How does the GDPR now define "processing"?

A. Any act involving the collecting and recording of personal data.

B. Any operation or set of operations performed on personal data or on sets of personal data.

C. Any use or disclosure of personal data compatible with the purpose for which the data was collected.

D. Any operation or set of operations performed by automated means on personal data or on sets of personal data.

SCENARIO

Please use the following to answer the next question:

The fitness company Vigotron has recently developed a new app called M-Health, which it wants to market on its website as a free download. Vigotron's marketing manager asks his assistant Emily to create a webpage that describes the app

and specifies the terms of use. Emily, who is new at Vigotron, is excited about this task. At her previous job she took a data protection class, and though the details are a little hazy, she recognizes that Vigotron is going to need to obtain user

consent for use of the app in some cases. Emily sketches out the following draft, trying to cover as much as possible before sending it to Vigotron's legal department.

Registration Form

Vigotron's new M-Health app makes it easy for you to monitor a variety of health-related activities, including diet, exercise, and sleep patterns. M-Health relies on your smartphone settings (along with other third-party apps you may already

have) to collect data about all of these important lifestyle elements, and provide the information necessary for you to enrich your quality of life. (Please click here to read a full description of the services that M-Health provides.)

Vigotron values your privacy. The M-Heaith app allows you to decide which information is stored in it, and which apps can access your data. When your device is locked with a passcode, all of your health and fitness data is encrypted with

your passcode. You can back up data stored in the Health app to Vigotron's cloud provider, Stratculous. (Read more about Stratculous here.)

Vigotron will never trade, rent or sell personal information gathered from the M-Health app. Furthermore, we will not provide a customer's name, email address or any other information gathered from the app to any third- party without a

customer's consent, unless ordered by a court, directed by a subpoena, or to enforce the manufacturer's legal rights or protect its business or property.

We are happy to offer the M-Health app free of charge. If you want to download and use it, we ask that you

first complete this registration form. (Please note that use of the M-Health app is restricted to adults aged 16 or older, unless parental consent has been given to minors intending to use it.)

First name:

Surname:

Year of birth:

Email:

Physical Address (optional*):

Health status:

*If you are interested in receiving newsletters about our products and services that we think may be of interest to you, please include your physical address. If you decide later that you do not wish to receive these newsletters, you can

unsubscribe by sending an email to [email protected] or send a letter with your request to the address listed at the bottom of this page.

Terms and Conditions

1.Jurisdiction. [...]

2.Applicable law. [...]

3.Limitation of liability. [...]

Consent

By completing this registration form, you attest that you are at least 16 years of age, and that you consent to the processing of your personal data by Vigotron for the purpose of using the M-Health app. Although you are entitled to opt out of

any advertising or marketing, you agree that Vigotron may contact you or provide you with any required notices, agreements, or other information concerning the services by email or other electronic means. You also agree that the Company

may send automated emails with alerts regarding any problems with the M-Health app that may affect your well being.

What is one potential problem Vigotron's age policy might encounter under the GDPR?

A. Age restrictions are more stringent when health data is involved.

B. Users are only required to be aged 13 or over to be considered adults.

C. Organizations must make reasonable efforts to verify parental consent.

D. Organizations that tie a service to marketing must seek consent for each purpose.

Data retention in the EU was underpinned by a legal framework established by the Data Retention Directive (2006/24/EC). Why is the Directive no longer part of EU law?

A. The Directive was superseded by the EU Directive on Privacy and Electronic Communications.

B. The Directive was superseded by the General Data Protection Regulation.

C. The Directive was annulled by the Court of Justice of the European Union.

D. The Directive was annulled by the European Court of Human Rights.

What is the consequence if a processor makes an independent decision regarding the purposes and means of processing it carries out on behalf of a controller?

A. The controller will be liable to pay an administrative fine

B. The processor will be liable to pay compensation to affected data subjects

C. The processor will be considered to be a controller in respect of the processing concerned

D. The controller will be required to demonstrate that the unauthorized processing negatively affected one or more of the parties involved

The European Parliament jointly exercises legislative and budgetary functions with which of the following?

A. The European Commission.

B. The Article 29 Working Party.

C. The Council of the European Union.

D. The European Data Protection Board.