GRA4137 Data Protection and Ethics

Fall 2020 Exam

NB! Please add your ID number (7 digits), top right, on all pages of your answer paper.
Total no. of pages in this exam: 2
To be answered: Group 1-3 persons
Answer paper size: max 10 pages
Max no. of answer paper attachment files: 0
Allowed answer paper file types: .pdf

The exam paper must also include a bibliography/reference list at the conclusion of the paper.
These pages are counted separately from the main paper. You will find a thorough explanation
of how to use quotes and references on the BI library webpage:
https://portal.bi.no/en/examination/assignment-thesis/cite-sources/. For information on
formal requirements and template paper; see www.bi.edu/templatepaper

Exam text

ACME is a global food delivery platform, operating in the United States, Singapore and
European Union. ACME’s European operations are headquartered in Sweden, where all user
data is currently stored.

ACME’s business model is relatively straightforward: they partner up with the local
restaurants, making their menus available on ACME’s website. Customers who visit the
website will be shown the list of restaurants within 10 kilometers of their current location and
will be able to place an order. The order details are subsequently transferred to the restaurant,
including customer’s name, address and ordered items, via a secure ACME platform. An
ACME courier is dispatched to pick up the goods once the goods are marked as “ready for pick
up” by the restaurant on the secure platform. This courier delivers the goods to the customer’s
location.

The restaurants ACME partners with have no influence over which data is processed on the
website or in the secure platform. ACME offers no customization options for their restaurant
partners – the platform is same for everyone.

Question 1: Which steps, if any, would you recommend ACME to take in order to ensure
the legality of the transfer of personal data to the restaurants?

Question 2: Would the restaurants be able to start using purchase data they receive from
ACME in order to improve their menu offerings (remove rarely purchased items from
the menu), or to send individual customers discount codes after each purchase? Which
lawful basis would you recommend these processing operations to be based on?

In the spring of 2020, global coronavirus pandemic resulted in a large increase in the usage of
food takeaway services. At the same time, the food delivery couriers were increasingly quitting
their jobs, being afraid for their own health.

ACME has considering implementing a new design of their website, which would present users
with a dialog box prior to purchasing the order. The dialog box would ask users to indicate
whether they have individual symptoms of coronavirus prior to the delivery of the goods

1
(“Fever? Yes/No Sore throat? Yes/No Headache? Yes/No…”) If user would indicate that
more than two symptoms were present, a request for delivery would be declined. The data
would be stored for 14 days.

Question 3: Is this processing compliant with the GDPR? Which steps, if any, would you
take to make this processing lawful?

As the pandemic intensified, many people started working from home, placing additional strain
on the global Internet infrastructure. Prices of cloud storage solutions, such as ones needed for
operating ACME’s website and restaurant platform, have skyrocketed. ACME was using
Amazon Web Services as its cloud provider, but is now considering CheapCloud, a cloud
storage provider from Montenegro. This cloud provider suffered a catastrophic loss of customer
data three years ago, but has provided a press release to ACME indicating that they have
upgraded their security to meet the latest standards.

Question 4: Which steps would you recommend ACME to take prior to engaging
CheapCloud?