, the recipients or categories of recipients of the personal data, and the existence of the data subject’s rights. This information shall be provided at the time when personal data are obtained. The purpose of this requirement is to ensure that the data subject is informed and aware of how their personal data will be used and shared, and to enable them to exercise their rights accordingly. Therefore, customers shall receive a clear and conspicuous notice about such data sharing before submitting their data during the registration process. References:

Article 13 of the GDPR

IAPP CIPP/E Study Guide, page 32

The GDPR requires that in the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons1. A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed2. In this scenario, the company ABCD is the controller of the client data, and the loss of the memory stick containing unencrypted and clear text personal data is a personal data breach that may pose a risk to the rights and freedoms of the data subjects, such as identity theft, fraud, financial loss, or reputational damage. Therefore, the company ABCD should notify the data protection supervisory authority as soon as possible, and provide the information specified in Article 33(3) of the GDPR, such as the nature of the breach, the categories and number of data subjects and personal data records concerned, the likely consequences of the breach, and the measures taken or proposed to address the breach1. Option A is the correct answer, as it reflects the obligation of the controller under the GDPR. Options B, C and D are incorrect, as they do not comply with the GDPR requirements. Option B would delay the notification beyond the 72-hour deadline, which could result in administrative fines or other sanctions3. Option C would misuse the “disproportionate effort” exception, which only applies to the communication of the breach to the data subjects, not to the notification to the supervisory authority, and only when the controller has implemented appropriate technical and organisational protection measures, such as encryption, that render the personal data unintelligible to any person who is not authorised to access it4. Option D would prematurely notify the customers of the company without first notifying the supervisory authority, and without assessing the level of risk and the necessity of such communication, which should be done in consultation with the supervisory authority5. References: 1: Article 33(1) of the GDPR 2: Article 4(12) of the GDPR 3: Article 83(4)(a) of the GDPR 4: Article 34(3)(a) of the GDPR 5: Article 34(1) and (2) of the GDPR

According to the GDPR, the territorial scope of the regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behavior as far as their behavior takes place within the Union1. In this scenario, Who-R-U is not established in the Union, but it is collecting location information of its Canadian customers who use the app while traveling abroad, including in the EU. This constitutes monitoring of their behavior within the Union, and therefore triggers the application of the GDPR. The other options are not correct because: (A) Who-R-U does not have any establishment in the Union, as the naming-rights deal does not involve any technology or infrastructure; (B) Who-R-U is not offering goods or services to data subjects in the Union, as it only targets Canadian customers and blocks internet traffic from outside of Canada; © Who-R-U is not engaging in commercial activities conducted in the Union, as it only accepts Canadian currency and does not process orders that request the DNA report to be sent outside of Canada. References: 1: Article 3(2) of the GDPR; Free CIPP/E Study Guide, page 11.