Scenario 4:
Berc is a pharmaceutical company headquartered in Paris, France, known for developing inexpensive improved healthcare products. They want to expand to developing life-saving treatments. Berc has been engaged in many medical researches and clinical trials over the years. These projects required the processing of large amounts of data, including personal information. Since 2019, Berc has pursued GDPR compliance to regulate data processing activities and ensure data protection. Berc aims to positively impact human health through the use of technology and the power of collaboration. They recently have created an innovative solution in participation with Unty, a pharmaceutical company located in Switzerland. They want to enable patients to identify signs of strokes or other health-related issues themselves. They wanted to create a medical wrist device that continuously monitors patients' heart rate and notifies them about irregular heartbeats. The first step of the project was to collect information from individuals aged between 50 and 65. The purpose and means of processing were determined by both companies. The information collected included age, sex, ethnicity, medical history, and current medical status. Other information included names, dates of birth, and contact details. However, the individuals, who were mostly Berc's and Unty's customers, were not aware that there was an arrangement between Berc and Unty and that both companies have access to their personal data and share it between them. Berc outsourced the marketing of their new product to an international marketing company located in a country that had not adopted the adequacy decision from the EU commission. However, since they offered a good marketing campaign, following the DPO's advice, Berc contracted it. The marketing campaign included advertisement through telephone, emails, and social medi
a. Berc requested that Berc's and Unty's clients be first informed about the product. They shared the contact details of clients with the marketing company. Based on this scenario, answer the following Questio n:
Questio n:
Based on scenario 4, Berc shared personal information of its clients with an international marketing company even though an adequacy decision was absent. Which of the following is a valid reason to do so?
Under Article 46 of GDPR, in the absence of an adequacy decision, controllers can transfer data only if appropriate safeguards (e.g., Standard Contractual Clauses, Binding Corporate Rules) are in place.
Option C is correct because safeguards such as SCCs allow data transfers when no adequacy decision exists.
Option A is incorrect because adequacy decisions are a legal requirement, not optional.
Option B is incorrect because a CISO cannot authorize GDPR data transfers.
Option D is incorrect because reputation does not ensure GDPR compliance.
GDPR Article 46(1) (Appropriate safeguards for data transfers)
Recital 108 (Legally binding commitments for data protection)
Jeanice
15 hours agoAnnamaria
3 days ago