Special Summer Sale Limited Time Flat 70% Discount offer - Ends in 0d 00h 00m 00s - Coupon code: 70spcl

IAPP CIPP-E Certified Information Privacy Professional/Europe (CIPP/E) Exam Practice Test

Page: 1 / 30
Total 295 questions

Certified Information Privacy Professional/Europe (CIPP/E) Questions and Answers

Question 1

SCENARIO

Please use the following to answer the next question:

Gentle Hedgehog Inc. is a privately owned website design agency incorporated in

Italy. The company has numerous remote workers in different EU countries. Recently,

the management of Gentle Hedgehog noticed a decrease in productivity of their sales

team, especially among remote workers. As a result, the company plans to implement

a robust but privacy-friendly remote surveillance system to prevent absenteeism,

reward top performers, and ensure the best quality of customer service when sales

people are interacting with customers.

Gentle Hedgehog eventually hires Sauron Eye Inc., a Chinese vendor of employee

surveillance software whose European headquarters is in Germany. Sauron Eye's

software provides powerful remote-monitoring capabilities, including 24/7 access to

computer cameras and microphones, screen captures, emails, website history, and

keystrokes. Any device can be remotely monitored from a central server that is

securely installed at Gentle Hedgehog headquarters. The monitoring is invisible by

default; however, a so-called Transparent Mode, which regularly and conspicuously

notifies all users about the monitoring and its precise scope, also exists. Additionally,

the monitored employees are required to use a built-in verification technology

involving facial recognition each time they log in.

All monitoring data, including the facial recognition data, is securely stored in Microsoft Azure cloud servers operated by Sauron Eye, which are physically located in France.

What monitoring may be lawfully performed within the scope of Gentle Hedgehog's

business?

Options:

A.

Everything offered by Sauron Eye's software with the exception of camera and microphone monitoring.

B.

Everything offered by Sauron Eye's software, assuming employees provide daily consent to the monitoring.

C.

Only video calls conducted during business hours and emails that do not contain a "private" or "personal" tag.

D.

Only emails, website browsing history and camera for internal video calls that are expressly marked as monitored.

Question 2

The European Parliament jointly exercises legislative and budgetary functions with which of the following?

Options:

A.

The European Commission.

B.

The Article 29 Working Party.

C.

The Council of the European Union.

D.

The European Data Protection Board.

Question 3

Which of the following is one of the supervisory authority’s investigative powers?

Options:

A.

To notify the controller or the processor of an alleged infringement of the GDPR.

B.

To require that controllers or processors adopt approved data protection certification mechanisms.

C.

To determine whether a controller or processor has the right to a judicial remedy concerning a compensation decision made against them.

D.

To require data controllers to provide them with written notification of all new processing activities.

Question 4

What type of data lies beyond the scope of the General Data Protection Regulation?

Options:

A.

Pseudonymized

B.

Anonymized

C.

Encrypted

D.

Masked

Question 5

As a result of the European Court of Justice’s ruling in the case of Google v. Spain, search engines outside the EEA are also likely to be subject to the Regulation’s right to be forgotten. This holds true if the activities of an EU subsidiary and its U.S. parent are what?

Options:

A.

Supervised by the same Data Protection Officer.

B.

Consistent with Privacy Shield requirements

C.

Bound by a standard contractual clause.

D.

Inextricably linked in their businesses.

Question 6

SCENARIO

Please use the following to answer the next question:

Jane Stan's her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a dedicated data center located in Malta (EU).

People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a KYC due diligence procedure aimed at preventing money laundering and ensuring compliance with applicable financial regulations.

The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and belong a checkbox on a separate page in order to get their account approved on the platform.

The customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a

Are the cybersecurity assessors required to sign a data processing agreement with the company in order to comply with the GDPR''

Options:

A.

No, the assessors do not quality as data processors as they only have access to encrypted data.

B.

No. the assessors do not quality as data processors as they do not copy the data to their facilities.

C.

Yes. the assessors a-e considered to be joint data controllers and must sign a mutual data processing agreement.

D.

Yes, the assessors are data processors and their processing of personal data must be governed by a separate contract or other legal act.

Question 7

What is the most frequently used mechanism for legitimizing cross-border data transfer?

Options:

A.

Standard Contractual Clauses.

B.

Approved Code of Conduct.

C.

Binding Corporate Rules.

D.

Derogations.

Question 8

SCENARIO

Please use the following to answer the next question:

BHealthy, a company based in Italy, is ready to launch a new line of natural products, with a focus on sunscreen. The last step prior to product launch is for BHealthy to conduct research to decide how extensively to market its new line of sunscreens across Europe. To do so, BHealthy teamed up with Natural Insight, a company specializing in determining pricing for natural products. BHealthy decided to share its existing customer information – name, location, and prior purchase history – with Natural Insight. Natural Insight intends to use this information to train its algorithm to help determine the price point at which BHealthy can sell its new sunscreens.

Prior to sharing its customer list, BHealthy conducted a review of Natural Insight’s security practices and concluded that the company has sufficient security measures to protect the contact information. Additionally, BHealthy’s data processing contractual terms with Natural Insight require continued implementation of technical and organization measures. Also indicated in the contract are restrictions on use of the data provided by BHealthy for any purpose beyond provision of the services, which include use of the data for continued improvement of Natural Insight’s machine learning algorithms.

What is the nature of BHealthy and Natural Insight’s relationship?

Options:

A.

Natural Insight is BHealthy’s processor because the companies entered into data processing terms.

B.

Natural Insight is BHealthy’s processor because BHealthy is sharing its customer information with Natural Insight.

C.

Natural Insight is the controller because it determines the security measures to implement to protect data it processes; BHealthy is a co-controller because it engaged Natural Insight to determine pricing for the new sunscreens.

D.

Natural Insight is a controller because it is separately determine the purpose of processing when it uses BHealthy’s customer information to improve its machine learning algorithms.

Question 9

Article 5(1)(b) of the GDPR states that personal data must be “collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.” Based on Article 5(1)(b),

what is the impact of a member state’s interpretation of the word “incompatible”?

Options:

A.

It dictates the level of security a processor must follow when using and storing personal data for two different purposes.

B.

It guides the courts on the severity of the consequences for those who are convicted of the intentional misuse of personal data.

C.

It sets the standard for the level of detail a controller must record when documenting the purpose for collecting personal data.

D.

It indicates the degree of flexibility a controller has in using personal data in ways that may vary from its original intended purpose.

Question 10

SCENARIO

Please use the following to answer the next question:

Jane Stan's her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a dedicated data center located m Malta |EU).

People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a KYC due diligence procedure aimed at preventing money laundering and ensuring compliance with applicable financial regulations.

The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and belong a checkbox on a separate page in order to get their account approved on the platform.

The customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a

What is potentially wrong with the backup system operated in the AWS cloud?

Options:

A.

The AWS servers are located in the EU but in a country different than the location of the corporate headquarters.

B.

It is unlawful to process any personal data in a cloud unless the cloud is certified as GOPR-compliant by a competent supervisory authority.

C.

The data storage period has to be revised, and a data processing agreement w*h AWS must be signed

D.

AWS is a U S company, and no personal data of European residents may be transferred to it without explicit written consent from data subjects.

Question 11

SCENARIO

Please use the following to answer the next question:

Brady is a computer programmer based in New Zealand who has been running his own business for two years. Brady’s business provides a low-cost suite of services to customers throughout the European Economic Area (EEA). The services are targeted towards new and aspiring small business owners. Brady’s company, called Brady Box, provides web page design services, a Social Networking Service (SNS) and consulting services that help people manage their own online stores.

Unfortunately, Brady has been receiving some complaints. A customer named Anna recently uploaded her plans for a new product onto Brady Box’s chat area, which is open to public viewing. Although she realized her mistake two weeks later and removed the document, Anna is holding Brady Box responsible for not noticing the error through regular monitoring of the website. Brady believes he should not be held liable.

Another customer, Felipe, was alarmed to discover that his personal information was transferred to a third- party contractor called Hermes Designs and worries that sensitive information regarding his business plans may be misused. Brady does not believe he violated European privacy rules. He provides a privacy notice to all of his customers explicitly stating that personal data may be transferred to specific third parties in fulfillment of a requested service. Felipe says he read the privacy notice but that it was long and complicated

Brady continues to insist that Felipe has no need to be concerned, as he can personally vouch for the integrity of Hermes Designs. In fact, Hermes Designs has taken the initiative to create sample customized banner advertisements for customers like Felipe. Brady is happy to provide a link to the example banner ads, now posted on the Hermes Designs webpage. Hermes Designs plans on following up with direct marketing to these customers.

Brady was surprised when another customer, Serge, expressed his dismay that a quotation by him is being used within a graphic collage on Brady Box’s home webpage. The quotation is attributed to Serge by first and last name. Brady, however, was not worried about any sort of litigation. He wrote back to Serge to let him know that he found the quotation within Brady Box’s Social Networking Service (SNS), as Serge himself had posted the quotation. In his response, Brady did offer to remove the quotation as a courtesy.

Despite some customer complaints, Brady’s business is flourishing. He even supplements his income through online behavioral advertising (OBA) via a third-party ad network with whom he has set clearly defined roles. Brady is pleased that, although some customers are not explicitly aware of the OBA, the advertisements contain useful products and services.

Based on current trends in European privacy practices, which aspect of Brady Box’ Online Behavioral Advertising (OBA) is most likely to be insufficient if the company becomes established in Europe?

Options:

A.

The lack of the option to opt in.

B.

The level of security within the website.

C.

The contract with the third-party advertising network.

D.

The need to have the contents of the advertising approved.

Question 12

How is the retention of communications traffic data for law enforcement purposes addressed by European data protection law?

Options:

A.

The ePrivacy Directive allows individual EU member states to engage in such data retention.

B.

The ePrivacy Directive harmonizes EU member states’ rules concerning such data retention.

C.

The Data Retention Directive’s annulment makes such data retention now permissible.

D.

The GDPR allows the retention of such data for the prevention, investigation, detection or prosecution of criminal offences only.

Question 13

Under what circumstances might the “soft opt-in” rule apply in relation to direct marketing?

Options:

A.

When an individual has not consented to the marketing.

B.

When an individual’s details are obtained from their inquiries about buying a product.

C.

Where an individual’s details have been obtained from a bought-in marketing list.

D.

Where an individual is given the ability to unsubscribe from marketing emails sent to him.

Question 14

Which of the following is NOT considered a fair processing practice in relation to the transparency principle?

Options:

A.

Providing a multi-layered privacy notice, in a website environment.

B.

Providing a QR code linking to more detailed privacy notice, in a CCTV sign.

C.

Providing a hyperlink to the organization’s home page, in a hard copy application form.

D.

Providing a “just-in-time” contextual pop-up privacy notice, in an online application from field.

Question 15

SCENARIO

Please use the following to answer the next question:

You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company’s revenue is due to international sales.

The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: The figures can answer children’s Questions: on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience.

When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure’s integrated

speakers, making it appear as though that the toy is actually responding to the child’s question. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.

In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures’ abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character’s abilities remain intact.

What presents the BIGGEST potential privacy issue with the company’s practices?

Options:

A.

The NFC portal can read any data stored in the action figures

B.

The information about the data processing involved has not been specified

C.

The cloud service provider is in a country that has not been deemed adequate

D.

The RFID tag in the action figures has the potential for misuse because of the toy’s evolving capabilities

Question 16

SCENARIO

Please use the following to answer the next question:

Brady is a computer programmer based in New Zealand who has been running his own business for two years. Brady’s business provides a low-cost suite of services to customers throughout the European Economic Area (EEA). The services are targeted towards new and aspiring small business owners. Brady’s company, called Brady Box, provides web page design services, a Social Networking Service (SNS) and consulting services that help people manage their own online stores.

Unfortunately, Brady has been receiving some complaints. A customer named Anna recently uploaded her plans for a new product onto Brady Box’s chat area, which is open to public viewing. Although she realized her mistake two weeks later and removed the document, Anna is holding Brady Box responsible for not noticing the error through regular monitoring of the website. Brady believes he should not be held liable.

Another customer, Felipe, was alarmed to discover that his personal information was transferred to a third- party contractor called Hermes Designs and worries that sensitive information regarding his business plans may be misused. Brady does not believe he violated European privacy rules. He provides a privacy notice to all of his customers explicitly stating that personal data may be transferred to specific third parties in fulfillment of a requested service. Felipe says he read the privacy notice but that it was long and complicated

Brady continues to insist that Felipe has no need to be concerned, as he can personally vouch for the integrity of Hermes Designs. In fact, Hermes Designs has taken the initiative to create sample customized banner advertisements for customers like Felipe. Brady is happy to provide a link to the example banner ads, now posted on the Hermes Designs webpage. Hermes Designs plans on following up with direct marketing to these customers.

Brady was surprised when another customer, Serge, expressed his dismay that a quotation by him is being used within a graphic collage on Brady Box’s home webpage. The quotation is attributed to Serge by first and last name. Brady, however, was not worried about any sort of litigation. He wrote back to Serge to let him know that he found the quotation within Brady Box’s Social Networking Service (SNS), as Serge himself had posted the quotation. In his response, Brady did offer to remove the quotation as a courtesy.

Despite some customer complaints, Brady’s business is flourishing. He even supplements his income through online behavioral advertising (OBA) via a third-party ad network with whom he has set clearly defined roles. Brady is pleased that, although some customers are not explicitly aware of the OBA, the advertisements contain useful products and services.

Based on the scenario, what is the main reason that Brady should be concerned with Hermes Designs’ handling of customer personal data?

Options:

A.

The data is sensitive.

B.

The data is uncategorized.

C.

The data is being used for a new purpose.

D.

The data is being processed via a new means.

Question 17

Article 9 of the GDPR lists exceptions to the general prohibition against processing biometric data. Which of the following is NOT one of these exceptions?

Options:

A.

The processing is done by a non-profit organization and the results are disclosed outside the organization.

B.

The processing is necessary to protect the vital interests of the data subject when he or she is incapable of giving consent.

C.

The processing is necessary for the establishment, exercise or defense of legal claims when courts are acting in a judicial capacity.

D.

The processing is explicitly consented to by the data subject and he or she is allowed by Union or Member State law to lift the prohibition.

Question 18

When would a data subject NOT be able to exercise the right to portability?

Options:

A.

When the processing is necessary to perform a task in the exercise of authority vested in the controller.

B.

When the processing is carried out pursuant to a contract with the data subject.

C.

When the data was supplied to the controller by the data subject.

D.

When the processing is based on consent.

Question 19

What is true of both the General Data Protection Regulation (GDPR) and the Council of Europe Convention 108?

Options:

A.

Both govern international transfers of personal data

B.

Both govern the manual processing of personal data

C.

Both only apply to European Union countries

D.

Both require notification of processing activities to a supervisory authority

Question 20

According to the Personal Data Protection Commission's (PDPC) "Guide to basic data anonymization techniques," recently adopted by the Spanish

Data Protection Agency, which of the following is NOT a valid basic anonymization technique?

Options:

A.

Swapping.

B.

Generalization.

C.

Data Adjustment.

D.

Attribute Suppression.

Question 21

Through a combination of hardware failure and human error, the decryption key for a bank’s customer account transaction database has been lost. An investigation has determined that this was not the result of hacking or malfeasance, simply an unfortunate combination of circumstances. Which of the following accurately indicates the nature of this incident?

Options:

A.

A data breach has not occurred because the loss was not the result of hacking.

B.

A data breach has not occurred because no data was exposed to any unauthorized individual.

C.

A data breach has occurred because the loss of the key has resulted in the data no longer being accessible.

D.

A data breach has occurred because the loss of the key has resulted in the loss of confidentiality or integrity of the data.

Question 22

SCENARIO

Please use the following to answer the next question:

Due to rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B. Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry.

Company B’s payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A’s factories. Company B won’t hold any biometric data itself, but the related data will be uploaded to Company B’s UK servers and used to provide the payroll service. Company B’s live systems will contain the following information for each of Company A’s employees:

    Name

    Address

    Date of Birth

    Payroll number

    National Insurance number

    Sick pay entitlement

    Maternity/paternity pay entitlement

    Holiday entitlement

    Pension and benefits contributions

    Trade union contributions

Jenny is the compliance officer at Company A. She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn’t sure whether or not this is required.

Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data. Jenny suggests that Company B obtain advice from its data protection officer. The company doesn’t have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract.

Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B’s live systems in order to create a new database for Company B.

This database will be stored in a test environment hosted on Company C’s U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes.

Unfortunately, Company C’s U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A’s employees is visible to anyone visiting Company C’s website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees.

The GDPR requires sufficient guarantees of a company’s ability to implement adequate technical and organizational measures. What would be the most realistic way that Company B could have fulfilled this requirement?

Options:

A.

Hiring companies whose measures are consistent with recommendations of accrediting bodies.

B.

Requesting advice and technical support from Company A’s IT team.

C.

Avoiding the use of another company’s data to improve their own services.

D.

Vetting companies’ measures with the appropriate supervisory authority.

Question 23

A worker in a European Union (EU) member state has ceased his employment with a company. What should the employer most likely do in regard to the worker’s personal data?

Options:

A.

Destroy sensitive information and store the rest per applicable data protection rules.

B.

Store all of the data in case the departing worker makes a subject access request.

C.

Securely store the data that is required to be kept under local law.

D.

Provide the employee the reasons for retaining the data.

Question 24

A company is hesitating between Binding Corporate Rules and Standard Contractual Clauses as a global data transfer solution. Which of the following statements would help the company make an effective decision?

Options:

A.

Binding Corporate Rules are especially recommended for small and medium companies.

B.

The data exporter does not need to be located in the EU for the standard Contractual Clauses.

C.

Binding Corporate Rules provide a global solution for all the entities of a company that are bound by the intra-group agreement.

D.

The company will need the prior authorization of all EU data protection authorities for concluding Standard Contractual Clauses.

Question 25

The GDPR specifies fines that may be levied against data controllers for certain infringements. Which of the following infringements would be subject to the less severe administrative fine of up to 10 million euros (or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year)?

Options:

A.

Failure to demonstrate that consent was given by the data subject to the processing of their personal data where it is used as the basis for processing.

B.

Failure to implement technical and organizational measures to ensure data protection is enshrined by design and default.

C.

Failure to process personal information in a manner compatible with its original purpose.

D.

Failure to provide the means for a data subject to rectify inaccuracies in personal data.

Question 26

SCENARIO

Please use the following to answer the next question:

Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquartered in Montreal, and all of its employees are located there. The company offers its services to Canadians only: Its website is in English and French, it accepts only Canadian currency, and it blocks internet traffic from outside of Canada (although this solution doesn’t prevent all non-Canadian traffic). It also declines to process orders that request the DNA report to be sent outside of Canada, and returns orders that show a non-Canadian return address.

Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is exploring a number of plans to expand its customer base.

The first plan, collegially called We-Track-U, will use an app to collect information about its current Canadian customer base. The expansion will allow its Canadian customers to use the app while traveling abroad. He suggests that the company use this app to gather location information. If the plan shows promise, Bob proposes to use push notifications and text messages to encourage existing customers to pre-register for an EU version of the service. Bob calls this work plan, We-Text-U. Once the company has gathered enough pre- registrations, it will develop EU-specific content and services.

Another plan is called Customer for Life. The idea is to offer additional services through the company’s app, like storage and sharing of DNA information with other applications and medical providers. The company’s contract says that it can keep customer DNA indefinitely, and use it to offer new services and market them to customers. It also says that customers agree not to withdraw direct marketing consent. Paul, the marketing director, suggests that the company should fully exploit these provisions, and that it can work around customers’ attempts to withdraw consent because the contract invalidates them.

The final plan is to develop a brand presence in the EU. The company has already begun this process. It is in the process of purchasing the naming rights for a building in Germany, which would come with a few offices that Who-R-U executives can use while traveling internationally. The office doesn’t include any technology or infrastructure; rather, it’s simply a room with a desk and some chairs.

On a recent trip concerning the naming-rights deal, Bob’s laptop is stolen. The laptop held unencrypted DNA reports on 5,000 Who-R-U customers, all of whom are residents of Canada. The reports include customer name, birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information.

The Customer for Life plan may conflict with which GDPR provision?

Options:

A.

Article 6, which requires processing to be lawful.

B.

Article 7, which requires consent to be as easy to withdraw as it is to give.

C.

Article 16, which provides data subjects with a rights to rectification.

D.

Article 20, which gives data subjects a right to data portability.

Question 27

SCENARIO

Please use the following to answer the next question:

Gentle Hedgehog Inc. is a privately owned website design agency incorporated in

Italy. The company has numerous remote workers in different EU countries. Recently,

the management of Gentle Hedgehog noticed a decrease in productivity of their sales

team, especially among remote workers. As a result, the company plans to implement

a robust but privacy-friendly remote surveillance system to prevent absenteeism,

reward top performers, and ensure the best quality of customer service when sales

people are interacting with customers.

Gentle Hedgehog eventually hires Sauron Eye Inc., a Chinese vendor of employee

surveillance software whose European headquarters is in Germany. Sauron Eye's

software provides powerful remote-monitoring capabilities, including 24/7 access to

computer cameras and microphones, screen captures, emails, website history, and

keystrokes. Any device can be remotely monitored from a central server that is

securely installed at Gentle Hedgehog headquarters. The monitoring is invisible by

default; however, a so-called Transparent Mode, which regularly and conspicuously

notifies all users about the monitoring and its precise scope, also exists. Additionally,

the monitored employees are required to use a built-in verification technology

involving facial recognition each time they log in.

All monitoring data, including the facial recognition data, is securely stored in

Microsoft Azure cloud servers operated by Sauron Eye, which are physically located

in France.

Based on the scenario, what are the primary privacy risks of the planned

surveillance system?

Options:

A.

A Chinese vendor and the monitoring of EU-based employees.

B.

Facial recognition data stored in the cloud and lack of encryption.

C.

Excessive scope of monitoring and lack of legitimate purpose for data collection.

D.

Missing E2EE encryption in the monitoring system and unclear data storage duration.

Question 28

SCENARIO

Please use the following to answer the next question:

Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquartered in Montreal, and all of its employees are located there. The company offers its services to

Canadians only: Its website is in English and French, it accepts only Canadian currency, and it blocks internet traffic from outside of Canada (although this solution doesn’t prevent all non-Canadian traffic). It also declines to process orders that request the DNA report to be sent outside of Canada, and returns orders that show a non-Canadian return address.

Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is exploring a number of plans to expand its customer base.

The first plan, collegially called We-Track-U, will use an app to collect information about its current Canadian customer base. The expansion will allow its Canadian customers to use the app while traveling abroad. He suggests that the company use this app to gather location information. If the plan shows promise, Bob proposes to use push notifications and text messages to encourage existing customers to pre-register for an EU version of the service. Bob calls this work plan, We-Text-U. Once the company has gathered enough pre- registrations, it will develop EU-specific content and services.

Another plan is called Customer for Life. The idea is to offer additional services through the company’s app, like storage and sharing of DNA information with other applications and medical providers. The company’s contract says that it can keep customer DNA indefinitely, and use it to offer new services and market them to customers. It also says that customers agree not to withdraw direct marketing consent. Paul, the marketing director, suggests that the company should fully exploit these provisions, and that it can work around customers’ attempts to withdraw consent because the contract invalidates them.

The final plan is to develop a brand presence in the EU. The company has already begun this process. It is in the process of purchasing the naming rights for a building in Germany, which would come with a few offices that Who-R-U executives can use while traveling internationally. The office doesn’t include any technology or infrastructure; rather, it’s simply a room with a desk and some chairs.

On a recent trip concerning the naming-rights deal, Bob’s laptop is stolen. The laptop held unencrypted DNA reports on 5,000 Who-R-U customers, all of whom are residents of Canada. The reports include customer name, birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information.

If Who-R-U decides to track locations using its app, what must it do to comply with the GDPR?

Options:

A.

Get consent from the app users.

B.

Provide a transparent notice to users.

C.

Anonymize the data and add latency so it avoids disclosing real time locations.

D.

Obtain a court order because location data is a special category of personal data.

Question 29

For which of the following operations would an employer most likely be justified in requesting the data subject’s consent?

Options:

A.

Posting an employee’s bicycle race photo on the company’s social media.

B.

Processing an employee’s health certificate in order to provide sick leave.

C.

Operating a CCTV system on company premises.

D.

Assessing a potential employee’s job application.

Question 30

To comply with the GDPR and the EU Court of Justice's decision in Schrems II, the European Commission issued what are commonly referred to as the new standard contractual clauses (SCCs). As a result, businesses must do all of the following EXCEPT?

Options:

A.

Consider the new optional docking clause, which expressly permits adding new parties to the SCCs.

B.

Migrate all contracts entered into before September 27, 2021, that use the old SCCs to the new SCCs by December 27, 2022.

C.

Take steps to flow down the new SCCs to relevant parts of their supply chain using the new SCCs as of September 27, 2021, if the business is a data importer.

D.

Implement the new SCCs in the U.K. following Brexit, as the U.K. Information Commissioner's Office does not have the authority to publish its own set of SCCs.

Question 31

Which of the following Convention 108+ principles, as amended in 2018, is NOT consistent with a principle found in the GDPR?

Options:

A.

The obligation of companies to declare data breaches.

B.

The requirement to demonstrate compliance to a supervisory authority.

C.

The necessity of the bulk collection of personal data by the government.

Question 32

MagicClean is a web-based service located in the United States that matches home cleaning services to customers. It otters its services exclusively in the United States It uses a processor located in France to optimize its data. Is MagicClean subject to the GDPR?

Options:

A.

Yes, because MagicClean is processing data in the EU

B.

Yes. because MagicClean's data processing agreement with the French processor is an establishment in the EU

C.

No, because MagicClean is located m the United States only.

D.

No. because MagicClean is not offering services to EU data subjects.

Question 33

Which GDPR principle would a Spanish employer most likely depend upon to annually send the personal data of its employees to the national tax authority?

Options:

A.

The consent of the employees.

B.

The legal obligation of the employer.

C.

The legitimate interest of the public administration.

D.

The protection of the vital interest of the employees.

Question 34

SCENARIO

Please use the following to answer the next question:

BHealthy, a company based in Italy, is ready to launch a new line of natural products, with a focus on sunscreen. The last step prior to product launch is for BHealthy to conduct research to decide how extensively to market its new line of sunscreens across Europe. To do so, BHealthy teamed up with Natural Insight, a company specializing in determining pricing for natural products. BHealthy decided to share its existing customer information – name, location, and prior purchase history – with Natural Insight. Natural Insight intends to use this information to train its algorithm to help determine the price point at which BHealthy can sell its new sunscreens.

Prior to sharing its customer list, BHealthy conducted a review of Natural Insight’s security practices and concluded that the company has sufficient security measures to protect the contact information. Additionally, BHealthy’s data processing contractual terms with Natural Insight require continued implementation of technical and organization measures. Also indicated in the contract are restrictions on use of the data provided by BHealthy for any purpose beyond provision of the services, which include use of the data for continued improvement of Natural Insight’s machine learning algorithms.

Under the GDPR, what are Natural Insight’s security obligations with respect to the customer information it received from BHealthy?

Options:

A.

Appropriate security that takes into account the industry practices for protecting customer contact information and purchase history.

B.

Only the security measures assessed by BHealthy prior to entering into the data processing contract.

C.

Absolute security since BHealthy is sharing personal data, including purchase history, with Natural Insight.

D.

The level of security that a reasonable data subject whose data is processed would expect in relation to the data subject’s purchase history.

Question 35

How does the GDPR now define “processing”?

Options:

A.

Any act involving the collecting and recording of personal data.

B.

Any operation or set of operations performed on personal data or on sets of personal data.

C.

Any use or disclosure of personal data compatible with the purpose for which the data was collected.

D.

Any operation or set of operations performed by automated means on personal data or on sets of personal data.

Question 36

The GDPR forbids the practice of “forum shopping”, which occurs when companies do what?

Options:

A.

Choose the data protection officer that is most sympathetic to their business concerns.

B.

Designate their main establishment in member state with the most flexible practices.

C.

File appeals of infringement judgments with more than one EU institution simultaneously.

D.

Select third-party processors on the basis of cost rather than quality of privacy protection.

Question 37

The origin of privacy as a fundamental human right can be found in which document?

Options:

A.

Universal Declaration of Human Rights 1948.

B.

European Convention of Human Rights 1953.

C.

OECD Guidelines on the Protection of Privacy 1980.

D.

Charier of Fundamental Rights of the European Union 2000.

Question 38

What was the main failing of Convention 108 that led to the creation of the Data Protection Directive (Directive 95/46/EC)?

Options:

A.

IT did not account for the rapid growth of the Internet

B.

It did not include protections for sensitive personal data

C.

It was implemented in a fragmented manner by a small number of states.

D.

Its penalties for violations of data protection rights were widely viewed as r sufficient.

Question 39

According to Article 84 of the GDPR, the rules on penalties applicable to infringements shall be laid down by?

Options:

A.

The local Data Protection Supervisory Authorities.

B.

The European Data Protection Board.

C.

The EU Commission.

D.

The Member States.

Question 40

As per the GDPR, which legal basis would be the most appropriate for an online shop that wishes to process personal data for the purpose of fraud prevention?

Options:

A.

Protection of the interests of the data subjects.

B.

Performance of a contact

C.

Legitimate interest

D.

Consent

Question 41

SCENARIO

Please use the following to answer the next question:

TripBliss Inc. is a travel service company which has lost substantial revenue over the last few years. Their new manager, Oliver, suspects that this is partly due to the company’s outdated website. After doing some research, he meets with a sales representative from the up-and-coming IT company Techiva, hoping that they can design a new, cutting-edge website for TripBliss Inc.’s foundering business.

During negotiations, a Techiva representative describes a plan for gathering more customer information through detailed Questionaires, which could be used to tailor their preferences to specific travel destinations. TripBliss Inc. can choose any number of data categories – age, income, ethnicity – that would help them best accomplish their goals. Oliver loves this idea, but would also like to have some way of gauging how successful this approach is, especially since the Questionaires will require customers to provide explicit consent to having their data collected. The Techiva representative suggests that they also run a program to analyze the new website’s traffic, in order to get a better understanding of how customers are using it. He explains his plan to place a number of cookies on customer devices. The cookies will allow the company to collect IP addresses and other information, such as the sites from which the customers came, how much time they spend on the TripBliss Inc. website, and which pages on the site they visit. All of this information will be compiled in log files, which Techiva will analyze by means of a special program. TripBliss Inc. would receive aggregate statistics to help them evaluate the website’s effectiveness. Oliver enthusiastically engages Techiva for these services.

Techiva assigns the analytics portion of the project to longtime account manager Leon Santos. As is standard practice, Leon is given administrator rights to TripBliss Inc.’s website, and can authorize access to the log files gathered from it. Unfortunately for TripBliss Inc., however, Leon is taking on this new project at a time when his dissatisfaction with Techiva is at a high point. In order to take revenge for what he feels has been unfair treatment at the hands of the company, Leon asks his friend Fred, a hobby hacker, for help. Together they come up with the following plan: Fred will hack into Techiva’s system and copy their log files onto a USB stick. Despite his initial intention to send the USB to the press and to the data protection authority in order to denounce Techiva, Leon experiences a crisis of conscience and ends up reconsidering his plan. He decides instead to securely wipe all the data from the USB stick and inform his manager that the company’s system of access control must be reconsidered.

After Leon has informed his manager, what is Techiva’s legal responsibility as a processor?

Options:

A.

They must report it to TripBliss Inc.

B.

They must conduct a full systems audit.

C.

They must report it to the supervisory authority.

D.

They must inform customers who have used the website.

Question 42

A well-known video production company, based in Spain but specializing in documentaries filmed worldwide, has just finished recording several hours of footage featuring senior citizens in the streets of Madrid. Under what condition would the company NOT be required to obtain the consent of everyone whose image they use for their documentary?

Options:

A.

If obtaining consent is deemed to involve disproportionate effort.

B.

If obtaining consent is deemed voluntary by local legislation.

C.

If the company limits the footage to data subjects solely of legal age.

D.

If the company’s status as a documentary provider allows it to claim legitimate interest.

Question 43

WP29’s “Guidelines on Personal data breach notification under Regulation 2016/679’’ provides examples of ways to communicate data breaches transparently. Which of the following was listed as a method that would NOT be effective for communicating a breach to data subjects?

Options:

A.

A postal notification

B.

A direct electronic message

C.

A notice on a corporate blog

D.

A prominent advertisement in print media

Question 44

SCENARIO

Please use the following to answer the next question:

The fitness company Vigotron has recently developed a new app called M-Health, which it wants to market on its website as a free download. Vigotron’s marketing manager asks his assistant Emily to create a webpage that describes the app and specifies the terms of use. Emily, who is new at Vigotron, is excited about this task. At her previous job she took a data protection class, and though the details are a little hazy, she recognizes that Vigotron is going to need to obtain user consent for use of the app in some cases. Emily sketches out the following draft, trying to cover as much as possible before sending it to Vigotron’s legal department.

Registration Form

Vigotron’s new M-Health app makes it easy for you to monitor a variety of health-related activities, including diet, exercise, and sleep patterns. M-Health relies on your smartphone settings (along with other third-party apps you may already have) to collect data about all of these important lifestyle elements, and provide the information necessary for you to enrich your quality of life. (Please click here to read a full description of the services that M-Health provides.)

Vigotron values your privacy. The M-Heaith app allows you to decide which information is stored in it, and which apps can access your data. When your device is locked with a passcode, all of your health and fitness data is encrypted with your passcode. You can back up data stored in the Health app to Vigotron’s cloud provider, Stratculous. (Read more about Stratculous here.)

Vigotron will never trade, rent or sell personal information gathered from the M-Health app. Furthermore, we will not provide a customer’s name, email address or any other information gathered from the app to any third- party without a customer’s consent, unless ordered by a court, directed by a subpoena, or to enforce the manufacturer’s legal rights or protect its business or property.

We are happy to offer the M-Health app free of charge. If you want to download and use it, we ask that you

first complete this registration form. (Please note that use of the M-Health app is restricted to adults aged 16 or older, unless parental consent has been given to minors intending to use it.)

    First name:

    Surname:

    Year of birth:

    Email:

    Physical Address (optional*):

    Health status:

*If you are interested in receiving newsletters about our products and services that we think may be of interest to you, please include your physical address. If you decide later that you do not wish to receive these newsletters, you can unsubscribe by sending an email to unsubscribe@vigotron.com or send a letter with your request to the address listed at the bottom of this page.

Terms and Conditions

1.Jurisdiction. […]

2.Applicable law. […]

3.Limitation of liability. […]

Consent

By completing this registration form, you attest that you are at least 16 years of age, and that you consent to the processing of your personal data by Vigotron for the purpose of using the M-Health app. Although you are entitled to opt out of any advertising or marketing, you agree that Vigotron may contact you or provide you with any required notices, agreements, or other information concerning the services by email or other electronic means. You also agree that the Company may send automated emails with alerts regarding any problems with the M-Health app that may affect your well being.

If a user of the M-Health app were to decide to withdraw his consent, Vigotron would first be required to do what?

Options:

A.

Provide the user with logs of data collected through use of the app.

B.

Erase any data collected from the time the app was first used.

C.

Inform any third parties of the user’s withdrawal of consent.

D.

Cease processing any data collected through use of the app.

Question 45

In the Planet 49 case, what was the man judgement of the Coon of Justice of the European Union (CJEU) regarding the issue of cookies?

Options:

A.

If the cookies do not track personal data, then pre-checked boxes are acceptable.

B.

If the ePrivacy Directive requires consent for cookies, then the GDPR's consent requirements apply.

C.

If a website's cookie notice makes clear the information gathered and the lifespan of the cookie, then pre-checked boxes are acceptable.

D.

If a data subject continues to scroll through a website after reading a cookie banner, this activity constitutes valid consent for the tracking described in the cookie banner.

Question 46

According to the AI Act, a provider of a high-risk AI system has all of the following obligations EXCEPT?

Options:

A.

Ensuring users understand how the system mitigates bias.

B.

Registering the system in the European AI Board’s database.

C.

Providing detailed documentation about the system to the users.

D.

Conducting a conformity assessment before placing the system on the market.

Question 47

After leaving the EU under the terms of Brexit, the United Kingdom will seek an adequacy determination. What is the reason for this?

Options:

A.

The Insurance Commissioner determined that an adequacy determination is required by the Data Protection Act.

B.

Adequacy determinations automatically lapse when a Member State leaves the EU.

C.

The UK is now a third country because it’s no longer subject to the GDPR.

D.

The UK is less trustworthy now that its not part of the Union.

Question 48

Under the GDPR, which of the following is true in regard to adequacy decisions involving cross-border transfers?

Options:

A.

The European Commission can adopt an adequacy decision for individual companies.

B.

The European Commission can adopt, repeal or amend an existing adequacy decision.

C.

EU member states are vested with the power to accept or reject a European Commission adequacy decision.

D.

To be considered as adequate, third countries must implement the EU General Data Protection Regulation into their national legislation.

Question 49

SCENARIO

Please use the following to answer the next question:

Financially, it has been a very good year at ARRA Hotels: Their 21 hotels, located in

Greece (5), Italy (15) and Spain (1), have registered their most profitable results

ever. To celebrate this achievement, ARRA Hotels' Human Resources office, based

in ARRA's main Italian establishment, has organized a team event for its 420

employees and their families at its hotel in Spain.

Upon arrival at the hotel, each employee and family member is given an electronic

wristband at the reception desk. The wristband serves a number of functions:

. Allows access to the "party zone" of the hotel, and emits a buzz if the user

approaches any unauthorized areas

. Allows up to three free drinks for each person of legal age, and emits a

buzz once this limit has been reached

. Grants a unique ID number for participating in the games and contests that

have been planned.

Along with the wristband, each guest receives a QR code that leads to the online

privacy notice describing the use of the wristband. The page also contains an

unchecked consent checkbox. In the case of employee family members under the

age of 16, consent must be given by a parent.

Among the various activities planned for the event, ARRA Hotels' HR office has

autonomously set up a photocall area, separate from the main event venue, where

employees can come and have their pictures taken in traditional carnival costume.

The photos will be posted on ARRA Hotels' main website for general marketing

purposes.

On the night of the event, an employee from one of ARRA's Greek hotels is

displeased with the results of the photos in which he appears. He intends to file a

complaint with the relevant supervisory authority in regard to the following:

. The lack of any privacy notice in the separate photocall area

The unlawful cross-border processing of his personal data

. The unacceptable aesthetic outcome of his photos

Assuming that there is a cross-border processing of personal data, which of the

following criteria would NOT be useful to the lead supervisory authority responsible

for the Greek employee's complaint when trying to determine the location of the

controller's main establishment?

Options:

A.

Where the controller is registered as a company.

B.

Where the processor is registered as a company.

C.

Where decisions about the processing activities are made.

D.

Where the director with responsibility for processing activities is located.

Question 50

Articles 13 and 14 of the GDPR provide details on the obligation of data controllers to inform data subjects when collecting personal data. However, both articles specify an exemption for situations in which the data subject already has the information.

Which other situation would also exempt the data controller from this obligation under Article 14?

Options:

A.

When providing the information would go against a police order.

B.

When providing the information would involve a disproportionate effort

C.

When the personal data was obtained through multiple source in the public domain

D.

When the personal data was obtained 5 years before the entry into force of the GDPR

Question 51

Start-up company MagicAI is developing an AI system that will be part of a medical device that detects skin cancer. To take measures against potential bias in its AI system, the IT Team decides to collect data about users' ethnic origin, nationality, and gender.

Which would be the most appropriate legal basis for this processing under the GDPR, Article 9 (Processing of special categories of personal data)?

Options:

A.

Processing necessary for scientific or statistical purposes.

B.

Processing necessary for reasons of substantial public interest.

C.

Processing necessary for purposes of preventive or occupational medicine.

D.

Processing necessary for the defense of legal claims in potential negligence cases.

Question 52

Pursuant to Article 17 and EDPB Guidelines S'2019 on RTBF criteria in search engines cases, all of the following would be valid grounds for data subject delisting requests EXCEPT?

Options:

A.

The personal dale has been collected in relation to the offer of Information society services (ISS) to a child.

B.

The data subject withdraws consent and there is no other legal basis for the processing.

C.

The personal data is no longer necessary in relation to the search engine provider's processing

D.

The processing s necessary for exercising the right of freedom of expression and information

Question 53

SCENARIO

Please use the following to answer the next question:

Anna and Frank both work at Granchester University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records:

    Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information.

    Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files).

    Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees. These records are available to former students after registering through Granchester’s Alumni portal. Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers.

    Under their security policy, the University encrypts all of its personal data records in transit and at rest.

In order to improve his teaching, Frank wants to investigate how his engineering students perform in relational to Department for Education expectations. He has attended one of Anna’s data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a

program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first time university attended. He wants to keep the records at the individual student level. Mindful of Anna’s training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time.

One of Anna’s tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, as required by the GDPR. After receiving her email reminder, Frank informs Anna about his performance database.

Ann explains to Frank that, as well as minimizing personal data, the University has to check that this new use of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has

done some additional research.

Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time.

Anna will find that a risk analysis is NOT necessary in this situation as long as?

Options:

A.

The data subjects are no longer current students of Frank’s

B.

The processing will not negatively affect the rights of the data subjects

C.

The algorithms that Frank uses for the processing are technologically sound

D.

The data subjects gave their unambiguous consent for the original processing

Question 54

A Spanish electricity customer calls her local supplier with Questions: about the company’s upcoming merger. Specifically, the customer wants to know the recipients to whom her personal data will be disclosed once the

merger is final. According to Article 13 of the GDPR, what must the company do before providing the customer with the requested information?

Options:

A.

Verify that the request is applicable to the data collected before the GDPR entered into force.

B.

Verify that the purpose of the request from the customer is in line with the GDPR.

C.

Verify that the personal data has not already been sent to the customer.

D.

Verify that the identity of the customer can be proven by other means.

Question 55

The Planet 49 CJEU Judgement applies to?

Options:

A.

Cookies used only by third parties.

B.

Cookies that are deemed technically necessary.

C.

Cookies regardless of whether the data accessed is personal or not.

D.

Cookies where the data accessed is considered as personal data only.

Question 56

SCENARIO

Please use the following to answer the next question:

Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentable offering to help him recover compensation for personal injury. Louis has heard about insurance companies selling customers’ data to third parties, and he’s convinced that Accidentable must have gotten his information from Bedrock Insurance.

Louis has also been receiving an increased amount of marketing information from Bedrock, trying to sell him their full range of their insurance policies.

Perturbed by this, Louis has started looking at price comparison sites on the internet and has been shocked to find that other insurers offer much cheaper rates than Bedrock, even though he has been a loyal customer for many years. When his Bedrock policy comes up for renewal, he decides to switch to Zantrum Insurance.

In order to activate his new insurance policy, Louis needs to supply Zantrum with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask Bedrock to transfer his information directly to Zantrum. He also takes this opportunity to ask Bedrock to stop using his personal data for marketing purposes.

Bedrock supplies Louis with a PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Louis it cannot transfer his data directly to Zantrum as this is not technically feasible. Bedrock also explains that Louis’s contract included a provision whereby Louis agreed that his data could be used for marketing purposes; according to Bedrock, it is too late for Louis to change his mind about this. It angers Louis when he recalls the wording of the contract, which was filled with legal jargon and very confusing.

In the meantime, Louis is still receiving unwanted calls from Accidentable Insurance. He writes to Accidentable to ask for the name of the organization that supplied his details to them. He warns Accidentable that he plans to complain to the data protection authority, because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way.

Accidentable’s response letter confirms Louis’s suspicions. Accidentable is Bedrock Insurance’s wholly owned subsidiary, and they received information about Louis’s accident from Bedrock shortly after Louis submitted his accident claim. Accidentable assures Louis that there has been no breach of the GDPR, as Louis’s contract included, a provision in which he agreed to share his information with Bedrock’s affiliates for business purposes.

Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them insisting that all his information be erased from their computer system.

After Louis has exercised his right to restrict the use of his data, under what conditions would Accidentable have grounds for refusing to comply?

Options:

A.

If Accidentable is entitled to use of the data as an affiliate of Bedrock.

B.

If Accidentable also uses the data to conduct public health research.

C.

If the data becomes necessary to defend Accidentable’s legal rights.

D.

If the accuracy of the data is not an aspect that Louis is disputing.

Question 57

What is the consequence if a processor makes an independent decision regarding the purposes and means of processing it carries out on behalf of a controller?

Options:

A.

The controller will be liable to pay an administrative fine

B.

The processor will be liable to pay compensation to affected data subjects

C.

The processor will be considered to be a controller in respect of the processing concerned

D.

The controller will be required to demonstrate that the unauthorized processing negatively affected one or more of the parties involved

Question 58

According to the European Data Protection Board, controllers responding to a data subject access request can refuse to provide a copy of personal data under certain conditions. Which of the following is NOT one of these conditions?

Options:

A.

If the data subject access request was sent to an employee that is not involved in the processing of such requests.

B.

If there is such a large amount of data that the controller cannot identify the data subject of the request.

C.

If the controller is unable to use end-to-end encrypted emails for responding to such requests.

D.

If the personal data was processed in the past but is no longer at the controller's disposal at the time of the request.

Question 59

A company has collected personal data tor direct marketing purpose on the basis of consent. It is now considering using this data to develop new products through analytics. What is the company first required to do?

Options:

A.

Obtain specific consent for the new processing

B.

Only inform the data subjects of the new purpose.

C.

Proceed no further, as such repurposing is unlawful

D.

Update the privacy notice upon which consent was given

Question 60

SCENARIO

Please use the following to answer the next question:

Jack worked as a Pharmacovigiliance Operations Specialist in the Irish office of a multinational pharmaceutical company on a clinical trial related to COVID-19. As part of his onboarding process Jack received privacy training He was explicitly informed that while he would need to process confidential patient data in the course of his work, he may under no circumstances use this data for anything other than the performance of work-related (asks This was also specified in the privacy policy, which Jack signed upon conclusion of the training.

After several months of employment, Jack got into an argument with a patient over the phone. Out of anger he later posted the patient's name and hearth information, along with disparaging comments, on a social media website. When this was discovered by his Pharmacovigilance supervisors. Jack was immediately dismissed

Jack's lawyer sent a letter to the company stating that dismissal was a disproportionate sanction, and that if Jack was not reinstated within 14 days his firm would have no alternative but to commence legal proceedings against the company. This letter was accompanied by a data access request from Jack requesting a copy of "all personal data, including internal emails that were sent/received by Jack or where Jack is directly or indirectly identifiable from the contents In relation to the emails Jack listed six members of the management team whose inboxes he required access.

The company conducted an initial search of its IT systems, which returned a large amount of information They then contacted Jack, requesting that he be more specific regarding what information he required, so that they could carry out a targeted search Jack responded by stating that he would not narrow the scope of the information requester.

Under Article 82 of the GDPR ("Right to compensation and liability-), which party is liable for the damage caused by the data breach?

Options:

A.

Both parties are exempt, as the company is involved in human health research

B.

Jack and the pharmaceutical company are jointly liable.

C.

The pharmaceutical company is liable.

D.

Jack is liable

Question 61

Pursuant to Article 4(5) of the GDPR, data is considered “pseudonymized” if?

Options:

A.

It cannot be attributed to a data subject without the use of additional information.

B.

It cannot be attributed to a person under any circumstances.

C.

It can only be attributed to a person by the controller.

D.

It can only be attributed to a person by a third party.

Question 62

What is an important difference between the European Court of Human Rights (ECHR) and the Court of Justice of the European Union (CJEU) in relation to their roles and functions?

Options:

A.

ECHR can rule on issues concerning privacy as a fundamental right, while the CJEU cannot.

B.

CJEU can force national governments to implement and honor EU law, while the ECHR cannot.

C.

CJEU can hear appeals on human rights decisions made by national courts, while the ECHR cannot.

D.

ECHR can enforce human rights laws against governments that fail to implement them, while the CJEU cannot.

Question 63

SCENARIO

Please use the following to answer the next question:

Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.

Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick’s instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.

Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its

clients’ data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information

is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying

information from the contact information. JaphSoft’s engineers, however, maintain all contact information in the same database as the identifying information.

Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies’ websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem’s as well as EcoMick’s latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem’s products, she has never shopped EcoMick, nor provided her personal data to that company.

For what reason would JaphSoft be considered a controller under the GDPR?

Options:

A.

It determines how long to retain the personal data collected.

B.

It has been provided access to personal data in the MarketIQ database.

C.

It uses personal data to improve its products and services for its client-base through machine learning.

D.

It makes decisions regarding the technical and organizational measures necessary to protect the personal data.

Question 64

SCENARIO

Please use the following to answer the next question:

Sandy recently joined Market4U, an advertising technology company founded in 2016, as their VP of Privacy and Data Governance. Through her first initiative in conducting a data inventory, Sandy learned that Market4U maintains a list of 19 million global contacts that were collected throughout the course of Market4U’s existence. Knowing the risk of having such a large amount of data, Sandy wanted to purge all contacts that were entered into Market4U’s systems prior to May 2018, unless such contacts had a more recent interaction with Market4U content. However, Dan, the VP of Sales, informed Sandy that all of the contacts provide useful information regarding successful marketing campaigns and trends in industry verticals for Market4U’s clients.

Dan also informed Sandy that he had wanted to focus on gaining more customers within the sports and entertainment industry. To assist with this behavior, Market4U’s marketing team decided to add several new fields to Market4U’s website forms, including forms for downloading white papers, creating accounts to participate in Market4U’s forum, and attending events. Such fields include birth date and salary.

What is the best way that Sandy can gain the insights that Dan seeks while still minimizing risks for Market4U?

Options:

A.

Conduct analysis only on anonymized personal data.

B.

Conduct analysis only on pseudonymized personal data.

C.

Delete all data collected prior to May 2018 after conducting the trend analysis.

D.

Procure a third party to conduct the analysis and delete the data from Market4U’s systems.

Question 65

In which scenario is a Controller most likely required to undertake a Data Protection Impact Assessment?

Options:

A.

When the controller is collecting email addresses from individuals via an online registration form for marketing purposes.

B.

When personal data is being collected and combined with other personal data to profile the creditworthiness of individuals.

C.

When the controller is required to have a Data Protection Officer.

D.

When personal data is being transferred outside of the EEA.

Question 66

Which of the following elements does NOT need to be presented to a data subject in order to collect valid consent for the use of cookies?

Options:

A.

A "Cookies Settings" button.

B.

A "Reject All" cookies button.

C.

A list of cookies that may be placed.

D.

Information on the purpose of the cookies.

Question 67

Which aspect of the GDPR will likely have the most impact on the consistent implementation of data protection

laws throughout the European Union?

Options:

A.

That it essentially functions as a one-stop shop mechanism

B.

That it takes the form of a Regulation as opposed to a Directive

C.

That it makes notification of large-scale data breaches mandatory

D.

That it makes appointment of a data protection officer mandatory

Question 68

SCENARIO

Please use the following to answer the next question:

Zandelay Fashion (‘Zandelay’) is a successful international online clothing retailer that employs approximately 650 people at its headquarters based in Dublin, Ireland. Martin is their recently appointed data protection officer, who oversees the company’s compliance with the General Data Protection Regulation (GDPR) and other privacy legislation.

The company offers both male and female clothing lines across all age demographics, including children. In doing so, the company processes large amounts of information about such customers, including preferences and sensitive financial information such as credit card and bank account numbers.

In an aggressive bid to build revenue growth, Jerry, the CEO, tells Martin that the company is launching a new mobile app and loyalty scheme that puts significant emphasis on profiling the company’s customers by analyzing their purchases. Martin tells the CEO that: (a) the potential risks of such activities means that Zandelay needs to carry out a data protection impact assessment to assess this new venture and its privacy implications; and (b) where the results of this assessment indicate a high risk in the absence of appropriate protection measures. Zandelay may have to undertake a prior consultation with the Irish Data Protection Commissioner before implementing the app and loyalty scheme.

Jerry tells Martin that he is not happy about the prospect of having to directly engage with a supervisory authority and having to disclose details of Zandelay’s business plan and associated processing activities.

What must Zandelay provide to the supervisory authority during the prior consultation?

Options:

A.

An evaluation of the complexity of the intended processing.

B.

An explanation of the purposes and means of the intended processing.

C.

Records showing that customers have explicitly consented to the intended profiling activities.

D.

Certificates that prove Martin’s professional qualities and expert knowledge of data protection law.

Question 69

Which failing of Privacy Shield, cited by the CJEU as a reason for its invalidation, is the Trans-Atlantic Data Privacy Framework intended to address?

Options:

A.

Data Subject Rights.

B.

Right of Action.

C.

Necessity.

D.

Consent.

Question 70

SCENARIO

Please use the following to answer the next question:

Anna and Frank both work at Granchester University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records:

    Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information.

    Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files).

    Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees. These records are available to former students after registering through Granchester’s Alumni portal. Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers.

    Under their security policy, the University encrypts all of its personal data records in transit and at rest.

In order to improve his teaching, Frank wants to investigate how his engineering students perform in relational to Department for Education expectations. He has attended one of Anna’s data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a

program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first time university attended. He wants to keep the records at the individual student level. Mindful of Anna’s training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time.

One of Anna’s tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, as required by the GDPR. After receiving her email reminder, Frank informs Anna about his performance database.

Ann explains to Frank that, as well as minimizing personal data, the University has to check that this new use

of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has done some additional research.

Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time.

Before Anna determines whether Frank’s performance database is permissible, what additional information does she need?

Options:

A.

More information about Frank’s data protection training.

B.

More information about the extent of the information loss.

C.

More information about the algorithm Frank used to mask student numbers.

D.

More information about what students have been told and how the research will be used.

Question 71

In the Planet 49 case, what was the main judgement of the Court of Justice of the European Union (CJEU) regarding the issue of cookies?

Options:

A.

If the cookies do not track personal data, then pre-checked boxes are acceptable.

B.

If the ePrivacy Directive requires consent for cookies, then the GDPR's consent requirements apply.

C.

If a website's cookie notice makes clear the information gathered and the lifespan of the cookie, then pre-checked boxes are acceptable.

D.

If a data subject continues to scroll through a website after reading a cookie banner, this activity constitutes valid consent for the tracking described in the cookie banner.

Question 72

SCENARIO

Please use the following to answer the next question:

Financially, it has been a very good year at ARRA Hotels: Their 21 hotels, located in

Greece (5), Italy (15) and Spain (1), have registered their most profitable results

ever. To celebrate this achievement, ARRA Hotels' Human Resources office, based

in ARRA's main Italian establishment, has organized a team event for its 420

employees and their families at its hotel in Spain.

Upon arrival at the hotel, each employee and family member is given an electronic

wristband at the reception desk. The wristband serves a number of functions:

. Allows access to the "party zone" of the hotel, and emits a buzz if the user

approaches any unauthorized areas

. Allows up to three free drinks for each person of legal age, and emits a

buzz once this limit has been reached

. Grants a unique ID number for participating in the games and contests that

have been planned.

Along with the wristband, each guest receives a QR code that leads to the online

privacy notice describing the use of the wristband. The page also contains an

unchecked consent checkbox. In the case of employee family members under the

age of 16, consent must be given by a parent.

Among the various activities planned for the event, ARRA Hotels' HR office has

autonomously set up a photocall area, separate from the main event venue, where

employees can come and have their pictures taken in traditional carnival costume.

The photos will be posted on ARRA Hotels' main website for general marketing

purposes.

On the night of the event, an employee from one of ARRA's Greek hotels is

displeased with the results of the photos in which he appears. He intends to file a

complaint with the relevant supervisory authority in regard to the following:

. The lack of any privacy notice in the separate photocall area

The unlawful cross-border processing of his personal data

. The unacceptable aesthetic outcome of his photos

Which of the following is NOT necessarily considered a factor in identifying whether

the processing could be considered a "cross-border processing"?

Options:

A.

The total number of the data subjects interested.

B.

The potential harm for the data subjects affected.

C.

The limitation of rights of the data subjects concerned.

D.

The exposure of the information of the data subjects involved.

Question 73

An entity’s website stores text files on EU users’ computer and mobile device browsers. Prior to doing so, the entity is required to provide users with notices containing information and consent under which of the following frameworks?

Options:

A.

General Data Protection Regulation 2016/679.

B.

E-Privacy Directive 2002/58/EC.

C.

E-Commerce Directive 2000/31/EC.

D.

Data Protection Directive 95/46/EC.

Question 74

SCENARIO

Please use the following to answer the next question:

You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company’s revenue is due to international sales.

The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: The figures can answer children’s Questions: on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience.

When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure’s integrated

speakers, making it appear as though that the toy is actually responding to the child’s question. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.

In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures’ abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character’s abilities remain intact.

Why is this company obligated to comply with the GDPR?

Options:

A.

The company has offices in the EU.

B.

The company employs staff in the EU.

C.

The company’s data center is located in a country outside the EU.

D.

The company’s products are marketed directly to EU customers.

Question 75

SCENARIO

Please use the following to answer the next question:

Due to rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B. Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry.

Company B’s payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A’s factories. Company B won’t hold any biometric data itself, but the related data will be uploaded to Company B’s UK servers and used to provide the payroll service. Company B’s live systems will contain the following information for each of Company A’s employees:

    Name

    Address

    Date of Birth

    Payroll number

    National Insurance number

    Sick pay entitlement

    Maternity/paternity pay entitlement

    Holiday entitlement

    Pension and benefits contributions

    Trade union contributions

Jenny is the compliance officer at Company A. She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn’t sure whether or not this is required.

Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data. Jenny suggests that Company B obtain advice from its data protection officer. The company doesn’t have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract.

Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B’s live systems in order to create a new database for Company B.

This database will be stored in a test environment hosted on Company C’s U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes.

Unfortunately, Company C’s U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A’s employees is visible to anyone visiting Company C’s website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees.

Under the GDPR, which of Company B’s actions would NOT be likely to trigger a potential enforcement action?

Options:

A.

Their omission of data protection provisions in their contract with Company C.

B.

Their failure to provide sufficient security safeguards to Company A’s data.

C.

Their engagement of Company C to improve their payroll service.

D.

Their decision to operate without a data protection officer.

Question 76

What must a data controller do in order to make personal data pseudonymous?

Options:

A.

Separately hold any information that would allow linking the data to the data subject.

B.

Encrypt the data in order to prevent any unauthorized access or modification.

C.

Remove all indirect data identifiers and dispose of them securely.

D.

Use the data only in aggregated form for research purposes.

Question 77

SCENARIO

Please use the following to answer the next question:

Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.

Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick’s instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.

Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its

clients’ data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying

information from the contact information. JaphSoft’s engineers, however, maintain all contact information in the same database as the identifying information.

Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies’ websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem’s as well as EcoMick’s latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem’s products, she has never shopped EcoMick, nor provided her personal data to that company.

Which of the following BEST describes the relationship between Liem, EcoMick and JaphSoft?

Options:

A.

Liem is a controller and EcoMick is a processor because Liem provides specific instructions regarding how the marketing campaigns should be rolled out.

B.

EcoMick and JaphSoft are is a controller and Liem is a processor because EcoMick is sharing its marketing data with Liem for contacts in Europe.

C.

JaphSoft is the sole processor because it processes personal data on behalf of its clients.

D.

Liem and EcoMick are joint controllers because they carry out joint marketing activities.

Question 78

Which judicial body makes decisions on actions taken by individuals wishing to enforce their rights under EU law?

Options:

A.

Court of Auditors

B.

Court of Justice of European Union

C.

European Court of Human Rights

D.

European Data Protection Board

The Court of Justice of the European Union (CJEU) is the judicial body of the EU that makes decisions on issues of EU law and enforces European decisions either in respect to actions taken by the European Commission against a member state or actions taken by individuals to enforce their rights under EU law. The CJEU consists of two courts: the Court of Justice and the General Court. The CJEU ensures the

Question 79

Bioface is a company based in the United States. It has no servers, personnel or assets in the European Union. By collecting photographs from social media and other web-based services, such as newspapers and blogs, it uses machine learning to develop a facial recognition algorithm. The algorithm identifies individuals in photographs who are not in its data set based the algorithm and its existing data. The service collects photographs of data subjects in the European Union and will identify them if presented with their photographs. Bioface offers its service to government agencies and companies in the United States and Canada, but not to those in the European Union. Bioface does not offer the service to individuals.

Why is Bioface subject to the territorial scope of the General Data Protection Regulation?

Options:

A.

It collects data from European Union websites, which constitutes an establishment in the European Union.

B.

It offers services in the European Union by identifying data subjects in the European Union.

C.

It collects data from subjects and uses it for automated processing.

D.

It monitors the behavior of data subjects in the European Union.

Question 80

A private company has establishments in France, Poland, the United Kingdom and, most prominently, Germany, where its headquarters is established. The company offers its services worldwide. Most of the services are designed in Germany and supported in the other establishments. However, one of the services, a Software as a Service (SaaS) application, was defined and implemented by the Polish establishment. It is also supported by the other establishments.

What is the lead supervisory authority for the SaaS service?

Options:

A.

The supervisory authority of Germany at federal level.

B.

The supervisory authority of Germany at regional level.

C.

The supervisory authority of the Republic of Poland.

D.

The supervisory authority of the European Union.

Question 81

SCENARIO

Please use the following to answer the next question:

Why was Jackie correct in not completing a transfer impact assessment for HRYourWay?

Options:

A.

HRYourWay was ultimately not selected

B.

HRYourWay is not located in a third country.

C.

ProStorage will obtain consent for all transfers.

D.

ProStorage can rely on its Binding Corporate Rules

Question 82

When collecting personal data in a European Union (EU) member state, what must a company do if it collects personal data from a source other than the data subjects themselves?

Options:

A.

Inform the subjects about the collection

B.

Provide a public notice regarding the data

C.

Upgrade security to match that of the source

D.

Update the data within a reasonable timeframe

Question 83

If a multi-national company wanted to conduct background checks on all current and potential employees, including those based in Europe, what key provision would the company have to follow?

Options:

A.

Background checks on employees could be performed only under prior notice to all employees.

B.

Background checks are only authorized with prior notice and express consent from all employees including those based in Europe.

C.

Background checks on European employees will stem from data protection and employment law, which can vary between member states.

D.

Background checks may not be allowed on European employees, but the company can create lists based on its legitimate interests, identifying individuals who are ineligible for employment.

Question 84

Which kind of privacy notice, originally advocated by the Article 29 Working Party, is commonly recommended tor Al-based technologies because of the way it provides processing information at specific points of data collection?

Options:

A.

Privacy dashboard notice

B.

Visualization notice.

C.

Just-in-lime notice.

D.

Layered notice.

Question 85

SCENARIO

Please use the following to answer the next question:

Javier is a member of the fitness club EVERFIT. This company has branches in many EU member states, but for the purposes of the GDPR maintains its primary establishment in France. Javier lives in Newry, Northern Ireland (part of the U.K.), and commutes across the border to work in Dundalk, Ireland. Two years ago while on a business trip, Javier was photographed while working out at a branch of EVERFIT in Frankfurt, Germany. At the time, Javier gave his consent to being included in the photograph, since he was told that it would be used for promotional purposes only. Since then, the photograph has been used in the club’s U.K. brochures, and it features in the landing page of its U.K. website. However, the fitness club has recently fallen into disrepute due to widespread mistreatment of members at various branches of the club in several EU member states. As a result, Javier no longer feels comfortable with his photograph being publicly associated with the fitness club.

After numerous failed attempts to book an appointment with the manager of the local branch to discuss this matter, Javier sends a letter to EVETFIT requesting that his image be removed from the website and all promotional materials. Months pass and Javier, having received no acknowledgment of his request, becomes very anxious about this matter. After repeatedly failing to contact EVETFIT through alternate channels, he decides to take action against the company.

Javier contacts the U.K. Information Commissioner’s Office (‘ICO’ – the U.K.’s supervisory authority) to lodge a complaint about this matter. The ICO, pursuant to Article 56 (3) of the GDPR, informs the CNIL (i.e. the supervisory authority of EVERFIT’s main establishment) about this matter. Despite the fact that EVERFIT has an establishment in the U.K., the CNIL decides to handle the case in accordance with Article 60 of the GDPR. The CNIL liaises with the ICO, as relevant under the cooperation procedure. In light of issues amongst the supervisory authorities to reach a decision, the European Data Protection Board becomes involved and, pursuant to the consistency mechanism, issues a binding decision.

Additionally, Javier sues EVERFIT for the damages caused as a result of its failure to honor his request to have his photograph removed from the brochure and website.

Assuming that multiple EVETFIT branches across several EU countries are acting as separate data controllers, and that each of those branches were responsible for mishandling Javier’s request, how may Javier proceed in order to seek compensation?

Options:

A.

He will have to sue the EVETFIT’s head office in France, where EVETFIT has its main establishment.

B.

He will be able to sue any one of the relevant EVETFIT branches, as each one may be held liable for the entire damage.

C.

He will have to sue each EVETFIT branch so that each branch provides proportionate compensation commensurate with its contribution to the damage or distress suffered by Javier.

D.

He will be able to apply to the European Data Protection Board in order to determine which particular EVETFIT branch is liable for damages, based on the decision that was made by the board.

Question 86

Which of the following is NOT a role of works councils?

Options:

A.

Determining the monetary fines to be levied against employers for data breach violations of employee data.

B.

Determining whether to approve or reject certain decisions of the employer that affect employees.

C.

Determining whether employees’ personal data can be processed or not.

D.

Determining what changes will affect employee working conditions.

Question 87

SCENARIO

Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentable offering to help him recover compensation for personal injury. Louis has heard about insurance companies selling customers’ data to third parties, and he’s convinced that Accidentable must have gotten his information from Bedrock Insurance.

Louis has also been receiving an increased amount of marketing information from Bedrock, trying to sell him their full range of their insurance policies.

Perturbed by this, Louis has started looking at price comparison sites on the internet and has been shocked to find that other insurers offer much cheaper rates than Bedrock, even though he has been a loyal customer for many years. When his Bedrock policy comes up for renewal, he decides to switch to Zantrum Insurance.

In order to activate his new insurance policy, Louis needs to supply Zantrum with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask Bedrock to transfer his information directly to Zantrum. He also takes this opportunity to ask Bedrock to stop using his personal data for marketing purposes.

Bedrock supplies Louis with a PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Louis it cannot transfer his data directly to Zantrum as this is not technically feasible. Bedrock also explains that Louis’s contract included a provision whereby Louis agreed that his data could be used for marketing purposes; according to Bedrock, it is too late for Louis to change his mind about this. It angers Louis when he recalls the wording of the contract, which was filled with legal jargon and very confusing.

In the meantime, Louis is still receiving unwanted calls from Accidentable Insurance. He writes to Accidentable to ask for the name of the organization that supplied his details to them. He warns Accidentable that he plans to complain to the data protection authority, because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way.

Accidentable’s response letter confirms Louis’s suspicions. Accidentable is Bedrock Insurance’s wholly owned subsidiary, and they received information about Louis’s accident from Bedrock shortly after Louis submitted his accident claim. Accidentable assures Louis that there has been no breach of the GDPR, as Louis’s contract included, a provision in which he agreed to share his information with Bedrock’s affiliates for business purposes.

Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them insisting that all his information be erased from their computer system.

Based on the GDPR’s position on the use of personal data for direct marketing purposes, which of the following is true about Louis’s rights as a data subject?

Options:

A.

Louis does not have the right to object to the use of his data because he previously consented to it.

B.

Louis has the right to object at any time to the use of his data and Bedrock must honor his request to cease use.

C.

Louis has the right to object to the use of his data, unless his data is required by Bedrock for the purpose

of exercising a legal claim.

D.

Louis does not have the right to object to the use of his data if Bedrock can demonstrate compelling legitimate grounds for the processing.

Question 88

The GDPR's list of processor obligations regarding cloud computing includes all of the following EXCEPT?

Options:

A.

Controllers must be given notice of any subprocessors and have a right of objection.

B.

Individuals authorized to process the personal data are subject to an obligation of confidentiality.

C.

Any personal data related to data subjects must be securely maintained for a maximum of ten years.

D.

Processors must implement technical and organizational measures to ensure a level of security appropriate to the risk.

Page: 1 / 30
Total 295 questions