























CIPP/E Review Questions

What did the principles of the Human Rights Declaration provide the basis for? - Answer The principles enshrined in the Human Rights Declaration have provided the basis for all subsequent European data protection laws and standards. (Ch. 1)

What right is contained in Article 12 of the Human Rights Declaration? - Answer The right to a private life and associated freedoms is contained in Article 12 of the Human Rights Declaration. (Ch. 1)

What right is contained in Article 19 of the Human Rights Declaration? - Answer The right of freedom of expression is contained in Article 19 of the Human Rights Declaration. (Ch. 1)

What article reconciles conflicts between Article 12 and Article 19 of the Human Rights Declaration? - Answer Article 29(2) reconciles the apparent conflict between Article 12 and Article 19, stating that individual rights are not absolute and that there will be instances where a balance must be struck to limit their exercise. (Ch. 1)

Why is the ECHR such a powerful instrument? - Answer The ECHR is a powerful instrument because of the scope of the fundamental rights and freedoms it protects. (Ch. 1)

List the thirteen rights that the ECHR protects. - Answer The thirteen rights that the ECHR protects are:
Describe the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data that were developed by OECD in 1980. What do they strive to accomplish? - Answer The "Guidelines" lay out basic rules governing transborder data flows and the protection of personal information and privacy in order to facilitate the harmonization of data protection law between countries. The Guidelines aim to strike a balance between protecting the privacy and the rights and freedoms of individuals without creating any barriers to trade while allowing the uninterrupted flow of personal data across national borders. (Ch. 1)

List the principles introduced by the Guidelines that should be followed by data controllers processing personal information. - Answer The principles introduced by the Guidelines that should be followed by data controllers processing personal information are:
country, including countries that are not members of the Council of Europe. (Ch. 1)

What is the goal of the European Commission's Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data? - Answer The aim of the Directive is to further reconcile the protection of the fundamental rights of individuals with the free flow of data from one member state to another. This helps maintain consistency with Articles 8 and 10 of the ECHR. (Ch. 1)

When was the Charter of Fundamental Rights given binding legal effect? - Answer The Charter was given binding legal effect when the Treaty of Lisbon came into force in December 2009. (Ch. 1)

What provision of the TFEU ensures that all institutions of the European Union must protect individuals when processing personal data? - Answer Article 16(2) of the TFEU. (Ch. 1)

What is the significance of the Lisbon Treaty? - Answer The Lisbon Treaty is significant because it addresses fundamental rights and core values, which are not mentioned in the treaty establishing the European Union. (Ch. 1)

List the seven institutions that make up the European Union. - Answer The seven institutions that make up the EU are:
When was Directive 95/46/EC of the European Parliament and of the Council on the Protection of Individuals formally adopted? - Answer 24 October 1995. (Ch. 3)

The Directive can be described as what type of law? - Answer A human rights law that protects the principles of the internal market. (Ch. 3)

The Directive comprises 72 recitals and 34 articles. What is described in the recitals and articles? - Answer The recitals define the theories and interpretations behind the Directive and its corresponding obligations, while the articles define the obligations of the member states in implementing the requirements of the Directive. (Ch. 3)

List the key principles laid out in the Directive that have to do with how member states must provide personal data. - Answer According to the Directive, member states must provide that personal data shall be:
Directive has been implemented in some member states using different pieces of legislation, rather than one piece of legislation. (Ch. 3)

What are the four building blocks that comprise the meaning of personal data, as defined by the Opinion 4/2007 of the Working Party? - Answer The four building blocks that comprise the meaning of personal data are: "any information," "relating to," "an identified or identifiable," and "natural person." (Ch. 4)

Name the three aspects of the concept "information" that help define when information will be considered personal data. - Answer Nature, content and format. (Ch. 4)

In Opinion 4/2007, the Article 29 Working Party named three elements that apply to personal data. What are they? - Answer The content element, the purpose element, and the result element. (Ch. 4)

When is each of the three elements defined above present? - Answer The three elements can be defined as present as described below.
Content Element - When the information is about an individual in the most common sense of the word.
Purpose Element - Whether the information is processed to evaluate, consider or analyse the individual in a certain way.
Result Element - When the processing of certain information has an impact on the individual's rights and interests.

As described in Opinion 4/2007 by the Working Party, when is a natural person "identifiable"? - Answer When it is possible to identify a person even though that person has not yet been identified. A person can be identifiable because information combined with other pieces of information will allow the individual to be distinguished from others. (Ch.
List the three building blocks that define a data controller. - Answer The three building blocks that define a data controller are (1) the natural or legal person, public authority, agency or any other body, (2) which alone or jointly with others, and (3) determines the purposes and means of the processing of personal data. (Ch. 4)

For a person to be considered a "data processor," what two things must be present? - Answer The person is a separate legal entity with respect to the controller, and the person processes personal data on behalf of the controller. (Ch. 4)

When is Article 4(1)(a) the applicable law regarding personal data? When is Article 4(1)(c) the applicable law? - Answer Article 4(1)(a) is applicable when the data controller has an establishment in the EU. If the controller does not have an establishment in the EU, Article 4(1)(c) will apply. (Ch. 5)

What are the two basic purposes of Article 4(1)? - Answer The two purposes of Article 4(1) are to ensure that gaps in protection do not arise and to prevent conflicts between member states' laws. (Ch. 5)

According to the Article 29 Working Party, when does an establishment play a role in a processing operation? - Answer - When it is responsible for relations with users in a particular jurisdiction,
When providing information pursuant to Article 10, what should a data controller take into account? - Answer Data controllers should take into account the expectations of data subjects and the nature of the information being processed. (Ch. 8)

What does Article 11 address? - Answer Situations where personal data is not obtained directly from the data subject. (Ch. 8)

Articles 10 and 11 have many similarities, but also two key differences. What are those differences? - Answer The obligations set out in Articles 10 and 11 differ with regard to the time at which the required information should be provided to the data subject and the circumstances in which a data controller does not have to provide information about its processing. (Ch. 8)

What situations does Article 13 cover? - Answer Article 13 covers two special situations where the data processor might be exempted from having to provide information to the data subject:
When data is collected for research or statistical purposes.
When data is collected for public safety.

What are three important benefits of a well-crafted privacy notice? - Answer Three benefits of a well-crafted privacy notice are (1) greater customer trust, (2) likelihood that individuals will provide more voluminous and more valuable personal information, and (3) decreased risk of complaints and disputes arising from the use of personal data. (Ch. 8)

What information should be contained in a privacy notice? - Answer A privacy notice should contain the following items:
(3) provide a source of funds for some national DPAs in the running and maintenance of their offices and fulfillment of their duties under legislation. (Ch. 11)

What is permitted under Article 20 of the Directive? - Answer Article 20 of the Directive permits member states to determine that some data processing operations may present specific risks to the rights and freedoms of data subjects, and thus require "prior checking" and approval from the national DPA before the data processing activity can commence. (Ch. 11)

Article 25 puts what requirement on the governments of the EU member states? - Answer Article 25 requires the governments of the EU member states to ban the transfer of personal data to any country outside the European Economic Area unless that third country ensures an adequate level of privacy protection. (Ch. 12)

List the things that must be given consideration when assessing the adequacy of protection afforded by the third country in an international data transfer. - Answer Consideration must be given to the following items:
(2) traffic data, and (3) location data. (Ch. 15)

When do data protection laws apply to marketing messages? - Answer Data protection laws apply to marketing messages when individuals' personal data is processed in order to communicate the marketing message to them. (Ch.
What may happen to data controllers who do not comply with the requirements of the Data Protection Directive and/or the e-Privacy Directive when engaging in direct marketing activities? - Answer They may be subject to enforcement, including possible fines and administrative sanctions by national data protection authorities, and civil/criminal liability. (Ch. 16)

How can data controllers working in a cloud environment demonstrate evidence of safeguards for the protection of personal data? - Answer Data controllers working in a cloud environment can demonstrate adequate safeguards for personal data by (1) geographically limiting the cloud, (2) reliance upon a derogation under Article 26 of the Directive, (3) model clauses, (4) tailored data transfer agreements, and (5) Binding Safe Processor Rules. (Ch. 17)

According to the Article 29 Working Party, why should it be assumed that the collection and storage of information and its further use by search engines amounts to processing subject to the Directive? - Answer Because search engines often collect log files, IP addresses, and/or cookies, all of which can be construed as personal data. (Ch. 17)