New Year Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

Free and Premium IAPP CIPP-E Dumps Questions Answers

Page: 1 / 19
Total 268 questions

Certified Information Privacy Professional/Europe (CIPP/E) Questions and Answers

Question 1

What are the obligations of a processor that engages a sub-processor?

Options:

A.

The processor must give the controller prior written notice and perform a preliminary audit of the sub- processor.

B.

The processor must obtain the controller’s specific written authorization and provide annual reports on the sub-processor’s performance.

C.

The processor must receive a written agreement that the sub-processor will be fully liable to the controller for the performance of its obligations in relation to the personal data concerned.

D.

The processor must obtain the consent of the controller and ensure the sub-processor complies with data processing obligations that are equivalent to those that apply to the processor.

Buy Now
Question 2

An organization receives a request multiple times from a data subject seeking to exercise his rights with respect to his own personal data. Under what condition can the organization charge the data subject a fee for processing the request?

Options:

A.

Only where the organization can show that it is reasonable to do so because more than one request was made.

B.

Only to the extent this is allowed under the restrictions on data subjects’ rights introduced under Art 23 of GDPR.

C.

Only where the administrative costs of taking the action requested exceeds a certain threshold.

D.

Only if the organization can demonstrate that the request is clearly excessive or misguided.

Question 3

A well-known video production company, based in Spain but specializing in documentaries filmed worldwide, has just finished recording several hours of footage featuring senior citizens in the streets of Madrid. Under what condition would the company NOT be required to obtain the consent of everyone whose image they use for their documentary?

Options:

A.

If obtaining consent is deemed to involve disproportionate effort.

B.

If obtaining consent is deemed voluntary by local legislation.

C.

If the company limits the footage to data subjects solely of legal age.

D.

If the company’s status as a documentary provider allows it to claim legitimate interest.

Question 4

In the Planet 49 case, what was the man judgement of the Coon of Justice of the European Union (CJEU) regarding the issue of cookies?

Options:

A.

If the cookies do not track personal data, then pre-checked boxes are acceptable.

B.

If the ePrivacy Directive requires consent for cookies, then the GDPR's consent requirements apply.

C.

If a website's cookie notice makes clear the information gathered and the lifespan of the cookie, then pre-checked boxes are acceptable.

D.

If a data subject continues to scroll through a website after reading a cookie banner, this activity constitutes valid consent for the tracking described in the cookie banner.

Question 5

What must a data controller do in order to make personal data pseudonymous?

Options:

A.

Separately hold any information that would allow linking the data to the data subject.

B.

Encrypt the data in order to prevent any unauthorized access or modification.

C.

Remove all indirect data identifiers and dispose of them securely.

D.

Use the data only in aggregated form for research purposes.

Question 6

In which of the following situations would an individual most likely to be able to withdraw her consent for processing?

Options:

A.

When she is leaving her bank and moving to another bank.

B.

When she has recently changed jobs and no longer works for the same company.

C.

When she disagrees with a diagnosis her doctor has recorded on her records.

D.

When she no longer wishes to be sent marketing materials from an organization.

Question 7

If a multi-national company wanted to conduct background checks on all current and potential employees, including those based in Europe, what key provision would the company have to follow?

Options:

A.

Background checks on employees could be performed only under prior notice to all employees.

B.

Background checks are only authorized with prior notice and express consent from all employees including those based in Europe.

C.

Background checks on European employees will stem from data protection and employment law, which can vary between member states.

D.

Background checks may not be allowed on European employees, but the company can create lists based on its legitimate interests, identifying individuals who are ineligible for employment.

Question 8

Which of the following is an accurate statement regarding the "one-stop-shop" mechanism of the GDPR?

Options:

A.

It can result in several lead supervisory authorities in the EU assuming competence over the same data processing activities of an organization.

B.

It applies only to direct enforcement of data protection supervisory authorities (e.g.. finding a breach), but not to initiating or engaging m court proceedings

C.

It gives competence to the lead supervisory authority to address privacy issues derived from processes carried out by public authorities established in different countries.

D.

It allows supervisory authorities concerned (other than the lead supervisory authority) to act against organizations m exceptional cases even if they do not have any type of establishment in the Member State of the respective authority.

Question 9

A mobile device application that uses cookies will be subject to the consent requirement of which of the

following?

Options:

A.

The ePrivacy Directive

B.

The E-Commerce Directive

C.

The Data Retention Directive

D.

The EU Cybersecurity Directive

Question 10

Which statement provides an accurate description of a directive?

Options:

A.

A directive speo5es certain results that must be achieved, but each member state is free to decide how to turn it into a national law

B.

A directive has binding legal force throughout every member state and enters into force on a set date in all the member states.

C.

A directive is a legal act relating to specific cases and directed towards member states, companies 0' private individuals.

D.

A directive is a legal act that applies automatically and uniformly to all EU countries as soon as it enters into force.

Question 11

To which of the following parties does the territorial scope of the GDPR NOT apply?

Options:

A.

All member countries of the European Economic Area.

B.

All member countries party to the Treaty of Lisbon.

C.

All member countries party to the Paris Agreement.

D.

All member countries of the European Union.

Question 12

SCENARIO

Please use the following to answer the next question:

Jane Stan's her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a dedicated data center located in Malta |EU).

People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a KYC due diligence procedure aimed at preventing money laundering and ensuring compliance with applicable financial regulations.

The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and belong a checkbox on a separate page in order to get their account approved on the platform.

The customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a

Which of the following must be a component of the anti-money-laundering data-sharing practice of the platform?

Options:

A.

The terms of service shall also enumerate all applicable anti-money laundering few.

B.

Customers shall have an opt-out feature to restrict data sharing with law enforcement agencies after the registration.

C.

The terms of service shall include the address of the anti-money laundering agency and contacts of the investigators who may access me data.

D.

Customers snail receive a clear and conspicuous notice about such data sharing before submitting their data during the registration process.

Question 13

Which of the following is NOT exempt from the material scope of the GDPR. insofar as the processing of personal data is concerned?

Options:

A.

A natural person in the course of a large-scale but purely personal or household activity.

B.

A natural person processing data foe a small-scale, purely personal or household activity.

C.

A natural person in the course of processing purely personal or household data on behalf of a spouse who is beyond the age of majority.

D.

A natural person in the course of activity conducted purely tor a personally-owned sole proprietorship.

Question 14

According to the GDPR. Article 4(14). biometric data is defined as:

"Personal data resulting from specific technical processing relating to the______charactenstics of a natural person"

Which term could NOT be placed in the above definition?

Options:

A.

Psychological.

B.

Physical.

C.

Intellectual.

D.

Behavioral

Question 15

What ruling did the Planet 49 CJEU judgment make regarding the issue of pre-ticked boxes?

Options:

A.

They are allowed if determined to be technically necessary.

B.

They do not amount to valid consent under any circumstances.

C.

They are allowed if recorded In the register of processing activities.

D.

They constitute valid consent if the processing is necessary for purposes of legitimate interest

Question 16

Article 58 of the GDPR describes the power of supervisory authorities. Which of the following is NOT among those granted?

Options:

A.

Legislative powers.

B.

Corrective powers.

C.

Investigatory powers.

D.

Authorization and advisory powers.

Question 17

Which of the following is NOT considered a fair processing practice in relation to the transparency principle?

Options:

A.

Providing a multi-layered privacy notice, in a website environment.

B.

Providing a QR code linking to more detailed privacy notice, in a CCTV sign.

C.

Providing a hyperlink to the organization’s home page, in a hard copy application form.

D.

Providing a “just-in-time” contextual pop-up privacy notice, in an online application from field.

Question 18

What permissions are required for a marketer to send an email marketing message to a consumer in the EU?

Options:

A.

A prior opt-in consent for consumers unless they are already customers.

B.

A pre-checked box stating that the consumer agrees to receive email marketing.

C.

A notice that the consumer’s email address will be used for marketing purposes.

D.

No prior permission required, but an opt-out requirement on all emails sent to consumers.

Question 19

SCENARIO

Please use the following to answer the next question:

Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.

Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick’s instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.

Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its

clients’ data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying

information from the contact information. JaphSoft’s engineers, however, maintain all contact information in the same database as the identifying information.

Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies’ websites. A prior Liem customer, Ms. Iman, received a marketing campaign

from JaphSoft regarding Liem’s as well as EcoMick’s latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem’s products, she has never shopped EcoMick, nor provided her personal data to that company.

Why would the consent provided by Ms. Iman NOT be considered valid in regard to JaphSoft?

Options:

A.

She was not told which controller would be processing her personal data.

B.

She only viewed the visual representations of the privacy notice Liem provided.

C.

She did not read the privacy notice stating that her personal data would be shared.

D.

She has never made any purchases from JaphSoft and has no relationship with the company.

Question 20

When collecting personal data in a European Union (EU) member state, what must a company do if it collects personal data from a source other than the data subjects themselves?

Options:

A.

Inform the subjects about the collection

B.

Provide a public notice regarding the data

C.

Upgrade security to match that of the source

D.

Update the data within a reasonable timeframe

Question 21

Under the GDPR, who would be LEAST likely to be allowed to engage in the collection, use, and disclosure of a data subject’s sensitive medical information without the data subject’s knowledge or consent?

Options:

A.

A member of the judiciary involved in adjudicating a legal dispute involving the data subject and concerning the health of the data subject.

B.

A public authority responsible for public health, where the sharing of such information is considered necessary for the protection of the general populace.

C.

A health professional involved in the medical care for the data subject, where the data subject’s life hinges on the timely dissemination of such information.

D.

A journalist writing an article relating to the medical condition in QUESTION, who believes that the publication of such information is in the public interest.

Question 22

Which sentence BEST summarizes the concepts of “fairness,” “lawfulness” and “transparency”, as expressly required by Article 5 of the GDPR?

Options:

A.

Fairness and transparency refer to the communication of key information before collecting data; lawfulness refers to compliance with government regulations.

B.

Fairness refers to limiting the amount of data collected from individuals; lawfulness refers to the approval of company guidelines by the state; transparency solely relates to communication of key information before collecting data.

C.

Fairness refers to the security of personal data; lawfulness and transparency refers to the analysis of ordinances to ensure they are uniformly enforced.

D.

Fairness refers to the collection of data from diverse subjects; lawfulness refers to the need for legal rules to be uniform; transparency refers to giving individuals access to their data.

Question 23

In which scenario is a Controller most likely required to undertake a Data Protection Impact Assessment?

Options:

A.

When the controller is collecting email addresses from individuals via an online registration form for marketing purposes.

B.

When personal data is being collected and combined with other personal data to profile the creditworthiness of individuals.

C.

When the controller is required to have a Data Protection Officer.

D.

When personal data is being transferred outside of the EEA.

Question 24

MagicClean is a web-based service located in the United States that matches home cleaning services to customers. It otters its services exclusively in the United States It uses a processor located in France to optimize its data. Is MagicClean subject to the GDPR?

Options:

A.

Yes, because MagicClean is processing data in the EU

B.

Yes. because MagicClean's data processing agreement with the French processor is an establishment in the EU

C.

No, because MagicClean is located m the United States only.

D.

No. because MagicClean is not offering services to EU data subjects.

Question 25

According to Article 14 of the GDPR, how long does a controller have to provide a data subject with necessary privacy information, if that subject’s personal data has been obtained from other sources?

Options:

A.

As soon as possible after obtaining the personal data.

B.

As soon as possible after the first communication with the data subject.

C.

Within a reasonable period after obtaining the personal data, but no later than one month.

D.

Within a reasonable period after obtaining the personal data, but no later than eight weeks.

Question 26

If two controllers act as joint controllers pursuant to Article 26 of the GDPR, which of the following may NOT be validly determined by said controllers?

Options:

A.

The definition of a central contact point for data subjects.

B.

The rules regarding the exercising of data subjects" rights.

C.

The rules to provide information to data subjects in Articles 13 and 14.

D.

The non-disclosure of the essence of their arrangement to data subjects

Question 27

According to the GDPR, when should the processing of photographs be considered processing of special categories of personal data?

Options:

A.

When processed with the intent to publish information regarding a natural person on publicly accessible media.

B.

When processed with the intent to proceed to scientific or historical research projects.

C.

When processed with the intent to uniquely identify or authenticate a natural person.

D.

When processed with the intent to comply with a law.

Question 28

Under what circumstances might the “soft opt-in” rule apply in relation to direct marketing?

Options:

A.

When an individual has not consented to the marketing.

B.

When an individual’s details are obtained from their inquiries about buying a product.

C.

Where an individual’s details have been obtained from a bought-in marketing list.

D.

Where an individual is given the ability to unsubscribe from marketing emails sent to him.

Question 29

SCENARIO

Please use the following to answer the next question:

TripBliss Inc. is a travel service company which has lost substantial revenue over the last few years. Their new manager, Oliver, suspects that this is partly due to the company’s outdated website. After doing some research, he meets with a sales representative from the up-and-coming IT company Techiva, hoping that they can design a new, cutting-edge website for TripBliss Inc.’s foundering business.

During negotiations, a Techiva representative describes a plan for gathering more customer information through detailed Questionaires, which could be used to tailor their preferences to specific travel destinations. TripBliss Inc. can choose any number of data categories – age, income, ethnicity – that would help them best accomplish their goals. Oliver loves this idea, but would also like to have some way of gauging how successful this approach is, especially since the Questionaires will require customers to provide explicit consent to having their data collected. The Techiva representative suggests that they also run a program to analyze the new website’s traffic, in order to get a better understanding of how customers are using it. He explains his plan

to place a number of cookies on customer devices. The cookies will allow the company to collect IP addresses and other information, such as the sites from which the customers came, how much time they spend on the TripBliss Inc. website, and which pages on the site they visit. All of this information will be compiled in log files, which Techiva will analyze by means of a special program. TripBliss Inc. would receive aggregate statistics to help them evaluate the website’s effectiveness. Oliver enthusiastically engages Techiva for these services.

Techiva assigns the analytics portion of the project to longtime account manager Leon Santos. As is standard practice, Leon is given administrator rights to TripBliss Inc.’s website, and can authorize access to the log files gathered from it. Unfortunately for TripBliss Inc., however, Leon is taking on this new project at a time when his dissatisfaction with Techiva is at a high point. In order to take revenge for what he feels has been unfair treatment at the hands of the company, Leon asks his friend Fred, a hobby hacker, for help. Together they come up with the following plan: Fred will hack into Techiva’s system and copy their log files onto a USB stick. Despite his initial intention to send the USB to the press and to the data protection authority in order to denounce Techiva, Leon experiences a crisis of conscience and ends up reconsidering his plan. He decides instead to securely wipe all the data from the USB stick and inform his manager that the company’s system of access control must be reconsidered.

With regard to TripBliss Inc.’s use of website cookies, which of the following statements is correct?

Options:

A.

Because not all of the cookies are strictly necessary to enable the use of a service requested from TripBliss Inc., consent requirements apply to their use of cookies.

B.

Because of the categories of data involved, explicit consent for the use of cookies must be obtained separately from customers.

C.

Because Techiva will receive only aggregate statistics of data collected from the cookies, no additional consent is necessary.

D.

Because the use of cookies involves the potential for location tracking, explicit consent must be obtained from customers.

Question 30

According to Art 23 GDPR, which of the following data subject rights can NOT be restricted?

Options:

A.

Right to restriction of processing.

B.

Right to erasure ("Right to be forgotten").

C.

Right to lodge a complaint with a supervisory authority.

D.

Right not to be subject to automated individual decision-making

Question 31

A company wishes to transfer personal data to a country outside of the European Union/EEA In order to do so, they are planning an assessment of the country's laws and practices, knowing that these may impinge upon the transfer safeguards they intend to use

All of the following factors would be relevant for the company to consider EXCEPT'?

Options:

A.

Any onward transfers, such as transfers of personal data to a sub-processor in the same or another third country.

B.

The process of modernization in the third country concerned and their access to emerging technologies that rely on international transfers of personal data

C.

The technical, financial, and staff resources available to an authority m the third country concerned that may access the personal data to be transferred

D.

The contractual clauses between the data controller or processor established in the European Union/EEA and the recipient of the transfer established in the third country concerned

Question 32

SCENARIO

Please use the following to answer the next question:

ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO. Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage s global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized m New Delhi Unable to reach Ruths family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who in coordination with Mary, the head of HR. provided information to the doctors based on accommodate on requests Ruth made when she started a: ProStorage

In support of Ruth's strategic goals of hiring more sales representatives, the Human

Resources team is focused on improving its processes to ensure that new

employees are sourced, interviewed, hired, and onboarded efficiently. To help with

this, Mary identified two vendors, HRYourWay, a German based company, and

InstaHR, an Australian based company. She decided to have both vendors go

through ProStorage's vendor risk review process so she can work with Ruth to

make the final decision. As part of the review process, Jackie, who is responsible

for maintaining ProStorage's privacy program (including maintaining controller

BCRs and conducting vendor risk assessments), reviewed both vendors but

completed a transfer impact assessment only for InstaHR. After her review of both

vendors, she determined that InstaHR satisfied more of the requirements as it

boasted a more established privacy program and provided third-party attestations,

whereas HRYourWay was a small vendor with minimal data protection operations.

Thus, she recommended InstaHR.

ProStorage's marketing team also worked to meet the strategic goals of the

company by focusing on industries where it needed to grow its market share. To

help with this, the team selected as a partner UpFinance, a US based company

with deep connections to financial industry customers. During ProStorage's

diligence process, Jackie from the privacy team noted in the transfer impact

assessment that UpFinance implements several data protection measures

including end-to-end encryption, with encryption keys held by the customer.

Notably, UpFinance has not received any government requests in its 7 years of

business. Still, Jackie recommended that the contract require UpFinance to notify

ProStorage if it receives a government request for personal data UpFinance

processes on its behalf prior to disclosing such data.

What transfer mechanism should Jackie recommend for using InstaHR?

Options:

A.

Adequacy

B.

Binding corporate rules.

C.

Explicit consent of employees.

D.

Standard contractual clauses

Question 33

Under Article 58 of the GDPR, which of the following describes a power of supervisory authorities in European Union (EU) member states?

Options:

A.

The ability to enact new laws by executive order.

B.

The right to access data for investigative purposes.

C.

The discretion to carry out goals of elected officials within the member state.

D.

The authority to select penalties when a controller is found guilty in a court of law.

Question 34

Articles 13 and 14 of the GDPR provide details on the obligation of data controllers to inform data subjects when collecting personal data. However, both articles specify an exemption for situations in which the data subject already has the information.

Which other situation would also exempt the data controller from this obligation under Article 14?

Options:

A.

When providing the information would go against a police order.

B.

When providing the information would involve a disproportionate effort

C.

When the personal data was obtained through multiple source in the public domain

D.

When the personal data was obtained 5 years before the entry into force of the GDPR

Question 35

Why is advisable to avoid consent as a legal basis for an employer to process employee data?

Options:

A.

Employee data can only be processed if there is an approval from the data protection officer.

B.

Consent may not be valid if the employee feels compelled to provide it.

C.

An employer might have difficulty obtaining consent from every employee.

D.

Data protection laws do not apply to processing of employee data.

Question 36

In 2016’s Guidance, the United Kingdom’s Information Commissioner’s Office (ICO) reaffirmed the importance of using a “layered notice” to provide data subjects with what?

Options:

A.

A privacy notice containing brief information whilst offering access to further detail.

B.

A privacy notice explaining the consequences for opting out of the use of cookies on a website.

C.

An explanation of the security measures used when personal data is transferred to a third party.

D.

An efficient means of providing written consent in member states where they are required to do so.

Question 37

SCENARIO

Please use the following to answer the next question:

Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent. All of the company’s IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father’s company, but is also secretly working on launching a new global online dating website company called Ben Knows Best.

Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company’s online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers’ philosophical beliefs, political opinions and marital status.

If a customer identifies as single, Ben then copies all of that customer’s personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out.

Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Beak with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.

Joe also hires his best friend’s daughter, Alice, who just graduated from law school in the U.S., to be the company’s new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company’s operations in the European Union to the U.S.

Joe believes that Alice is doing a great job, and informs her that she will also be in-charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company’s IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone’s information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.

In preparing the company for its impending lawsuit, Alice’s instruction to the company’s IT Department violated Article 5 of the GDPR because the company failed to first do what?

Options:

A.

Send out consent forms to all of its employees.

B.

Minimize the amount of data collected for the lawsuit.

C.

Inform all of its employees about the lawsuit.

D.

Encrypt the data from all of its employees.

Question 38

SCENARIO

Please use the following to answer the next question:

ABC Hotel Chain and XYZ Travel Agency are U.S.-based multinational companies. They use an internet-based common platform for collecting and sharing their customer data with each other, in order to integrate their marketing efforts. Additionally, they agree on the data to be stored, how reservations will be booked and confirmed, and who has access to the stored data.

Mike, an EU resident, has booked travel itineraries in the past through XYZ Travel Agency to stay at ABC Hotel Chain’s locations. XYZ Travel Agency offers a rewards program that allows customers to sign up to accumulate points that can later be redeemed for free travel. Mike has signed the agreement to be a rewards program member.

Now Mike wants to know what personal information the company holds about him. He sends an email requesting access to his data, in order to exercise what he believes are his data subject rights.

What is the time period in which Mike should receive a response to his request?

Options:

A.

Not more than one month of receipt of Mike’s request.

B.

Not more than two months after verifying Mike’s identity.

C.

When all the information about Mike has been collected.

D.

Not more than thirty days after submission of Mike’s request.

Question 39

SCENARIO

Please use the following to answer the next question:

Financially, it has been a very good year at ARRA Hotels: Their 21 hotels, located in

Greece (5), Italy (15) and Spain (1), have registered their most profitable results

ever. To celebrate this achievement, ARRA Hotels' Human Resources office, based

in ARRA's main Italian establishment, has organized a team event for its 420

employees and their families at its hotel in Spain.

Upon arrival at the hotel, each employee and family member is given an electronic

wristband at the reception desk. The wristband serves a number of functions:

. Allows access to the "party zone" of the hotel, and emits a buzz if the user

approaches any unauthorized areas

. Allows up to three free drinks for each person of legal age, and emits a

buzz once this limit has been reached

. Grants a unique ID number for participating in the games and contests that

have been planned.

Along with the wristband, each guest receives a QR code that leads to the online

privacy notice describing the use of the wristband. The page also contains an

unchecked consent checkbox. In the case of employee family members under the

age of 16, consent must be given by a parent.

Among the various activities planned for the event, ARRA Hotels' HR office has

autonomously set up a photocall area, separate from the main event venue, where

employees can come and have their pictures taken in traditional carnival costume.

The photos will be posted on ARRA Hotels' main website for general marketing

purposes.

On the night of the event, an employee from one of ARRA's Greek hotels is

displeased with the results of the photos in which he appears. He intends to file a

complaint with the relevant supervisory authority in regard to the following:

. The lack of any privacy notice in the separate photocall area

The unlawful cross-border processing of his personal data

. The unacceptable aesthetic outcome of his photos

Assuming that there is a cross-border processing of personal data, which of the

following criteria would NOT be useful to the lead supervisory authority responsible

for the Greek employee's complaint when trying to determine the location of the

controller's main establishment?

Options:

A.

Where the controller is registered as a company.

B.

Where the processor is registered as a company.

C.

Where decisions about the processing activities are made.

D.

Where the director with responsibility for processing activities is located.

Question 40

SCENARIO

Please use the following to answer the next question:

BHealthy, a company based in Italy, is ready to launch a new line of natural products, with a focus on sunscreen. The last step prior to product launch is for BHealthy to conduct research to decide how extensively to market its new line of sunscreens across Europe. To do so, BHealthy teamed up with Natural Insight, a company specializing in determining pricing for natural products. BHealthy decided to share its existing customer information – name, location, and prior purchase history – with Natural Insight. Natural Insight intends to use this information to train its algorithm to help determine the price point at which BHealthy can sell its new sunscreens.

Prior to sharing its customer list, BHealthy conducted a review of Natural Insight’s security practices and concluded that the company has sufficient security measures to protect the contact information. Additionally, BHealthy’s data processing contractual terms with Natural Insight require continued implementation of technical and organization measures. Also indicated in the contract are restrictions on use of the data provided by BHealthy for any purpose beyond provision of the services, which include use of the data for continued improvement of Natural Insight’s machine learning algorithms.

In which case would Natural Insight’s use of BHealthy’s data for improvement of its algorithms be considered data processor activity?

Options:

A.

If Natural Insight uses BHealthy’s data for improving price point predictions only for BHealthy.

B.

If Natural Insight receives express contractual instructions from BHealthy to use its data for improving its algorithms.

C.

If Natural Insight agrees to be fully liable for its use of BHealthy’s customer information in its product improvement activities.

D.

If Natural Insight satisfies the transparency requirement by notifying BHealthy’s customers of its plans to use their information for its product improvement activities.

Question 41

In the wake of the Schrems II ruling, which of the following actions has been recommended by the EDPB for companies transferring personal data to third countries?

Options:

A.

Adopting a risk-based approach and implementing supplementary measures as needed.

B.

Ensuring that all data transfers are encrypted with unbreakable encryption algorithms.

C.

Obtaining explicit consent from each EU citizen for every individual data transfer.

D.

Storing all personal data within the borders of the European Union.

Question 42

WP29’s “Guidelines on Personal data breach notification under Regulation 2016/679’’ provides examples of ways to communicate data breaches transparently. Which of the following was listed as a method that would NOT be effective for communicating a breach to data subjects?

Options:

A.

A postal notification

B.

A direct electronic message

C.

A notice on a corporate blog

D.

A prominent advertisement in print media

Question 43

SCENARIO

Please use the following to answer the next question:

Javier is a member of the fitness club EVERFIT. This company has branches in many EU member states, but for the purposes of the GDPR maintains its primary establishment in France. Javier lives in Newry, Northern Ireland (part of the U.K.), and commutes across the border to work in Dundalk, Ireland. Two years ago while on a business trip, Javier was photographed while working out at a branch of EVERFIT in Frankfurt, Germany. At the time, Javier gave his consent to being included in the photograph, since he was told that it would be used for promotional purposes only. Since then, the photograph has been used in the club’s U.K. brochures, and it features in the landing page of its U.K. website. However, the fitness club has recently fallen into disrepute due to widespread mistreatment of members at various branches of the club in several EU member states. As a result, Javier no longer feels comfortable with his photograph being publicly associated with the fitness club.

After numerous failed attempts to book an appointment with the manager of the local branch to discuss this matter, Javier sends a letter to EVETFIT requesting that his image be removed from the website and all promotional materials. Months pass and Javier, having received no acknowledgment of his request, becomes very anxious about this matter. After repeatedly failing to contact EVETFIT through alternate channels, he decides to take action against the company.

Javier contacts the U.K. Information Commissioner’s Office (‘ICO’ – the U.K.’s supervisory authority) to lodge a complaint about this matter. The ICO, pursuant to Article 56 (3) of the GDPR, informs the CNIL (i.e. the supervisory authority of EVERFIT’s main establishment) about this matter. Despite the fact that EVERFIT has an establishment in the U.K., the CNIL decides to handle the case in accordance with Article 60 of the GDPR. The CNIL liaises with the ICO, as relevant under the cooperation procedure. In light of issues amongst the supervisory authorities to reach a decision, the European Data Protection Board becomes involved and, pursuant to the consistency mechanism, issues a binding decision.

Additionally, Javier sues EVERFIT for the damages caused as a result of its failure to honor his request to have his photograph removed from the brochure and website.

Assuming that multiple EVETFIT branches across several EU countries are acting as separate data controllers, and that each of those branches were responsible for mishandling Javier’s request, how may Javier proceed in order to seek compensation?

Options:

A.

He will have to sue the EVETFIT’s head office in France, where EVETFIT has its main establishment.

B.

He will be able to sue any one of the relevant EVETFIT branches, as each one may be held liable for the entire damage.

C.

He will have to sue each EVETFIT branch so that each branch provides proportionate compensation commensurate with its contribution to the damage or distress suffered by Javier.

D.

He will be able to apply to the European Data Protection Board in order to determine which particular EVETFIT branch is liable for damages, based on the decision that was made by the board.

Question 44

Which mechanism, new to the GDPR, now allows for the possibility of personal data transfers to third countries under Article 42?

Options:

A.

Approved certifications.

B.

Binding corporate rules.

C.

Law enforcement requests.

D.

Standard contractual clauses.

Question 45

SCENARIO

Please use the following to answer the next question:

Anna and Frank both work at Granchester University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records:

  • Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information.
  • Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files).
  • Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees. These records are available to former students after registering through Granchester’s Alumni portal. Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers.
  • Under their security policy, the University encrypts all of its personal data records in transit and at rest.

In order to improve his teaching, Frank wants to investigate how his engineering students perform in relational to Department for Education expectations. He has attended one of Anna’s data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a

program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first time university attended. He wants to keep the records at the individual student level. Mindful of Anna’s training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time.

One of Anna’s tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, as required by the GDPR. After receiving her email reminder, Frank informs

Anna about his performance database.

Ann explains to Frank that, as well as minimizing personal data, the University has to check that this new use of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has done some additional research.

Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time.

Which of the University’s records does Anna NOT have to include in her record of processing activities?

Options:

A.

Student records

B.

Staff and alumni records

C.

Frank’s performance database

D.

Department for Education records

Question 46

Under Article 9 of the GDPR, which of the following categories of data is NOT expressly prohibited from data processing?

Options:

A.

Personal data revealing ethnic origin.

B.

Personal data revealing genetic data.

C.

Personal data revealing financial data.

D.

Personal data revealing trade union membership.

Question 47

Which failing of Privacy Shield, cited by the CJEU as a reason for its invalidation, is the Trans-Atlantic Data Privacy Framework intended to address?

Options:

A.

Data Subject Rights.

B.

Right of Action.

C.

Necessity.

D.

Consent.

Question 48

What obligation does a data controller or processor have after appointing a data protection officer?

Options:

A.

To ensure that the data protection officer receives sufficient instructions regarding the exercise of his or her defined tasks.

B.

To provide resources necessary to carry out the defined tasks of the data protection officer and to maintain his or her expert knowledge.

C.

To ensure that the data protection officer acts as the sole point of contact for individuals’ Questions: about their personal data.

D.

To submit for approval to the data protection officer a code of conduct to govern organizational practices and demonstrate compliance with data protection principles.

Question 49

Which sentence best describes proper compliance for an international organization using Binding Corporate Rules (BCRs) as a controller or processor?

Options:

A.

Employees must sign an ad hoc contractual agreement each time personal data is exported.

B.

All employees are subject to the rules in their entirety, regardless of where the work is taking place.

C.

All employees must follow the privacy regulations of the jurisdictions where the current scope of their work is established.

D.

Employees who control personal data must complete a rigorous certification procedure, as they are exempt from legal enforcement.

Question 50

How is the GDPR’s position on consent MOST likely to affect future app design and implementation?

Options:

A.

App developers will expand the amount of data necessary to collect for an app’s functionality.

B.

Users will be given granular types of consent for particular types of processing.

C.

App developers’ responsibilities as data controllers will increase.

D.

Users will see fewer advertisements when using apps.

Question 51

Which of the following is NOT an explicit right granted to data subjects under the GDPR?

Options:

A.

The right to request access to the personal data a controller holds about them.

B.

The right to request the deletion of data a controller holds about them.

C.

The right to opt-out of the sale of their personal data to third parties.

D.

The right to request restriction of processing of personal data, under certain scenarios.

Question 52

An entity’s website stores text files on EU users’ computer and mobile device browsers. Prior to doing so, the entity is required to provide users with notices containing information and consent under which of the following frameworks?

Options:

A.

General Data Protection Regulation 2016/679.

B.

E-Privacy Directive 2002/58/EC.

C.

E-Commerce Directive 2000/31/EC.

D.

Data Protection Directive 95/46/EC.

Question 53

SCENARIO

Please use the following to answer the next question:

Brady is a computer programmer based in New Zealand who has been running his own business for two years. Brady’s business provides a low-cost suite of services to customers throughout the European Economic Area (EEA). The services are targeted towards new and aspiring small business owners. Brady’s company, called Brady Box, provides web page design services, a Social Networking Service (SNS) and consulting services that help people manage their own online stores.

Unfortunately, Brady has been receiving some complaints. A customer named Anna recently uploaded her plans for a new product onto Brady Box’s chat area, which is open to public viewing. Although she realized her mistake two weeks later and removed the document, Anna is holding Brady Box responsible for not noticing the error through regular monitoring of the website. Brady believes he should not be held liable.

Another customer, Felipe, was alarmed to discover that his personal information was transferred to a third- party contractor called Hermes Designs and worries that sensitive information regarding his business plans may be misused. Brady does not believe he violated European privacy rules. He provides a privacy notice to all of his customers explicitly stating that personal data may be transferred to specific third parties in fulfillment of a requested service. Felipe says he read the privacy notice but that it was long and complicated

Brady continues to insist that Felipe has no need to be concerned, as he can personally vouch for the integrity of Hermes Designs. In fact, Hermes Designs has taken the initiative to create sample customized banner advertisements for customers like Felipe. Brady is happy to provide a link to the example banner ads, now posted on the Hermes Designs webpage. Hermes Designs plans on following up with direct marketing to these customers.

Brady was surprised when another customer, Serge, expressed his dismay that a quotation by him is being used within a graphic collage on Brady Box’s home webpage. The quotation is attributed to Serge by first and last name. Brady, however, was not worried about any sort of litigation. He wrote back to Serge to let him know that he found the quotation within Brady Box’s Social Networking Service (SNS), as Serge himself had posted the quotation. In his response, Brady did offer to remove the quotation as a courtesy.

Despite some customer complaints, Brady’s business is flourishing. He even supplements his income through online behavioral advertising (OBA) via a third-party ad network with whom he has set clearly defined roles. Brady is pleased that, although some customers are not explicitly aware of the OBA, the advertisements contain useful products and services.

Based on the scenario, what is the main reason that Brady should be concerned with Hermes Designs’ handling of customer personal data?

Options:

A.

The data is sensitive.

B.

The data is uncategorized.

C.

The data is being used for a new purpose.

D.

The data is being processed via a new means.

Question 54

After leaving the EU under the terms of Brexit, the United Kingdom will seek an adequacy determination. What is the reason for this?

Options:

A.

The Insurance Commissioner determined that an adequacy determination is required by the Data Protection Act.

B.

Adequacy determinations automatically lapse when a Member State leaves the EU.

C.

The UK is now a third country because it’s no longer subject to the GDPR.

D.

The UK is less trustworthy now that its not part of the Union.

Question 55

After detecting an intrusion involving the theft of unencrypted personal data, who shall the breached company notify first under GDPR requirements?

Options:

A.

Any parents of children whose personal data was compromised.

B.

Any affected customers whose data was compromised.

C.

A competent supervisory authority.

D.

A local law enforcement agency

Question 56

An online company’s privacy practices vary due to the fact that it offers a wide variety of services. How could it best address the concern that explaining them all would make the policies incomprehensible?

Options:

A.

Use a layered privacy notice on its website and in its email communications.

B.

Identify uses of data in a privacy notice mailed to the data subject.

C.

Provide only general information about its processing activities and offer a toll-free number for more information.

D.

Place a banner on its website stipulating that visitors agree to its privacy policy and terms of use by visiting the site.

Question 57

SCENARIO

Please use the following to answer the next question:

Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.

Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick’s instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.

Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its

clients’ data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying

information from the contact information. JaphSoft’s engineers, however, maintain all contact information in the same database as the identifying information.

Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies’ websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem’s as well as EcoMick’s latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem’s products, she has never shopped EcoMick, nor provided her personal data to that company.

JaphSoft’s use of pseudonymization is NOT in compliance with the CDPR because?

Options:

A.

JaphSoft failed to first anonymize the personal data.

B.

JaphSoft pseudonymized all the data instead of deleting what it no longer needed.

C.

JaphSoft was in possession of information that could be used to identify data subjects.

D.

JaphSoft failed to keep personally identifiable information in a separate database.

Question 58

A dynamic Internet Protocol (IP) address is considered persona! data when it is combined with what?

Options:

A.

Other data held by the processor.

B.

Other data held by the controller

C.

Other data held by recipients of the data.

D.

Other data held by Internet Service Providers (ISPs).

Question 59

In which case would a controller who has undertaken a DPIA most likely need to consult with a supervisory authority?

Options:

A.

Where the DPIA identifies that personal data needs to be transferred to other countries outside of the EEA.

B.

Where the DPIA identifies high risks to individuals’ rights and freedoms that the controller can take steps to reduce.

C.

Where the DPIA identifies that the processing being proposed collects the sensitive data of EU citizens.

D.

Where the DPIA identifies risks that will require insurance for protecting its business interests.

Question 60

Under Article 30 of the GDPR, controllers are required to keep records of all of the following EXCEPT?

Options:

A.

Incidents of personal data breaches, whether disclosed or not.

B.

Data inventory or data mapping exercises that have been conducted.

C.

Categories of recipients to whom the personal data have been disclosed.

D.

Retention periods for erasure and deletion of categories of personal data.

Question 61

SCENARIO

Please use the following to answer the next question:

BHealthy, a company based in Italy, is ready to launch a new line of natural products, with a focus on sunscreen. The last step prior to product launch is for BHealthy to conduct research to decide how extensively to market its new line of sunscreens across Europe. To do so, BHealthy teamed up with Natural Insight, a company specializing in determining pricing for natural products. BHealthy decided to share its existing customer information – name, location, and prior purchase history – with Natural Insight. Natural Insight intends to use this information to train its algorithm to help determine the price point at which BHealthy can sell its new sunscreens.

Prior to sharing its customer list, BHealthy conducted a review of Natural Insight’s security practices and concluded that the company has sufficient security measures to protect the contact information. Additionally, BHealthy’s data processing contractual terms with Natural Insight require continued implementation of technical and organization measures. Also indicated in the contract are restrictions on use of the data provided by BHealthy for any purpose beyond provision of the services, which include use of the data for continued improvement of Natural Insight’s machine learning algorithms.

Under the GDPR, what are Natural Insight’s security obligations with respect to the customer information it received from BHealthy?

Options:

A.

Appropriate security that takes into account the industry practices for protecting customer contact information and purchase history.

B.

Only the security measures assessed by BHealthy prior to entering into the data processing contract.

C.

Absolute security since BHealthy is sharing personal data, including purchase history, with Natural Insight.

D.

The level of security that a reasonable data subject whose data is processed would expect in relation to the data subject’s purchase history.

Question 62

SCENARIO

Please use the following to answer the next question:

Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentable offering to help him recover compensation for personal injury. Louis has heard about insurance companies selling customers’ data to third parties, and he’s convinced that Accidentable must have gotten his information from Bedrock Insurance.

Louis has also been receiving an increased amount of marketing information from Bedrock, trying to sell him their full range of their insurance policies.

Perturbed by this, Louis has started looking at price comparison sites on the internet and has been shocked to find that other insurers offer much cheaper rates than Bedrock, even though he has been a loyal customer for many years. When his Bedrock policy comes up for renewal, he decides to switch to Zantrum Insurance.

In order to activate his new insurance policy, Louis needs to supply Zantrum with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask Bedrock to transfer his information directly to Zantrum. He also takes this opportunity to ask Bedrock to stop using his personal data for marketing purposes.

Bedrock supplies Louis with a PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Louis it cannot transfer his data directly to Zantrum as this is not technically feasible. Bedrock also explains that Louis’s contract included a provision whereby Louis agreed that his data could be used for marketing purposes; according to Bedrock, it is too late for Louis to change his mind about this. It angers Louis when he recalls the wording of the contract, which was filled with legal jargon and very confusing.

In the meantime, Louis is still receiving unwanted calls from Accidentable Insurance. He writes to Accidentable to ask for the name of the organization that supplied his details to them. He warns Accidentable that he plans to complain to the data protection authority, because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way.

Accidentable’s response letter confirms Louis’s suspicions. Accidentable is Bedrock Insurance’s wholly owned subsidiary, and they received information about Louis’s accident from Bedrock shortly after Louis submitted his accident claim. Accidentable assures Louis that there has been no breach of the GDPR, as Louis’s contract included, a provision in which he agreed to share his information with Bedrock’s affiliates for business purposes.

Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them insisting that all his information be erased from their computer system.

After Louis has exercised his right to restrict the use of his data, under what conditions would Accidentable have grounds for refusing to comply?

Options:

A.

If Accidentable is entitled to use of the data as an affiliate of Bedrock.

B.

If Accidentable also uses the data to conduct public health research.

C.

If the data becomes necessary to defend Accidentable’s legal rights.

D.

If the accuracy of the data is not an aspect that Louis is disputing.

Question 63

Tanya is the Data Protection Officer for Curtains Inc., a GDPR data controller. She has recommended that the company encrypt all personal data at rest. Which GDPR principle is she following?

Options:

A.

Accuracy

B.

Storage Limitation

C.

Integrity and confidentiality

D.

Lawfulness, fairness and transparency

Question 64

What must be included in a written agreement between the controller and processor in relation to processing conducted on the controller’s behalf?

Options:

A.

An obligation on the processor to report any personal data breach to the controller within 72 hours.

B.

An obligation on both parties to report any serious personal data breach to the supervisory authority.

C.

An obligation on both parties to agree to a termination of the agreement if the other party is responsible for a personal data breach.

D.

An obligation on the processor to assist the controller in complying with the controller’s obligations to notify the supervisory authority about personal data breaches.

Question 65

SCENARIO

Please use the following to answer the next question:

ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO. Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage s global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized m New Delhi Unable to reach Ruths family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who in coordination with Mary, the head of HR. provided information to the doctors based on accommodate on requests Ruth made when she started a: ProStorage

In support of Ruth's strategic goals of hiring more sales representatives, the Human

Resources team is focused on improving its processes to ensure that new

employees are sourced, interviewed, hired, and onboarded efficiently. To help with

this, Mary identified two vendors, HRYourWay, a German based company, and

InstaHR, an Australian based company. She decided to have both vendors go

through ProStorage's vendor risk review process so she can work with Ruth to

make the final decision. As part of the review process, Jackie, who is responsible

for maintaining ProStorage's privacy program (including maintaining controller

BCRs and conducting vendor risk assessments), reviewed both vendors but

completed a transfer impact assessment only for InstaHR. After her review of both

vendors, she determined that InstaHR satisfied more of the requirements as it

boasted a more established privacy program and provided third-party attestations,

whereas HRYourWay was a small vendor with minimal data protection operations.

Thus, she recommended InstaHR.

ProStorage's marketing team also worked to meet the strategic goals of the

company by focusing on industries where it needed to grow its market share. To

help with this, the team selected as a partner UpFinance, a US based company

with deep connections to financial industry customers. During ProStorage's

diligence process, Jackie from the privacy team noted in the transfer impact

assessment that UpFinance implements several data protection measures

including end-to-end encryption, with encryption keys held by the customer.

Notably, UpFinance has not received any government requests in its 7 years of

business. Still, Jackie recommended that the contract require UpFinance to notify

ProStorage if it receives a government request for personal data UpFinance

processes on its behalf prior to disclosing such data.

What transfer mechanism did ProStorage most likely rely on to transfer Ruth's

medical information to the hospital?

Options:

A.

Ruth's implied consent.

B.

Protecting the vital interest of Ruth.

C.

Performance of a contract with Ruth.

D.

Protecting against legal liability from Ruth.

Question 66

Which of the following does NOT have to be included in the records most processors must maintain in relation to their data processing activities?

Options:

A.

Name and contact details of each controller on behalf of which the processor is acting.

B.

Categories of processing carried out on behalf of each controller for which the processor is acting.

C.

Details of transfers of personal data to a third country carried out on behalf of each controller for which the processor is acting.

D.

Details of any data protection impact assessment conducted in relation to any processing activities carried out by the processor on behalf of each controller for which the processor is acting.

Question 67

What is true if an employee makes an access request to his employer for any personal data held about him?

Options:

A.

The employer can automatically decline the request if it contains personal data about a third person.

B.

The employer can decline the request if the information is only held electronically.

C.

The employer must supply all the information held about the employee.

D.

The employer must supply any information held about an employee unless an exemption applies.

Question 68

A company plans to transfer employee health information between two of its entities in France. To maintain the security of the processing, what would be the most important security measure to apply to the health data transmission?

Options:

A.

Inform the data subject of the security measures in place.

B.

Ensure that the receiving entity has signed a data processing agreement.

C.

Encrypt the transferred data in transit and at rest.

D.

Conduct a data protection impact assessment.

Question 69

Which aspect of the GDPR will likely have the most impact on the consistent implementation of data protection

laws throughout the European Union?

Options:

A.

That it essentially functions as a one-stop shop mechanism

B.

That it takes the form of a Regulation as opposed to a Directive

C.

That it makes notification of large-scale data breaches mandatory

D.

That it makes appointment of a data protection officer mandatory

Question 70

When hiring a data processor, which action would a data controller NOT be able to depend upon to avoid liability in the event of a security breach?

Options:

A.

Documenting due diligence steps taken in the pre-contractual stage.

B.

Conducting a risk assessment to analyze possible outsourcing threats.

C.

Requiring that the processor directly notify the appropriate supervisory authority.

D.

Maintaining evidence that the processor was the best possible market choice available.

Question 71

SCENARIO

Please use the following to answer the next question:

Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.

Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick’s instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.

Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its

clients’ data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information

is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying

information from the contact information. JaphSoft’s engineers, however, maintain all contact information in the same database as the identifying information.

Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies’ websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem’s as well as EcoMick’s latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem’s products, she has never shopped EcoMick, nor provided her personal data to that company.

For what reason would JaphSoft be considered a controller under the GDPR?

Options:

A.

It determines how long to retain the personal data collected.

B.

It has been provided access to personal data in the MarketIQ database.

C.

It uses personal data to improve its products and services for its client-base through machine learning.

D.

It makes decisions regarding the technical and organizational measures necessary to protect the personal data.

Question 72

It a company receives an anonymous email demanding ransom for the stolen personal data of its clients, what must the company do next, per GDPR requirements'3

Options:

A.

Notify the police and Tile a criminal complaint about the incident

B.

Start an investigation to understand the incident's possible scope, duration and nature

C.

Send a notification to the competent supervisory authority describing the incident.

D.

Send an email about the incident to all clients and ask them to change their passwords

Question 73

SCENARIO

Please use the following to answer the next question:

Jack worked as a Pharmacovigiliance Operations Specialist in the Irish office of a multinational pharmaceutical company on a clinical trial related to COVID-19. As part of his onboarding process Jack received privacy training He was explicitly informed that while he would need to process confidential patient data in the course of his work, he may under no circumstances use this data for anything other than the performance of work-related (asks This was also specified in the privacy policy, which Jack signed upon conclusion of the training.

After several months of employment, Jack got into an argument with a patient over the phone. Out of anger he later posted the patient's name and hearth information, along with disparaging comments, on a social media website. When this was discovered by his Pharmacovigilance supervisors. Jack was immediately dismissed

Jack's lawyer sent a letter to the company stating that dismissal was a disproportionate sanction, and that if Jack was not reinstated within 14 days his firm would have no alternative but to commence legal proceedings against the company. This letter was accompanied by a data access request from Jack requesting a copy of "all personal data, including internal emails that were sent/received by Jack or where Jack is directly or indirectly identifiable from the contents * In relation to the emails Jack listed six members of the management team whose inboxes he required access.

The company conducted an initial search of its IT systems, which returned a large amount of information They then contacted Jack, requesting that he be more specific regarding what information he required, so that they could carry out a targeted search Jack responded by stating that he would not narrow the scope of the information requester.

What would be the most appropriate response to Jacks data subject access request?

Options:

A.

The company should not provide any information, as the company is headquartered outside of the EU.

B.

The company should decline to provide any information, as the amount of information requested is too excessive to provide in one month.

C.

The company should cite the need for an extension, and agree to provide the information requested in Jack's original DSAR within a period of 3 months.

D.

The company should provide all requested information except for the emails, as they are excluded from data access request requirements under the GDPR.

Question 74

SCENARIO

Please use the following to answer the next question:

Zandelay Fashion (‘Zandelay’) is a successful international online clothing retailer that employs approximately 650 people at its headquarters based in Dublin, Ireland. Martin is their recently appointed data protection officer, who oversees the company’s compliance with the General Data Protection Regulation (GDPR) and other privacy legislation.

The company offers both male and female clothing lines across all age demographics, including children. In doing so, the company processes large amounts of information about such customers, including preferences and sensitive financial information such as credit card and bank account numbers.

In an aggressive bid to build revenue growth, Jerry, the CEO, tells Martin that the company is launching a new mobile app and loyalty scheme that puts significant emphasis on profiling the company’s customers by analyzing their purchases. Martin tells the CEO that: (a) the potential risks of such activities means that Zandelay needs to carry out a data protection impact assessment to assess this new venture and its privacy implications; and (b) where the results of this assessment indicate a high risk in the absence of appropriate protection measures, Zandelay may have to undertake a prior consultation with the Irish Data Protection Commissioner before implementing the app and loyalty scheme.

Jerry tells Martin that he is not happy about the prospect of having to directly engage with a supervisory authority and having to disclose details of Zandelay’s business plan and associated processing activities.

What would MOST effectively assist Zandelay in conducting their data protection impact assessment?

Options:

A.

Information about DPIAs found in Articles 38 through 40 of the GDPR.

B.

Data breach documentation that data controllers are required to maintain.

C.

Existing DPIA guides published by local supervisory authorities.

D.

Records of processing activities that data controllers are required to maintain.

Page: 1 / 19
Total 268 questions