Chapter 12 of 13
Applied Scenarios and Case Studies: From Theory to Fact Patterns
Test your understanding by walking through compact, exam-style scenarios that weave together multiple GDPR concepts, forcing you to spot issues, assign roles and choose the best legal path under time pressure.
Step 1 – How to Attack GDPR Scenarios Under Time Pressure
Why Scenarios Matter
On CIPP/E and in practice, you get dense fact patterns mixing scope, roles, legal bases, rights, transfers and enforcement, not neat single-article questions.
Your Scenario Checklist
Use a 4-step attack plan: 1) Scope & territory, 2) Roles, 3) Legal basis & special rules, 4) Rights, transfers, enforcement.
Goal of This Module
You will practice spotting multiple GDPR issues at once and picking the best legal path among plausible options under time pressure.
Step 2 – Scenario A: Fitness App and Cloud Analytics
Scenario A Overview
FitLife GmbH (Germany) runs a fitness app EU-wide, collects identity, GPS routes and heart rate, uses AWS in Ireland, InsightIQ in the UK, and FriendSpace in the US.
Data and Partners
Data: name, email, GPS, heart rate. Partners: AWS (cloud host in Ireland), InsightIQ (analytics in UK), FriendSpace (US social login).
Notice and Consent
Privacy notice: legal basis is "provide and improve the service"; checkbox consent only for "personalised workout recommendations"; no explicit mention of international transfers.
What to Think About
Consider: Is GDPR in scope? Who is controller vs processor? Is heart rate special category data? Are there international transfers and what safeguards are needed?
Step 3 – Issue-Spotting Walkthrough for Scenario A
Work through these questions in order. Try to answer before reading the hints.
- Scope & territory
  - FitLife is established in Germany and offers the app across the EU. GDPR clearly applies (Art. 3(1) establishment, plus Art. 3(2) offering services to data subjects in the EU).
- Roles
  - FitLife: controller for all processing of users' data.
  - AWS Ireland: processor (hosting under FitLife's instructions).
  - InsightIQ UK: likely processor if it only analyses data on FitLife's behalf and cannot use it for its own purposes.
  - FriendSpace US: independent controller for its own social media service; FitLife and FriendSpace are separate controllers, not joint controllers, if FriendSpace reuses data for its own purposes.
Thought check: If InsightIQ reuses pseudonymised statistics to build its own generic analytics products, it may be a controller (or joint controller) for that re-use.
- Legal bases
  - Core service (account, basic tracking): likely Art. 6(1)(b) contract with the user.
  - "Improve the service" analytics: could be legitimate interests (Art. 6(1)(f)), but must pass the three-part test and consider ePrivacy rules if cookies/SDKs are involved.
  - Personalised workout recommendations: relies on consent (checkbox). Consent must be specific, informed, and freely given.
- Special category data
  - Heart rate is health data (special category, Art. 9). FitLife needs an Art. 9(2) condition in addition to Art. 6.
  - Common path in a consumer app: explicit consent under Art. 9(2)(a).
- Transfers
  - AWS Ireland: no international transfer (still in the EEA).
  - InsightIQ in the UK: as of today (mid-2026), the UK is a third country, but the EU Commission adequacy decision for the UK (2021) still applies, subject to periodic review. So transfers are allowed on that basis.
  - FriendSpace in the US: this is an international transfer. Options include:
    - EU-US Data Privacy Framework (DPF) if FriendSpace is certified for the relevant services, or
    - Standard Contractual Clauses (SCCs) plus transfer impact assessment.
- Notice gaps
  - The privacy notice does not clearly explain the international transfers to the UK and US or identify the relevant safeguards/adequacy decisions (Arts. 13–14). This is a compliance gap.
Use this structured walkthrough as a mental template: you can run the same sequence for any exam scenario.
Step 4 – Quick Check on Scenario A
Test your ability to choose the best answer, not just a technically possible one.
In Scenario A, what is the **most appropriate** legal basis for FitLife's core processing of users' heart-rate data to provide the fitness-tracking service?
- A) Art. 6(1)(b) contract alone, because users sign up for the service
- B) Art. 6(1)(b) contract plus explicit consent under Art. 9(2)(a) for special category data
- C) Legitimate interests under Art. 6(1)(f), because users expect tracking
- D) Vital interests under Art. 6(1)(d), because heart rate is health data
Answer: B) Art. 6(1)(b) contract plus explicit consent under Art. 9(2)(a) for special category data
Heart rate is health data (special category). FitLife needs (1) a standard Art. 6 legal basis for processing personal data and (2) an Art. 9 condition for special categories. Providing the contracted service fits Art. 6(1)(b). Because this is a consumer fitness app (not medical care or employment), explicit consent under Art. 9(2)(a) is the most appropriate Art. 9 basis. Contract alone is not sufficient for special category data; legitimate interests and vital interests are not a good fit here.
Step 5 – Scenario B: HR, Whistleblowing and Rights Requests
Scenario B Overview
EuroBank SA (France) runs an HR system and whistleblowing hotline for EU staff, using SafeSpeak as a vendor. A Spanish employee, Ana, reports fraud via the hotline.
The Report and Policy
The report names people, describes alleged misconduct, and includes email screenshots. Policy: confidentiality, sharing with investigators/regulators, and possible limits on access to avoid prejudicing investigations.
Ana's Access Request
Three weeks later, Ana requests: (1) a copy of her report, and (2) all documents about the investigation, including witness statements. EuroBank fears this could expose witnesses and harm the investigation.
Key Issues to Spot
Consider: controller/processor roles, right of access scope, protection of others' rights, possible restrictions, and how a supervisory authority might view EuroBank's response.
Step 6 – Prioritising Issues in Scenario B
Use the 4-step structure again. Think before reading each point.
- Scope & roles
  - EuroBank SA is the controller for HR and hotline data.
  - SafeSpeak is a processor for operating the hotline on EuroBank's behalf.
  - Branches in Spain and Italy are part of the same legal entity; they are not separate controllers.
- Legal basis
  - HR data: likely Art. 6(1)(b) (employment contract) and/or Art. 6(1)(c) (legal obligation under employment/financial laws).
  - Whistleblowing: typically Art. 6(1)(c) (legal obligation to prevent fraud/comply with financial regulations) and/or Art. 6(1)(f) (legitimate interests in detecting misconduct).
- Right of access (Art. 15)
  - Ana has the right to obtain confirmation and access to her personal data.
  - But access rights are not absolute. Under Art. 15(4), access may not adversely affect the rights and freedoms of others (e.g., witnesses, accused persons).
- Restrictions
  - GDPR allows Member State or EU law restrictions (Art. 23) for purposes such as preventing obstruction of official or internal investigations.
  - EuroBank's policy cannot on its own override GDPR, but it can reflect national laws that restrict disclosure.
- Practical response
  - Likely approach:
    - Provide Ana with a copy of her own report (possibly with redactions of others' identifiers where necessary).
    - Explain the existence of the investigation and general categories of data processed.
    - Withhold or redact witness statements and sensitive details where disclosure would reveal identities or prejudice the investigation.
    - Document the balancing test and legal basis for any restriction.
- Exam tip
  - On CIPP/E, avoid extremes:
    - "Give nothing" is usually too restrictive.
    - "Give everything unredacted" usually fails to protect others' rights.
    - The best answer often involves partial access plus justified redactions.
Step 7 – MCQ Practice: Rights vs. Other Interests
Choose the best answer based on Scenario B.
How should EuroBank most appropriately respond to Ana's access request under GDPR?
- A) Refuse the entire request because investigations are confidential under company policy
- B) Provide all documents in full, because the right of access overrides internal policies
- C) Provide Ana with her own report and high-level information about the investigation, while redacting or withholding parts that would reveal witness identities or seriously prejudice the investigation, explaining the legal basis
- D) Delay responding until the investigation is complete, then decide what to disclose
Answer: C) Provide Ana with her own report and high-level information about the investigation, while redacting or withholding parts that would reveal witness identities or seriously prejudice the investigation, explaining the legal basis
Art. 15 grants access rights but Art. 15(4) and Art. 23 allow restrictions to protect others' rights and the effectiveness of investigations, where provided by law. The best answer balances Ana's rights with protection of witnesses and the investigation: partial disclosure with justified redactions and a clear explanation. Company policy alone cannot justify a total refusal, and indefinite delay is not allowed (responses are due without undue delay and in any event within one month, subject to limited extensions).
Step 8 – Scenario C: Group Companies and International Transfers
Scenario C Overview
DataShop BV (Netherlands) sells EU-wide, has a US parent, and sends hashed identifiers and purchase histories to the US parent for AI-based demand forecasting.
Structure and Roles
DataShop BV decides which EU data is collected and why, making it the controller. DataShop Inc. in the US processes this data for analytics, under SCCs and group policies.
Transfer Mechanisms
DataShop BV uses 2021 SCCs and did a transfer impact assessment in 2024. The privacy notice explains US transfers and safeguards.
Current Context
As of 2026, the EU-US Data Privacy Framework is available for certified US organisations, but SCCs plus TIAs remain widely used and valid.
Step 9 – MCQ Practice: Transfers and Outdated Mechanisms
Apply your knowledge of current transfer rules.
Which statement best reflects **current** GDPR practice for DataShop BV's transfers to DataShop Inc. in the US?
- A) DataShop BV can rely on the old EU-US Privacy Shield, because it still applies to intra-group transfers
- B) DataShop BV may rely on either SCCs (plus a transfer impact assessment and any necessary supplementary measures) or, if DataShop Inc. is certified, the EU-US Data Privacy Framework; Privacy Shield is no longer valid
- C) DataShop BV does not need any transfer mechanism because the data is hashed before transfer
- D) DataShop BV must always use Binding Corporate Rules (BCRs) for any intra-group transfer outside the EEA
Answer: B) DataShop BV may rely on either SCCs (plus a transfer impact assessment and any necessary supplementary measures) or, if DataShop Inc. is certified, the EU-US Data Privacy Framework; Privacy Shield is no longer valid
The Court of Justice of the EU invalidated the EU-US Privacy Shield in 2020 (Schrems II). As of 2026, valid options for US transfers include the 2021 SCCs (with a TIA and supplementary measures where needed) and the EU-US Data Privacy Framework for certified US organisations. Hashing alone does not necessarily remove the data from GDPR scope, and BCRs are optional, not mandatory.
Step 10 – Flashcard Drill: Roles, Bases, Transfers, Rights
Use these flashcards to reinforce key concepts that repeatedly appear in integrated scenarios.
- Controller vs Processor: quick test
  - Ask: Who decides **why** and **how** personal data is processed? That entity is the controller. A processor acts **on behalf of** the controller and follows its documented instructions.
- Special category data extra step
  - For health, biometric, or other special categories, you always need: (1) an Art. 6 legal basis, and (2) an Art. 9 condition (e.g., explicit consent, employment law obligation, vital interests, public interest in public health).
- Access right is not absolute
  - Art. 15 grants access, but Art. 15(4) and Art. 23 allow restrictions to protect others' rights and important objectives (e.g., investigations). Often the correct approach is **partial access with justified redactions**.
- International transfer definition
  - A transfer occurs when personal data is sent or made accessible from the EEA to a third country or international organisation. Remote access from a third country (e.g., support staff) can also be a transfer.
- Common transfer tools (mid-2026)
  - Key tools: (1) Adequacy decisions (e.g., UK, EU-US DPF for certified US entities), (2) 2021 SCCs + TIA + supplementary measures, (3) Binding Corporate Rules, (4) narrow derogations in Art. 49.
- Exam pattern: outdated mechanisms
  - CIPP/E questions may include distractors like "EU-US Privacy Shield" or pre-2021 SCCs. These are outdated. Look for references to **2021 SCCs** or **EU-US Data Privacy Framework** instead.
- Balancing test for legitimate interests
  - Three steps: (1) Purpose test (is there a legitimate interest?), (2) Necessity test (is processing necessary for that purpose?), (3) Balancing test (do data subjects' interests override?). Document this analysis.
Key Terms
- Processor
  - A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
- Controller
  - The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of personal data processing.
- Right of access
  - The data subject's right under Art. 15 GDPR to obtain confirmation of processing and access to their personal data and related information.
- Adequacy decision
  - A decision by the European Commission that a non-EU country ensures an adequate level of data protection, allowing free flow of personal data to that country.
- Joint controllers
  - Two or more controllers that jointly determine the purposes and means of processing and must transparently allocate their GDPR responsibilities under Art. 26.
- Legitimate interests
  - A flexible legal basis under Art. 6(1)(f) GDPR allowing processing necessary for the controller's or a third party's legitimate interests, except where overridden by data subjects' interests or rights.
- Special category data
  - Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for unique identification, health data, or data about sex life or sexual orientation.
- EU-US Data Privacy Framework
  - An adequacy framework adopted by the European Commission in 2023 for certified US organisations, allowing transfers of personal data from the EU to those entities.
- Transfer impact assessment (TIA)
  - An assessment carried out by exporters using tools like SCCs to evaluate whether the law and practices of the third country may impinge on the effectiveness of the safeguards.
- Standard Contractual Clauses (SCCs)
  - European Commission-approved contractual clauses that provide appropriate safeguards for personal data transfers to third countries without an adequacy decision.