GDPR Personal Data Processing, Exams of Social Sciences

An overview of the key concepts and requirements related to personal data processing under the General Data Protection Regulation (GDPR). It covers the definition of personal data, the criteria for identifying personal data, the types of personal data that belong to special categories, the principles of data processing, the rights of data subjects, the obligations of data controllers and processors, and the requirements for cross-border data transfers. The document also addresses specific topics such as data protection by design, data protection impact assessments, and the role of supervisory authorities. The information presented can be useful for university students, professionals, and individuals interested in understanding the GDPR and its implications for personal data processing.

Typology: Exams

2023/2024

Available from 09/20/2024

ROCKY-B
CIPP/E IAPP PRACTICE QUESTIONS & ANSWERS
Which of the following data protection milestones is a treaty among member states of the Council of Europe?
-Data Retention Directive
-Charter of Fundamental Rights
-Convention 108
-e-Privacy Directive
-GDPR - Answers -Convention 108
Which of the following data protection milestones applies to public electronic communications services and networks?
-Data Retention Directive
-Charter of Fundamental Rights
-Convention 108
-e-Privacy Directive
-GDPR - Answers -e-Privacy Directive
The Universal Declaration of Human Rights is a product of which institution?
-The United Nations
-The Council of Europe
-The European Union - Answers -The United Nations
Which European institution is composed of 47 member states?
-The Council of Europe
-The European Union
-The European Economic Area - Answers -The Council of Europe
Choose the characteristic that describes the European Parliament.
-Is responsible for legislative development, supervisory oversight of other institutions, and development of the budget
-Defines the EU priorities and sets the political direction for the EU. - Answers -Defines the EU priorities and sets the political direction for the EU
Choose the characteristic that describes the European Council.
-Sets the overall political agenda of the EU
-Negotiates and adopts laws - Answers -Sets the overall political agenda of the EU.
Choose the characteristic that describes the Council of the EU.
-Is sometimes described as the executive body of the EU
-Is one of the main decision-making bodies of the EU - Answers -Is one of the main decision-making bodies of the EU.
Choose the characteristic that describes the European Commission.
-Has the power to propose legislation
-Is composed of a directly elected body - Answers -Has the power to propose legislation

Choose the characteristic that describes the Court of Justice of the EU.
-Makes decisions on issues of EU law
-Is based in Strasbourg - Answers -Makes decisions on issues of EU law.
What is the function of the 4 step test?
-Determine if data qualifies as personal data
-Determine if personal data is anonymous
-Determine if personal data belongs to special categories
-Determine if personal data is pseudonymous. - Answers -Determine if data qualifies as personal data
Which criteria are used to identify personal data? Select all that apply.
-natural person
-an identified or identifiable
-any information
-relating to
-or anonymous - Answers -All EXCEPT "or anonymous"
Select the types of personal data elements that belong to special categories under the GDPR.
-Personal data revealing religious or philosophical beliefs
-Data relating to personal interests and hobbies
-Data concerning health
-Personal data revealing political opinions
-Personal data revealing financial information
-Genetic data used to uniquely identify a natural person - Answers -All EXCEPT -personal interests and hobbies -financial information
True or False: Personal data either belongs to special categories or does not. There is no grey area. - Answers -False
True or False: Anonymising personal data is always possible. - Answers -False
True or false: Pseudonymous data is protected by the GDPR. - Answers -True
True or false: A data controller may be a natural person or a legal entity, while a data processor must be a legal entity. - Answers -False
True or false: A contract protects a processor from being held to the same legal obligations as the controller. - Answers -False

Which legitimate processing criterion is commonly used when a customer purchases a good or service?
-Consent
-Vital interests
-Contract - Answers -Contract
Which exception to the prohibition on processing special categories of data must be explicit?
-Vital interests
-Publicly available data
-Consent - Answers -Consent
Select all that are potential solutions to lengthy privacy notices.
-Key notices
-Standardized Icons
-Terms of Agreement
-Just in time notices
-Layered privacy notices - Answers -All EXCEPT -Key notices -Terms of Agreement
True or False: A controller may charge an administrative fee to data subjects if they request that the information provision be in oral format. - Answers -False
Privacy notices should use visualisation where appropriate. True or false? - Answers -True
True or false: Information provided to data subjects about the processing of their personal data should be written in clear and plain language that is understandable. - Answers -True
True or false: The transparency principle states that detail is more important than conciseness in a privacy notice. - Answers -False
The information that must be provided to data subjects will depend on the situation. What information must be provided to data subjects when their personal data will be stored on a database hosted in the United States?
-Use of automated decision making
-Source of the data
-Intention to transfer data internationally
-Controller's legitimate interest - Answers -Intention to transfer data internationally

What information must be provided to data subjects when the controller's necessity is being used as the legal basis for processing?
-Source of the data
-Controller's legitimate interest
-Recipients of the data
-Legal basis for transferring data internationally - Answers -Controller's legitimate interest
What information must be provided to data subjects when the personal data that will be processed was collected indirectly?
-Source of the data
-Storage period
-Statutory or contractual requirement
-Controller's legitimate interest - Answers -Source of the data
What information must be provided to data subjects when their personal data will be shared with an outside organisation to provide them with a promised service?
-Use of automated decision making
-Recipients of the data
-Intention to transfer data internationally
-Source of the data - Answers -Recipients of the data
What information must be provided to the data subjects in all circumstances? Select all that apply.
-Identity of the controller
-Controller's legitimate interest
-Purpose of processing
-Data subjects' rights - Answers -All EXCEPT legitimate interest
Where would a full version of the privacy notice be located in a layered notice?
-the top layer
-the second layer
-the third layer - Answers -the third layer
True or false: Upon indirect collection, information provision should happen within a reasonable period of time. - Answers -True
True or false: Information provision is required, even if it necessitates disproportionate effort. - Answers -False
CIAR stands for.....
-Confidentiality, information, availability and risk assessment

-the subject matter and duration of the processing
-the type of personal data
-The method for destroying personal information following processing activities - Answers -All EXCEPT The method for destroying personal data. Contract should also contain the obligations and rights of the controller.
A processor is responsible for implementing appropriate technical and organisational measures to keep personal data secure. True or false? - Answers -True
A processor may process personal data only on documented instructions from the controller. True or false? - Answers -True
A controller must notify the supervisory authority of a personal data breach if __________.
-A breach is likely to result in a risk to the rights and freedoms of natural persons
-A breach is likely to result in a high risk for the rights and freedoms of natural persons - Answers -A breach likely to result in risk to the rights and freedoms of natural persons.
A controller must notify the data subjects of a personal data breach if the breach is likely to result in a high risk to the rights and freedoms of those individuals unless _________. Pick all that apply:
-Individual notice requires disproportionate effort
-Prior implementation of appropriate technical and organisational measures rendered the personal data unintelligible or encrypted
-Post-breach actions greatly reduce the risk to the rights and freedoms of the data subjects. - Answers -All
Which of the following data subject rights provides data subjects with entitlements to certain information, obtainable from the controller upon request? Pick all that apply.
-right of access
-right of erasure
-right to object
-right to restriction of processing - Answers -right of access
Right of access grants data subjects access to which of the following types of information? Select all that apply.
-The means of data storage
-Retention periods
-The purpose of processing
-Locations where the data is being processed - Answers -The purpose of processing -Retention periods -Locations where the data is being processed
The right to be forgotten is part of what data subject right?
-Right to data portability
-Right to erasure
-Right to restriction of processing
-Right to rectification - Answers -Right to erasure
Which of the following is not a method listed by the GDPR as a method for restricting processing of personal data? Select all that apply.
-Noting the restriction in the system
-Moving the data to a separate system
-Temporarily blocking a website
-Disabling the data management system - Answers -Disabling the data management system
Which of the following are categories under which a data subject may object to processing his or her personal data? Select all that apply.
-Establishment, exercise or defense of legal claims
-Direct marketing
-Public interest or legitimate interest
-Research or statistical purposes - Answers -All EXCEPT Establishment, exercise or defense of legal claims.
What is profiling?
-the processing of personal data gathered from social media sites
-a form of automated decision making
-The act of enabling cookies
-All of the above - Answers -A form of automated decision making
True or false: Both controllers and processors have accountability obligations under GDPR. - Answers -True
True or false: Data protection by design begins prior to processing and incorporates data protection considerations into the planning phase. - Answers -True
What are the main values of data protection impact assessment (DPIA)? Select all that apply.
-Demonstrating compliance to supervisory authorities

-Adequacy decision
-Appropriate safeguard
-Derogation - Answers -Adequacy decisions
Which of the following countries have been deemed adequate by the European Commission? Select all that apply.
-Argentina
-Uruguay
-New Zealand
-Switzerland - Answers -All
Which of the following are EU-US Privacy Shield requirements? Select all that apply.
-Publicly disclose the organisation's privacy policy
-Implement the Privacy Shield Principles
-Update the organization's privacy policy annually.
-Publicize the commitment to the U.S. Department of Commerce to adhere to the Privacy Shield Principles - Answers -Publicly disclose Privacy Policy -Implement Privacy Shield Principles -Publicize the commitment to the DoC
Which of the following are appropriate safeguards for cross-border data transfers? Select all that apply.
-Public Interest
-Binding corporate rules
-Approved codes of conduct or certification mechanisms
-Standard contractual clauses - Answers -BCR, Codes of conduct/certification, Standard clauses
Which appropriate safeguards allow large multinational companies to adopt a policy suite with rules for handling personal data?
-Standard contractual clauses
-Reliance on international agreements
-Ad hoc contractual clauses
-Binding corporate rules - Answers -Binding Corporate Rules
True or false: Criteria for derogations are strict and should be interpreted narrowly. - Answers -True

Who does the GDPR task with promoting, monitoring and enforcing the GDPR?
-The European Data Protection Supervisor
-Processors
-Controllers
-Supervisory authorities - Answers -Supervisory Authorities
How many active participants will the European Data Protection Board have?
-28
-38
-21
-31 - Answers -
Which of the following mechanisms facilitates the provision of relevant information between supervisory authorities?
-Urgency procedure
-Mutual assistance
-Cooperation
-Consistency mechanism - Answers -Mutual Assistance
Which of the following mechanisms facilitates a specific collaborative process between supervisory authorities, the Commission and the European Data Protection Board for adopting certain measures and ensuring consistent GDPR application?
-Cooperation
-Joint operations
-Dispute resolution
-Consistency mechanism - Answers -Consistency mechanism
Which types of laws should be considered when processing employees' personal data? Select all that apply.
-Local employment law
-EU data protection law
-Member state data protection law - Answers -All
What must be provided to employees when processing their personal data?
-Notice that their personal data will be processed
-The supervisory authority's contact information
-Opt-in

-Proportionality
-Duration of the video
-Lawfulness
-Individual's rights
-Prior checking
-Information provision - Answers -Duration of the video
True or false: Under the GDPR, individuals have the absolute right to object to any form of direct marketing at any time. - Answers -True
Which of the following is true regarding direct marketing channels?
-For postal marketing, opt-in is required
-For telemarketing, opt-in is required
-For business-to-consumer emailing and text-messaging, opt-in is required. - Answers -For business-to-consumer emailing and text-messaging, opt-in is required.
True or false: Under GDPR, web cookies qualify as personal data but IP addresses do not. - Answers -False
According to the GDPR, when does an organisation need to take action to legitimize cross-border data transfers of personal data?
a. when the data is routed through another jurisdiction in or outside the EU
b. when the data is transferred from one jurisdiction in the EU to another
c. when the data is transferred from a jurisdiction outside the European Union to a member state of the EU
d. when the data is transferred from a jurisdiction in the EU to a third country which is not deemed adequate. - Answers -d
The GDPR and its predecessor, the Data Protection Directive 95/46/EC, were allowed to be set up as a harmonisation measure for European member states by which?
a. Lisbon Treaty
b. Treaty of Rome
c. Council of Europe Convention
d. European Convention on Human Rights. - Answers -b
Which is an example of direct marketing?
a. an email sent to an individual about an order she has placed.
b. an email sent to an individual promoting a new book which is on sale
c. a letter addressed to "the household" about a charity bookstore
d. an advertisement on a website promoting a new book which is on sale - Answers -b
The ePrivacy Directive 2002/58/EC contains which provision?
a. Location data may be freely processed.
b. Unsolicited commercial telephone calls, emails and faxes need opt-out consent
c. Corporate communication systems must have adequate security.
d. Cookies require prior information and consent - Answers -d
Which statement describes a European best practices approach to the protection of employment data held by an organisation?
a. Employers should avoid all types of monitoring when collecting employee information within the workplace
b. Organisations should seek legal advice from a privacy lawyer before processing employee data.
c. Employee data should not be processed without expressed, verbal permission by the employee.
d. Employers should consult with regulatory bodies such as works councils about proposed data processing activity - Answers -d
When should a controller notify the supervisory authority of a loss of personal information which is likely to result in harm to an individual?
a. within 72 hours after having become aware
b. no later than 5 calendar days after the incident is identified
c. notice must be provided without unreasonable delay; no later than 30 days; law enforcement can delay notification
d. there is no need to notify the supervisory authority of a loss of personal information. - Answers -a
Under what conditions is processing sensitive employee data acceptable?

b. reason(s) for processing the personal data
c. third countries to which the information may be transferred
d. all of A, B, and C. - Answers -d
Which statement is correct concerning the information to be provided when collecting personal data directly from the data subject?
a. There is one mandated form for such information which sets out all information requirements.
b. Data controllers are obliged to inform data subjects about the creation of copies of their personal data for backup reasons.
c. The information needs to detail if the personal data will be passed to another organisation.
d. An employer is not required to provide such information to its employees concerning the processing of their employment records. - Answers -c
Under the GDPR, would a European company be allowed to use video surveillance to monitor employee access to inventory?
a. No, under the GDPR this is never allowed
b. No, video surveillance is too intrusive a solution
c. Yes, provided that certain conditions have been met
d. Yes, without any further conditions to be taken into account. - Answers -c
Which institution is responsible for ensuring that directives are implemented properly by the member states?
a. European Court of Justice
b. European Commission
c. European Parliament
d. European Data Protection Supervisor - Answers -b
What is true for a contract based on European Commission Standard Contractual Clauses with a processor outside the European Economic Area?
a. For subcontracting, the processor must inform the controller and obtain written approval.
b. Before the processing starts, the processor must provide proof of compliance with technical and organisational measures.
c. The data subject must consent to processing by the processor
d. The processor must provide a compliance statement from its data protection authority - Answers -a
Which type of data subject is NOT covered by the GDPR?
a. Newborn children
b. person under 18
c. person over 65
d. deceased individuals - Answers -d
The GDPR requires that the data controller notify the supervisory authority of a personal data breach unless:
a. there is no disclosure of financial account information
b. the number of personal data records affected is under 500
c. the breach is unlikely to result in a risk to the rights and freedoms of natural persons
d. the controller has already addressed the breach, including mitigation efforts - Answers -c
How is an employer obliged to proceed before engaging in the general monitoring of email traffic and internet use of all of its employees?
a. The employer must provide a prior opt-out option.
b. The employer must seek prior legal advice
c. The employer must provide prior notice
d. The employer must seek prior verbal consent. - Answers -c
Which is NOT a compatible purpose for processing data beyond the purpose originally specified at the time of collection?

c. As a Regulation rather than a Directive, the GDPR sets forth binding provisions for EU member states to follow but it leaves them discretion in some areas.
d. The GDPR imposes binding obligations on all EU member states as well as on all countries deemed adequate by the European Commission. - Answers -c
Which is the most accurate statement concerning the obligations imposed by the GDPR?
a. Notification is now optional but is recommended in order to foster the transparency of any organisation's data processing activities.
b. Notification remains mandatory in order to finance the national DPSA's operations
c. Notification is no longer required as the GDPR has switched to an accountability framework.
d. Notification is only required of Processors but not Controllers. - Answers -c
Which, according to the GDPR, is NOT a special category of data?
a. political affiliation
b. health information
c. ethnic origin
d. Social Security Number - Answers -d
Which institution has the power to adopt adequacy findings for the European Union?
a. Working Party 29
b. European Commission
c. European Data Protection Supervisor
d. European Court of Justice - Answers -b
Which exemption to the e-Privacy Directive 2002/58/EC allows the data controller to send electronic marketing information?
a. The recipients are existing customers
b. The controller is a non-profit organisation.
c. The data subject and controller work in the same industry
d. The recipients' email address is taken from a public register. - Answers -a

Which, according to the GDPR, is NOT one of the considerations that should be taken into account to determine the appropriate technical and organisational measures to ensure a level of data security appropriate to the risk?
a. cost of implementation
b. the state of the art
c. scope of processing
d. the size of the organization - Answers -d