New Year Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70percent

IAPP CIPP-E Certified Information Privacy Professional/Europe (CIPP/E) Exam Practice Test

Demo: 76 questions
Total 268 questions

Certified Information Privacy Professional/Europe (CIPP/E) Questions and Answers

Question 1

SCENARIO

Please use the following to answer the next question:

Jack worked as a Pharmacovigiliance Operations Specialist in the Irish office of a multinational pharmaceutical company on a clinical trial related to COVID-19. As part of his onboarding process Jack received privacy training He was explicitly informed that while he would need to process confidential patient data in the course of his work, he may under no circumstances use this data for anything other than the performance of work-related (asks This was also specified in the privacy policy, which Jack signed upon conclusion of the training.

After several months of employment, Jack got into an argument with a patient over the phone. Out of anger he later posted the patient's name and hearth information, along with disparaging comments, on a social media website. When this was discovered by his Pharmacovigilance supervisors. Jack was immediately dismissed

Jack's lawyer sent a letter to the company stating that dismissal was a disproportionate sanction, and that if Jack was not reinstated within 14 days his firm would have no alternative but to commence legal proceedings against the company. This letter was accompanied by a data access request from Jack requesting a copy of "all personal data, including internal emails that were sent/received by Jack or where Jack is directly or indirectly identifiable from the contents. In relation to the emails Jack listed six members of the management team whose inboxes the required access.

How should the company respond to Jack's request to be forgotten?

Options:

A.

The company should not erase the data at this time as it may be required to defend a legal claim of unfair dismissal.

B.

The company should erase all data relating to Jack without undue delay as the right to be forgotten is an absolute right.

C.

The company should claim that the right to be forgotten is not applicable to them, as only a fraction of their global workforce resides in the European Union.

D.

The company should ensure that the information is stored outside of the European Union so that the right to be forgotten under the GDPR does not apply.

Question 2

SCENARIO

Please use the following to answer the next question:

ABC Hotel Chain and XYZ Travel Agency are U.S.-based multinational companies. They use an internet-based common platform for collecting and sharing their customer data with each other, in order to integrate their marketing efforts. Additionally, they agree on the data to be stored, how reservations will be booked and confirmed, and who has access to the stored data.

Mike, an EU resident, has booked travel itineraries in the past through XYZ Travel Agency to stay at ABC Hotel Chain’s locations. XYZ Travel Agency offers a rewards program that allows customers to sign up to accumulate points that can later be redeemed for free travel. Mike has signed the agreement to be a rewards program member.

Now Mike wants to know what personal information the company holds about him. He sends an email requesting access to his data, in order to exercise what he believes are his data subject rights.

In which of the following situations would ABC Hotel Chain and XYZ Travel Agency NOT have to honor Mike’s data access request?

Options:

A.

The request is to obtain access and correct inaccurate personal data in his profile.

B.

The request is to obtain access and information about the purpose of processing his personal data.

C.

The request is to obtain access and erasure of his personal data while keeping his rewards membership.

D.

The request is to obtain access and the categories of recipients who have received his personal data to process his rewards membership.

Question 3

SCENARIO

Please use the following to answer the next question:

You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company’s revenue is due to international sales.

The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: The figures can answer children’s Questions: on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience.

When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure’s integrated

speakers, making it appear as though that the toy is actually responding to the child’s question. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.

In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures’ abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character’s abilities remain intact.

What presents the BIGGEST potential privacy issue with the company’s practices?

Options:

A.

The NFC portal can read any data stored in the action figures

B.

The information about the data processing involved has not been specified

C.

The cloud service provider is in a country that has not been deemed adequate

D.

The RFID tag in the action figures has the potential for misuse because of the toy’s evolving capabilities

Question 4

Which of the following demonstrates compliance with the accountability principle found in Article 5, Section 2 of the GDPR?

Options:

A.

Anonymizing special categories of data.

B.

Conducting regular audits of the data protection program.

C.

Getting consent from the data subject for a cross border data transfer.

D.

Encrypting data in transit and at rest using strong encryption algorithms.

Question 5

Under Article 58 of the GDPR, which of the following describes a power of supervisory authorities in European Union (EU) member states?

Options:

A.

The ability to enact new laws by executive order.

B.

The right to access data for investigative purposes.

C.

The discretion to carry out goals of elected officials within the member state.

D.

The authority to select penalties when a controller is found guilty in a court of law.

Question 6

ISO 31700 has set forth requirements relating to consumer products and services. In particular, this international standard focuses on the implementation of which of the following?

Options:

A.

Privacy by design.

B.

Comprehensive ethical Al software.

C.

Privacy notices for companies providing services to consumers.

D.

Automated systems for identifying EU data subjects' personal data.

Question 7

Assuming that the “without undue delay” provision is followed, what is the time limit for complying with a data access request?

Options:

A.

Within 40 days of receipt

B.

Within 40 days of receipt, which may be extended by up to 40 additional days

C.

Within one month of receipt, which may be extended by up to an additional month

D.

Within one month of receipt, which may be extended by an additional two months

Question 8

According to the GDPR, how is pseudonymous personal data defined?

Options:

A.

Data that can no longer be attributed to a specific data subject without the use of additional information

kept separately.

B.

Data that can no longer be attributed to a specific data subject, with no possibility of re-identifying the data.

C.

Data that has been rendered anonymous in such a manner that the data subject is no longer identifiable.

D.

Data that has been encrypted or is subject to other technical safeguards.

Question 9

SCENARIO

Please use the following to answer the next question:

Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees’ computers to see if they have software that is no

longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees’ computers.

Since these measures would potentially impact employees, Building Block’s Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.

After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees’ computers activity and their location. During these activities, the Information Security team discovered that one employee from Italy was daily connecting to a video library of movies, and another one from Germany worked remotely without authorization. The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.

Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company’s computers, and from working remotely without authorization.

To comply with the GDPR, what should Building Block have done as a first step before implementing the SecurityScan measure?

Options:

A.

Assessed potential privacy risks by conducting a data protection impact assessment.

B.

Consulted with the relevant data protection authority about potential privacy violations.

C.

Distributed a more comprehensive notice to employees and received their express consent.

D.

Consulted with the Information Security team to weigh security measures against possible server impacts.

Question 10

SCENARIO

Please use the following to answer the next question:

WonderkKids provides an online booking service for childcare. Wonderkids is based in France, but hosts its website through a company in Switzerland. As part of their service, WonderKids will pass all personal data provided to them to the childcare provider booked through their system. The type of personal data collected on the website includes the name of the person booking the childcare, address and contact details, as well as information about the children to be cared for including name, age, gender and health information. The privacy statement on Wonderkids’ website states the following:

“WonderkKids provides the information you disclose to us through this website to your childcare provider for scheduling and health and safety reasons. We may also use your and your child’s personal information for our own legitimate business purposes and we employ a third-party website hosting company located in Switzerland to store the data. Any data stored on equipment located in Switzerland meets the European Commission provisions for guaranteeing adequate safeguards for you and your child’s personal information. We will only share you and your child’s personal information with businesses that we see as adding real value to you. By providing us with any personal data, you consent to its transfer to affiliated businesses and to send you promotional offers.”

“We may retain you and your child’s personal information for no more than 28 days, at which point the data will be depersonalized, unless your personal information is being used for a legitimate business purpose beyond 28 days where it may be retained for up to 2 years.”

“We are processing you and your child’s personal information with your consent. If you choose not to provide certain information to us, you may not be able to use our services. You have the right to: request access to

you and your child’s personal information; rectify or erase you or your child’s personal information; the right to correction or erasure of you and/or your child’s personal information; object to any processing of you and your child’s personal information. You also have the right to complain to the supervisory authority about our data processing activities.”

What additional information must Wonderkids provide in their Privacy Statement?

Options:

A.

How often promotional emails will be sent.

B.

Contact information of the hosting company.

C.

Technical and organizational measures to protect data.

D.

The categories of recipients with whom data will be shared.

Question 11

As a Data Protection Officer for a small bank in the European Union, you receive a data subject access request from one of your customers. The customer provides you with his

name, and has used the email address registered in your system.

What would be the most appropriate way to confirm the identity of the customer?

Options:

A.

Request that the customer provide his bank account number.

B.

Request that the customer answer additional security questions.

C.

Request a copy of the customer's last bank account statement.

D.

Request a copy of the customer's government-issued ID document.

Question 12

Please use the following to answer the next question:

WonderkKids provides an online booking service for childcare. Wonderkids is based in France, but hosts its website through a company in Switzerland. As part of their service, WonderKids will pass all personal data provided to them to the childcare provider booked through their system. The type of personal data collected on the website includes the name of the person booking the childcare, address and contact details, as well as information about the children to be cared for including name, age, gender and health information. The privacy statement on Wonderkids’ website states the following:

“WonderkKids provides the information you disclose to us through this website to your childcare provider for scheduling and health and safety reasons. We may also use your and your child’s personal information for our own legitimate business purposes and we employ a third-party website hosting company located in Switzerland to store the data. Any data stored on equipment located in Switzerland meets the European Commission provisions for guaranteeing adequate safeguards for you and your child’s personal information. We will only share you and your child’s personal information with businesses that we see as adding real value to you. By providing us with any personal data, you consent to its transfer to affiliated businesses and to send you promotional offers.”

“We may retain you and your child’s personal information for no more than 28 days, at which point the data will be depersonalized, unless your personal information is being used for a legitimate business purpose beyond 28 days where it may be retained for up to 2 years.”

“We are processing you and your child’s personal information with your consent. If you choose not to provide certain information to us, you may not be able to use our services. You have the right to: request access to you and your child’s personal information; rectify or erase you or your child’s personal information; the right to correction or erasure of you and/or your child’s personal information; object to any processing of you and your child’s personal information. You also have the right to complain to the supervisory authority about our data processing activities.”

What direct marketing information can WonderKids send by email without prior consent of the person booking the childcare?

Options:

A.

No marketing information at all.

B.

Any marketing information at all.

C.

Marketing information related to other business operations of WonderKids.

D.

Marketing information for products or services similar to those purchased from WonderKids.

Question 13

What is true if an employee makes an access request to his employer for any personal data held about him?

Options:

A.

The employer can automatically decline the request if it contains personal data about a third person.

B.

The employer can decline the request if the information is only held electronically.

C.

The employer must supply all the information held about the employee.

D.

The employer must supply any information held about an employee unless an exemption applies.

Question 14

Which of the following entities would most likely be exempt from complying with the GDPR?

Options:

A.

A South American company that regularly collects European customers’ personal data.

B.

A company that stores all customer data in Australia and is headquartered in a European Union (EU) member state.

C.

A Chinese company that has opened a satellite office in a European Union (EU) member state to service European customers.

D.

A North American company servicing customers in South Africa that uses a cloud storage system made by a European company.

Question 15

Which of the following is NOT considered a fair processing practice in relation to the transparency principle?

Options:

A.

Providing a multi-layered privacy notice, in a website environment.

B.

Providing a QR code linking to more detailed privacy notice, in a CCTV sign.

C.

Providing a hyperlink to the organization’s home page, in a hard copy application form.

D.

Providing a “just-in-time” contextual pop-up privacy notice, in an online application from field.

Question 16

How is the GDPR’s position on consent MOST likely to affect future app design and implementation?

Options:

A.

App developers will expand the amount of data necessary to collect for an app’s functionality.

B.

Users will be given granular types of consent for particular types of processing.

C.

App developers’ responsibilities as data controllers will increase.

D.

Users will see fewer advertisements when using apps.

Question 17

A worker in a European Union (EU) member state has ceased his employment with a company. What should the employer most likely do in regard to the worker’s personal data?

Options:

A.

Destroy sensitive information and store the rest per applicable data protection rules.

B.

Store all of the data in case the departing worker makes a subject access request.

C.

Securely store the data that is required to be kept under local law.

D.

Provide the employee the reasons for retaining the data.

Question 18

SCENARIO

Please use the following to answer the next question:

Zandelay Fashion (‘Zandelay’) is a successful international online clothing retailer that employs approximately 650 people at its headquarters based in Dublin, Ireland. Martin is their recently appointed data protection officer, who oversees the company’s compliance with the General Data Protection Regulation (GDPR) and other privacy legislation.

The company offers both male and female clothing lines across all age demographics, including children. In doing so, the company processes large amounts of information about such customers, including preferences and sensitive financial information such as credit card and bank account numbers.

In an aggressive bid to build revenue growth, Jerry, the CEO, tells Martin that the company is launching a new mobile app and loyalty scheme that puts significant emphasis on profiling the company’s customers by analyzing their purchases. Martin tells the CEO that: (a) the potential risks of such activities means that Zandelay needs to carry out a data protection impact assessment to assess this new venture and its privacy implications; and (b) where the results of this assessment indicate a high risk in the absence of appropriate protection measures, Zandelay may have to undertake a prior consultation with the Irish Data Protection Commissioner before implementing the app and loyalty scheme.

Jerry tells Martin that he is not happy about the prospect of having to directly engage with a supervisory authority and having to disclose details of Zandelay’s business plan and associated processing activities.

What would MOST effectively assist Zandelay in conducting their data protection impact assessment?

Options:

A.

Information about DPIAs found in Articles 38 through 40 of the GDPR.

B.

Data breach documentation that data controllers are required to maintain.

C.

Existing DPIA guides published by local supervisory authorities.

D.

Records of processing activities that data controllers are required to maintain.

Question 19

In relation to third countries and international organizations, which of the following shall, along with the supervisory authorities, take appropriate steps to develop international cooperation mechanisms for the enforcement of data protection legislation?

Options:

A.

The European Parliament

B.

The Council of the European Union.

C.

The designated Data Protection Officers

D.

The European Commission

Question 20

Under Article 9 of the GDPR, which of the following categories of data is NOT expressly prohibited from data processing?

Options:

A.

Personal data revealing ethnic origin.

B.

Personal data revealing genetic data.

C.

Personal data revealing financial data.

D.

Personal data revealing trade union membership.

Question 21

SCENARIO

Please use the following to answer the next question:

Financially, it has been a very good year at ARRA Hotels: Their 21 hotels, located in

Greece (5), Italy (15) and Spain (1), have registered their most profitable results

ever. To celebrate this achievement, ARRA Hotels' Human Resources office, based

in ARRA's main Italian establishment, has organized a team event for its 420

employees and their families at its hotel in Spain.

Upon arrival at the hotel, each employee and family member is given an electronic

wristband at the reception desk. The wristband serves a number of functions:

. Allows access to the "party zone" of the hotel, and emits a buzz if the user

approaches any unauthorized areas

. Allows up to three free drinks for each person of legal age, and emits a

buzz once this limit has been reached

. Grants a unique ID number for participating in the games and contests that

have been planned.

Along with the wristband, each guest receives a QR code that leads to the online

privacy notice describing the use of the wristband. The page also contains an

unchecked consent checkbox. In the case of employee family members under the

age of 16, consent must be given by a parent.

Among the various activities planned for the event, ARRA Hotels' HR office has

autonomously set up a photocall area, separate from the main event venue, where

employees can come and have their pictures taken in traditional carnival costume.

The photos will be posted on ARRA Hotels' main website for general marketing

purposes.

On the night of the event, an employee from one of ARRA's Greek hotels is

displeased with the results of the photos in which he appears. He intends to file a

complaint with the relevant supervisory authority in regard to the following:

. The lack of any privacy notice in the separate photocall area

The unlawful cross-border processing of his personal data

. The unacceptable aesthetic outcome of his photos

Assuming that there is a cross-border processing of personal data, which of the

following criteria would NOT be useful to the lead supervisory authority responsible

for the Greek employee's complaint when trying to determine the location of the

controller's main establishment?

Options:

A.

Where the controller is registered as a company.

B.

Where the processor is registered as a company.

C.

Where decisions about the processing activities are made.

D.

Where the director with responsibility for processing activities is located.

Question 22

SCENARIO

Please use the following to answer the next question:

Javier is a member of the fitness club EVERFIT. This company has branches in many EU member states, but for the purposes of the GDPR maintains its primary establishment in France. Javier lives in Newry, Northern Ireland (part of the U.K.), and commutes across the border to work in Dundalk, Ireland. Two years ago while on a business trip, Javier was photographed while working out at a branch of EVERFIT in Frankfurt, Germany. At the time, Javier gave his consent to being included in the photograph, since he was told that it would be used for promotional purposes only. Since then, the photograph has been used in the club’s U.K. brochures, and it features in the landing page of its U.K. website. However, the fitness club has recently fallen into disrepute due to widespread mistreatment of members at various branches of the club in several EU member states. As a result, Javier no longer feels comfortable with his photograph being publicly associated with the fitness club.

After numerous failed attempts to book an appointment with the manager of the local branch to discuss this matter, Javier sends a letter to EVETFIT requesting that his image be removed from the website and all promotional materials. Months pass and Javier, having received no acknowledgment of his request, becomes very anxious about this matter. After repeatedly failing to contact EVETFIT through alternate channels, he decides to take action against the company.

Javier contacts the U.K. Information Commissioner’s Office (‘ICO’ – the U.K.’s supervisory authority) to lodge a complaint about this matter. The ICO, pursuant to Article 56 (3) of the GDPR, informs the CNIL (i.e. the supervisory authority of EVERFIT’s main establishment) about this matter. Despite the fact that EVERFIT has an establishment in the U.K., the CNIL decides to handle the case in accordance with Article 60 of the GDPR. The CNIL liaises with the ICO, as relevant under the cooperation procedure. In light of issues amongst the supervisory authorities to reach a decision, the European Data Protection Board becomes involved and, pursuant to the consistency mechanism, issues a binding decision.

Additionally, Javier sues EVERFIT for the damages caused as a result of its failure to honor his request to have his photograph removed from the brochure and website.

Under the cooperation mechanism, what should the lead authority (the CNIL) do after it has formed its view on the matter?

Options:

A.

Submit a draft decision to other supervisory authorities for their opinion.

B.

Request that the other supervisory authorities provide the lead authority with a draft decision for its consideration.

C.

Submit a draft decision directly to the Commission to ensure the effectiveness of the consistency mechanism.

D.

Request that members of the seconding supervisory authority and the host supervisory authority co-draft a decision.

Question 23

What obligation does a data controller or processor have after appointing a data protection officer?

Options:

A.

To ensure that the data protection officer receives sufficient instructions regarding the exercise of his or her defined tasks.

B.

To provide resources necessary to carry out the defined tasks of the data protection officer and to maintain his or her expert knowledge.

C.

To ensure that the data protection officer acts as the sole point of contact for individuals’ Questions: about their personal data.

D.

To submit for approval to the data protection officer a code of conduct to govern organizational practices and demonstrate compliance with data protection principles.

Question 24

Which failing of Privacy Shield, cited by the CJEU as a reason for its invalidation, is the Trans-Atlantic Data Privacy Framework intended to address?

Options:

A.

Data Subject Rights.

B.

Right of Action.

C.

Necessity.

D.

Consent.

Question 25

SCENARIO

Please use the following to answer the next question:

The fitness company Vigotron has recently developed a new app called M-Health, which it wants to market on its website as a free download. Vigotron’s marketing manager asks his assistant Emily to create a webpage that describes the app and specifies the terms of use. Emily, who is new at Vigotron, is excited about this task. At her previous job she took a data protection class, and though the details are a little hazy, she recognizes that Vigotron is going to need to obtain user consent for use of the app in some cases. Emily sketches out the following draft, trying to cover as much as possible before sending it to Vigotron’s legal department.

Registration Form

Vigotron’s new M-Health app makes it easy for you to monitor a variety of health-related activities, including diet, exercise, and sleep patterns. M-Health relies on your smartphone settings (along with other third-party apps you may already have) to collect data about all of these important lifestyle elements, and provide the information necessary for you to enrich your quality of life. (Please click here to read a full description of the services that M-Health provides.)

Vigotron values your privacy. The M-Heaith app allows you to decide which information is stored in it, and which apps can access your data. When your device is locked with a passcode, all of your health and fitness data is encrypted with your passcode. You can back up data stored in the Health app to Vigotron’s cloud provider, Stratculous. (Read more about Stratculous here.)

Vigotron will never trade, rent or sell personal information gathered from the M-Health app. Furthermore, we will not provide a customer’s name, email address or any other information gathered from the app to any third- party without a customer’s consent, unless ordered by a court, directed by a subpoena, or to enforce the manufacturer’s legal rights or protect its business or property.

We are happy to offer the M-Health app free of charge. If you want to download and use it, we ask that you

first complete this registration form. (Please note that use of the M-Health app is restricted to adults aged 16 or older, unless parental consent has been given to minors intending to use it.)

  • First name:
  • Surname:
  • Year of birth:
  • Email:
  • Physical Address (optional*):
  • Health status:

*If you are interested in receiving newsletters about our products and services that we think may be of interest to you, please include your physical address. If you decide later that you do not wish to receive these newsletters, you can unsubscribe by sending an email to unsubscribe@vigotron.com or send a letter with your request to the address listed at the bottom of this page.

Terms and Conditions

1.Jurisdiction. […]

2.Applicable law. […]

3.Limitation of liability. […]

Consent

By completing this registration form, you attest that you are at least 16 years of age, and that you consent to the processing of your personal data by Vigotron for the purpose of using the M-Health app. Although you are entitled to opt out of any advertising or marketing, you agree that Vigotron may contact you or provide you with any required notices, agreements, or other information concerning the services by email or other electronic means. You also agree that the Company may send automated emails with alerts regarding any problems with the M-Health app that may affect your well being.

If a user of the M-Health app were to decide to withdraw his consent, Vigotron would first be required to do what?

Options:

A.

Provide the user with logs of data collected through use of the app.

B.

Erase any data collected from the time the app was first used.

C.

Inform any third parties of the user’s withdrawal of consent.

D.

Cease processing any data collected through use of the app.

Question 26

Article 5(1)(b) of the GDPR states that personal data must be “collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.” Based on Article 5(1)(b),

what is the impact of a member state’s interpretation of the word “incompatible”?

Options:

A.

It dictates the level of security a processor must follow when using and storing personal data for two different purposes.

B.

It guides the courts on the severity of the consequences for those who are convicted of the intentional misuse of personal data.

C.

It sets the standard for the level of detail a controller must record when documenting the purpose for collecting personal data.

D.

It indicates the degree of flexibility a controller has in using personal data in ways that may vary from its original intended purpose.

Question 27

An entity’s website stores text files on EU users’ computer and mobile device browsers. Prior to doing so, the entity is required to provide users with notices containing information and consent under which of the following frameworks?

Options:

A.

General Data Protection Regulation 2016/679.

B.

E-Privacy Directive 2002/58/EC.

C.

E-Commerce Directive 2000/31/EC.

D.

Data Protection Directive 95/46/EC.

Question 28

In which of the following situations would an individual most likely to be able to withdraw her consent for processing?

Options:

A.

When she is leaving her bank and moving to another bank.

B.

When she has recently changed jobs and no longer works for the same company.

C.

When she disagrees with a diagnosis her doctor has recorded on her records.

D.

When she no longer wishes to be sent marketing materials from an organization.

Question 29

According to the GDPR, what is the main task of a Data Protection Officer (DPO)?

Options:

A.

To create and maintain records of processing activities.

B.

To conduct Privacy Impact Assessments on behalf of the controller or processor.

C.

To monitor compliance with other local or European data protection provisions.

D.

To create procedures for notification of personal data breaches to competent supervisory authorities.

Question 30

If a company chooses to ground an international data transfer on the contractual route, which of the following is NOT a valid set of standard contractual clauses?

Options:

A.

Decision 2001/497/EC (EU controller to non-EU or EEA controller).

B.

Decision 2004/915/EC (EU controller to non-EU or EEA controller).

C.

Decision 2007/72/EC (EU processor to non-EU or EEA controller).

D.

Decision 2010/87/EU (Non-EU or EEA processor from EU controller).

Question 31

According to the EDPB Guidelines 01/2021 on Examples regarding Personal Data Breach Notification, if exfiltration of job application data (submitted through online application forms and stored on a webserver) resulted in personal information being accessible to unauthorized persons, this would be primarily considered what kind of breach?

Options:

A.

An integrity breach.

B.

An accuracy breach.

C.

An availability breach.

D.

A confidentiality breach.

Question 32

Which of the following would most likely NOT be covered by the definition of “personal data” under the GDPR?

Options:

A.

The payment card number of a Dutch citizen

B.

The U.S. social security number of an American citizen living in France

C.

The unlinked aggregated data used for statistical purposes by an Italian company

D.

The identification number of a German candidate for a professional examination in Germany

Question 33

In the Planet 49 case, what was the main judgement of the Court of Justice of the European Union (CJEU) regarding the issue of cookies?

Options:

A.

If the cookies do not track personal data, then pre-checked boxes are acceptable.

B.

If the ePrivacy Directive requires consent for cookies, then the GDPR's consent requirements apply.

C.

If a website's cookie notice makes clear the information gathered and the lifespan of the cookie, then pre-checked boxes are acceptable.

D.

If a data subject continues to scroll through a website after reading a cookie banner, this activity constitutes valid consent for the tracking described in the cookie banner.

Question 34

Since blockchain transactions are classified as pseudonymous, are they considered to be within the material scope of the GDPR or outside of it?

Options:

A.

Outside the material scope of the GDPR, because transactions do not include personal data about data subjects m the European Union.

B.

Within the material scope of the GDPR but outside of the territorial scope, because blockchains are decentralized.

C.

Within the material scope of the GDPR to the extent that transactions include data subjects in the European Union.

D.

Outside the material scope of the GDPR, because transactions are for personal or household purposes

Question 35

Which EU institution is vested with the competence to propose new data protection legislation on its own initiative?

Options:

A.

The European Council

B.

The European Parliament

C.

The European Commission

D.

The Council of the European Union

Question 36

SCENARIO

Please use the following to answer the next question:

T-Craze, a German-headquartered specialty t-shirt company, was successfully selling to large German metropolitan cities. However, after a recent merger with another German-based company that was selling to a broader European market, T-Craze revamped its marketing efforts to sell to a wider audience. These efforts included a complete redesign of its logo to reflect the recent merger, and improvements to its website meant to capture more information about visitors through the use of cookies.

T-Craze also opened various office locations throughout Europe to help expand its business. While Germany continued to host T-Craze’s headquarters and main product-design office, its French affiliate became responsible for all marketing and sales activities. The French affiliate recently procured the services of Right Target, a renowned marketing firm based in the Philippines, to run its latest marketing campaign. After thorough research, Right Target determined that T-Craze is most successful with customers between the ages of 18 and 22. Thus, its first campaign targeted university students in several European capitals, which yielded nearly 40% new customers for T-Craze in one quarter. Right Target also ran subsequent campaigns for T- Craze, though with much less success.

The last two campaigns included a wider demographic group and resulted in countless unsubscribe requests, including a large number in Spain. In fact, the Spanish data protection authority received a complaint from Sofia, a mid-career investment banker. Sofia was upset after receiving a marketing communication even after unsubscribing from such communications from the Right Target on behalf of T-Craze.

Why does the Spanish supervisory authority notify the French supervisory authority when it opens an investigation into T-Craze based on Sofia’s complaint?

Options:

A.

T-Craze has a French affiliate.

B.

The French affiliate procured the services of Right Target.

C.

T-Craze conducts its marketing and sales activities in France.

D.

The Spanish supervisory authority is providing a courtesy notification not required under the GDPR.

Question 37

If a company is planning to use closed-circuit television (CCTV) on its premises and is concerned with GDPR compliance, it should first do all of the following EXCEPT?

Options:

A.

Notify the appropriate data protection authority.

B.

Perform a data protection impact assessment (DPIA).

C.

Create an information retention policy for those who operate the system.

D.

Ensure that safeguards are in place to prevent unauthorized access to the footage.

Question 38

Which institution has the power to adopt findings that confirm the adequacy of the data protection level in a non-EU country?

Options:

A.

The European Parliament

B.

The European Commission

C.

The Article 29 Working Party

D.

The European Council

Question 39

In the wake of the Schrems II ruling, which of the following actions has been recommended by the EDPB for companies transferring personal data to third countries?

Options:

A.

Adopting a risk-based approach and implementing supplementary measures as needed.

B.

Ensuring that all data transfers are encrypted with unbreakable encryption algorithms.

C.

Obtaining explicit consent from each EU citizen for every individual data transfer.

D.

Storing all personal data within the borders of the European Union.

Question 40

Based on GDPR Article 35, which of the following situations would trigger the need to complete a DPIA?

Options:

A.

A company wants to combine location data with other data in order to offer more personalized service for the customer.

B.

A company wants to use location data to infer information on a person’s clothes purchasing habits.

C.

A company wants to build a dating app that creates candidate profiles based on location data and data from third-party sources.

D.

A company wants to use location data to track delivery trucks in order to make the routes more efficient.

Question 41

What is the primary purpose of Convention 108+, which amends the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data?

Options:

A.

To issue updated guidelines for data transfers from the EU to third-country signatories to the Convention.

B.

To modify the process for third countries to obtain an adequacy decision from the European Commission.

C.

To strengthen data protection in line with the European and international regulatory framework.

D.

To establish new data subject rights and safeguards for consumers in the EU member states.

Question 42

Which of the following is one of the supervisory authority’s investigative powers?

Options:

A.

To notify the controller or the processor of an alleged infringement of the GDPR.

B.

To require that controllers or processors adopt approved data protection certification mechanisms.

C.

To determine whether a controller or processor has the right to a judicial remedy concerning a compensation decision made against them.

D.

To require data controllers to provide them with written notification of all new processing activities.

Question 43

To receive a preliminary interpretation on provisions of the GDPR, a national court will refer its case to which of the following?

Options:

A.

The Court of Justice of the European Union.

B.

The European Data Protection Supervisor.

C.

The European Court of Human Rights.

D.

The European Data Protection Board.

Question 44

Which of the following is NOT one of the 4 principles developed by the European Al Alliance regarding the ethical use of Artificial Intelligence?

Options:

A.

It should be fair.

B.

It should be lawful

C.

It should prevent harm

D.

It should respect human autonomy.

Question 45

If a French controller has a car-sharing app available only in Morocco, Algeria and Tunisia, but the data processing activities are carried out by the appointed processor in Spain, the GDPR will apply to the processing of the personal data so long as?

Options:

A.

The individuals are European citizens or residents.

B.

The data processing activities are in Spain.

C.

The data controller is in France.

D.

The EU individuals are targeted.

Question 46

According to Article 84 of the GDPR, the rules on penalties applicable to infringements shall be laid down by?

Options:

A.

The local Data Protection Supervisory Authorities.

B.

The European Data Protection Board.

C.

The EU Commission.

D.

The Member States.

Question 47

According to the E-Commerce Directive 2000/31/EC, where is the place of “establishment” for a company providing services via an Internet website confirmed by the GDPR?

Options:

A.

Where the technology supporting the website is located

B.

Where the website is accessed

C.

Where the decisions about processing are made

D.

Where the customer’s Internet service provider is located

Question 48

What must a data controller do in order to make personal data pseudonymous?

Options:

A.

Separately hold any information that would allow linking the data to the data subject.

B.

Encrypt the data in order to prevent any unauthorized access or modification.

C.

Remove all indirect data identifiers and dispose of them securely.

D.

Use the data only in aggregated form for research purposes.

Question 49

Which GDPR requirement will present the most significant challenges for organizations with Bring Your Own Device (BYOD) programs?

Options:

A.

Data subjects must be sufficiently informed of the purposes for which their personal data is processed.

B.

Processing of special categories of personal data on a large scale requires appointing a DPO.

C.

Personal data of data subjects must always be accurate and kept up to date.

D.

Data controllers must be in control of the data they hold at all times.

Question 50

A multinational company is appointing a mandatory data protection officer. In addition to considering the rules set out in Article 37 (1) of the GDPR, which of the following actions must the company also undertake to ensure compliance in all EU jurisdictions in which it operates?

Options:

A.

Consult national derogations to evaluate if there are additional cases to be considered in relation to the matter.

B.

Conduct a Data Protection Privacy Assessment on the processing operations of the company in all the countries it operates.

C.

Assess whether the company has more than 250 employees in each of the EU member-states in which it is established.

D.

Revise the data processing activities of the company that affect more than one jurisdiction to evaluate whether they comply with the principles of privacy by design and by default.

Question 51

What term BEST describes the European model for data protection?

Options:

A.

Sectoral

B.

Self-regulatory

C.

Market-based

D.

Comprehensive

Question 52

Which of the following countries will continue to enjoy adequacy status under the GDPR, pending any future European Commission decision to the contrary?

Options:

A.

Greece

B.

Norway

C.

Australia

D.

Switzerland

Question 53

SCENARIO

Please use the following to answer the next question:

BHealthy, a company based in Italy, is ready to launch a new line of natural products, with a focus on sunscreen. The last step prior to product launch is for BHealthy to conduct research to decide how extensively to market its new line of sunscreens across Europe. To do so, BHealthy teamed up with Natural Insight, a company specializing in determining pricing for natural products. BHealthy decided to share its existing customer information – name, location, and prior purchase history – with Natural Insight. Natural Insight intends to use this information to train its algorithm to help determine the price point at which BHealthy can sell its new sunscreens.

Prior to sharing its customer list, BHealthy conducted a review of Natural Insight’s security practices and concluded that the company has sufficient security measures to protect the contact information. Additionally, BHealthy’s data processing contractual terms with Natural Insight require continued implementation of technical and organization measures. Also indicated in the contract are restrictions on use of the data provided by BHealthy for any purpose beyond provision of the services, which include use of the data for continued improvement of Natural Insight’s machine learning algorithms.

Under the GDPR, what are Natural Insight’s security obligations with respect to the customer information it received from BHealthy?

Options:

A.

Appropriate security that takes into account the industry practices for protecting customer contact information and purchase history.

B.

Only the security measures assessed by BHealthy prior to entering into the data processing contract.

C.

Absolute security since BHealthy is sharing personal data, including purchase history, with Natural Insight.

D.

The level of security that a reasonable data subject whose data is processed would expect in relation to the data subject’s purchase history.

Question 54

SCENARIO

Please use the following to answer the next question:

TripBliss Inc. is a travel service company which has lost substantial revenue over the last few years. Their new manager, Oliver, suspects that this is partly due to the company’s outdated website. After doing some research, he meets with a sales representative from the up-and-coming IT company Techiva, hoping that they can design a new, cutting-edge website for TripBliss Inc.’s foundering business.

During negotiations, a Techiva representative describes a plan for gathering more customer information through detailed Questionaires, which could be used to tailor their preferences to specific travel destinations. TripBliss Inc. can choose any number of data categories – age, income, ethnicity – that would help them best accomplish their goals. Oliver loves this idea, but would also like to have some way of gauging how successful this approach is, especially since the Questionaires will require customers to provide explicit consent to having their data collected. The Techiva representative suggests that they also run a program to analyze the new website’s traffic, in order to get a better understanding of how customers are using it. He explains his plan to place a number of cookies on customer devices. The cookies will allow the company to collect IP addresses and other information, such as the sites from which the customers came, how much time they spend on the TripBliss Inc. website, and which pages on the site they visit. All of this information will be compiled in log files, which Techiva will analyze by means of a special program. TripBliss Inc. would receive aggregate statistics to help them evaluate the website’s effectiveness. Oliver enthusiastically engages Techiva for these services.

Techiva assigns the analytics portion of the project to longtime account manager Leon Santos. As is standard practice, Leon is given administrator rights to TripBliss Inc.’s website, and can authorize access to the log files gathered from it. Unfortunately for TripBliss Inc., however, Leon is taking on this new project at a time when his dissatisfaction with Techiva is at a high point. In order to take revenge for what he feels has been unfair treatment at the hands of the company, Leon asks his friend Fred, a hobby hacker, for help. Together they come up with the following plan: Fred will hack into Techiva’s system and copy their log files onto a USB stick. Despite his initial intention to send the USB to the press and to the data protection authority in order to denounce Techiva, Leon experiences a crisis of conscience and ends up reconsidering his plan. He decides instead to securely wipe all the data from the USB stick and inform his manager that the company’s system of access control must be reconsidered.

If TripBliss Inc. decides not to report the incident to the supervisory authority, what would be their BEST defense?

Options:

A.

The resulting obligation to notify data subjects would involve disproportionate effort.

B.

The incident resulted from the actions of a third-party that were beyond their control.

C.

The destruction of the stolen data makes any risk to the affected data subjects unlikely.

D.

The sensitivity of the categories of data involved in the incident was not substantial enough.

Question 55

WP29’s “Guidelines on Personal data breach notification under Regulation 2016/679’’ provides examples of ways to communicate data breaches transparently. Which of the following was listed as a method that would NOT be effective for communicating a breach to data subjects?

Options:

A.

A postal notification

B.

A direct electronic message

C.

A notice on a corporate blog

D.

A prominent advertisement in print media

Question 56

SCENARIO

Please use the following to answer the next question:

The fitness company Vigotron has recently developed a new app called M-Health, which it wants to market on its website as a free download. Vigotron’s marketing manager asks his assistant Emily to create a webpage that describes the app and specifies the terms of use. Emily, who is new at Vigotron, is excited about this task. At her previous job she took a data protection class, and though the details are a little hazy, she recognizes that Vigotron is going to need to obtain user consent for use of the app in some cases. Emily sketches out the following draft, trying to cover as much as possible before sending it to Vigotron’s legal department.

Registration Form

Vigotron’s new M-Health app makes it easy for you to monitor a variety of health-related activities, including diet, exercise, and sleep patterns. M-Health relies on your smartphone settings (along with other third-party apps you may already have) to collect data about all of these important lifestyle elements, and provide the information necessary for you to enrich your quality of life. (Please click here to read a full description of the services that M-Health provides.)

Vigotron values your privacy. The M-Heaith app allows you to decide which information is stored in it, and which apps can access your data. When your device is locked with a passcode, all of your health and fitness data is encrypted with your passcode. You can back up data stored in the Health app to Vigotron’s cloud provider, Stratculous. (Read more about Stratculous here.)

Vigotron will never trade, rent or sell personal information gathered from the M-Health app. Furthermore, we will not provide a customer’s name, email address or any other information gathered from the app to any third- party without a customer’s consent, unless ordered by a court, directed by a subpoena, or to enforce the manufacturer’s legal rights or protect its business or property.

We are happy to offer the M-Health app free of charge. If you want to download and use it, we ask that you

first complete this registration form. (Please note that use of the M-Health app is restricted to adults aged 16 or older, unless parental consent has been given to minors intending to use it.)

  • First name:
  • Surname:
  • Year of birth:
  • Email:
  • Physical Address (optional*):
  • Health status:

*If you are interested in receiving newsletters about our products and services that we think may be of interest to you, please include your physical address. If you decide later that you do not wish to receive these newsletters, you can unsubscribe by sending an email to unsubscribe@vigotron.com or send a letter with your request to the address listed at the bottom of this page.

Terms and Conditions

1.Jurisdiction. […]

2.Applicable law. […]

3.Limitation of liability. […]

Consent

By completing this registration form, you attest that you are at least 16 years of age, and that you consent to the processing of your personal data by Vigotron for the purpose of using the M-Health app. Although you are entitled to opt out of any advertising or marketing, you agree that Vigotron may contact you or provide you with any required notices, agreements, or other information concerning the services by email or other electronic means. You also agree that the Company may send automated emails with alerts regarding any problems with the M-Health app that may affect your well being.

What is one potential problem Vigotron’s age policy might encounter under the GDPR?

Options:

A.

Age restrictions are more stringent when health data is involved.

B.

Users are only required to be aged 13 or over to be considered adults.

C.

Organizations must make reasonable efforts to verify parental consent.

D.

Organizations that tie a service to marketing must seek consent for each purpose.

Question 57

SCENARIO

Please use the following to answer the next question:

Brady is a computer programmer based in New Zealand who has been running his own business for two years. Brady’s business provides a low-cost suite of services to customers throughout the European Economic Area (EEA). The services are targeted towards new and aspiring small business owners. Brady’s company, called Brady Box, provides web page design services, a Social Networking Service (SNS) and consulting services that help people manage their own online stores.

Unfortunately, Brady has been receiving some complaints. A customer named Anna recently uploaded her plans for a new product onto Brady Box’s chat area, which is open to public viewing. Although she realized her mistake two weeks later and removed the document, Anna is holding Brady Box responsible for not noticing the error through regular monitoring of the website. Brady believes he should not be held liable.

Another customer, Felipe, was alarmed to discover that his personal information was transferred to a third- party contractor called Hermes Designs and worries that sensitive information regarding his business plans may be misused. Brady does not believe he violated European privacy rules. He provides a privacy notice to all of his customers explicitly stating that personal data may be transferred to specific third parties in fulfillment of a requested service. Felipe says he read the privacy notice but that it was long and complicated

Brady continues to insist that Felipe has no need to be concerned, as he can personally vouch for the integrity of Hermes Designs. In fact, Hermes Designs has taken the initiative to create sample customized banner advertisements for customers like Felipe. Brady is happy to provide a link to the example banner ads, now posted on the Hermes Designs webpage. Hermes Designs plans on following up with direct marketing to these customers.

Brady was surprised when another customer, Serge, expressed his dismay that a quotation by him is being used within a graphic collage on Brady Box’s home webpage. The quotation is attributed to Serge by first and last name. Brady, however, was not worried about any sort of litigation. He wrote back to Serge to let him know that he found the quotation within Brady Box’s Social Networking Service (SNS), as Serge himself had posted the quotation. In his response, Brady did offer to remove the quotation as a courtesy.

Despite some customer complaints, Brady’s business is flourishing. He even supplements his income through online behavioral advertising (OBA) via a third-party ad network with whom he has set clearly defined roles. Brady is pleased that, although some customers are not explicitly aware of the OBA, the advertisements contain useful products and services.

Based on current trends in European privacy practices, which aspect of Brady Box’ Online Behavioral Advertising (OBA) is most likely to be insufficient if the company becomes established in Europe?

Options:

A.

The lack of the option to opt in.

B.

The level of security within the website.

C.

The contract with the third-party advertising network.

D.

The need to have the contents of the advertising approved.

Question 58

SCENARIO

Please use the following to answer the next question:

Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent. All of the company’s IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father’s company, but is also secretly working on launching a new global online dating website company called Ben Knows Best.

Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company’s online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers’ philosophical beliefs, political opinions and marital status.

If a customer identifies as single, Ben then copies all of that customer’s personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out.

Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Beak with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.

Joe also hires his best friend’s daughter, Alice, who just graduated from law school in the U.S., to be the company’s new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company’s operations in the European Union to the U.S.

Joe believes that Alice is doing a great job, and informs her that she will also be in-charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company’s IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone’s information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.

The data transfer mechanism that Alice drafted violates the GDPR because the company did not first get approval from?

Options:

A.

The Court of Justice of the European Union.

B.

The European Data Protection Board.

C.

The Data Protection Authority.

D.

The European Commission.

Question 59

Article 58 of the GDPR describes the power of supervisory authorities. Which of the following is NOT among those granted?

Options:

A.

Legislative powers.

B.

Corrective powers.

C.

Investigatory powers.

D.

Authorization and advisory powers.

Question 60

Which statement is correct when considering the right to privacy under Article 8 of the European Convention on Human Rights (ECHR)?

Options:

A.

The right to privacy is an absolute right

B.

The right to privacy has to be balanced against other rights under the ECHR

C.

The right to freedom of expression under Article 10 of the ECHR will always override the right to privacy

D.

The right to privacy protects the right to hold opinions and to receive and impart ideas without interference

Question 61

SCENARIO

Please use the following to answer the next question:

Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.

Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick’s instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.

Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its

clients’ data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying

information from the contact information. JaphSoft’s engineers, however, maintain all contact information in the same database as the identifying information.

Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies’ websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem’s as well as EcoMick’s latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem’s products, she has never shopped EcoMick, nor provided her personal data to that company.

Under the GDPR, Liem and EcoMick’s contract with MarketIQ must include all of the following provisions EXCEPT?

Options:

A.

Processing the personal data upon documented instructions regarding data transfers outside of the EEA.

B.

Notification regarding third party requests for access to Liem and EcoMick’s personal data.

C.

Assistance to Liem and EcoMick in their compliance with data protection impact assessments.

D.

Returning or deleting personal data after the end of the provision of the services.

Question 62

SCENARIO

Please use the following to answer the next question:

ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO. Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage s global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized m New Delhi Unable to reach Ruths family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who in coordination with Mary, the head of HR. provided information to the doctors based on accommodate on requests Ruth made when she started a: ProStorage

In support of Ruth's strategic goals of hiring more sales representatives, the Human

Resources team is focused on improving its processes to ensure that new

employees are sourced, interviewed, hired, and onboarded efficiently. To help with

this, Mary identified two vendors, HRYourWay, a German based company, and

InstaHR, an Australian based company. She decided to have both vendors go

through ProStorage's vendor risk review process so she can work with Ruth to

make the final decision. As part of the review process, Jackie, who is responsible

for maintaining ProStorage's privacy program (including maintaining controller

BCRs and conducting vendor risk assessments), reviewed both vendors but

completed a transfer impact assessment only for InstaHR. After her review of both

vendors, she determined that InstaHR satisfied more of the requirements as it

boasted a more established privacy program and provided third-party attestations,

whereas HRYourWay was a small vendor with minimal data protection operations.

Thus, she recommended InstaHR.

ProStorage's marketing team also worked to meet the strategic goals of the

company by focusing on industries where it needed to grow its market share. To

help with this, the team selected as a partner UpFinance, a US based company

with deep connections to financial industry customers. During ProStorage's

diligence process, Jackie from the privacy team noted in the transfer impact

assessment that UpFinance implements several data protection measures

including end-to-end encryption, with encryption keys held by the customer.

Notably, UpFinance has not received any government requests in its 7 years of

business. Still, Jackie recommended that the contract require UpFinance to notify

ProStorage if it receives a government request for personal data UpFinance

processes on its behalf prior to disclosing such data.

What transfer mechanism did ProStorage most likely rely on to transfer Ruth's medical information to the hospital?

Options:

A.

Ruth's implied consent.

B.

Protecting the vital interest of Ruth

C.

Performance of a contract with Ruth.

D.

Protecting against legal liability from Ruth.

Question 63

SCENARIO

Please use the following to answer the next question:

Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.

Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick’s instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.

Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its

clients’ data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying

information from the contact information. JaphSoft’s engineers, however, maintain all contact information in the same database as the identifying information.

Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies’ websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem’s as well as EcoMick’s latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem’s products, she has never shopped EcoMick, nor provided her personal data to that company.

Which of the following BEST describes the relationship between Liem, EcoMick and JaphSoft?

Options:

A.

Liem is a controller and EcoMick is a processor because Liem provides specific instructions regarding how the marketing campaigns should be rolled out.

B.

EcoMick and JaphSoft are is a controller and Liem is a processor because EcoMick is sharing its marketing data with Liem for contacts in Europe.

C.

JaphSoft is the sole processor because it processes personal data on behalf of its clients.

D.

Liem and EcoMick are joint controllers because they carry out joint marketing activities.

Question 64

SCENARIO

Please use the following to answer the next question:

Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentable offering to help him recover compensation for personal injury. Louis has heard about insurance companies selling customers’ data to third parties, and he’s convinced that Accidentable must have gotten his information from Bedrock Insurance.

Louis has also been receiving an increased amount of marketing information from Bedrock, trying to sell him their full range of their insurance policies.

Perturbed by this, Louis has started looking at price comparison sites on the internet and has been shocked to find that other insurers offer much cheaper rates than Bedrock, even though he has been a loyal customer for many years. When his Bedrock policy comes up for renewal, he decides to switch to Zantrum Insurance.

In order to activate his new insurance policy, Louis needs to supply Zantrum with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask Bedrock to transfer his information directly to Zantrum. He also takes this opportunity to ask Bedrock to stop using his personal data for marketing purposes.

Bedrock supplies Louis with a PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Louis it cannot transfer his data directly to Zantrum as this is not technically feasible. Bedrock also explains that Louis’s contract included a provision whereby Louis agreed that his data could be used for marketing purposes; according to Bedrock, it is too late for Louis to change his mind about this. It angers Louis when he recalls the wording of the contract, which was filled with legal jargon and very confusing.

In the meantime, Louis is still receiving unwanted calls from Accidentable Insurance. He writes to Accidentable to ask for the name of the organization that supplied his details to them. He warns Accidentable that he plans to complain to the data protection authority, because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way.

Accidentable’s response letter confirms Louis’s suspicions. Accidentable is Bedrock Insurance’s wholly owned subsidiary, and they received information about Louis’s accident from Bedrock shortly after Louis submitted his accident claim. Accidentable assures Louis that there has been no breach of the GDPR, as Louis’s contract included, a provision in which he agreed to share his information with Bedrock’s affiliates for business purposes.

Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them insisting that all his information be erased from their computer system.

Which statement accurately summarizes Bedrock’s obligation in regard to Louis’s data portability request?

Options:

A.

Bedrock does not have a duty to transfer Louis’s data to Zantrum if doing so is legitimately not technically feasible.

B.

Bedrock does not have to transfer Louis’s data to Zantrum because the right to data portability does not apply where personal data are processed in order to carry out tasks in the public interest.

C.

Bedrock has failed to comply with the duty to transfer Louis’s data to Zantrum because the duty applies wherever personal data are processed by automated means and necessary for the performance of a contract with the customer.

D.

Bedrock has failed to comply with the duty to transfer Louis’s data to Zantrum because it has an obligation to develop commonly used, machine-readable and interoperable formats so that all customer data can be ported to other insurers on request.

Question 65

According to Art 23 GDPR, which of the following data subject rights can NOT be restricted?

Options:

A.

Right to restriction of processing.

B.

Right to erasure ("Right to be forgotten").

C.

Right to lodge a complaint with a supervisory authority.

D.

Right not to be subject to automated individual decision-making

Question 66

SCENARIO

Please use the following to answer the next question:

Jane starts her new role as a Data Protection Officer (DPO) at a Malta-based

company that allows anyone to buy and sell cryptocurrencies via its online platform.

The company stores and processes the personal data of its customers in a

dedicated data center located in Malta (EU).

People wishing to trade cryptocurrencies are required to open an online account on

the platform. They then must successfully pass a Know Your Customer (KYC) due

diligence procedure aimed at preventing money laundering and ensuring

compliance with applicable financial regulations.

The non-European customers are also required to waive all their GDPR rights by

reading a disclaimer written in bold and ticking a checkbox on a separate page in

order to get their account approved on the platform.

All customers must likewise accept the terms of service of the platform. The terms

of service also include a privacy policy section, saying, among other things, that if a

customer fails the KYC process, its KYC data will be automatically shared with the

national anti-money laundering agency.

The KYC procedure requires customers to answer many questions, including

whether they have any criminal convictions, whether they use recreational drugs or

have problems with alcohol, and whether they have a terminal illness. While

providing this data, customers see a conspicuous message saying that this data is

meant only to prevent fraud and account takeover, and will be never shared with

private third parties.

The company regularly conducts external security testing of its online systems by

independent cybersecurity companies from the EU. At the final stage of testing, the

company provides cybersecurity assessors with access to its central database to

review security permissions, roles and policies. Personal data in the database is

encrypted; however, cybersecurity assessors usually have access to the decryption

keys obtained while running initial security testing. The assessors must strictly

follow the guidelines imposed by the company during the entire testing and auditing

process.

All customer data, including trading activities and all internal communications with

technical support, are permanently stored in a secured AWS S3 Glacier cloud data

storage, located in Ireland, for backup and compliance purposes. The data is

securely transferred to the cloud and then is properly encrypted while at rest by

using AWS-native encryption mechanisms. These mechanisms give AWS the

necessary technical means to encrypt and decrypt the data when such is required

by the company. There is no data processing agreement between AWS and the

company.

Should Jane modify the required GDPR rights waiver for non-European residents?

Options:

A.

Yes, the waiver must not apply to any residents of countries with an adequacy decision from the EC.

B.

Yes, this clause must be entirely removed as all customers,

regardless of residence or nationality, shall enjoy the same individual rights granted under GDPR.

C.

No, the non-EU residents are not protected by GDPR unless they are physically located in the EU.

D.

No, but all non-EU residents must manually sign a separate waiver to ensure its lawfulness and enforceability under GDPR.

Question 67

A homeowner has installed a motion-detecting surveillance system that films his front doc and entryway. The camera does not film any public areas only areas that are the property of the homeowner. The system has seen declared to the authorities per the homeowner's country law, and a placard indicating the area is being video monitored is visible when entering the property

Why can the homeowner NOT depend on the household exemption with regards to the processing of the video images recorded by the surveillance camera system?

Options:

A.

The surveillance camera system can potentially capture biometric information of the homeowner's family, which would be considered a processing of special categories of personal data.

B.

The homeowner has not specified which security measures ore in place as part of the surveillance camera system

C.

The GDPR specifically excludes surveillance camera images from the household exemption

D.

The surveillance camera system can potentially film individuals who enter its filming perimeter

Question 68

SCENARIO

Please use the following to answer the next question:

TripBliss Inc. is a travel service company which has lost substantial revenue over the last few years. Their new manager, Oliver, suspects that this is partly due to the company’s outdated website. After doing some research, he meets with a sales representative from the up-and-coming IT company Techiva, hoping that they can design a new, cutting-edge website for TripBliss Inc.’s foundering business.

During negotiations, a Techiva representative describes a plan for gathering more customer information through detailed Questionaires, which could be used to tailor their preferences to specific travel destinations. TripBliss Inc. can choose any number of data categories – age, income, ethnicity – that would help them best accomplish their goals. Oliver loves this idea, but would also like to have some way of gauging how successful this approach is, especially since the Questionaires will require customers to provide explicit consent to having their data collected. The Techiva representative suggests that they also run a program to analyze the new website’s traffic, in order to get a better understanding of how customers are using it. He explains his plan to place a number of cookies on customer devices. The cookies will allow the company to collect IP addresses and other information, such as the sites from which the customers came, how much time they spend on the TripBliss Inc. website, and which pages on the site they visit. All of this information will be compiled in log files, which Techiva will analyze by means of a special program. TripBliss Inc. would receive aggregate statistics to help them evaluate the website’s effectiveness. Oliver enthusiastically engages Techiva for these services.

Techiva assigns the analytics portion of the project to longtime account manager Leon Santos. As is standard practice, Leon is given administrator rights to TripBliss Inc.’s website, and can authorize access to the log files gathered from it. Unfortunately for TripBliss Inc., however, Leon is taking on this new project at a time when his dissatisfaction with Techiva is at a high point. In order to take revenge for what he feels has been unfair treatment at the hands of the company, Leon asks his friend Fred, a hobby hacker, for help. Together they come up with the following plan: Fred will hack into Techiva’s system and copy their log files onto a USB stick. Despite his initial intention to send the USB to the press and to the data protection authority in order to denounce Techiva, Leon experiences a crisis of conscience and ends up reconsidering his plan. He decides instead to securely wipe all the data from the USB stick and inform his manager that the company’s system of access control must be reconsidered.

After Leon has informed his manager, what is Techiva’s legal responsibility as a processor?

Options:

A.

They must report it to TripBliss Inc.

B.

They must conduct a full systems audit.

C.

They must report it to the supervisory authority.

D.

They must inform customers who have used the website.

Question 69

Sanctions for non-compliance with the EU Artificial Intelligence Act (Al Act) could result in a maximum fine of?

Options:

A.

The higher of up to 10 million Euro or up to 2% of the entity's total worldwide turnover for the preceding financial year.

B.

The higher of up to 40 million Euro or up to 8% of the entity's total worldwide turnover for the preceding financial year.

C.

The higher of up to 20 million Euro or up to 4% of the entity's total worldwide turnover for the preceding financial year.

D.

The higher of up to 30 million Euro or up to 6% of the entity's total worldwide turnover for the preceding financial year.

Question 70

In the Planet 49 case, what was the man judgement of the Coon of Justice of the European Union (CJEU) regarding the issue of cookies?

Options:

A.

If the cookies do not track personal data, then pre-checked boxes are acceptable.

B.

If the ePrivacy Directive requires consent for cookies, then the GDPR's consent requirements apply.

C.

If a website's cookie notice makes clear the information gathered and the lifespan of the cookie, then pre-checked boxes are acceptable.

D.

If a data subject continues to scroll through a website after reading a cookie banner, this activity constitutes valid consent for the tracking described in the cookie banner.

Question 71

Which of the following is NOT an explicit right granted to data subjects under the GDPR?

Options:

A.

The right to request access to the personal data a controller holds about them.

B.

The right to request the deletion of data a controller holds about them.

C.

The right to opt-out of the sale of their personal data to third parties.

D.

The right to request restriction of processing of personal data, under certain scenarios.

Question 72

A mobile device application that uses cookies will be subject to the consent requirement of which of the

following?

Options:

A.

The ePrivacy Directive

B.

The E-Commerce Directive

C.

The Data Retention Directive

D.

The EU Cybersecurity Directive

Question 73

SCENARIO

Please use the following to answer the next question:

Jane Stan's her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a dedicated data center located in Malta |EU).

People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a KYC due diligence procedure aimed at preventing money laundering and ensuring compliance with applicable financial regulations.

The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and belong a checkbox on a separate page in order to get their account approved on the platform.

The customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a

Which of the following must be a component of the anti-money-laundering data-sharing practice of the platform?

Options:

A.

The terms of service shall also enumerate all applicable anti-money laundering few.

B.

Customers shall have an opt-out feature to restrict data sharing with law enforcement agencies after the registration.

C.

The terms of service shall include the address of the anti-money laundering agency and contacts of the investigators who may access me data.

D.

Customers snail receive a clear and conspicuous notice about such data sharing before submitting their data during the registration process.

Question 74

SCENARIO

Please use the following to answer the next question:

Jane Stan's her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a dedicated data center located in Malta (EU).

People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a KYC due diligence procedure aimed at preventing money laundering and ensuring compliance with applicable financial regulations.

The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and belong a checkbox on a separate page in order to get their account approved on the platform.

The customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a

Are the cybersecurity assessors required to sign a data processing agreement with the company in order to comply with the GDPR''

Options:

A.

No, the assessors do not quality as data processors as they only have access to encrypted data.

B.

No. the assessors do not quality as data processors as they do not copy the data to their facilities.

C.

Yes. the assessors a-e considered to be joint data controllers and must sign a mutual data processing agreement.

D.

Yes, the assessors are data processors and their processing of personal data must be governed by a separate contract or other legal act.

Question 75

An unforeseen power outage results in company Z’s lack of access to customer data for six hours. According to article 32 of the GDPR, this is considered a breach. Based on the WP 29’s February, 2018 guidance, company Z should do which of the following?

Options:

A.

Notify affected individuals that their data was unavailable for a period of time.

B.

Document the loss of availability to demonstrate accountability

C.

Notify the supervisory authority about the loss of availability

D.

Conduct a thorough audit of all security systems

Question 76

SCENARIO

Please use the following to answer the next question:

Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees’ computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees’ computers.

Since these measures would potentially impact employees, Building Block’s Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.

After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees’ computers activity and their location. During these activities, the Information Security team discovered that one employee from Italy was daily connecting to a video library of movies, and another one from Germany worked remotely without authorization. The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.

Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company’s computers, and from working remotely without authorization.

In addition to notifying employees about the purpose of the monitoring, the potential uses of their data and their privacy rights, what information should Building Block have provided them before implementing the security measures?

Options:

A.

Information about what is specified in the employment contract.

B.

Information about who employees should contact with any queries.

C.

Information about how providing consent could affect them as employees.

D.

Information about how the measures are in the best interests of the company.

Demo: 76 questions
Total 268 questions