A collection of multiple-choice questions and answers for the Certified Information Privacy Professional/Europe (CIPP/E) exam. It covers key concepts and principles of data protection and privacy under the General Data Protection Regulation (GDPR), including data subject rights, data processing principles, cross-border data transfers, and more. It is designed to help candidates preparing for the CIPP/E exam by providing practice questions and insight into the exam's content.
Typology: Exams
A German data subject was the victim of an embarrassing prank 20 years ago. A newspaper website published an article about the prank at the time, and the article is still available on the newspaper's website. Unfortunately, the prank is the top search result when a user searches on the victim's name. The data subject requests that SearchCo delist this result. SearchCo agrees, and instructs its technology team to avoid scanning or indexing the article. What else must SearchCo do? (A). Notify the newspaper that its article it is delisting the article. (B). Fully erase the URL to the content, as opposed to delist which is mainly based on data subject's name. (C). Identify other controllers who are processing the same information and inform them of the delisting request. (D). Prevent the article from being listed in search results no matter what search terms are entered into the search engine. - Correct Answer-(A). Notify the newspaper that its article it is delisting the article. Which of the following is NOT a role of works councils? (A). Determining the monetary fines to be levied against employers for data breach violations of employee data. (B). Determining whether to approve or reject certain decisions of the employer that affect employees. (C). Determining whether employees' personal data can be processed or not. (D). Determining what changes will affect employee working conditions. - Correct Answer-C). Determining whether employees' personal data can be processed or not. Which of the following would NOT be relevant when determining if a processing activity would be considered profiling? (A). If the processing is to be performed by a third-party vendor (B). If the processing involves data that is considered personal data (C). If the processing of the data is done through automated means (D). If the processing is used to predict the behavior of data subjects - Correct Answer-(D). 
If the processing is used to predict the behavior of data subjects The GDPR forbids the practice of "forum shopping", which occurs when companies do what? (A). Choose the data protection officer that is most sympathetic to their business concerns.
(B). Designate their main establishment in member state with the most flexible practices. (C). File appeals of infringement judgments with more than one EU institution simultaneously. (D). Select third-party processors on the basis of cost rather than quality of privacy protection - Correct Answer-(B). Designate their main establishment in member state with the most flexible practices. Bioface is a company based in the United States. It has no servers, personnel or assets in the European Union. By collecting photographs from social media and other web-based services, such as newspapers and blogs, it uses machine learning to develop a facial recognition algorithm. The algorithm identifies individuals in photographs who are not in its data set based the algorithm and its existing dat a. The service collects photographs of data subjects in the European Union and will identify them if presented with their photographs. Bioface offers its service to government agencies and companies in the United States and Canada, but not to those in the European Union. Bioface does not offer the service to individuals. Why is Bioface subject to the territorial scope of the General Data Protection Regulation? (A). It collects data from European Union websites, which constitutes an establishment in the European Union. (B). It offers services in the European Union by identifying data subjects in the European Union. (C). It collects data from subjects and uses it for automated processing. (D). It monitors the behavior of data subjects in the European Union. - Correct Answer-A). It collects data from European Union websites, which constitutes an establishment in the European Union. Which of the following was the first legally binding international instrument in the area of data protection? A) Convention 108 B)GDPR C)Universal Decl of Human Rights D)EU Directive on Privacy - Correct Answer-A) Convention 108 Which area of privacy is a lead supervisory authority's (LSA) MAIN concern? (A). 
Data subject rights (B). Data access disputes (C). Cross-border processing (D). Special categories of data - Correct Answer-C). Cross-border processing An employee of company ABCD has just noticed a memory stick containing records of client data, including their names, addresses and full contact details has disappeared. The data on the stick is unencrypted and in clear text. It is uncertain what has happened to the stick at this stage, but it
likely was lost during the travel of an employee. What should the company do? (A). Notify as soon as possible the data protection supervisory authority that a data breach may have taken place. (B). Launch an investigation and if nothing is found within one month, notify the data protection supervisory authority. (C). Invoke the "disproportionate effort" exception under Article 33 to postpone notifying data subjects until more information can be gathered. (D). Immediately notify all the customers of the company that their information has been accessed by an unauthorized person. - Correct Answer-A). Notify as soon as possible the data protection supervisory authority that a data breach may have taken place. An unforeseen power outage results in company Z's lack of access to customer data for six hours. According to article 32 of the GDPR, this is considered a breach. Based on the WP 29's February, 2018 guidance, company Z should do which of the following? (A). Notify affected individuals that their data was unavailable for a period of time. (B). Document the loss of availability to demonstrate accountability (C). Notify the supervisory authority about the loss of availability (D). Conduct a thorough audit of all security systems - Correct Answer-C). Notify the supervisory authority about the loss of availability How is the GDPR's position on consent MOST likely to affect future app design and implementation? (A). App developers will expand the amount of data necessary to collect for an app's functionality. (B). Users will be given granular types of consent for particular types of processing. (C). App developers' responsibilities as data controllers will increase. (D). Users will see fewer advertisements when using apps. - Correct Answer-B). Users will be given granular types of consent for particular types of processing. In which situation would a data controller most likely be able to justify the processing of the data of a child without parental consent? (A). 
When the data is to be processed for market research. (B). When providing preventive or counselling services to the child. (C). When providing the child with materials purely for educational use. (D). When a legitimate business interest makes obtaining consent impractical. - Correct Answer-B). When providing preventive or counselling services to the child. A mobile device application that uses cookies will be subject to the consent requirement of which of the following? (A). The ePrivacy Directive (B). The E-Commerce Directive (C). The Data Retention Directive (D). The EU Cybersecurity Directive - Correct Answer-A). The ePrivacy Directive
A Spanish electricity customer calls her local supplier with Questions: about the company's upcoming merger. Specifically, the customer wants to know the recipients to whom her personal data will be disclosed once the merger is final. According to Article 13 of the GDPR, what must the company do before providing the customer with the requested information? (A). Verify that the request is applicable to the data collected before the GDPR entered into force. (B). Verify that the purpose of the request from the customer is in line with the GDPR. (C). Verify that the personal data has not already been sent to the customer. (D). Verify that the identity of the customer can be proven by other means. - Correct Answer- A). Verify that the request is applicable to the data collected before the GDPR entered into force. An entity's website stores text files on EU users' computer and mobile device browsers. Prior to doing so, the entity is required to provide users with notices containing information and consent under which of the following frameworks? (A). General Data Protection Regulation 2016/679. (B). E-Privacy Directive 2002/58/EC. (C). E-Commerce Directive 2000/31/EC. (D). Data Protection Directive 95/46/EC. - Correct Answer-(D). Data Protection Directive 95/46/EC. How is the retention of communications traffic data for law enforcement purposes addressed by European data protection law? (A). The ePrivacy Directive allows individual EU member states to engage in such data retention. (B). The ePrivacy Directive harmonizes EU member states' rules concerning such data retention. (C). The Data Retention Directive's annulment makes such data retention now permissible. (D). The GDPR allows the retention of such data for the prevention, investigation, detection or prosecution of criminal offences only. - Correct Answer-D). The GDPR allows the retention of such data for the prevention, investigation, detection or prosecution of criminal offences only. 
When hiring a data processor, which action would a data controller NOT be able to depend upon to avoid liability in the event of a security breach? (A). Documenting due diligence steps taken in the pre-contractual stage. (B). Conducting a risk assessment to analyze possible outsourcing threats. (C). Requiring that the processor directly notify the appropriate supervisory authority. (D). Maintaining evidence that the processor was the best possible market choice available. - Correct Answer-A). Documenting due diligence steps taken in the pre-contractual stage. If a company chooses to ground an international data transfer on the contractual route, which of the following is NOT a valid set of standard contractual clauses?
(A). Decision 2001/497/EC (EU controller to non-EU or EEA controller). (B). Decision 2004/915/EC (EU controller to non-EU or EEA controller). (C). Decision 2007/72/EC (EU processor to non-EU or EEA controller). (D). Decision 2010/87/EU (Non-EU or EEA processor from EU controller). - Correct Answer- B). Decision 2004/915/EC (EU controller to non-EU or EEA controller). Under the Data Protection Law Enforcement Directive of the EU, a government can carry out IT Certification Guaranteed, The Easy Way! covert investigations involving personal data, as long it is set forth by law and constitutes a measure that is both necessary and what? (A). Prudent. (B). Important. (C). Proportionate. (D). DPA-approved. - Correct Answer-C). Proportionate. Under Article 58 of the GDPR, which of the following describes a power of supervisory authorities in European Union (EU) member states? (A). The ability to enact new laws by executive order. (B). The right to access data for investigative purposes. (C). The discretion to carry out goals of elected officials within the member state. (D). The authority to select penalties when a controller is found guilty in a court of law. - Correct Answer-B). The right to access data for investigative purposes. Which of the following would MOST likely trigger the extraterritorial effect of the GDPR, as specified by Article 3? A) The behavior of suspected terrorists being monitored by EU law enforcement B) Personal data of EU Citizens being processed by a controller or processor based outside the EU C) Behavior of EU citizens outside the EU D)Personal data of EU residents by a non-EU business that targets EU customers - Correct Answer-B) Personal data of EU Citizens being processed by a controller or processor based outside the EU What must a data controller do in order to make personal data pseudonymous? (A). Separately hold any information that would allow linking the data to the data subject. (B). 
Encrypt the data in order to prevent any unauthorized access or modification. (C). Remove all indirect data identifiers and dispose of them securely. (D). Use the data only in aggregated form for research purposes. - Correct Answer-A). Separately hold any information that would allow linking the data to the data subject. Which EU institution is vested with the competence to propose new data protection legislation on its own initiative? (A). The European Council (B). The European Parliament
(C). The European Commission (D). The Council of the European Union - Correct Answer-D). The Council of the European Union What is a reason the European Court of Justice declared the Data Retention Directive invalid in 2014? (A). The requirements affected individuals without exception. (B). The requirements were financially burdensome to EU businesses. (C). The requirements specified that data must be held within the EU. (D). The requirements had limitations on how national authorities could use data. - Correct Answer-D). The requirements had limitations on how national authorities could use data Which GDPR requirement will present the most significant challenges for organizations with Bring Your Own Device (BYOD) programs? (A). Data subjects must be sufficiently informed of the purposes for which their personal data is processed. (B). Processing of special categories of personal data on a large scale requires appointing a DPO. (C). Personal data of data subjects must always be accurate and kept up to date. (D). Data controllers must be in control of the data they hold at all times. - Correct Answer-(D). Data controllers must be in control of the data they hold at all times. What is the MAIN reason GDPR Article 4(22) establishes the concept of the "concerned supervisory authority"? (A). To encourage the consistency of local data processing activity. (B). To give corporations a choice about who their supervisory authority will be. (C). To ensure the GDPR covers controllers that do not have an establishment in the EU but have a representative in a member state. (D). To ensure that the interests of individuals residing outside the lead authority's jurisdiction are represented. - Correct Answer-A). To encourage the consistency of local data processing activity. Article 58 of the GDPR describes the power of supervisory authorities. Which of the following is NOT among those granted? (A). Legislative powers. (B). Corrective powers. (C). Investigatory powers. (D). 
Authorization and advisory powers. - Correct Answer-D). Authorization and advisory powers. Which of the following would most likely NOT be covered by the definition of "personal data" under the GDPR?
(A). The payment card number of a Dutch citizen (B). The U.S. social security number of an American citizen living in France (C). The unlinked aggregated data used for statistical purposes by an Italian company (D). The identification number of a German candidate for a professional examination in Germany - Correct Answer-D). The identification number of a German candidate for a professional examination in Germany A U.S.-based online shop uses sophisticated software to track the browsing behavior of its European customers and predict future purchases. It also shares this information with third parties. Under the GDPR, what is the online shop's PRIMARY obligation while engaging in this kind of profiling? (A). It must solicit informed consent through a notice on its website (B). It must seek authorization from the European supervisory authorities (C). It must be able to demonstrate a prior business relationship with the customers (D). It must prove that it uses sufficient security safeguards to protect customer data - Correct Answer-(A). It must solicit informed consent through a notice on its website Article 29 Working Party has emphasized that the GDPR forbids "forum shopping", which occurs when companies do what? (A). Choose the data protection officer that is most sympathetic to their business concerns. (B). Designate their main establishment in member state with the most flexible practices. (C). File appeals of infringement judgments with more than one EU institution simultaneously. (D). Select third-party processors on the basis of cost rather than quality of privacy protection.
rights under EU law? A). Court of Auditors (B). Court of Justice of European Union (C). European Court of Human Rights (D). European Data Protection Board - Correct Answer-B). Court of Justice of European Union If a data subject puts a complaint before a DPA and receives no information about its progress or outcome, how long does the data subject have to wait before taking action in the courts? (A). 1 month. (B). 3 months. (C). 5 months. (D). 12 months. - Correct Answer-B). 3 months. Under the GDPR, which essential pieces of information must be provided to data subjects before collecting their personal data? (A). The authority by which the controller is collecting the data and the third parties to whom the data will be sent. (B). The name/s of relevant government agencies involved and the steps needed for revising the data. (C). The identity and contact details of the controller and the reasons the data is being collected. (D). The contact information of the controller and a description of the retention policy. - Correct Answer-C). The identity and contact details of the controller and the reasons the data is being collected. To receive a preliminary interpretation on provisions of the GDPR, a national court will refer its case to which of the following? (A). The Court of Justice of the European Union. (B). The European Data Protection Supervisor. (C). The European Court of Human Rights. (D). The European Data Protection Board. - Correct Answer-A). The Court of Justice of the European Union. What is the consequence if a processor makes an independent decision regarding the purposes and means of processing it carries out on behalf of a controller? (A). The controller will be liable to pay an administrative fine (B). The processor will be liable to pay compensation to affected data subjects (C). The processor will be considered to be a controller in respect of the processing concerned (D). 
The controller will be required to demonstrate that the unauthorized processing negatively affected one or more of the parties involved - Correct Answer-B). The processor will be liable to pay compensation to affected data subjects
In which case would a controller who has undertaken a DPIA most likely need to consult with a supervisory authority? (A). Where the DPIA identifies that personal data needs to be transferred to other countries outside of the EEA. (B). Where the DPIA identifies high risks to individuals' rights and freedoms that the controller can take steps to reduce. (C). Where the DPIA identifies that the processing being proposed collects the sensitive data of EU citizens. (D). Where the DPIA identifies risks that will require insurance for protecting its business interests. - Correct Answer-B). Where the DPIA identifies high risks to individuals' rights and freedoms that the controller can take steps to reduce With the issue of consent, the GDPR allows member states some choice regarding what? A). The mechanisms through which consent may be communicated (B). The circumstances in which silence or inactivity may constitute consent (C). The age at which children must be required to obtain parental consent (D). The timeframe in which data subjects are allowed to withdraw their consent - Correct Answer-C). The age at which children must be required to obtain parental consent When assessing the level of risk created by a data breach, which of the following would NOT have to be taken into consideration? (A). The ease of identification of individuals. (B). The size of any data processor involved. (C). The special characteristics of the data controller. (D). The nature, sensitivity and volume of personal data. - Correct Answer-B). The size of any data processor involved. Many businesses print their employees' photographs on building passes, so that employees can be identified by security staff. This is notwithstanding the fact that facial images potentially qualify as biometric data under the GDPR. Why would such practice be permitted? 
A) B) Because photos qualify as biometric data only when they undergo a "specific technical processing" C) D) - Correct Answer-B) Because photos qualify as biometric data only when they undergo a "specific technical processing" A company plans to transfer employee health information between two of its entities in France. To maintain the security of the processing, what would be the most important security measure to apply to the health data transmission? (A). Inform the data subject of the security measures in place. (B). Ensure that the receiving entity has signed a data processing agreement.
(C). Encrypt the transferred data in transit and at rest. (D). Conduct a data protection impact assessment. - Correct Answer-A). Inform the data subject of the security measures in place. According to Article 14 of the GDPR, how long does a controller have to provide a data subject with necessary privacy information, if that subject's personal data has been obtained from other sources? (A). As soon as possible after obtaining the personal data. (B). As soon as possible after the first communication with the data subject. (C). Within a reasonable period after obtaining the personal data, but no later than one month. (D). Within a reasonable period after obtaining the personal data, but no later than eight weeks. - Correct Answer-A). As soon as possible after obtaining the personal data. An organization receives a request multiple times from a data subject seeking to exercise his rights with respect to his own personal dat a. Under what condition can the organization charge the data subject a fee for processing the request? (A). Only where the organization can show that it is reasonable to do so because more than one request was made. (B). Only to the extent this is allowed under the restrictions on data subjects' rights introduced under Art 23 of GDPR. (C). Only where the administrative costs of taking the action requested exceeds a certain threshold. (D). Only if the organization can demonstrate that the request is clearly excessive or misguided. - Correct Answer-B). Only to the extent this is allowed under the restrictions on data subjects' rights introduced under Art 23 of GDPR. As a result of the European Court of Justice's ruling in the case of Google v. Spain, search engines outside the EEA are also likely to be subject to the Regulation's right to be forgotten. This holds true if the activities of an EU subsidiary and its U.S. parent are what? (A). Supervised by the same Data Protection Officer. (B). Consistent with Privacy Shield requirements (C). 
Bound by a standard contractual clause. (D). Inextricably linked in their businesses. - Correct Answer-D). Inextricably linked in their businesses. Which of the following would require designating a data protection officer? (A). Processing is carried out by an organization employing 250 persons or more. (B). Processing is carried out for the purpose of providing for-profit goods or services to individuals in the EU.
(C). The core activities of the controller or processor consist of processing operations of financial information or information relating to children. (D). The core activities of the controller or processor consist of processing operations that require systematic monitoring of data subjects on a large scale. - Correct Answer-D). The core activities of the controller or processor consist of processing operations that require systematic monitoring of data subjects on a large scale. What type of data lies beyond the scope of the General Data Protection Regulation? (A). Pseudonymized (B). Anonymized (C). Encrypted (D). Masked - Correct Answer-B). Anonymized In addition to the European Commission, who can adopt standard contractual clauses, assuming that all required conditions are met? (A). Approved data controllers. (B). The Council of the European Union. (C). National data protection authorities. (D). The European Data Protection Supervisor. - Correct Answer-A). Approved data controllers. A worker in a European Union (EU) member state has ceased his employment with a company. What should the employer most likely do in regard to the worker's personal data? A) Destroy sensitive information and store the rest per applicable data protection rules B) Store all the data C) Securely store the data that is required by law D) Provide the employee the reason for retaining the data - Correct Answer-A) Destroy sensitive information and store the rest per applicable data protection rules Which GDPR principle would a Spanish employer most likely depend upon to annually send the personal data of its employees to the national tax authority? (A). The consent of the employees (B). The legal obligation of the employer. (C). The legitimate interest of the public administration. (D). The protection of the vital interest of the employees. - Correct Answer-B). The legal obligation of the employer. 
Under the GDPR, which of the following is true in regard to adequacy decisions involving cross-border transfers? (A). The European Commission can adopt an adequacy decision for individual companies. (B). The European Commission can adopt, repeal or amend an existing adequacy decision. (C). EU member states are vested with the power to accept or reject a European Commission adequacy decision.
(D). To be considered as adequate, third countries must implement the EU General Data Protection Regulation into their national legislation. - Correct Answer-A). The European Commission can adopt an adequacy decision for individual companies. Which change was introduced by the 2009 amendments to the e-Privacy Directive 2002/58/EC? (A). A voluntary notification for personal data breaches applicable to all data controllers. (B). A voluntary notification for personal data breaches applicable to electronic communication providers. (C). A mandatory notification for personal data breaches applicable to all data controllers. (D). A mandatory notification for personal data breaches applicable to electronic communication providers - Correct Answer-(D). A mandatory notification for personal data breaches applicable to electronic communication providers. When collecting personal data in a European Union (EU) member state, what must a company do if it collects personal data from a source other than the data subjects themselves? (A). Inform the subjects about the collection (B). Provide a public notice regarding the data (C). Upgrade security to match that of the source (D). Update the data within a reasonable timeframe - Correct Answer-A). Inform the subjects about the collection What is the key difference between the European Council and the Council of the European Union? (A). The Council of the European Union is helmed by a president. (B). The Council of the European Union has a degree of legislative power. (C). The European Council focuses primarily on issues involving human rights. (D). The European Council is comprised of the heads of each EU member state. - Correct Answer-D). The European Council is comprised of the heads of each EU member state. Why is advisable to avoid consent as a legal basis for an employer to process employee data? (A). Employee data can only be processed if there is an approval from the data protection officer. (B). 
Consent may not be valid if the employee feels compelled to provide it. C). An employer might have difficulty obtaining consent from every employee. (D). Data protection laws do not apply to processing of employee data. - Correct Answer-A). Employee data can only be processed if there is an approval from the data protection officer. Which of the following entities would most likely be exempt from complying with the GDPR? (A). A South American company that regularly collects European customers' personal data. (B). A company that stores all customer data in Australia and is headquartered in a European Union
(EU) member state. (C). A Chinese company that has opened a satellite office in a European Union (EU) member state to service European customers. (D). A North American company servicing customers in South Africa that uses a cloud storage system made by a European company. - Correct Answer-C). A Chinese company that has opened a satellite office in a European Union (EU) member state to service European customers. The Planet 49 CJEU Judgement applies to? A) Cookies used only by third parties B) Cookies that are deemed technically necessary C) Cookies regardless of whether the data accessed is personal or not D) Cookies where the data accessed is considered personal data only - Correct Answer-C) Cookies regardless of whether the data is accessed is personal or not Under what circumstances would the GDPR apply to personal data that exists in physical form, such as information contained in notebooks or hard copy files? (A). Only where the personal data is produced as a physical output of specific automated processing activities, such as printing, labelling, or stamping. (B). Only where the personal data is to be subjected to specific computerized processing, such as image scanning or optical character recognition. (C). Only where the personal data is treated by automated means in some way, such as computerized distribution or filing. (D). Only where the personal data is handled in a sufficiently structured manner so as to form part of a filing system. - Correct Answer-D). Only where the personal data is handled in a sufficiently structured manner so as to form part of a filing system. With respect to international transfers of personal data, the European Data Protection Board (EDPB) confirmed that derogations may be relied upon under what condition? (A). If the data controller has received preapproval from a Data Protection Authority (DPA), after submitting the appropriate documents. (B). When it has been determined that adequate protection can be performed. (C). 
Only if the Data Protection Impact Assessment (DPIA) shows low risk. (D). Only as a last resort and when interpreted restrictively. - Correct Answer-B). When it has been determined that adequate protection can be performed. According to Article 84 of the GDPR, the rules on penalties applicable to infringements shall be laid down by? (A). The local Data Protection Supervisory Authorities. (B). The European Data Protection Board.
(C). The EU Commission. (D). The Member States. - Correct Answer-D). The Member States. An online company's privacy practices vary due to the fact that it offers a wide variety of services. How could it best address the concern that explaining them all would make the policies incomprehensible? (A). Use a layered privacy notice on its website and in its email communications. (B). Identify uses of data in a privacy notice mailed to the data subject. (C). Provide only general information about its processing activities and offer a toll-free number for more information. (D). Place a banner on its website stipulating that visitors agree to its privacy policy and terms of use by visiting the site. - Correct Answer-B). Identify uses of data in a privacy notice mailed to the data subject. Under what circumstances might the "soft opt-in" rule apply in relation to direct marketing? (A). When an individual has not consented to the marketing. (B). When an individual's details are obtained from their inquiries about buying a product. (C). Where an individual's details have been obtained from a bought-in marketing list. (D). Where an individual is given the ability to unsubscribe from marketing emails sent to him.
(B). Sweden
(C). Germany
(D). United Kingdom
- Correct Answer-(B). Sweden

In its 2016 guidance, the United Kingdom's Information Commissioner's Office (ICO) reaffirmed the importance of using a "layered notice" to provide data subjects with what?
(A). A privacy notice containing brief information whilst offering access to further detail.
(B). A privacy notice explaining the consequences for opting out of the use of cookies on a website.
(C). An explanation of the security measures used when personal data is transferred to a third party.
(D). An efficient means of providing written consent in member states where they are required to do so.
- Correct Answer-(A). A privacy notice containing brief information whilst offering access to further detail.

The European Parliament jointly exercises legislative and budgetary functions with which of the following?
(A). The European Commission.
(B). The Article 29 Working Party.
(C). The Council of the European Union.
(D). The European Data Protection Board.
- Correct Answer-(C). The Council of the European Union.

A company is located in a country NOT considered by the European Union (EU) to have an adequate level of data protection. Which of the following is an obligation of the company if it imports personal data from another organization in the European Economic Area (EEA) under standard contractual clauses?
(A). Submit the contract to its own government authority.
(B). Ensure that notice is given to and consent is obtained from data subjects.
(C). Supply any information requested by a data protection authority (DPA) within 30 days.
(D). Ensure that local laws do not impede the company from meeting its contractual obligations.
- Correct Answer-(A). Submit the contract to its own government authority.

In which of the following cases, cited as an example in WP29 guidance, would conducting a single data protection impact assessment to address multiple processing operations be allowed?
(A). A medical organization that wants to begin genetic testing to support earlier research for which they have performed a DPIA.
(B). A data controller who plans to use a new technology product that has already undergone a DPIA by the product's provider.
(C). A marketing team that wants to collect mailing addresses of customers for whom they already have email addresses.
(D). A railway operator who plans to evaluate the same video surveillance in all the train stations of his company.
- Correct Answer-(D). A railway operator who plans to evaluate the same video surveillance in all the train stations of his company.

Select the answer below that accurately completes the following: "The right to compensation and liability under the GDPR...
(A). ...provides for an exemption from liability if the data controller (or data processor) proves that it is not in any way responsible for the event giving rise to the damage."
(B). ...precludes any subsequent recourse proceedings against other controllers or processors involved in the same processing."
(C). ...can only be exercised against the data controller, even if a data processor was involved in the same processing."
(D). ...is limited to a maximum amount of EUR 20 million per event of damage or loss."
- Correct Answer-(B). ...precludes any subsequent recourse proceedings against other controllers or processors involved in the same processing."

What was the aim of the European Data Protection Directive 95/46/EC?
(A). To harmonize the implementation of the European Convention of Human Rights across all member states.
(B). To implement the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
(C). To completely prevent the transfer of personal data out of the European Union.
(D). To further reconcile the protection of the fundamental rights of individuals with the free flow of data from one member state to another.
- Correct Answer-(B). To implement the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

Which of the following is one of the supervisory authority's investigative powers?
(A). To notify the controller or the processor of an alleged infringement of the GDPR.
(B). To require that controllers or processors adopt approved data protection certification mechanisms.
(C). To determine whether a controller or processor has the right to a judicial remedy concerning a compensation decision made against them.
(D). To require data controllers to provide them with written notification of all new processing activities.
- Correct Answer-(A). To notify the controller or the processor of an alleged infringement of the GDPR.

Article 5(1)(b) of the GDPR states that personal data must be "collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes." Based on Article 5(1)(b), what is the impact of a member state's interpretation of the word "incompatible"?
(A). It dictates the level of security a processor must follow when using and storing personal data for two different purposes.
(B). It guides the courts on the severity of the consequences for those who are convicted of the intentional misuse of personal data.
(C). It sets the standard for the level of detail a controller must record when documenting the purpose for collecting personal data.
(D). It indicates the degree of flexibility a controller has in using personal data in ways that may vary from its original intended purpose.
- Correct Answer-(A). It dictates the level of security a processor must follow when using and storing personal data for two different purposes.

An organisation receives a request multiple times from a data subject seeking to exercise his rights with respect to his own personal data. Under what condition can the organisation charge the data subject for processing the request?
(A). Only where the organisation can show that it is reasonable to do so because more than one request was made.
(B). Only to the extent this is allowed under the restrictions on data subjects' rights introduced under Art 23 of the GDPR.
(C). Only where the administrative costs of taking the action requested exceed a certain threshold.
(D). Only if the organisation can demonstrate that the request is clearly excessive or misguided.
- Correct Answer-(D). Only if the organisation can demonstrate that the request is clearly excessive or misguided.

To provide evidence of GDPR compliance, a company performs an internal audit. As a result, it finds a password-protected database listing all the social network followers of the client. Regarding the domain of controller-processor relationships, how is this situation considered?
(A). Compliant with the security principle because the database is password protected
(B). Non-compliant, because the storage of the data exceeds the task contractually authorized by the controller
(C). Not applicable because the database is password protected
(D). Compliant with the storage limitation principle
- Correct Answer-(B). Non-compliant, because the storage of the data exceeds the task contractually authorized by the controller

What are the obligations of a processor that engages a sub-processor?
(A). The processor must give the controller prior written notice and perform a preliminary audit of the sub-processor.
(B). The processor must obtain the controller's specific written authorization and provide annual reports on the sub-processor's performance.
(C). The processor must receive a written agreement that the sub-processor will be fully liable to the controller for the performance of its obligations in relation to the personal data concerned.
(D). The processor must obtain the consent of the controller and ensure the sub-processor complies with data processing obligations that are equivalent to those that apply to the processor.
- Correct Answer-(C). The processor must receive a written agreement that the sub-processor will be fully liable to the controller for the performance of its obligations in relation to the personal data concerned.

What permissions are required for a marketer to send an email marketing message to a consumer in the EU?
(A). A prior opt-in consent for consumers unless they are already customers.
(B). A pre-checked box stating that the consumer agrees to receive email marketing.
(C). A notice that the consumer's email address will be used for marketing purposes.
(D). No prior permission required, but an opt-out requirement on all emails sent to consumers.
(A). Advertisements passively displayed on a website.
(B). The use of cookies to collect data about an individual.
(C). A text message to individuals from a company offering concert tickets for sale.
(D). An email from a retail outlet promoting a sale to one of their previous customers.
- Correct Answer-(A). Advertisements passively displayed on a website.

When is a data sharing agreement MOST likely to be needed?
(A). When anonymized data is being shared.
(B). When personal data is being shared between commercial organizations acting as joint data controllers.
(C). When personal data is being proactively shared by a controller to support a police investigation.
(D). When personal data is being shared with a public authority with powers to require the personal data to be disclosed.
- Correct Answer-(B). When personal data is being shared between commercial organizations acting as joint data controllers.

Company X has entrusted the processing of their payroll data to Provider Y. Provider Y stores this encrypted data on its server. The IT department of Provider Y finds out that someone managed to hack into the system and take a copy of the data from its server. In this scenario, whom does Provider Y have the obligation to notify?
(A). The public
(B). Company X
(C). Law enforcement
(D). The supervisory authority
- Correct Answer-(C). Law enforcement

If a multi-national company wanted to conduct background checks on all current and potential employees, including those based in Europe, what key provision would the company have to follow?
(A). Background checks on employees could be performed only under prior notice to all employees.
(B). Background checks are only authorized with prior notice and express consent from all employees, including those based in Europe.
(C). Background checks on European employees will stem from data protection and employment law, which can vary between member states.
(D). Background checks may not be allowed on European employees, but the company can create lists based on its legitimate interests, identifying individuals who are ineligible for employment.
To which of the following parties does the territorial scope of the GDPR NOT apply?
(A). All member countries of the EEA (European Economic Area)
(B). All member countries party to the Treaty of Lisbon
(C). All member countries party to the Paris Agreement
(D). All member countries of the EU
- Correct Answer-(A). All member countries of the EEA (European Economic Area)

According to the GDPR, when should the processing of photographs be considered processing of special categories of personal data?
(A). When processed with the intent to publish information regarding a natural person on publicly accessible media.
(B). When processed with the intent to proceed to scientific or historical research projects.
(C). When processed with the intent to uniquely identify or authenticate a natural person.
(D). When processed with the intent to comply with a law.
- Correct Answer-(C). When processed with the intent to uniquely identify or authenticate a natural person.

As per the GDPR, which legal basis would be the most appropriate for an online shop that wishes to process personal data for the purpose of fraud prevention?
(A). Protection of the interests of the data subjects.
(B). Performance of a contract
(C). Legitimate interest
(D). Consent
- Correct Answer-(D). Consent

Under Article 80(1) of the GDPR, individuals can elect to be represented by not-for-profit organizations in a privacy group litigation or class action. These organizations are commonly known as?
(A). Law firm organizations.
(B). Civil society organizations.
(C). Human rights organizations.
(D). Constitutional rights organizations.
- Correct Answer-(A). Law firm organizations.

In which scenario is a Controller most likely required to undertake a Data Protection Impact Assessment?
(A). When the controller is collecting email addresses from individuals via an online registration form for marketing purposes.
(B). When personal data is being collected and combined with other personal data to profile the creditworthiness of individuals.
(C). When the controller is required to have a Data Protection Officer.
(D). When personal data is being transferred outside of the EEA.
- Correct Answer-(C). When the controller is required to have a Data Protection Officer.
According to the GDPR, what is the main task of a Data Protection Officer (DPO)?
(A). To create and maintain records of processing activities.
(B). To conduct Privacy Impact Assessments on behalf of the controller or processor.
(C). To monitor compliance with other local or European data protection provisions.
(D). To create procedures for notification of personal data breaches to competent supervisory authorities.
- Correct Answer-(B). To conduct Privacy Impact Assessments on behalf of the controller or processor.

Which of the following countries will continue to enjoy adequacy status under the GDPR, pending any future European Commission decision to the contrary?
(A). Greece
(B). Norway
(C). Australia
(D). Switzerland
- Correct Answer-(D). Switzerland

Consider the following steps:
Discover which employees are accessing cloud services and from which devices and apps
Lock down the data in those apps and devices
Monitor and analyze the apps and devices for compliance
Manage application life cycles
Monitor data sharing
An organization should perform these steps to do which of the following?
(A). Pursue a GDPR-compliant Privacy by Design process.
(B). Institute a GDPR-compliant employee monitoring process.
(C). Maintain a secure Bring Your Own Device (BYOD) program.
(D). Ensure cloud vendors are complying with internal data use policies.
- Correct Answer-(C). Maintain a secure Bring Your Own Device (BYOD) program.