The Universal Declaration of Human Rights (UDHR) was adopted by the United Nations General Assembly in 1948 as a response to the atrocities of World War II. It is considered the first global expression of human rights and fundamental freedoms. Article 12 of the UDHR states that ''No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.'' This article is the origin of privacy as a fundamental human right that has influenced many subsequent international and regional instruments, such as the European Convention of Human Rights (ECHR), the OECD Guidelines on the Protection of Privacy, and the Charter of Fundamental Rights of the European Union (CFREU).Reference:

IAPP CIPP/E Study Guide, page 7

[Universal Declaration of Human Rights]

[Article 12 of the UDHR]

According to the Article 29 Working Party, a just-in-time notice is a type of privacy notice that provides processing information at specific points of data collection, such as when the user clicks on a certain feature or enters personal data1.This kind of notice is commonly recommended for AI-based technologies because it allows the user to receive relevant and timely information about the processing of their data, without being overwhelmed by lengthy and complex privacy statements1.A just-in-time notice can also be combined with other types of notices, such as layered notices or privacy dashboards, to provide a more comprehensive and user-friendly transparency framework1. Therefore, option C is the correct answer.Option A is incorrect because a privacy dashboard notice is a type of notice that provides the user with a centralised and interactive overview of the processing of their data, and allows them to manage their privacy settings and preferences1.Option B is incorrect because a visualization notice is a type of notice that uses graphical elements, such as icons, symbols, colours, or animations, to convey the processing information in a more intuitive and engaging way1.Option D is incorrect because a layered notice is a type of notice that provides the processing information in a hierarchical and modular way, starting with the most essential information and allowing the user to access more details if they wish1.Reference:

What's new in WP29's final guidelines on transparency?

According to GDPR Article 4(22), a supervisory authority is concerned by the processing of personal data if the data subjects residing in its member state are substantially affected or likely to be substantially affected by the processing, or if a complaint has been lodged with it. This concept is mainly introduced to ensure that the rights and interests of data subjects are protected by the supervisory authorities that are closest to them, regardless of where the controller or processor is established or where the lead supervisory authority is located. The concerned supervisory authorities have the right to participate in the one-stop-shop and consistency mechanisms, and to express their views and objections on the draft decisions of the lead supervisory authority. They also have the duty to cooperate and assist each other in the performance of their tasks.Reference:GDPR Article 4(22),GDPR Article 60,GDPR Article 63,The role of the 'supervisory authority concerned' (Chapter 3.1 ...

The GDPR applies to all personal data, regardless of whether it exists in physical form or not.The GDPR defines personal data as any information relating to an identified or identifiable natural person, such as names, identification numbers, location data, or online identifiers1. Therefore, any information that can be linked directly or indirectly to a natural person is considered personal data under the GDPR.

However, the GDPR also distinguishes between different types of processing activities and their legal bases. Processing activities are the operations performed on personal data, such as collection, storage, use, disclosure, or deletion. Processing activities can be either automated or manual. Automated processing means using technology to perform processing activities without human intervention. Manual processing means using human intervention to perform processing activities.

The GDPR requires that any processing activity that involves personal data must comply with certain principles and conditions, such as lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality. These principles and conditions apply to both automated and manual processing activities.

Therefore, the GDPR applies to personal data that exists in physical form only when it is processed by an automated means in some way that affects its rights and freedoms. For example, if a company scans paper documents and stores them electronically in a database without deleting them after a certain period of time or when they are no longer needed for the original purpose for which they were collected (Article 6), then this would be considered an automated processing activity that involves personal data in physical form.

However, the GDPR does not apply to personal data that exists in physical form when it is handled in a sufficiently structured manner so as to form part of a filing system. For example, if a company keeps paper documents in folders labeled with names and dates on their office shelves without scanning them or storing them electronically anywhere else (Article 5), then this would not be considered an automated processing activity that involves personal data in physical form.

Physical Data - GDPR Summary

What GDPR Means for Your Physical Records - Access

Personal Data - Data Protection Act 2018

According to theFree CIPP/E Study Guide, page 14, ''if the DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk, the controller shall consult the supervisory authority prior to the processing.'' This means that the controller must seek the advice of the supervisory authority when the DPIA identifies high risks that cannot be sufficiently reduced by the controller's own measures. The other options are not necessarily cases where the consultation is required, although they may trigger other obligations under the GDPR, such as obtaining a valid legal basis, providing adequate safeguards, or informing the data subjects.Reference:

Free CIPP/E Study Guide, page 14

GDPR, Article 36