CIPP/E Review Questions, Exams of Advanced Education


Typology: Exams

2025/2026

Available from 03/25/2026

lamine-junior

CIPP/E Review Questions

What did the principles of the Human Rights Declaration provide the basis for? - Answer The principles enshrined in the Human Rights Declaration have provided the basis for all subsequent European data protection laws and standards. (Ch. 1)

What right is contained in Article 12 of the Human Rights Declaration? - Answer The right to a private life and associated freedoms is contained in Article 12 of the Human Rights Declaration. (Ch. 1)

What right is contained in Article 19 of the Human Rights Declaration? - Answer The right of freedom of expression is contained in Article 19 of the Human Rights Declaration. (Ch. 1)

What article reconciles conflicts between Article 12 and Article 19 of the Human Rights Declaration? - Answer Article 29(2) reconciles the apparent conflict between Article 12 and Article 19, stating that individual rights are not absolute and that there will be instances where a balance must be struck to limit their exercise. (Ch. 1)

Why is the ECHR such a powerful instrument? - Answer The ECHR is a powerful instrument because of the scope of the fundamental rights and freedoms it protects. (Ch. 1)

List the thirteen rights that the ECHR protects. - Answer The thirteen rights that the ECHR protects are:

  • Right to life
  • Prohibition of torture
  • Prohibition of slavery and forced labour
  • Right to liberty and security
  • Right to a fair trial
  • No punishment without law
  • Respect for private and family life
  • Freedom of thought, conscience and religion
  • Freedom of expression
  • Freedom of assembly and expression
  • Right to marry
  • Right to an effective remedy
  • Prohibition of discrimination

Who oversees what is prescribed in the ECHR and how is the ECHR enforced? - Answer The ECHR is overseen by the European Court of Human Rights. The European Court of Human Rights examines alleged breaches of the ECHR and ensures that states comply with their obligations under the ECHR. (Ch. 1)

What rights are protected under Article 10 of the ECHR? - Answer Article 10 of the ECHR protects the right of freedom of expression and the right to share information and ideas across national boundaries. (Ch. 1)

What do the Human Rights Declaration and the ECHR have in common? - Answer Both the Human Rights Declaration and the ECHR recognize a need for balance between the rights of individuals and the justifiable interference with these rights, which is a common theme within data protection law. (Ch.

Describe the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data that were developed by OECD in 1980. What do they strive to accomplish? - Answer The "Guidelines" lay out basic rules governing trans-border data flows and the protection of personal information and privacy in order to facilitate the harmonization of data protection law between countries. The Guidelines aim to strike a balance between protecting the privacy and the rights and freedoms of individuals without creating any barriers to trade while allowing the uninterrupted flow of personal data across national borders. (Ch. 1)

List the principles introduced by the Guidelines that should be followed by data controllers processing personal information. - Answer The principles introduced by the Guidelines that should be followed by data controllers processing personal information are:

  • Collection Limitation
  • Data Quality
  • Purpose Specification

country, including countries that are not members of the Council of Europe. (Ch. 1)

What is the goal of the European Commission's Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data? - Answer The aim of the Directive is to further reconcile the protection of the fundamental rights of individuals with the free flow of data from one member state to another. This helps maintain consistency with Articles 8 and 10 of the ECHR. (Ch. 1)

When was the Charter of Fundamental Rights given binding legal effect? - Answer The Charter was given binding legal effect when the Treaty of Lisbon came into force in December, 2009. (Ch. 1)

What provision of the TFEU ensures that all institutions of the European Union must protect individuals when processing personal data? - Answer Article 16(2) of the TFEU. (Ch. 1)

What is the significance of the Lisbon Treaty? - Answer The Lisbon Treaty is significant because it addresses fundamental rights and core values, which are not mentioned in the treaty establishing the European Union. (Ch. 1)

List the seven institutions that make up the European Union. - Answer The seven institutions that make up the EU are:

  • European Parliament
  • European Council
  • Council
  • European Commission
  • Court of Justice of the European Union
  • European Central Bank
  • Court of Auditors

How did the European Council and the European Central Bank gain institutional status? - Answer They were granted institutional status under the Treaty of Lisbon. (Ch. 2)

What principles does the Charter (of Fundamental Rights) uphold? - Answer The Charter enshrines the following principles:

  • Everyone has the right to respect for his or her private and family life, home and communications.
  • Everyone has the right to the protection of personal data concerning him or her.
  • Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
  • Every person has the right to have his or her affairs handled impartially, fairly and within a reasonable time by the institutions, bodies, offices and agencies of the Union.

What countries are not bound by the Charter? - Answer Poland and the United Kingdom are not bound by the Charter. (Ch. 2)

What responsibilities does the European Parliament have as a result of Article 9A of the EU Treaty? - Answer The responsibilities of:

  • legislative development,
  • supervisory oversight of the other institutions,
  • democratic representation, and
  • the development of the budget. (Ch. 2)

What is the maximum number of MEPs allowed as a result of the Treaty of Lisbon? - Answer No member state is allowed more than 96 MEPs. (Ch. 2) (Member of European Parliament)

The European Parliament's work is divided into two main stages. List each of these stages and describe what happens in each stage. - Answer The two main stages are: (1) preparation for the plenary session and (2) execution of the plenary session. In the preparation stage, the MEPs prepare and discuss reports and other papers prior to the plenary session. During the plenary session, Parliament examines, possibly

  • revising data protection rules in the area of police and criminal justice,
  • ensuring high levels of protection for data transferred outside of the EU,
  • and effectively enforcing the rules. (Ch. 2)

What is the function of the European Court of Human Rights (ECHR)? - Answer To apply the Convention and to ensure that contracting states respect the rights and guarantees set out in the Convention. (Ch. 2)

The ECHR has pointed out what important piece of information regarding Article 8 of the Convention? - Answer That the use of modern electronic techniques to process personal data should be kept under control to ensure that the right to privacy set out in Article 8 is safeguarded. (Ch. 2)

Describe the make-up of the Court of Justice of the European Union (aka, "the Court") - Answer The Court consists of the Court of Justice (also known as the European Court of Justice, or ECJ), the General Court, and the specialised courts attached to the General Court. (Ch. 2)

Why is the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (aka "the Convention" or EU Convention 108) noteworthy? - Answer The Convention is noteworthy because (1) it is based on a series of principles that address the main concerns within data protection, (2) it ensures appropriate protections for individual privacy, while recognizing the importance of the free flow of personal data for commerce and the exercise of public functions, and (3) it requires signatory states to implement its principles by enacting national legislation. (Ch. 3)

What are the three main parts to the Convention? - Answer The three main parts are

  • Basic Principles of Data Protection,
  • Transborder Data Flows, and
  • Mutual Assistance Provisions. (Ch. 3)

When was Directive 95/46/EC of the European Parliament and of the Council on the Protection of Individuals formally adopted? - Answer 24 October 1995. (Ch. 3)

The Directive can be described as what type of law? - Answer A human rights law that protects the principles of the internal market. (Ch. 3)

The Directive comprises 72 recitals and 34 articles. What is described in the recitals and articles? - Answer The recitals define the theories and interpretations behind the Directive and its corresponding obligations, while the articles define the obligations of the member states in implementing the requirements of the Directive. (Ch. 3)

List the key principles laid out in the Directive that have to do with how member states must provide personal data. - Answer According to the Directive, member states must provide that personal data shall be:

  • Processed fairly and lawfully.
  • Collected for specified and legitimate purposes and not processed in a manner incompatible with those purposes.
  • Adequate, relevant and not excessive.
  • Kept for no longer than is necessary.
  • Processed in accordance with the rights of the individual.
  • Protected against accidental, unlawful or unauthorised processing by the use of appropriate technical and organisational measures.
  • Transferred to countries outside the European Economic Area only if those countries ensure adequate levels of data protection. (Ch. 3)

What special categories are identified in the Directive? - Answer Personal data revealing:

  • racial or ethnic origin,
  • political opinions,
  • religious or philosophical beliefs,
  • trade union membership, or
  • details concerning health or sex life.

Directive has been implemented in some member states using different pieces of legislation, rather than one piece of legislation. (Ch. 3)

What are the four building blocks that comprise the meaning of personal data, as defined by the Opinion 4/2007 of the Working Party? - Answer The four building blocks that comprise the meaning of personal data are: "any information," "relating to," "an identified or identifiable," and "natural person." (Ch. 4)

Name the three aspects of the concept "information" that help define when information will be considered personal data. - Answer Nature, content and format. (Ch. 4)

In Opinion 4/2007, the Article 29 Working Party named three elements that apply to personal data. What are they? - Answer The content element, the purpose element, and the result element. (Ch. 4)

When are each of the three elements defined above present? - Answer The three elements can be defined as present as described below.

  • Content Element - When the information is about an individual in the most common sense of the word.
  • Purpose Element - Whether the information is processed to evaluate, consider or analyse the individual in a certain way.
  • Result Element - When the processing of certain information has an impact on the individual's rights and interests.

As described in Opinion 4/2007 by the Working Party, when is a natural person "identifiable"? - Answer When it is possible to identify a person even though that person has not yet been identified. A person can be identifiable because information combined with other pieces of information will allow the individual to be distinguished from others. (Ch.

List the three building blocks that define a data controller. - Answer The three building blocks that define a data controller are (1) the natural or legal person, public authority, agency or any other body, (2) which alone or jointly with others, and (3) determines the purposes and means of the processing of personal data. (Ch. 4)

For a person to be considered a "data processor," what two things must be present? - Answer The person is a separate legal entity with respect to the controller, and the person processes personal data on behalf of the controller. (Ch. 4)

When is Article 4(1)(a) the applicable law regarding personal data? When is Article 4(1)(c) the applicable law? - Answer Article 4(1)(a) is applicable when the data controller has an establishment in the EU. If the controller does not have an establishment in the EU, Article 4(1)(c) will apply. (Ch. 5)

What are the two basic purposes of Article 4(1)? - Answer The two purposes of Article 4(1) are to ensure that gaps in protection do not arise and to prevent conflicts between member states' laws. (Ch. 5)

According to the Article 29 Working Party, when does an establishment play a role in a processing operation? - Answer

  • When it is responsible for relations with users in a particular jurisdiction,
  • when it establishes an office in a member state that is involved in the selling or targeted advertisements to the inhabitants of that state, and
  • when it complies with court orders and/or law enforcement requests by the competent authorities of a member state with regard to user data. (Ch. 5)

Describe the intent of the 'use of equipment' provision. - Answer The provision is intended to allow a member state to apply its national data protection law to a controller who, although not established in the EU, makes use of equipment situated in that member state unless that equipment is used only for the purposes of transit through the EU. (Ch. 5)

When providing information pursuant to Article 10, what should a data controller take into account? - Answer Data controllers should take into account the expectations of data subjects and the nature of the information being processed. (Ch. 8)

What does Article 11 address? - Answer Situations where personal data is not obtained directly from the data subject. (Ch. 8)

Articles 10 and 11 have many similarities, but also two key differences. What are those differences? - Answer The obligations set out in Articles 10 and 11 differ in regard as to the time at which the required information should be provided to the data subject and the circumstances in which a data controller does not have to provide information about its processing. (Ch. 8)

What situations does Article 13 cover? - Answer Article 13 covers two special situations where the data processor might be exempted from having to provide information to the data subject:

  • When data is collected for research or statistical purposes.
  • When data is collected for public safety.

What are three important benefits of a well-crafted privacy notice? - Answer Three benefits of a well-crafted privacy notice are (1) greater customer trust, (2) likelihood that individuals will provide more voluminous and more valuable personal information, and (3) decreased risk of complaints and disputes arising from the use of personal data. (Ch. 8)

What information should be contained in a privacy notice? - Answer A privacy notice should contain the following items:

  • The full name of the company, entity or individual that is the data controller.
  • Contact information for the data controller.
  • A description of the purposes for which the data will be used.
  • Whether the data controller may contact individuals for marketing purposes.
  • A description of the recipients of the data.
  • Whether any data will be automatically collected.
  • How individuals can access their personal data and exercise their rights in relation to it.

Name the three stages in a layered privacy notice, as outlined by the Article 29 Working Party. - Answer The three stages of a layered privacy notice are listed below.

  • The short notice (Layer One)
  • The condensed notice (Layer Two)
  • The full notice (Layer Three)

What rights do data subjects have in regard to data collection? - Answer Data subjects' rights are listed below.

  • Access to personal data and basic information about processing activities.
  • Rectification, erasure and blocking of the data, where the processing of the data does not comply with the Data Protection Directive.
  • Ability to object to the processing of personal data.
  • Not to be subjected to solely automated processes that evaluate the individual's personal attributes, resulting in a decision that significantly affects him or has legal consequences for him.

Name the Recital that stresses the importance of data subject rights. - Answer Recital 41. (Ch. 10)

Articles 16 and 17 of Section VIII of the Data Protection Directive cover what two important concepts? - Answer Article 16 covers "confidentiality of processing," and Article 17 covers "security of processing." (Ch. 10)

When designing its controls framework, what factors should a data controller concentrate on? - Answer The data controller should focus on the items below when designing its controls framework.

  • The management of confidentiality and security.
  • The policy framework for confidentiality and security.

(3) provide a source of funds for some national DPAs in the running and maintenance of their offices and fulfillment of their duties under legislation. (Ch. 11)

What is permitted under Article 20 of the Directive? - Answer Article 20 of the Directive permits member states to determine that some data processing operations may present specific risks to the rights and freedoms of data subjects, and thus require "prior checking" and approval from the national DPA before the data processing activity can commence. (Ch. 11)

Article 25 puts what requirement on the governments of the EU member states? - Answer Article 25 requires the governments of the EU member states to ban the transfer of personal data to any country outside the European Economic area unless that third country ensures an adequate level of privacy protection. (Ch. 12)

List the things that must be given consideration when assessing the adequacy of protection afforded by the third country in an international data transfer. - Answer Consideration must be given to the following items:

  • The nature of the data.
  • The purpose and duration of the proposed processing operation or operations.
  • The country of origin and country of final destination.
  • The rules of law, both general and sectoral, in force in the third country.
  • The professional rules and security measures that are complied with in that country.

What two elements does the Article 29 Working Party recommend for analysis of the level of protection provided by the third country in an international data transfer? - Answer The Article 29 Working Party recommends that the content of the applicable rules and the means for ensuring their effective application be analyzed in the situation of an international data transfer with a third country. (Ch. 12)

The Article 29 Working Party outlined a set of content principles and an enforcement mechanism that describe the minimum requirement for protection to be "adequate." List the principles and describe the enforcement mechanism. - Answer The content principles are:

  • Purpose limitation
  • Data quality and proportionality
  • Transparency
  • Security
  • Rights of access, rectification and opposition
  • Restrictions on onward transfers
  • Sensitive data
  • Direct marketing
  • Automated individual decision

The enforcement mechanism includes the delivery of a good level of compliance with the rules, a provision of support and help to individuals in the exercise of their rights, and the availability of appropriate redress to the injured party when rules are not complied with. (Ch. 12)

Name the requirements that are established by the Safe Harbor Privacy Principles - Answer The requirements established by the Safe Harbor Privacy Principles are

  • notice,
  • choice,
  • onward transfer,
  • security,
  • data integrity,
  • access, and
  • enforcement. (Ch. 12)

To qualify as an organisation that complies with Safe Harbor, what must that organisation do? - Answer An organisation must either join a self-regulatory privacy programme that adheres to the Safe Harbor's requirements or it must develop its own self-regulatory privacy policy that conforms to the Safe Harbor. (Ch. 12)

What is contained in Article 28 of the Directive? - Answer The Directive's provisions on administrative supervision. (Ch. 13)

(2) traffic data, and (3) location data. (Ch. 15)

When do data protection laws apply to marketing messages? - Answer Data protection laws apply to marketing messages when individuals' personal data is processed in order to communicate the marketing message to them. (Ch.

What may happen to data controllers who do not comply with the requirements of the Data Protection Directive and/or the e-Privacy Directive when engaging in direct marketing activities? - Answer They may be subject to enforcement, including possible fines and administrative sanctions by national data protection authorities, and civil/criminal liability. (Ch. 16)

How can data controllers working in a cloud environment demonstrate evidence of safeguards for the protection of personal data? - Answer Data controllers working in a cloud environment can demonstrate adequate safeguards for personal data by (1) geographically limiting the cloud, (2) reliance upon a derogation under Article 26 of the Directive, (3) model clauses, (4) tailored data transfer agreements, and (5) Binding Safe processor Rules. (Ch. 17)

According to the Article 29 Working Party, why should it be assumed that the collection and storage of information and its further use by search engines amounts to processing subject to the Directive? - Answer Because search engines often collect log files, IP addresses, and/or cookies, all of which can be construed as personal data. (Ch. 17)