IAPP EXAM QUESTIONS - NO ANSWER
Dec 17th, 2018

IAPP/CIPP-E exam

What term best describes the European model for data protection?

A. Sectoral.
B. Self-regulatory.
C. Market-based.
D. Comprehensive.

Which statement is correct when considering the right to privacy under Article 8 of the European Convention on Human Rights (ECHR)?

A. The right to privacy is an absolute right.
B. The right to privacy has to be balanced against other rights under the ECHR.
C. The right to freedom of expression under Article 10 of the ECHR will always override the right to privacy.
D. The right to privacy protects the right to hold opinions and to receive and impart ideas without interference.

What was the aim of the European Data Protection Directive 95/46/EC?
A. To harmonise the implementation of the European Convention on Human Rights across all member states.
B. To implement the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
C. To completely prevent the transfer of personal data out of the European Union.
D. To further reconcile the protection of the fundamental rights of individuals with the free flow of data from one member state to another.

Which EU institution is vested with the competence to propose new data protection legislation on its own initiative?
A. The European Council.
B. The European Parliament.
C. The European Commission.
D. The Council of the European Union.

Which change was introduced by the 2009 amendments to the e-Privacy Directive 2002/58/EC?

A. A voluntary notification for personal data breaches applicable to electronic communication providers.
B. A mandatory notification for personal data breaches applicable to electronic communication providers.
C. A voluntary notification for personal data breaches applicable to all data controllers.
D. A mandatory notification for personal data breaches applicable to all data controllers.

Which institution has the power to adopt findings that confirm the adequacy of the data protection level in a non-EU country?
A. The European Parliament.
B. The European Commission.
C. The Article 29 Working Party.
D. The European Council.

What is true of both the General Data Protection Regulation (GDPR) and the Council of Europe Convention 108?
A. Both govern international transfers of personal data.
B. Both govern the manual processing of personal data.
C. Both only apply to European Union countries.
D. Both require notification of processing activities to a supervisory authority.

What is a reason the European Court of Justice declared the Data Retention Directive invalid in 2014?
A. The requirements affected individuals without exception.
B. The requirements were financially burdensome to EU businesses.
C. The requirements specified that data must be held within the EU.
D. The requirements had limitations on how national authorities could use data.

What type of data lies beyond the scope of the General Data Protection Regulation?
A. Pseudonymised.
B. Anonymised.
C. Encrypted.
D. Masked.

Which type of personal data does the GDPR define as a "special category" of personal data?
A. Educational history.
B. Trade-union membership.
C. Closed Circuit Television (CCTV) footage.
D. Financial information.

SCENARIO. Please use the following to answer the next question:

Anna and Frank both work at Granchester University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department.

The University maintains a number of types of records:

Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information.

Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files).

Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees. These records are available to former students after registering through Granchester's Alumni portal.

Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers.

Under their security policy, the University encrypts all of its personal data records in transit and at rest.

In order to improve his teaching, Frank wants to investigate how his engineering students perform in relation to Department for Education expectations. He has attended one of Anna's data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first time university attended. He wants to keep the records at the individual student level. Mindful of Anna's training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion, so that he can update each record over time.

One of Anna's tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, Frank informs Anna about his performance database.

Anna explains to Frank that, as well as minimising personal data, the University has to check that this new use of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has done some additional research.

Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time.

Which of the University's records does Anna NOT have to include in her record of processing activities?

A. Student records.
B. Staff and alumni records.
C. Frank's performance database.
D. Department for Education records.

Before Anna determines whether Frank's performance database is permissible, what additional information does she need?

A. More information about Frank's data protection training.
B. More information about the extent of the information loss.
C. More information about the algorithm Frank used to mask student numbers.
D. More information about what students have been told and how the research will be used.

Anna will find that a risk analysis is NOT necessary in this situation as long as?
A. The data subjects are no longer current students of Frank's.
B. The processing will not negatively affect the rights of the data subjects.
C. The algorithms that Frank uses for the processing are technologically sound.
D. The data subjects gave their unambiguous consent for the original processing.

Assuming that Anna considers the loss of Frank's laptop to be a "high risk" situation, what advice should she give the University?
A. The incident must be reported to the data protection authority and most likely to individuals.
B. The incident must be reported to individuals, but most likely not to the data protection authority.
C. The incident must be reported to the data protection authority, but not to individuals.
D. The incident does not have to be reported under the GDPR.

What must a data controller do in order to make personal data pseudonymous?
A. Separately hold any information that would allow linking the data to the data subject.
B. Encrypt the data in order to prevent any unauthorized access or modification.
C. Remove all indirect data identifiers and dispose of them securely.
D. Use the data only in aggregated form for research purposes.

What is the consequence if a processor makes an independent decision regarding the purposes and means of processing it carries out on behalf of a controller?

A. The controller will be liable to pay an administrative fine.
B. The processor will be liable to pay compensation to affected data subjects.
C. The processor will be considered to be a controller in respect of the processing concerned.
D. The controller will be required to demonstrate that the unauthorized processing negatively affected one or more of the parties involved.

According to the E-Commerce Directive 2000/31/EC, where is the place of "establishment" for a company providing services via an Internet website, as confirmed by the GDPR?

A. Where the technology supporting the website is located.
B. Where the website is accessed.
C. Where the decisions about processing are made.
D. Where the customer's Internet service provider is located.

Which of the following entities would most likely be exempt from complying with the GDPR?
A. A South American company that regularly collects European customers' personal data.
B. A company that stores all customer data in Australia and is headquartered in a European Union (EU) member state.
C. A Chinese company that has opened a satellite office in a European Union (EU) member state to service European customers.
D. A North American company servicing customers in South Africa that uses a cloud storage system made by a European company.

Which of the following scenarios best describes a situation where the GDPR would be applicable?
A. If an American citizen residing in the EU places an order online on a U.S. website, the GDPR would be applicable since the customer is residing in the EU.
B. A company based in Turkey selling products (with a ".com" domain name and with payment made possible in Turkish Lira or US Dollars) would have to comply with the GDPR since European customers may make a purchase on the website.
*C. If an EU citizen travels to the US and subscribes to a local service while staying in the US, the US service provider would have to comply with the GDPR because the customer is an EU citizen.
*D. If an EU citizen makes a hotel reservation in Thailand and enrolls in the hotel's loyalty program (which includes regular mailings featuring the hotel's reward program and promotion of partner services), the GDPR would be applicable because the customer is an EU citizen.

The Article 29 Working Party has emphasized that the GDPR forbids "forum shopping," which occurs when companies do what?
A. Choose the data protection officer that is most sympathetic to their business concerns.
B. Designate their main establishment in the member state with the most flexible practices.
C. File appeals of infringement judgments with more than one EU institution simultaneously.
D. Select third-party processors on the basis of cost rather than quality of privacy protection.

With the issue of consent, the GDPR allows member states some choice regarding what?
A. The mechanisms through which consent may be communicated.
B. The circumstances in which silence or inactivity may constitute consent.
C. The age at which children must be required to obtain parental consent.
D. The timeframe in which data subjects are allowed to withdraw their consent.

Which sentence best summarizes the concepts of "fairness," "lawfulness" and "transparency," as expressly required by Article 5 of the GDPR?
A. Fairness and transparency refer to the communication of key information before collecting data; lawfulness refers to compliance with government regulations.
B. Fairness refers to limiting the amount of data collected from individuals; lawfulness refers to the approval of company guidelines by the state; transparency solely relates to communication of key information before collecting data.
C. Fairness refers to the security of personal data; lawfulness and transparency refer to the analysis of ordinances to ensure they are uniformly enforced.
D. Fairness refers to the collection of data from diverse subjects; lawfulness refers to the need for legal rules to be uniform; transparency refers to giving individuals access to their data.

Article 5(1)(b) of the GDPR states that personal data must be "collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes." Based on Article 5(1)(b), what is the impact of a member state's interpretation of the word "incompatible"?

A. It dictates the level of security a processor must follow when using and storing personal data for two different purposes.
B. It guides the courts on the severity of the consequences for those who are convicted of the intentional misuse of personal data.
C. It sets the standard for the level of detail a controller must record when documenting the purpose for collecting personal data.
D. It indicates the degree of flexibility a controller has in using personal data in ways that may vary from its original intended purpose.

SCENARIO. Please use the following to answer the next question:

The fitness company Vigotron has recently developed a new app called M-Health, which it wants to market on its website as a free download. Vigotron's marketing manager asks his assistant Emily to create a webpage that describes the app and specifies the terms of use. Emily, who is new at Vigotron, is excited about this task. At her previous job she took a data protection class, and though the details are a little hazy, she recognizes that Vigotron is going to need to obtain user consent for use of the app in some cases. Emily sketches out the following draft, trying to cover as much as possible before sending it to Vigotron's legal department.

Registration Form
Vigotron's new M-Health app makes it easy for you to monitor a variety of health-related activities, including diet, exercise, and sleep patterns. M-Health relies on your smartphone settings (along with other third-party apps you may already have) to collect data about all of these important lifestyle elements, and provide the information necessary for you to enrich your quality of life. (Please click here to read a full description of the services that M-Health provides.)

Vigotron values your privacy. The M-Health app allows you to decide which information is stored in it, and which apps can access your data. When your device is locked with a passcode, all of your health and fitness data is encrypted with your passcode. You can back up data stored in the Health app to Vigotron's cloud provider, Stratculous. (Read more about Stratculous here.)

We will not sell, rent or share personal information gathered from the M-Health app. Furthermore, we will not provide a customer's name, email address or any other information gathered from the app to any third party without a customer's consent, unless ordered by a court, directed by a subpoena, or to enforce the manufacturer's legal rights, or protect its business or property.

We are happy to offer the M-Health app free of charge. If you want to download and use it, we ask that you first complete this registration form. (Please note that use of the M-Health app is restricted to adults aged 16 or older, unless parental consent has been given to minors intending to use it.)

First name:   Surname:
Year of birth:
Email:
Physical Address (optional*):
Health status:

*If you are interested in receiving newsletters about our products and services that we think may be of interest to you, please include your physical address. If you decide later that you do not wish to receive these newsletters, you can unsubscribe by sending an email to unsubscribe@vigotron.com or send a letter with your request to the address listed at the bottom of this page.
Terms and Conditions

(1) Jurisdiction. […]
(2) Applicable law. […]
(3) Limitation of liability. […]

Consent

By completing this registration form, you attest that you are at least 16 years of age, and that you consent to the processing of your personal data by Vigotron for the purpose of using the M-Health app. Although you are entitled to opt out of any advertising or marketing, you agree that Vigotron may contact you or provide you with any required notices, agreements, or other information concerning the services by email or other electronic means. You also agree that the Company may send automated emails with alerts regarding any problems with the M-Health app that may affect your well-being.
Emily sends the draft to Sam for review.

Which of the following is Sam most likely to point out as the biggest problem with Emily's consent provision?
A. It is not legal to include fields requiring information regarding health status without consent.
B. Processing health data requires explicit consent, but the form does not ask for explicit consent.
C. Direct marketing requires explicit consent, whereas the registration form only provides for a right to object.
D. The provision of the fitness app should be made conditional on the consent to the data processing for direct marketing.

If a user of the M-Health app were to decide to withdraw his consent, Vigotron would first be required to?

A. Provide the user with logs of data collected through use of the app.
B. Erase any data collected from the time the app was first used.
C. Cease processing any data collected through use of the app.
D. Inform any third parties of the user's withdrawal of consent.

In which situation would a data controller most likely be able to justify the processing of the data of a child without parental consent?
A. When the data is to be processed for market research.
B. When providing preventive or counselling services to the child.
C. When providing the child with materials purely for educational use.
D. When a legitimate business interest makes obtaining consent impractical.

When does the GDPR provide more latitude for a company to process data beyond its original collection purpose?
A. When the data has been pseudonymised.
B. When the data is protected by technological safeguards.
C. When the data serves the legitimate interest of third parties.
D. When the data subject has failed to use a provided opt-out mechanism.

When collecting personal data in a European Union (EU) member state, what must a company do if it collects personal data from a source other than the data subjects themselves?

A. Inform the subjects about the collection.
B. Provide a public notice regarding the data.
C. Upgrade security to match that of the source.
D. Update the data within a reasonable timeframe.

In its 2016 guidance, the United Kingdom's Information Commissioner's Office (ICO) reaffirmed the importance of using a "layered notice" to provide data subjects with what?
A. A privacy notice containing brief information whilst offering access to further detail.
B. A privacy notice explaining the consequences for opting out of the use of cookies on a website.
C. An explanation of the security measures used when personal data is transferred to a third party.
D. An efficient means of providing written consent in member states where they are required to do so.

SCENARIO
Please use the following to answer the next question:

Jason, a long-time customer of ABC Insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Jason has been plagued by texts and calls from a company called Erbium Insurance offering to help him recover compensation for personal injury. Jason has heard about insurance companies selling customers' details to third parties, and he's convinced that Erbium must have gotten his details from ABC.
Jason has also been receiving an increased amount of marketing information from ABC, trying to sell him their full range of insurance policies.

Perturbed by this, Jason has started looking at price comparison sites on the internet and has been shocked to find that other insurers offer much cheaper rates than ABC, even though he has been a loyal customer for many years. When his ABC policy comes up for renewal, he decides to switch to Xentron Insurance.

In order to activate his new insurance policy, Jason needs to supply Xentron with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask ABC to transfer his information directly to Xentron. He also takes this opportunity to ask ABC to stop using his personal data for marketing purposes.

ABC supplies Jason with PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Jason it cannot transfer his data directly to Xentron as this is not technically feasible. ABC also explains that Jason's contract included a provision whereby Jason agreed that his data could be used for marketing purposes; according to ABC, it is too late for Jason to change his mind about this. It angers Jason when he recalls the wording of the contract, which was filled with legal jargon and very confusing.

In the meantime, Jason is still receiving unwanted calls from Erbium Insurance. He writes to Erbium to ask for the name of the organisation that supplied his details to them. He warns Erbium that he plans to complain to the data protection authority because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way.

Erbium's response letter confirms Jason's suspicions. Erbium is ABC's wholly owned subsidiary, and they received information about Jason's accident from ABC shortly after Jason submitted his accident claim. Erbium assures Jason that there has been no breach of the GDPR, as Jason's contract included a provision in which he agreed to share his information with ABC's affiliates for business purposes.

Jason is disgusted by the way in which he has been treated by ABC, and writes to them insisting that all his information be erased from their computer system.

Based on the GDPR's position on the use of personal data for direct marketing purposes, which of the following is true about Jason's rights as a data subject?

A. Jason does not have the right to object to the use of his data because he previously consented to it.
B. Jason has the right to object at any time to the use of his data and ABC must honour his request to cease use.
C. Jason has the right to object to the use of his data, unless his data is required by ABC for the purpose of exercising a legal claim.
D. Jason does not have the right to object to the use of his data if ABC can demonstrate compelling legitimate grounds for the processing.

Which statement accurately summarizes ABC's obligation in regard to Jason's data portability request?

A. ABC does not have a duty to transfer Jason's data to Xentron if doing so is legitimately not technically feasible.
B. ABC does not have to transfer Jason's data to Xentron because the right to data portability does not apply where personal data are processed in order to carry out tasks in the public interest.
C. ABC has failed to comply with the duty to transfer Jason's data to Xentron because the duty applies wherever personal data are processed by automated means and necessary for the performance of a contract with the customer.
D. ABC has failed to comply with the duty to transfer Jason's data to Xentron because it has an obligation to develop commonly used, machine-readable and interoperable formats so that all customer data can be ported to other insurers on request.

After Jason has exercised his right to restrict the use of his data, under what conditions would Erbium have grounds for refusing to comply?
A. If Erbium is entitled to use of the data as an affiliate of ABC.
B. If Erbium also uses the data to conduct public health research.
C. If the data becomes necessary to defend Erbium's legal rights.
D. If the accuracy of the data is not an aspect that Jason is disputing.

The GDPR requires controllers to supply data subjects with detailed information about the processing of their data.
Where a controller obtains data directly from data subjects, which of the following items of information does NOT legally have to be supplied?

A. The recipients or categories of recipients.
B. The categories of personal data concerned.
C. The rights of access, erasure, restriction, and portability.
D. The right to lodge a complaint with a supervisory authority.

When would a data subject NOT be able to exercise the right to portability?
A. When the processing is necessary to perform a task in the exercise of authority vested in the controller.
B. When the processing is carried out pursuant to a contract with the data subject.
C. When the data was supplied to the controller by the data subject.
D. When the processing is based on consent.

Assuming that the "without undue delay" provision is followed, what is the time limit for complying with a data access request?
A. Within 40 days of receipt.
B. Within 40 days of receipt, which may be extended by up to 40 additional days.
C. Within one month of receipt, which may be extended by up to an additional month.
D. Within one month of receipt, which may be extended by an additional two months.

Which of the following would NOT be relevant when determining if a processing activity would be considered profiling?
A. If the processing is to be performed by a third-party vendor.
B. If the processing involves data that is considered personal data.
C. If the processing of the data is done through automated means.
D. If the processing is used to predict the behaviour of data subjects.

  327. SCENARIO of Please use the following to answer the next question:
  328.  
  329. Brady is a computer programmer based in the United States who has been running his own business for two years. Brady's business provides a low-cost suite of services to customers throughout the European Economic Area (EEA). The services are targeted towards new and aspiring small business owners. Brady's company, called Brady Box, provides web page design services, a Social Networking Service (SNS) and consulting services that help people manage their own online stores.
  330.  
  331. Unfortunately, Brady has been receiving some complaints. A customer named Anna recently uploaded her plans for a new product onto Brady Box's chat area, which is open to public viewing. Although she realised her mistake two weeks later and removed the document, Anna is holding Brady Box responsible for not noticing the error through regular monitoring of the website. Brady believes he should not be held liable.
  332. Another customer, Felipe, was alarmed to discover that his personal information was transferred to a third-party American contractor called Hermes Designs and worries that sensitive information regarding his business plans may be misused. Brady does not believe he violated European privacy rules.
  333.  
  334. He provides a privacy notice to all of his customers explicitly stating that personal data may be transferred to specific third parties in fulfilment of a requested service. Felipe says he read the privacy notice but that it was long and complicated.
  335.  
  336. Brady continues to insist that Felipe has no need to be concerned. Brady's company has self-certified under the EU-U.S. Privacy Shield, and he can personally vouch for the integrity of Hermes Designs. In fact, Hermes Designs has taken the initiative to create sample customised banner advertisements for customers like Felipe. Brady is happy to provide a link to the example banner ads, now posted on the Hermes Designs webpage. Hermes Designs plans on following up with direct marketing to these customers.
  337.  
  338. Brady was surprised when another customer, Serge, expressed his dismay that a quotation by him is being used within a graphic collage on Brady Box's home webpage. The quotation is attributed to Serge by first and last name. Brady, however, was not worried about any sort of litigation. He wrote back to Serge to let him know that he found the quotation within Brady Box's Social Networking Service (SNS), as Serge himself had posted the quotation. In his response, Brady did offer to remove the quotation as a courtesy.
  339.  
  340. Despite some customer complaints, Brady's business is flourishing. He even supplements his income through online behavioural advertising (OBA) via a third-party ad network-with whom he has set clearly defined roles. Brady is pleased that, although some customers are not explicitly aware of the OBA, the advertisements contain useful products and services.
  341.  
  342. Based on the scenario, what step did Brady most likely neglect before transferring customers' personal data to Hermes Designs?
  343.  
  344. A. Ensuring that Hermes has its data-handling practice independently certified.
  345. B. Ensuring protection of the data under EU privacy principles.
  346. C. Presenting a way for customers to opt out of the data transfer.
  347. D. Providing notice to customers before any data transfer.
  348.  
  349. Why will Brady Box most likely NOT be held liable for the publication of Anna's document?
  350.  
  351. A. Because of the multiple entities.
  352. B. Because of who processed the data.
  353. C. Because of the nature of we data.
  354. D. Because of the nature of the company.
  355.  
  356.  
  357. Based on current trends in European privacy practices, which aspect of Brady Box's Online Behavioural Advertising is most likely to be insufficient if the company becomes established in Europe?
  358.  
  359. A. The lack of the option to opt in.
  360. B. The level of security within the website.
  361. C. The contract with the third-party advertising network.
  362. D. The need to have the contents of the advertising approved.
  363.  
  364.  
  365. Under the General Data Protection Regulation (GDPR), what is the most likely reason Serge may have grounds to object to the use of his quotation?
  366. A. Because of the misrepresentation of personal data as an endorsement.
  367. B. Because of the juxtaposition of the quotation with others' quotations.
  368. C. Because of the use of personal data outside of the social networking service (SNS).
  369. D. Because of the misapplication of the household exception in relation to a social networking service (SNS).
  370.  
  371.  
  372. Company X has entrusted the processing of their payroll data to Provider Y. Provider Y stores this encrypted data on its server. The IT department of Provider Y finds out that someone managed to hack into the system and take a copy of the data from its server.
  373.  
  374. In this scenario, whom does Provider Y have the obligation to notify?
  375. A. The public.
  376. B. Company X.
  377. C. Law enforcement.
  378. D. The supervisory authority.
  379.  
  380.  
  381. What are the obligations of a processor that engages a sub-processor?
  382. A. The processor must give the controller prior written notice and perform a preliminary audit of the sub-processor.
  383. B. The processor must obtain the controller's specific written authorization and provide annual reports on the sub-processor's performance.
  384. C. The processor must receive a written agreement that the sub-processor will be fully liable to the controller for the performance of its obligations in relation to the personal data concerned.
  385. D. The processor must obtain the consent of the controller and ensure the sub-processor complies with data processing obligations that are equivalent to those that apply to the processor.
  386.  
  387.  
  388. What must be included in a written agreement between the controller and processor in relation to processing conducted on the controller's behalf?
  389. A. An obligation on the processor to report any personal data breach to the controller within 72 hours.
  390. B. An obligation on both parties to report any serious personal data breach to the supervisory authority.
  391. C. An obligation on both parties to agree to a termination of the agreement if the other party is responsible for a personal data breach.
  392. D. An obligation on the processor to assist the controller in complying with the controller's obligations to notify the supervisory authority about personal data breaches.
  393.  
  394.  
  395. In the event of a data breach, which type of information are data controllers NOT required to provide to either the supervisory authorities or the data subjects?
  396. A. The predicted consequences of the breach.
  397. B. The measures being taken to address the breach.
  398. C. The type of security safeguards used to protect the data.
  399. D. The contact details of the appropriate data protection officer.
  400.  
  401.  
  402. When hiring a data processor, which action would a data controller NOT be able to depend upon to avoid liability in the event of a security breach?
  403. A. Documenting due diligence steps taken in the pre-contractual stage.
  404. B. Conducting a risk assessment to analyze possible outsourcing threats.
  405. C. Requiring that the processor directly notify the appropriate supervisory authority.
  406. D. Maintaining evidence that the processor was the best possible market choice available.
  407.  
  408.  
  409. SCENARIO
  410. Please use the following to answer the next question:
  411.  
  412. Outliers Inc. is a travel service company which has lost substantial revenue over the last few years. Their new manager, Jonathan, suspects that this is partly due to the company's outdated website. After doing some research, he meets with a sales representative from the up-and-coming IT company ZenFiTech, hoping that they can design a new, cutting-edge website for Outliers Inc.'s foundering business.
  413. During negotiations, a ZenFiTech representative describes a plan for gathering more customer information through detailed questionnaires, which could be used to tailor their preferences to specific travel destinations. Outliers Inc. can choose any number of data categories (age, income, ethnicity) that would help them best accomplish their goals. Jonathan loves this idea, but would also like to have some way of gauging how successful this approach is, especially since the questionnaires will require customers to provide explicit consent to having their data collected. The ZenFiTech representative suggests that they also run a program to analyze the new website's traffic, in order to get a better understanding of how customers are using it. He explains his plan to place a number of cookies on customer devices. The cookies will allow the company to collect IP addresses and other information, such as the sites from which the customers came, how much time they spend on the Outliers Inc. website, and which pages on the site they visit. All of this information will be compiled in log files, which ZenFiTech will analyze by means of a special program. Outliers Inc. would receive aggregate statistics to help them evaluate the website's effectiveness. Jonathan enthusiastically engages ZenFiTech for these services.
  414.  
  415. ZenFiTech assigns the analytics portion of the project to longtime account manager Martin Smith. As is standard practice, Martin is given administrator rights to Outliers Inc.'s website, and can authorize access to the log files gathered from it. Unfortunately for Outliers Inc., however, Martin is taking on this new project at a time when his dissatisfaction with ZenFiTech is at a high point. In order to take revenge for what he feels has been unfair treatment at the hands of the company, Martin asks his friend Fred, a hobby hacker, for help. Together they come up with the following plan: Fred will hack into ZenFiTech's system and copy their log files onto a USB stick. Despite his initial intention to send the USB to the press and to the data protection authority in order to denounce ZenFiTech, Martin experiences a crisis of conscience and ends up reconsidering his plan. He decides instead to securely wipe all the data from the USB stick and inform his manager that the company's system of access control must be reconsidered.
  416.  
  417. After Martin has informed his manager, what is ZenFiTech's legal responsibility as a processor?
  418. A. They must report it to Outliers, Inc.
  419. B. They must conduct a full systems audit.
  420. C. They must report it to the supervisory authority.
  421. D. They must inform customers who have used the website.
  422.  
  423. If Outliers Inc. decides not to report the incident to the supervisory authority, what would be their best defense?
  424. A. The resulting obligation to notify data subjects would involve disproportionate effort.
  425. B. The incident resulted from the actions of a third party that were beyond their control.
  426. C. The destruction of the stolen data makes any risk to the affected data subjects unlikely.
  427. D. The sensitivity of the categories of data involved in the incident was not substantial enough.
  428.  
  429.  
  430.  
  431. "Guidelines on Personal data breach notification under Regulation 2016/679" provides examples of ways to communicate data breaches transparently. Which of the following was listed as a method that would NOT be effective for communicating a breach to data subjects?
  432.  
  433. A. A postal notification.
  434. B. A direct electronic message.
  435. C. A notice on a corporate blog.
  436. D. A prominent advertisement in print media.
  437.  
  438. According to the GDPR, what is the main task of a Data Protection Officer (DPO)?
  439. A. To create and maintain records of processing activities.
  440. B. To conduct Privacy Impact Assessments on behalf of the controller or processor.
  441. C. To monitor compliance with other local or European data protection provisions.
  442. D. To create procedures for notification of personal data breaches to competent supervisory authorities.
  443.  
  444.  
  445. Which of the following would require designating a data protection officer?
  446. A. Processing is carried out by an organisation employing 250 persons or more.
  447. B. Processing is carried out for the purpose of providing for-profit goods or services to individuals in the EU.
  448. C. The core activities of the controller or processor consist of processing operations of financial information or information relating to children.
  449. D. The core activities of the controller or processor consist of processing operations that require systematic monitoring of data subjects on a large scale.
  450.  
  451.  
  452. Which of the following describes a mandatory requirement for a group of undertakings that wants to appoint a single data protection officer?
  453. A. The group of undertakings must obtain approval from a supervisory authority.
  454. B. The group of undertakings must be comprised of organisations of similar sizes and functions.
  455. C. The data protection officer must be located in the country where the data controller has its main establishment.
  456. D. The data protection officer must be easily accessible from each establishment where the undertakings are located.
  457.  
  458.  
  459. What obligation does a data controller or processor have after appointing a data protection officer?
  460. A. To ensure that the data protection officer receives sufficient instructions regarding the exercise of his or her defined tasks.
  461. B. To provide resources necessary to carry out the defined tasks of the data protection officer and to maintain his or her expert knowledge.
  462. C. To ensure that the data protection officer acts as the sole point of contact for individuals' questions about their personal data.
  463. D. To submit for approval to the data protection officer a code of conduct to govern organisational practices and demonstrate compliance with data protection principles.
  464.  
  465.  
  466. Which of the following does NOT have to be included in the records most processors must maintain in relation to their data processing activities?
  467. A. Name and contact details of each controller on behalf of which the processor is acting.
  468. B. Categories of processing carried out on behalf of each controller for which the processor is acting.
  469. C. Details of transfers of personal data to a third country carried out on behalf of each controller for which the processor is acting.
  470. D. Details of any data protection impact assessment conducted in relation to any processing activities carried out by the processor on behalf of each controller for which the processor is acting.
  471.  
  472. SCENARIO
  473. Please use the following to answer the next question:
  474.  
  475. Zandelay Fashion (Zandelay) is a successful international online clothing retailer that employs approximately 650 people at its headquarters based in Dublin, Ireland. Martin is their recently appointed Data Protection Officer who oversees the company's compliance with the General Data Protection Regulation (GDPR) and other privacy legislation.
  476.  
  477. The company offers both male and female clothing lines across all age demographics, including children. In doing so, the company processes large amounts of information about such customers, including customer preferences and sensitive financial information, such as credit card and bank account numbers.
  478.  
  479. In an aggressive bid to build revenue growth, Jerry (the CEO) tells Martin that the company is launching a new mobile app and loyalty scheme that puts significant emphasis on profiling the company's customers by analyzing their purchases. Martin tells the CEO that: (a) the potential risks of such activities mean that Zandelay needs to carry out a data protection impact assessment to assess this new venture and its privacy implications; and (b) where the results of this assessment indicate a high risk in the absence of appropriate protection measures, Zandelay may have to undertake a prior consultation with the Irish Data Protection Commissioner to ascertain any privacy risks before implementing the app and loyalty scheme.
  480. Jerry tells Martin that he is not happy about the prospect of having to directly engage with a supervisory authority and having to disclose details of Zandelay's business plan and associated processing activity.
  481.  
  482. Which of the following facts about Zandelay would trigger a data protection impact assessment under the GDPR?
  483.  
  484. A. The company will be undertaking processing activities involving sensitive data categories such as financial and children's data.
  485. B. The company employs approximately 650 people and will therefore be carrying out extensive processing activities.
  486. C. The company plans to undertake profiling of its customers through analysis of their purchasing patterns.
  487. D. The company intends to shift their business model to rely more heavily on online shopping.
  488.  
  489.  
  490. What would most effectively assist Zandelay in conducting their data protection impact assessment?
  491. A. Information about DPIAs found in Articles 38 through 40 of the GDPR.
  492. B. Data breach documentation that data controllers are required to maintain.
  493. C. Existing DPIA guides published by local supervisory authorities.
  494. D. Records of processing activities that data controllers are required to maintain.
  495.  
  496. In which of the following cases, cited as an example by a WP29 guidance, would conducting a single data protection impact assessment to address multiple processing operations be allowed?
  498.  
  499. A. A medical organization that wants to begin genetic testing to support earlier research for which they have performed a DPIA.
  500. B. A data controller who plans to use a new technology product that has already undergone a DPIA by the product’s provider.
  501. C. A marketing team that wants to collect mailing addresses of customers for whom they already have email addresses.
  502. D. A railway operator who plans to evaluate the video surveillance in all the train stations of his company.
  503.  
  504.  
  505. Which mechanism, new to the GDPR, now allows for the possibility of personal data transfers to third countries under Article 42?
  506. A. Approved certifications.
  507. B. Binding corporate rules.
  508. C. Law enforcement requests.
  509. D. Standard contractual clauses.
  510.  
  511. In addition to the European Commission, who can adopt standard contractual clauses, assuming that all required conditions are met?
  512. A. Approved data controllers.
  513. B. The Council of the European Union.
  514. C. National data protection authorities.
  515. D. The European Data Protection Supervisor.
  516.  
  517.  
  518. A company is located in a country not considered by the European Union (EU) to have an adequate level of data protection. Which of the following is an obligation of the company if it imports personal data from another organisation in the European Economic Area (EEA) under standard contractual clauses?
  519. A. Submit the contract to its own government authority.
  520. B. Ensure that notice is given to and consent is obtained from data subjects.
  521. C. Supply any information requested by a data protection authority (DPA) within 30 days.
  522. D. Ensure that local laws do not impede the company from meeting its contractual obligations.
  523.  
  524. Under the GDPR, which of the following is true in regard to adequacy decisions involving cross-border transfers?
  525. A. The European Commission can adopt an adequacy decision for individual companies.
  526. B. The European Commission can adopt, repeal or amend an existing adequacy decision.
  527. C. EU member states are vested with the power to accept or reject a European Commission adequacy decision.
  528. D. To be considered as adequate, third countries must implement the EU General Data Protection Regulation into their national legislation.
  529.  
  530.  
  531. Under Article 58 of the GDPR, which of the following describes a power of supervisory authorities in European Union (EU) member states?
  532. A. The ability to enact new laws by executive order.
  533. B. The right to access data for investigative purposes.
  534. C. The discretion to carry out goals of elected officials within the member state.
  535. D. The authority to select penalties when a controller is found guilty in a court of law.
  536.  
  537.  
  538. Which of the following is one of the supervisory authority's investigative powers?
  539. A. To notify the controller or the processor of an alleged infringement of the GDPR.
  540. B. To require that controllers or processors adopt approved data protection certification mechanisms.
  541. C. To determine whether a controller or processor has the right to a judicial remedy concerning a compensation decision made against them.
  542. D. To require data controllers to provide them with written notification of all new processing activities.
  543.  
  544.  
  545. Which area of privacy is a lead supervisory authority's (LSA) main concern?
  546. A. Enforcement actions.
  547. B. Data access disputes.
  548. C. Cross-border processing.
  549. D. Special categories of data.
  550.  
  551.  
  552. Which is NOT an obligation that companies have in regard to their lead supervisory authority (LSA)?
  553. A. Registering their data protection officers with the LSA.
  554. B. Informing the LSA about high-risk processing activities.
  555. C. Petitioning for main establishment status with the LSA.
  556. D. Notifying the LSA of breaches involving threats to personal data.
  557.  
  558. What is true if an employee makes an access request to his employer for any personal data held about him?
  559. A. The employer can automatically decline the request if it contains personal data about a third person.
  560. B. The employer can decline the request if the information is only held electronically.
  561. C. The employer must supply all the information held about the employee.
  562. D. The employer must supply any information held about an employee unless an exemption applies.
  563.  
  564.  
  565. A worker in a European Union (EU) member state has ceased his employment with a company. What should the employer most likely do in regard to the worker's personal data?
  566. A. Destroy sensitive information and store the rest per applicable data protection rules.
  567. B. Store all of the data in case the departing worker makes a subject access request.
  568. C. Securely store the data that is required to be kept under local law.
  569. D. Provide the employee the reasons for retaining the data.
  570.  
  571. Which of the following is NOT a capability of cookies that causes privacy concerns?
  572. A. They can help form a profile of browsing habits from a user's computer.
  573. B. They can be used to direct targeted advertising to website visitors.
  574. C. They can store information long after a user has exited a website.
  575. D. They can track users across different mobile applications.
  576.  
  577.  
  578. SCENARIO Please use the following to answer the next question:
  579.  
  580. WonderKids provides an online booking service for childcare. Wonderkids is based in France, but hosts its website through a company in the U.S. As part of their service, Wonderkids will pass all personal data provided to them to the childcare provider booked through their system. The type of personal data collected on the website includes the name of the person booking the childcare, address and contact details, as well as information about the children to be cared for including name, age, gender and health information. The privacy statement on Wonderkids' website states:
  582.  
  583. “Wonderkids provides the information you disclose to us through this website to your childcare provider for scheduling and health and safety reasons. We may also use your and your child's personal information for our own legitimate business purposes and we employ a third-party website hosting company located in the United States to store the data. Any data stored on equipment located in the United States meets the European Commission provisions for guaranteeing adequate safeguards for your and your child's personal information. We will only share your and your child's personal information with businesses that we see as adding real value to you.
  584.  
  585. By providing us with any personal data, you consent to its transfer to affiliated businesses and to send you promotional offers.
  586. We retain your and your child's personal information for no more than 28 days, at which point the data will be depersonalised, unless your personal information is being used for a legitimate business purpose beyond 28 days, where it may be retained for up to 2 years.
  587.  
  588.  
  589. We are processing your and your child's personal information with your consent. If you choose not to provide certain information to us, you may not be able to use our services. You have the right to request access to your and your child's personal information; to rectify or erase your or your child's personal information; the right to correction or erasure of your and/or your child's personal information; and to object to any processing of your and your child's personal information. You also have the right to complain to the supervisory authority about our data processing activities.”
  590.  
  591. What additional information must Wonderkids provide in their Privacy Statement?
  592.  
  593. A. How often promotional emails will be sent.
  594. B. Contact information of the hosting company.
  595. C. Technical and organisational measures to protect data.
  596. D. The categories of recipients with whom data will be shared.
  597.  
  598. Why is it advisable to avoid consent as a legal basis for an employer to process employee data?
  599.  
  600. A. Employee data can only be processed if there is an approval from the data protection officer.
  601. B. Consent may not be valid if the employee feels compelled to provide it.
  602. C. An employer might have difficulty obtaining consent from every employee.
  603. D. Data protection laws do not apply to processing of employee data.
  604.  
  605. A company in France suffers a robbery over the weekend owing to a faulty alarm system. When it is determined that the break-in involves the loss of a substantial amount of data, the company decides on a CCTV system to monitor for future incidents. Company technicians install cameras in the entrance of the building, hallways and offices.
  606.  
  607. Footage is recorded continuously, and is monitored by the home office in the United States.
  608.  
  609. What is the most realistic step the company could take to address their security concerns and comply with the personal data processing principles set out in Article 5 of the GDPR?
  610.  
  611. A. Seek informed consent from company employees.
  612. B. Have cameras recording during work hours only.
  613. C. Retain captured footage for no more than 30 days.
  614. D. Restrict camera placement to building entrances only.
  615.  
  616. Article 9 of the GDPR lists exceptions to the general prohibition against processing biometric data. Which of the following is NOT one of these exceptions?
  617.  
  618. A. The processing is done by a non-profit organisation and the results are disclosed outside the organisation.
  619. B. The processing is necessary to protect the vital interests of the data subject when he or she is incapable of giving consent.
  C. The processing is necessary for the establishment, exercise or defense of legal claims when courts are acting in a judicial capacity.
  620. D. The processing is explicitly consented to by the data subject and he or she is allowed by Union or Member State law to lift the prohibition.
  621.  
  622. What permissions are required for a marketer to send an email marketing message to a consumer in the EU?
  623. A. A prior opt-in consent for consumers unless they are already customers.
  624. B. A pre-checked box stating that the consumer agrees to receive email marketing.
  625. C. A notice that the consumer's email address will be used for marketing purposes.
  626. D. No prior permission required, but an opt-out requirement on all emails sent to consumers.
  627.  
  628. What should a controller do after a data subject opts out of a direct marketing activity?
  629.  
  630. A. Without exception, securely delete all personal data relating to the data subject.
  631. B. Without undue delay, provide information to the data subject on the action that will be taken.
  632. C. Refrain from processing personal data relating to the data subject for the relevant type of communication.
  633. D. Take reasonable steps to inform third-party recipients that the data subject's personal data should be deleted and no longer processed.
  634.  
  635.  
  636. In which of the following cases would an organisation most likely be required to follow both ePrivacy and data protection rules?
  637. A. When creating an untargeted pop-up ad on a website.
  638. B. When calling a potential customer to notify her of an upcoming product sale.
  639. C. When emailing a customer to announce that his recent order should arrive earlier than expected.
  640. D. When paying a search engine company to give prominence to certain products and services within specific