Special Summer Sale - Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70dumps

CIPP-E Questions and Answers

Question # 6

SCENARIO

Please use the following to answer the next question:

BHealthy, a company based in Italy, is ready to launch a new line of natural products, with a focus on sunscreen. The last step prior to product launch is for BHealthy to conduct research to decide how extensively to market its new line of sunscreens across Europe. To do so, BHealthy teamed up with Natural Insight, a company specializing in determining pricing for natural products. BHealthy decided to share its existing customer information – name, location, and prior purchase history – with Natural Insight. Natural Insight intends to use this information to train its algorithm to help determine the price point at which BHealthy can sell its new sunscreens.

Prior to sharing its customer list, BHealthy conducted a review of Natural Insight’s security practices and concluded that the company has sufficient security measures to protect the contact information. Additionally, BHealthy’s data processing contractual terms with Natural Insight require continued implementation of technical and organization measures. Also indicated in the contract are restrictions on use of the data provided by BHealthy for any purpose beyond provision of the services, which include use of the data for continued improvement of Natural Insight’s machine learning algorithms.

In which case would Natural Insight’s use of BHealthy’s data for improvement of its algorithms be considered data processor activity?

A.

If Natural Insight uses BHealthy’s data for improving price point predictions only for BHealthy.

B.

If Natural Insight receives express contractual instructions from BHealthy to use its data for improving its algorithms.

C.

If Natural Insight agrees to be fully liable for its use of BHealthy’s customer information in its product improvement activities.

D.

If Natural Insight satisfies the transparency requirement by notifying BHealthy’s customers of its plans to use their information for its product improvement activities.

Full Access
Question # 7

SCENARIO

Please use the following to answer the next question:

Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.

Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick’s instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.

Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its

clients’ data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying

information from the contact information. JaphSoft’s engineers, however, maintain all contact information in the same database as the identifying information.

Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies’ websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem’s as well as EcoMick’s latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem’s products, she has never shopped EcoMick, nor provided her personal data to that company.

Which of the following BEST describes the relationship between Liem, EcoMick and JaphSoft?

A.

Liem is a controller and EcoMick is a processor because Liem provides specific instructions regarding how the marketing campaigns should be rolled out.

B.

EcoMick and JaphSoft are is a controller and Liem is a processor because EcoMick is sharing its marketing data with Liem for contacts in Europe.

C.

JaphSoft is the sole processor because it processes personal data on behalf of its clients.

D.

Liem and EcoMick are joint controllers because they carry out joint marketing activities.

Full Access
Question # 8

What is the key difference between the European Council and the Council of the European Union?

A.

The Council of the European Union is helmed by a president.

B.

The Council of the European Union has a degree of legislative power.

C.

The European Council focuses primarily on issues involving human rights.

D.

The European Council is comprised of the heads of each EU member state.

Full Access
Question # 9

If two controllers act as joint controllers pursuant to Article 26 of the GDPR, which of the following may NOT be validly determined by said controllers?

A.

The definition of a central contact point for data subjects.

B.

The rules regarding the exercising of data subjects" rights.

C.

The rules to provide information to data subjects in Articles 13 and 14.

D.

The non-disclosure of the essence of their arrangement to data subjects

Full Access
Question # 10

A news website based m (he United Slates reports primarily on North American events The website is accessible to any user regardless of location, as the website operator does not block connections from outside of the U.S. The website offers a pad subscription that requires the creation of a user account; this subscription can only be paid in U.S. dollars.

Which of the following explains why the website operator, who is the responsible for all processing related to account creation and subscriptions, is NOT required to comply with the GDPR?

A.

Payments cannot be made in a European Union currency.

B.

The controller does not have an establishment in the European Union.

C.

The website is not available in several official languages of European Un on Member States

D.

The website cannot block connections from outside the U.S. that use a Virtual Private Network (VPN) to simulate a US location.

Full Access
Question # 11

Why is advisable to avoid consent as a legal basis for an employer to process employee data?

A.

Employee data can only be processed if there is an approval from the data protection officer.

B.

Consent may not be valid if the employee feels compelled to provide it.

C.

An employer might have difficulty obtaining consent from every employee.

D.

Data protection laws do not apply to processing of employee data.

Full Access
Question # 12

Which of the following Convention 108+ principles, as amended in 2018, is NOT consistent with a principle found in the GDPR?

A.

The obligation of companies to declare data breaches.

B.

The requirement to demonstrate compliance to a supervisory authority.

C.

The necessity of the bulk collection of personal data by the government.

Full Access
Question # 13

SCENARIO

Please use the following to answer the next question:

ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO. Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage s global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized m New Delhi Unable to reach Ruths family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who in coordination with Mary, the head of HR. provided information to the doctors based on accommodate on requests Ruth made when she started a: ProStorage

In support of Ruth's strategic goals of hiring more sales representatives, the Human

Resources team is focused on improving its processes to ensure that new

employees are sourced, interviewed, hired, and onboarded efficiently. To help with

this, Mary identified two vendors, HRYourWay, a German based company, and

InstaHR, an Australian based company. She decided to have both vendors go

through ProStorage's vendor risk review process so she can work with Ruth to

make the final decision. As part of the review process, Jackie, who is responsible

for maintaining ProStorage's privacy program (including maintaining controller

BCRs and conducting vendor risk assessments), reviewed both vendors but

completed a transfer impact assessment only for InstaHR. After her review of both

vendors, she determined that InstaHR satisfied more of the requirements as it

boasted a more established privacy program and provided third-party attestations,

whereas HRYourWay was a small vendor with minimal data protection operations.

Thus, she recommended InstaHR.

ProStorage's marketing team also worked to meet the strategic goals of the

company by focusing on industries where it needed to grow its market share. To

help with this, the team selected as a partner UpFinance, a US based company

with deep connections to financial industry customers. During ProStorage's

diligence process, Jackie from the privacy team noted in the transfer impact

assessment that UpFinance implements several data protection measures

including end-to-end encryption, with encryption keys held by the customer.

Notably, UpFinance has not received any government requests in its 7 years of

business. Still, Jackie recommended that the contract require UpFinance to notify

ProStorage if it receives a government request for personal data UpFinance

processes on its behalf prior to disclosing such data.

What transfer mechanism did ProStorage most likely rely on to transfer Ruth's

medical information to the hospital?

A.

Ruth's implied consent.

B.

Protecting the vital interest of Ruth.

C.

Performance of a contract with Ruth.

D.

Protecting against legal liability from Ruth.

Full Access
Question # 14

A company in France suffers a robbery over the weekend owing to a faulty alarm system. When it is determined that the break-in involves the loss of a substantial amount of data, the company decides on a CCTV system to monitor for future incidents. Company technicians install cameras in the entrance of the building, hallways and offices. Footage is recorded continuously, and is monitored by the home office in the United States. What is the most realistic step the company could take to address their security concerns and comply with the personal data processing principles set out in Article 5 of the GDPR?

A.

Seek informed consent from company employees.

B.

Have cameras recording during work hours only.

C.

Retain captured footage for no more than 30 days.

D.

Restrict camera placement to building entrances only.

Full Access
Question # 15

SCENARIO

Please use the following to answer the next question:

Gentle Hedgehog Inc. is a privately owned website design agency incorporated in

Italy. The company has numerous remote workers in different EU countries. Recently,

the management of Gentle Hedgehog noticed a decrease in productivity of their sales

team, especially among remote workers. As a result, the company plans to implement

a robust but privacy-friendly remote surveillance system to prevent absenteeism,

reward top performers, and ensure the best quality of customer service when sales

people are interacting with customers.

Gentle Hedgehog eventually hires Sauron Eye Inc., a Chinese vendor of employee

surveillance software whose European headquarters is in Germany. Sauron Eye's

software provides powerful remote-monitoring capabilities, including 24/7 access to

computer cameras and microphones, screen captures, emails, website history, and

keystrokes. Any device can be remotely monitored from a central server that is

securely installed at Gentle Hedgehog headquarters. The monitoring is invisible by

default; however, a so-called Transparent Mode, which regularly and conspicuously

notifies all users about the monitoring and its precise scope, also exists. Additionally,

the monitored employees are required to use a built-in verification technology

involving facial recognition each time they log in.

All monitoring data, including the facial recognition data, is securely stored in Microsoft Azure cloud servers operated by Sauron Eye, which are physically located in France.

What monitoring may be lawfully performed within the scope of Gentle Hedgehog's

business?

A.

Everything offered by Sauron Eye's software with the exception of camera and microphone monitoring.

B.

Everything offered by Sauron Eye's software, assuming employees provide daily consent to the monitoring.

C.

Only video calls conducted during business hours and emails that do not contain a "private" or "personal" tag.

D.

Only emails, website browsing history and camera for internal video calls that are expressly marked as monitored.

Full Access
Question # 16

A company is hesitating between Binding Corporate Rules and Standard Contractual Clauses as a global data transfer solution. Which of the following statements would help the company make an effective decision?

A.

Binding Corporate Rules are especially recommended for small and medium companies.

B.

The data exporter does not need to be located in the EU for the standard Contractual Clauses.

C.

Binding Corporate Rules provide a global solution for all the entities of a company that are bound by the intra-group agreement.

D.

The company will need the prior authorization of all EU data protection authorities for concluding Standard Contractual Clauses.

Full Access
Question # 17

Which of the following demonstrates compliance with the accountability principle found in Article 5, Section 2 of the GDPR?

A.

Anonymizing special categories of data.

B.

Conducting regular audits of the data protection program.

C.

Getting consent from the data subject for a cross border data transfer.

D.

Encrypting data in transit and at rest using strong encryption algorithms.

Full Access
Question # 18

A company would like to implement CCTV monitoring in its offices for safety and security purposes. Which of the following would be the best legal basis for the company to rely upon?

A.

Public interest.

B.

Individual consent

C.

Legitimate interest.

D.

Exercise of pubic authority.

Full Access
Question # 19

Please use the following to answer the next question:

WonderkKids provides an online booking service for childcare. Wonderkids is based in France, but hosts its website through a company in Switzerland. As part of their service, WonderKids will pass all personal data provided to them to the childcare provider booked through their system. The type of personal data collected on the website includes the name of the person booking the childcare, address and contact details, as well as information about the children to be cared for including name, age, gender and health information. The privacy statement on Wonderkids’ website states the following:

“WonderkKids provides the information you disclose to us through this website to your childcare provider for scheduling and health and safety reasons. We may also use your and your child’s personal information for our own legitimate business purposes and we employ a third-party website hosting company located in Switzerland to store the data. Any data stored on equipment located in Switzerland meets the European Commission provisions for guaranteeing adequate safeguards for you and your child’s personal information. We will only share you and your child’s personal information with businesses that we see as adding real value to you. By providing us with any personal data, you consent to its transfer to affiliated businesses and to send you promotional offers.”

“We may retain you and your child’s personal information for no more than 28 days, at which point the data will be depersonalized, unless your personal information is being used for a legitimate business purpose beyond 28 days where it may be retained for up to 2 years.”

“We are processing you and your child’s personal information with your consent. If you choose not to provide certain information to us, you may not be able to use our services. You have the right to: request access to you and your child’s personal information; rectify or erase you or your child’s personal information; the right to correction or erasure of you and/or your child’s personal information; object to any processing of you and your child’s personal information. You also have the right to complain to the supervisory authority about our data processing activities.”

What direct marketing information can WonderKids send by email without prior consent of the person booking the childcare?

A.

No marketing information at all.

B.

Any marketing information at all.

C.

Marketing information related to other business operations of WonderKids.

D.

Marketing information for products or services similar to those purchased from WonderKids.

Full Access
Question # 20

Article 5(1)(b) of the GDPR states that personal data must be “collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.” Based on Article 5(1)(b),

what is the impact of a member state’s interpretation of the word “incompatible”?

A.

It dictates the level of security a processor must follow when using and storing personal data for two different purposes.

B.

It guides the courts on the severity of the consequences for those who are convicted of the intentional misuse of personal data.

C.

It sets the standard for the level of detail a controller must record when documenting the purpose for collecting personal data.

D.

It indicates the degree of flexibility a controller has in using personal data in ways that may vary from its original intended purpose.

Full Access
Question # 21

The European Parliament jointly exercises legislative and budgetary functions with which of the following?

A.

The European Commission.

B.

The Article 29 Working Party.

C.

The Council of the European Union.

D.

The European Data Protection Board.

Full Access
Question # 22

What is the consequence if a processor makes an independent decision regarding the purposes and means of processing it carries out on behalf of a controller?

A.

The controller will be liable to pay an administrative fine

B.

The processor will be liable to pay compensation to affected data subjects

C.

The processor will be considered to be a controller in respect of the processing concerned

D.

The controller will be required to demonstrate that the unauthorized processing negatively affected one or more of the parties involved

Full Access
Question # 23

The Planet 49 CJEU Judgement applies to?

A.

Cookies used only by third parties.

B.

Cookies that are deemed technically necessary.

C.

Cookies regardless of whether the data accessed is personal or not.

D.

Cookies where the data accessed is considered as personal data only.

Full Access
Question # 24

An organisation receives a request multiple times from a data subject seeking to exercise his rights with respect to his own personal data. Under what condition can the organisation charge the data subject for processing the request?

A.

Only where the organisation can show that it is reasonable to do so because more than one request was made.

B.

Only to the extent this is allowed under the restrictions on data subjects’ rights introduced under Art 23 of GDPR.

C.

Only where the administrative costs of taking the action requested exceeds a certain threshold.

D.

Only if the organisation can demonstrate that the request is clearly excessive or misguided.

Full Access
Question # 25

SCENARIO

Please use the following to answer the next question:

Brady is a computer programmer based in New Zealand who has been running his own business for two years. Brady’s business provides a low-cost suite of services to customers throughout the European Economic Area (EEA). The services are targeted towards new and aspiring small business owners. Brady’s company, called Brady Box, provides web page design services, a Social Networking Service (SNS) and consulting services that help people manage their own online stores.

Unfortunately, Brady has been receiving some complaints. A customer named Anna recently uploaded her plans for a new product onto Brady Box’s chat area, which is open to public viewing. Although she realized her mistake two weeks later and removed the document, Anna is holding Brady Box responsible for not noticing the error through regular monitoring of the website. Brady believes he should not be held liable.

Another customer, Felipe, was alarmed to discover that his personal information was transferred to a third- party contractor called Hermes Designs and worries that sensitive information regarding his business plans may be misused. Brady does not believe he violated European privacy rules. He provides a privacy notice to all of his customers explicitly stating that personal data may be transferred to specific third parties in fulfillment of a requested service. Felipe says he read the privacy notice but that it was long and complicated

Brady continues to insist that Felipe has no need to be concerned, as he can personally vouch for the integrity of Hermes Designs. In fact, Hermes Designs has taken the initiative to create sample customized banner advertisements for customers like Felipe. Brady is happy to provide a link to the example banner ads, now posted on the Hermes Designs webpage. Hermes Designs plans on following up with direct marketing to these customers.

Brady was surprised when another customer, Serge, expressed his dismay that a quotation by him is being used within a graphic collage on Brady Box’s home webpage. The quotation is attributed to Serge by first and last name. Brady, however, was not worried about any sort of litigation. He wrote back to Serge to let him know that he found the quotation within Brady Box’s Social Networking Service (SNS), as Serge himself had posted the quotation. In his response, Brady did offer to remove the quotation as a courtesy.

Despite some customer complaints, Brady’s business is flourishing. He even supplements his income through online behavioral advertising (OBA) via a third-party ad network with whom he has set clearly defined roles. Brady is pleased that, although some customers are not explicitly aware of the OBA, the advertisements contain useful products and services.

Under the General Data Protection Regulation (GDPR), what is the most likely reason Serge may have grounds to object to the use of his quotation?

A.

Because of the misrepresentation of personal data as an endorsement.

B.

Because of the juxtaposition of the quotation with others’ quotations.

C.

Because of the use of personal data outside of the social networking service (SNS).

D.

Because of the misapplication of the household exception in relation to a social networking service (SNS).

Full Access
Question # 26

Under what circumstances would the GDPR apply to personal data that exists in physical form, such as information contained in notebooks or hard copy files?

A.

Only where the personal data is produced as a physical output of specific automated processing activities, such as printing, labelling, or stamping.

B.

Only where the personal data is to be subjected to specific computerized processing, such as image

scanning or optical character recognition.

C.

Only where the personal data is treated by automated means in some way, such as computerized distribution or filing.

D.

Only where the personal data is handled in a sufficiently structured manner so as to form part of a filing system.

Full Access
Question # 27

According to Article 84 of the GDPR, the rules on penalties applicable to infringements shall be laid down by?

A.

The local Data Protection Supervisory Authorities.

B.

The European Data Protection Board.

C.

The EU Commission.

D.

The Member States.

Full Access
Question # 28

SCENARIO

Please use the following to answer the next question:

T-Craze, a German-headquartered specialty t-shirt company, was successfully selling to large German metropolitan cities. However, after a recent merger with another German-based company that was selling to a broader European market, T-Craze revamped its marketing efforts to sell to a wider audience. These efforts included a complete redesign of its logo to reflect the recent merger, and improvements to its website meant to capture more information about visitors through the use of cookies.

T-Craze also opened various office locations throughout Europe to help expand its business. While Germany continued to host T-Craze’s headquarters and main product-design office, its French affiliate became responsible for all marketing and sales activities. The French affiliate recently procured the services of Right Target, a renowned marketing firm based in the Philippines, to run its latest marketing campaign. After thorough research, Right Target determined that T-Craze is most successful with customers between the ages of 18 and 22. Thus, its first campaign targeted university students in several European capitals, which yielded nearly 40% new customers for T-Craze in one quarter. Right Target also ran subsequent campaigns for T- Craze, though with much less success.

The last two campaigns included a wider demographic group and resulted in countless unsubscribe requests, including a large number in Spain. In fact, the Spanish data protection authority received a complaint from Sofia, a mid-career investment banker. Sofia was upset after receiving a marketing communication even after unsubscribing from such communications from the Right Target on behalf of T-Craze.

Which of the following is T-Craze’s lead supervisory authority?

A.

Germany, because that is where T-Craze is headquartered.

B.

France, because that is where T-Craze conducts processing of personal information.

C.

Spain, because that is T-Craze’s primary market based on its marketing campaigns.

D.

T-Craze may choose its lead supervisory authority where any of its affiliates are based, because it has presence in several European countries.

Full Access
Question # 29

What type of data lies beyond the scope of the General Data Protection Regulation?

A.

Pseudonymized

B.

Anonymized

C.

Encrypted

D.

Masked

Full Access
Question # 30

When assessing the level of risk created by a data breach, which of the following would NOT have to be taken into consideration?

A.

The ease of identification of individuals.

B.

The size of any data processor involved.

C.

The special characteristics of the data controller.

D.

The nature, sensitivity and volume of personal data.

Full Access
Question # 31

In which situation would a data controller most likely be able to justify the processing of the data of a child without parental consent?

A.

When the data is to be processed for market research.

B.

When providing preventive or counselling services to the child.

C.

When providing the child with materials purely for educational use.

D.

When a legitimate business interest makes obtaining consent impractical.

Full Access
Question # 32

An unforeseen power outage results in company Z’s lack of access to customer data for six hours. According to article 32 of the GDPR, this is considered a breach. Based on the WP 29’s February, 2018 guidance, company Z should do which of the following?

A.

Notify affected individuals that their data was unavailable for a period of time.

B.

Document the loss of availability to demonstrate accountability

C.

Notify the supervisory authority about the loss of availability

D.

Conduct a thorough audit of all security systems

Full Access
Question # 33

Which mechanism, introduced by the GDPR as a means of ensuring both compliance and transparency, allows for the possibility of personal data transfers to third countries under Article 42?

A.

Approved certifications.

B.

Binding corporate rules.

C.

Law enforcement requests.

D.

Standard contractual clauses.

Full Access
Question # 34

Since blockchain transactions are classified as pseudonymous, are they considered to be within the material scope of the GDPR or outside of it?

A.

Outside the material scope of the GDPR, because transactions do not include personal data about data subjects m the European Union.

B.

Within the material scope of the GDPR but outside of the territorial scope, because blockchains are decentralized.

C.

Within the material scope of the GDPR to the extent that transactions include data subjects in the European Union.

D.

Outside the material scope of the GDPR, because transactions are for personal or household purposes

Full Access
Question # 35

To receive a preliminary interpretation on provisions of the GDPR, a national court will refer its case to which of the following?

A.

The Court of Justice of the European Union.

B.

The European Data Protection Supervisor.

C.

The European Court of Human Rights.

D.

The European Data Protection Board.

Full Access
Question # 36

Article 58 of the GDPR describes the power of supervisory authorities. Which of the following is NOT among those granted?

A.

Legislative powers.

B.

Corrective powers.

C.

Investigatory powers.

D.

Authorization and advisory powers.

Full Access
Question # 37

In the Planet 49 case, what was the main judgement of the Court of Justice of the European Union (CJEU) regarding the issue of cookies?

A.

If the cookies do not track personal data, then pre-checked boxes are acceptable.

B.

If the ePrivacy Directive requires consent for cookies, then the GDPR's consent requirements apply.

C.

If a website's cookie notice makes clear the information gathered and the lifespan of the cookie, then pre-checked boxes are acceptable.

D.

If a data subject continues to scroll through a website after reading a cookie banner, this activity constitutes valid consent for the tracking described in the cookie banner.

Full Access
Question # 38

Which statement is correct when considering the right to privacy under Article 8 of the European Convention on Human Rights (ECHR)?

A.

The right to privacy is an absolute right

B.

The right to privacy has to be balanced against other rights under the ECHR

C.

The right to freedom of expression under Article 10 of the ECHR will always override the right to privacy

D.

The right to privacy protects the right to hold opinions and to receive and impart ideas without interference

Full Access
Question # 39

Which aspect of processing does the GDPR allow processors to determine for themselves?

A.

The question of whether the controller needs to be informed about the substitution of another processor carrying out specific processing activities on behalf of the controller.

B.

Their own purposes for the processing, if such purposes are compatible with those for which the personal data were initially collected.

C.

The parameters of their marketing campaigns using personal data relating to the controller's customers.

D.

Their own type of hardware or software and the specific security measures for the processing.

Full Access
Question # 40

SCENARIO

Please use the following to answer the next question:

Jane starts her new role as a Data Protection Officer (DPO) at a Malta-based

company that allows anyone to buy and sell cryptocurrencies via its online platform.

The company stores and processes the personal data of its customers in a

dedicated data center located in Malta (EU).

People wishing to trade cryptocurrencies are required to open an online account on

the platform. They then must successfully pass a Know Your Customer (KYC) due

diligence procedure aimed at preventing money laundering and ensuring

compliance with applicable financial regulations.

The non-European customers are also required to waive all their GDPR rights by

reading a disclaimer written in bold and ticking a checkbox on a separate page in

order to get their account approved on the platform.

All customers must likewise accept the terms of service of the platform. The terms

of service also include a privacy policy section, saying, among other things, that if a

customer fails the KYC process, its KYC data will be automatically shared with the

national anti-money laundering agency.

The KYC procedure requires customers to answer many questions, including

whether they have any criminal convictions, whether they use recreational drugs or

have problems with alcohol, and whether they have a terminal illness. While

providing this data, customers see a conspicuous message saying that this data is

meant only to prevent fraud and account takeover, and will be never shared with

private third parties.

The company regularly conducts external security testing of its online systems by

independent cybersecurity companies from the EU. At the final stage of testing, the

company provides cybersecurity assessors with access to its central database to

review security permissions, roles and policies. Personal data in the database is

encrypted; however, cybersecurity assessors usually have access to the decryption

keys obtained while running initial security testing. The assessors must strictly

follow the guidelines imposed by the company during the entire testing and auditing

process.

All customer data, including trading activities and all internal communications with

technical support, are permanently stored in a secured AWS S3 Glacier cloud data

storage, located in Ireland, for backup and compliance purposes. The data is

securely transferred to the cloud and then is properly encrypted while at rest by

using AWS-native encryption mechanisms. These mechanisms give AWS the

necessary technical means to encrypt and decrypt the data when such is required

by the company. There is no data processing agreement between AWS and the

company.

Should Jane modify the required GDPR rights waiver for non-European residents?

A.

Yes, the waiver must not apply to any residents of countries with an adequacy decision from the EC.

B.

Yes, this clause must be entirely removed as all customers,

regardless of residence or nationality, shall enjoy the same individual rights granted under GDPR.

C.

No, the non-EU residents are not protected by GDPR unless they are physically located in the EU.

D.

No, but all non-EU residents must manually sign a separate waiver to ensure its lawfulness and enforceability under GDPR.

Full Access
Question # 41

Read the following steps:

    Discover which employees are accessing cloud services and from which devices and apps Lock down the data in those apps and devices

    Monitor and analyze the apps and devices for compliance

    Manage application life cycles

    Monitor data sharing

An organization should perform these steps to do which of the following?

A.

Pursue a GDPR-compliant Privacy by Design process.

B.

Institute a GDPR-compliant employee monitoring process.

C.

Maintain a secure Bring Your Own Device (BYOD) program.

D.

Ensure cloud vendors are complying with internal data use policies.

Full Access
Question # 42

Start-up company MagicAl is developing an AI system that will be part of a medical device that detects skin cancer. To take measures against potential bias in its AI system, the IT team decides to collect data about users’ ethnic origin, nationality, and gender.

Which would be the most appropriate legal basis for this processing under GDPR, Article 9 (Processing of special categories of personal data)?

A.

Processing necessary for scientific or statistical purposes.

B.

Processing necessary for reasons of substantial public interest.

C.

Processing necessary for purposes of preventive or occupational medicine.

D.

Processing necessary for the defense of legal claims in potential negligence cases.

Full Access
Question # 43

Which of the following would require designating a data protection officer?

A.

Processing is carried out by an organization employing 250 persons or more.

B.

Processing is carried out for the purpose of providing for-profit goods or services to individuals in the EU.

C.

The core activities of the controller or processor consist of processing operations of financial information or information relating to children.

D.

The core activities of the controller or processor consist of processing operations that require systematic monitoring of data subjects on a large scale.

Full Access
Question # 44

Which of the following would most likely NOT be covered by the definition of “personal data” under the GDPR?

A.

The payment card number of a Dutch citizen

B.

The U.S. social security number of an American citizen living in France

C.

The unlinked aggregated data used for statistical purposes by an Italian company

D.

The identification number of a German candidate for a professional examination in Germany

Full Access
Question # 45

Tanya is the Data Protection Officer for Curtains Inc., a GDPR data controller. She has recommended that the company encrypt all personal data at rest. Which GDPR principle is she following?

A.

Accuracy

B.

Storage Limitation

C.

Integrity and confidentiality

D.

Lawfulness, fairness and transparency

Full Access
Question # 46

When collecting personal data in a European Union (EU) member state, what must a company do if it collects personal data from a source other than the data subjects themselves?

A.

Inform the subjects about the collection

B.

Provide a public notice regarding the data

C.

Upgrade security to match that of the source

D.

Update the data within a reasonable timeframe

Full Access
Question # 47

Many businesses print their employees’ photographs on building passes, so that employees can be identified by security staff. This is notwithstanding the fact that facial images potentially qualify as biometric data under the GDPR. Why would such practice be permitted?

A.

Because use of biometric data to confirm the unique identification of data subjects benefits from an exemption.

B.

Because photographs qualify as biometric data only when they undergo a “specific technical processing”.

C.

Because employees are deemed to have given their explicit consent when they agree to be photographed by their employer.

D.

Because photographic ID is a physical security measure which is “necessary for reasons of substantial public interest”.

Full Access
Question # 48

SCENARIO

Please use the following to answer the next question:

ABC Hotel Chain and XYZ Travel Agency are U.S.-based multinational companies. They use an internet-based common platform for collecting and sharing their customer data with each other, in order to integrate their marketing efforts. Additionally, they agree on the data to be stored, how reservations will be booked and confirmed, and who has access to the stored data.

Mike, an EU resident, has booked travel itineraries in the past through XYZ Travel Agency to stay at ABC Hotel Chain’s locations. XYZ Travel Agency offers a rewards program that allows customers to sign up to accumulate points that can later be redeemed for free travel. Mike has signed the agreement to be a rewards program member.

Now Mike wants to know what personal information the company holds about him. He sends an email requesting access to his data, in order to exercise what he believes are his data subject rights.

What is the time period in which Mike should receive a response to his request?

A.

Not more than one month of receipt of Mike’s request.

B.

Not more than two months after verifying Mike’s identity.

C.

When all the information about Mike has been collected.

D.

Not more than thirty days after submission of Mike’s request.

Full Access
Question # 49

SCENARIO

Please use the following to answer the next question:

Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent. All of the company’s IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father’s company, but is also secretly working on launching a new global online dating website company called Ben Knows Best.

Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company’s online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers’ philosophical beliefs, political opinions and marital status.

If a customer identifies as single, Ben then copies all of that customer’s personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out.

Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Beak with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.

Joe also hires his best friend’s daughter, Alice, who just graduated from law school in the U.S., to be the company’s new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company’s operations in the European Union to the U.S.

Joe believes that Alice is doing a great job, and informs her that she will also be in-charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company’s IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone’s information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.

As a result of Sam’s actions, the Gummy Bear Company potentially violated Articles 33 and 34 of the GDPR and will be required to do what?

A.

Notify its Data Protection Authority about the data breach.

B.

Analyze and evaluate the liability for customers in Ireland.

C.

Analyze and evaluate all of its breach notification obligations.

D.

Notify all of its customers that reside in the European Union.

Full Access
Question # 50

SCENARIO

Please use the following to answer the next question:

Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent. All of the company’s IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father’s company, but is also secretly working on launching a new global online dating website company called Ben Knows Best.

Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company’s online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers’ philosophical beliefs, political opinions and marital status.

If a customer identifies as single, Ben then copies all of that customer’s personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out.

Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Beak with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.

Joe also hires his best friend’s daughter, Alice, who just graduated from law school in the U.S., to be the company’s new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company’s operations in the European Union to the U.S.

Joe believes that Alice is doing a great job, and informs her that she will also be in-charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company’s IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone’s information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.

When Ben had the company collect additional data from its customers, the most serious violation of the GDPR occurred because the processing of the data created what?

A.

An information security risk by copying the data into a new database.

B.

A potential legal liability and financial exposure from its customers.

C.

A significant risk to the customers’ fundamental rights and freedoms.

D.

A significant risk due to the lack of an informed consent mechanism.

Full Access
Question # 51

Which of the following countries will continue to enjoy adequacy status under the GDPR, pending any future European Commission decision to the contrary?

A.

Greece

B.

Norway

C.

Australia

D.

Switzerland

Full Access
Question # 52

According to the European Data Protection Board, which of the following concepts or practices does NOT follow from the principles relating to the processing of personal data under EU data protection law?

A.

Data ownership allocation.

B.

Access control management.

C.

Frequent pseudonymization key rotation.

D.

Error propagation avoidance along the processing chain.

Full Access
Question # 53

Through a combination of hardware failure and human error, the decryption key for a bank's customer account transaction database has been lost. An investigation has determined that this was not the result of hacking or malfeasance, simply an unfortunate combination of circumstances. Which of the following accurately indicates the nature of this incident?

A.

A data breach has not occurred because the loss was not the result of hacking.

B.

A data breach has not occurred because no data was exposed to any unauthorized individual.

C.

A data breach has occurred because the loss of the key has resulted in the data no longer being accessible.

D.

A data breach has occurred because the loss of the key has resulted in the loss of confidentiality or integrity of the data.

Full Access
Question # 54

If a company is planning to use closed-circuit television (CCTV) on its premises and is concerned with GDPR compliance, it should first do all of the following EXCEPT?

A.

Notify the appropriate data protection authority.

B.

Perform a data protection impact assessment (DPIA).

C.

Create an information retention policy for those who operate the system.

D.

Ensure that safeguards are in place to prevent unauthorized access to the footage.

Full Access
Question # 55

SCENARIO

Please use the following to answer the next question:

You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company’s revenue is due to international sales.

The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: The figures can answer children’s Questions: on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience.

When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure’s integrated

speakers, making it appear as though that the toy is actually responding to the child’s question. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.

In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures’ abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character’s abilities remain intact.

Why is this company obligated to comply with the GDPR?

A.

The company has offices in the EU.

B.

The company employs staff in the EU.

C.

The company’s data center is located in a country outside the EU.

D.

The company’s products are marketed directly to EU customers.

Full Access
Question # 56

To comply with the GDPR and the EU Court of Justice's decision in Schrems II, the European Commission issued what are commonly referred to as the new standard contractual clauses (SCCs). As a result, businesses must do all of the following EXCEPT?

A.

Consider the new optional docking clause, which expressly permits adding new parties to the SCCs.

B.

Migrate all contracts entered into before September 27, 2021, that use the old SCCs to the new SCCs by December 27, 2022.

C.

Take steps to flow down the new SCCs to relevant parts of their supply chain using the new SCCs as of September 27, 2021, if the business is a data importer.

D.

Implement the new SCCs in the U.K. following Brexit, as the U.K. Information Commissioner's Office does not have the authority to publish its own set of SCCs.

Full Access
Question # 57

Under which of the following conditions does the General Data Protection Regulation NOT apply to the processing of personal data?

A.

When the personal data is processed only in non-electronic form

B.

When the personal data is collected and then pseudonymised by the controller

C.

When the personal data is held by the controller but not processed for further purposes

D.

When the personal data is processed by an individual only for their household activities

Full Access
Question # 58

SCENARIO

Please use the following to answer the next question:

Why was Jackie correct in not completing a transfer impact assessment for HRYourWay?

A.

HRYourWay was ultimately not selected

B.

HRYourWay is not located in a third country.

C.

ProStorage will obtain consent for all transfers.

D.

ProStorage can rely on its Binding Corporate Rules

Full Access
Question # 59

In addition to the European Commission, who can adopt standard contractual clauses, assuming that all required conditions are met?

A.

Approved data controllers.

B.

The Council of the European Union.

C.

National data protection authorities.

D.

The European Data Protection Supervisor.

Full Access
Question # 60

Through a combination of hardware failure and human error, the decryption key for a bank’s customer account transaction database has been lost. An investigation has determined that this was not the result of hacking or malfeasance, simply an unfortunate combination of circumstances. Which of the following accurately indicates the nature of this incident?

A.

A data breach has not occurred because the loss was not the result of hacking.

B.

A data breach has not occurred because no data was exposed to any unauthorized individual.

C.

A data breach has occurred because the loss of the key has resulted in the data no longer being accessible.

D.

A data breach has occurred because the loss of the key has resulted in the loss of confidentiality or integrity of the data.

Full Access
Question # 61

Which institution has the power to adopt findings that confirm the adequacy of the data protection level in a non-EU country?

A.

The European Parliament

B.

The European Commission

C.

The Article 29 Working Party

D.

The European Council

Full Access
Question # 62

A company wishes to transfer personal data to a country outside of the European Union/EEA In order to do so, they are planning an assessment of the country's laws and practices, knowing that these may impinge upon the transfer safeguards they intend to use

All of the following factors would be relevant for the company to consider EXCEPT'?

A.

Any onward transfers, such as transfers of personal data to a sub-processor in the same or another third country.

B.

The process of modernization in the third country concerned and their access to emerging technologies that rely on international transfers of personal data

C.

The technical, financial, and staff resources available to an authority m the third country concerned that may access the personal data to be transferred

D.

The contractual clauses between the data controller or processor established in the European Union/EEA and the recipient of the transfer established in the third country concerned

Full Access
Question # 63

What should a controller do after a data subject opts out of a direct marketing activity?

A.

Without exception, securely delete all personal data relating to the data subject.

B.

Without undue delay, provide information to the data subject on the action that will be taken.

C.

Refrain from processing personal data relating to the data subject for the relevant type of communication.

D.

Take reasonable steps to inform third-party recipients that the data subject’s personal data should be deleted and no longer processed.

Full Access
Question # 64

SCENARIO

Please use the following to answer the next question:

Due to rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B. Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry.

Company B’s payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A’s factories. Company B won’t hold any biometric data itself, but the related data will be uploaded to Company B’s UK servers and used to provide the payroll service. Company B’s live systems will contain the following information for each of Company A’s employees:

    Name

    Address

    Date of Birth

    Payroll number

    National Insurance number

    Sick pay entitlement

    Maternity/paternity pay entitlement

    Holiday entitlement

    Pension and benefits contributions

    Trade union contributions

Jenny is the compliance officer at Company A. She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn’t sure whether or not this is required.

Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data. Jenny suggests that Company B obtain advice from its data protection officer. The company doesn’t have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract.

Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B’s live systems in order to create a new database for Company B.

This database will be stored in a test environment hosted on Company C’s U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes.

Unfortunately, Company C’s U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A’s employees is visible to anyone visiting Company C’s website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees.

The GDPR requires sufficient guarantees of a company’s ability to implement adequate technical and organizational measures. What would be the most realistic way that Company B could have fulfilled this requirement?

A.

Hiring companies whose measures are consistent with recommendations of accrediting bodies.

B.

Requesting advice and technical support from Company A’s IT team.

C.

Avoiding the use of another company’s data to improve their own services.

D.

Vetting companies’ measures with the appropriate supervisory authority.

Full Access
Question # 65

SCENARIO

Please use the following to answer the next question:

Brady is a computer programmer based in New Zealand who has been running his own business for two years. Brady’s business provides a low-cost suite of services to customers throughout the European Economic Area (EEA). The services are targeted towards new and aspiring small business owners. Brady’s company, called Brady Box, provides web page design services, a Social Networking Service (SNS) and consulting services that help people manage their own online stores.

Unfortunately, Brady has been receiving some complaints. A customer named Anna recently uploaded her plans for a new product onto Brady Box’s chat area, which is open to public viewing. Although she realized her mistake two weeks later and removed the document, Anna is holding Brady Box responsible for not noticing the error through regular monitoring of the website. Brady believes he should not be held liable.

Another customer, Felipe, was alarmed to discover that his personal information was transferred to a third- party contractor called Hermes Designs and worries that sensitive information regarding his business plans may be misused. Brady does not believe he violated European privacy rules. He provides a privacy notice to all of his customers explicitly stating that personal data may be transferred to specific third parties in fulfillment of a requested service. Felipe says he read the privacy notice but that it was long and complicated

Brady continues to insist that Felipe has no need to be concerned, as he can personally vouch for the integrity of Hermes Designs. In fact, Hermes Designs has taken the initiative to create sample customized banner advertisements for customers like Felipe. Brady is happy to provide a link to the example banner ads, now posted on the Hermes Designs webpage. Hermes Designs plans on following up with direct marketing to these customers.

Brady was surprised when another customer, Serge, expressed his dismay that a quotation by him is being used within a graphic collage on Brady Box’s home webpage. The quotation is attributed to Serge by first and last name. Brady, however, was not worried about any sort of litigation. He wrote back to Serge to let him know that he found the quotation within Brady Box’s Social Networking Service (SNS), as Serge himself had posted the quotation. In his response, Brady did offer to remove the quotation as a courtesy.

Despite some customer complaints, Brady’s business is flourishing. He even supplements his income through online behavioral advertising (OBA) via a third-party ad network with whom he has set clearly defined roles. Brady is pleased that, although some customers are not explicitly aware of the OBA, the advertisements contain useful products and services.

Based on the scenario, what is the main reason that Brady should be concerned with Hermes Designs’ handling of customer personal data?

A.

The data is sensitive.

B.

The data is uncategorized.

C.

The data is being used for a new purpose.

D.

The data is being processed via a new means.

Full Access
Question # 66

An online company’s privacy practices vary due to the fact that it offers a wide variety of services. How could it best address the concern that explaining them all would make the policies incomprehensible?

A.

Use a layered privacy notice on its website and in its email communications.

B.

Identify uses of data in a privacy notice mailed to the data subject.

C.

Provide only general information about its processing activities and offer a toll-free number for more information.

D.

Place a banner on its website stipulating that visitors agree to its privacy policy and terms of use by visiting the site.

Full Access
Question # 67

SCENARIO

Please use the following to answer the next question:

Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.

Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick’s instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.

Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its

clients’ data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying

information from the contact information. JaphSoft’s engineers, however, maintain all contact information in the same database as the identifying information.

Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies’ websites. A prior Liem customer, Ms. Iman, received a marketing campaign

from JaphSoft regarding Liem’s as well as EcoMick’s latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem’s products, she has never shopped EcoMick, nor provided her personal data to that company.

Why would the consent provided by Ms. Iman NOT be considered valid in regard to JaphSoft?

A.

She was not told which controller would be processing her personal data.

B.

She only viewed the visual representations of the privacy notice Liem provided.

C.

She did not read the privacy notice stating that her personal data would be shared.

D.

She has never made any purchases from JaphSoft and has no relationship with the company.

Full Access
Question # 68

SCENARIO

Please use the following to answer the next question:

TripBliss Inc. is a travel service company which has lost substantial revenue over the last few years. Their new manager, Oliver, suspects that this is partly due to the company’s outdated website. After doing some research, he meets with a sales representative from the up-and-coming IT company Techiva, hoping that they can design a new, cutting-edge website for TripBliss Inc.’s foundering business.

During negotiations, a Techiva representative describes a plan for gathering more customer information through detailed Questionaires, which could be used to tailor their preferences to specific travel destinations. TripBliss Inc. can choose any number of data categories – age, income, ethnicity – that would help them best accomplish their goals. Oliver loves this idea, but would also like to have some way of gauging how successful this approach is, especially since the Questionaires will require customers to provide explicit consent to having their data collected. The Techiva representative suggests that they also run a program to analyze the new website’s traffic, in order to get a better understanding of how customers are using it. He explains his plan to place a number of cookies on customer devices. The cookies will allow the company to collect IP addresses and other information, such as the sites from which the customers came, how much time they spend on the TripBliss Inc. website, and which pages on the site they visit. All of this information will be compiled in log files, which Techiva will analyze by means of a special program. TripBliss Inc. would receive aggregate statistics to help them evaluate the website’s effectiveness. Oliver enthusiastically engages Techiva for these services.

Techiva assigns the analytics portion of the project to longtime account manager Leon Santos. As is standard practice, Leon is given administrator rights to TripBliss Inc.’s website, and can authorize access to the log files gathered from it. Unfortunately for TripBliss Inc., however, Leon is taking on this new project at a time when his dissatisfaction with Techiva is at a high point. In order to take revenge for what he feels has been unfair treatment at the hands of the company, Leon asks his friend Fred, a hobby hacker, for help. Together they come up with the following plan: Fred will hack into Techiva’s system and copy their log files onto a USB stick. Despite his initial intention to send the USB to the press and to the data protection authority in order to denounce Techiva, Leon experiences a crisis of conscience and ends up reconsidering his plan. He decides instead to securely wipe all the data from the USB stick and inform his manager that the company’s system of access control must be reconsidered.

If TripBliss Inc. decides not to report the incident to the supervisory authority, what would be their BEST defense?

A.

The resulting obligation to notify data subjects would involve disproportionate effort.

B.

The incident resulted from the actions of a third-party that were beyond their control.

C.

The destruction of the stolen data makes any risk to the affected data subjects unlikely.

D.

The sensitivity of the categories of data involved in the incident was not substantial enough.

Full Access
Question # 69

In which case would a controller who has undertaken a DPIA most likely need to consult with a supervisory authority?

A.

Where the DPIA identifies that personal data needs to be transferred to other countries outside of the EEA.

B.

Where the DPIA identifies high risks to individuals’ rights and freedoms that the controller can take steps to reduce.

C.

Where the DPIA identifies that the processing being proposed collects the sensitive data of EU citizens.

D.

Where the DPIA identifies risks that will require insurance for protecting its business interests.

Full Access
Question # 70

An employee of company ABCD has just noticed a memory stick containing records of client data, including their names, addresses and full contact details has disappeared. The data on the stick is unencrypted and in clear text. It is uncertain what has happened to the stick at this stage, but it likely was lost during the travel of an employee. What should the company do?

A.

Notify as soon as possible the data protection supervisory authority that a data breach may have taken place.

B.

Launch an investigation and if nothing is found within one month, notify the data protection supervisory authority.

C.

Invoke the “disproportionate effort” exception under Article 33 to postpone notifying data subjects until more information can be gathered.

D.

Immediately notify all the customers of the company that their information has been accessed by an unauthorized person.

Full Access
Question # 71

What is the most frequently used mechanism for legitimizing cross-border data transfer?

A.

Standard Contractual Clauses.

B.

Approved Code of Conduct.

C.

Binding Corporate Rules.

D.

Derogations.

Full Access
Question # 72

SCENARIO

Please use the following to answer the next question:

Brady is a computer programmer based in New Zealand who has been running his own business for two years. Brady’s business provides a low-cost suite of services to customers throughout the European Economic Area (EEA). The services are targeted towards new and aspiring small business owners. Brady’s company, called Brady Box, provides web page design services, a Social Networking Service (SNS) and consulting services that help people manage their own online stores.

Unfortunately, Brady has been receiving some complaints. A customer named Anna recently uploaded her plans for a new product onto Brady Box’s chat area, which is open to public viewing. Although she realized her mistake two weeks later and removed the document, Anna is holding Brady Box responsible for not noticing the error through regular monitoring of the website. Brady believes he should not be held liable.

Another customer, Felipe, was alarmed to discover that his personal information was transferred to a third- party contractor called Hermes Designs and worries that sensitive information regarding his business plans may be misused. Brady does not believe he violated European privacy rules. He provides a privacy notice to all of his customers explicitly stating that personal data may be transferred to specific third parties in fulfillment of a requested service. Felipe says he read the privacy notice but that it was long and complicated

Brady continues to insist that Felipe has no need to be concerned, as he can personally vouch for the integrity of Hermes Designs. In fact, Hermes Designs has taken the initiative to create sample customized banner advertisements for customers like Felipe. Brady is happy to provide a link to the example banner ads, now posted on the Hermes Designs webpage. Hermes Designs plans on following up with direct marketing to these customers.

Brady was surprised when another customer, Serge, expressed his dismay that a quotation by him is being used within a graphic collage on Brady Box’s home webpage. The quotation is attributed to Serge by first and last name. Brady, however, was not worried about any sort of litigation. He wrote back to Serge to let him know that he found the quotation within Brady Box’s Social Networking Service (SNS), as Serge himself had posted the quotation. In his response, Brady did offer to remove the quotation as a courtesy.

Despite some customer complaints, Brady’s business is flourishing. He even supplements his income through online behavioral advertising (OBA) via a third-party ad network with whom he has set clearly defined roles. Brady is pleased that, although some customers are not explicitly aware of the OBA, the advertisements contain useful products and services.

Based on current trends in European privacy practices, which aspect of Brady Box’ Online Behavioral Advertising (OBA) is most likely to be insufficient if the company becomes established in Europe?

A.

The lack of the option to opt in.

B.

The level of security within the website.

C.

The contract with the third-party advertising network.

D.

The need to have the contents of the advertising approved.

Full Access
Question # 73

According to the EDPB Guidelines 01/2021 on Examples regarding Personal Data Breach Notification, if exfiltration of job application data (submitted through online application forms and stored on a webserver) resulted in personal information being accessible to unauthorized persons, this would be primarily considered what kind of breach?

A.

An integrity breach.

B.

An accuracy breach.

C.

An availability breach.

D.

A confidentiality breach.

Full Access
Question # 74

The transparency principle is most directly related to which of the following rights?

A.

Right to object

B.

Right to be informed.

C.

Right to be forgotten.

D.

Right to restriction of processing.

Full Access
Question # 75

SCENARIO

Please use the following to answer the next question:

Gentle Hedgehog Inc. is a privately owned website design agency incorporated in

Italy. The company has numerous remote workers in different EU countries. Recently,

the management of Gentle Hedgehog noticed a decrease in productivity of their sales

team, especially among remote workers. As a result, the company plans to implement

a robust but privacy-friendly remote surveillance system to prevent absenteeism,

reward top performers, and ensure the best quality of customer service when sales

people are interacting with customers.

Gentle Hedgehog eventually hires Sauron Eye Inc., a Chinese vendor of employee

surveillance software whose European headquarters is in Germany. Sauron Eye's

software provides powerful remote-monitoring capabilities, including 24/7 access to

computer cameras and microphones, screen captures, emails, website history, and

keystrokes. Any device can be remotely monitored from a central server that is

securely installed at Gentle Hedgehog headquarters. The monitoring is invisible by

default; however, a so-called Transparent Mode, which regularly and conspicuously

notifies all users about the monitoring and its precise scope, also exists. Additionally,

the monitored employees are required to use a built-in verification technology

involving facial recognition each time they log in.

All monitoring data, including the facial recognition data, is securely stored in Microsoft Azure cloud servers operated by Sauron Eye, which are physically located in France.

Under what condition could the surveillance system be used on the personal devices

of employees?

A.

Only if the monitoring system is manufactured by a European vendor storing the monitoring data within the EU.

B.

Only if the employees give valid consent and the monitoring is narrowly limited to their professional tasks.

C.

Only if the cloud that stores the monitoring data is certified by the EDPB as GDPR compliant.

D.

Only if the employer offers an adequate compensation for using the employee's devices.

Full Access
Question # 76

The European Data Protection Board (EDPB) recommends measures to supplement transfer tools, in order to ensure compliance with the European Union (EU) level of personal data protection. According to these recommendations, what additional actions should be taken when a transfer to a third country is based upon an adequacy decision?

A.

Adopt a supplementary data transfer mechanism.

B.

Monitor the ongoing validity of the data transfer mechanism.

C.

Adopt technical, contractual or organizational supplementary measures.

D.

Monitor changes in the law or practice of the third country that would tower the level of protection of personal data

Full Access
Question # 77

How can the relationship between the GDPR and the Digital Services Act, the Data Governance Act and the Digital Markets Act most accurately be described?

A.

The aforementioned legal acts do not refer to (i.e., do not mention) the GDPR.

B.

The aforementioned legal acts apply without prejudice (i.e., in parallel) to the GDPR.

C.

The aforementioned legal acts change specific provisions (i.e., certain articles) of the GDPR.

D.

The aforementioned legal acts contain some sector-specific exemptions (i.e., only for certain businesses) from the GDPR.

Full Access
Question # 78

SCENARIO

Please use the following to answer the next question:

Financially, it has been a very good year at ARRA Hotels: Their 21 hotels, located in

Greece (5), Italy (15) and Spain (1), have registered their most profitable results

ever. To celebrate this achievement, ARRA Hotels' Human Resources office, based

in ARRA's main Italian establishment, has organized a team event for its 420

employees and their families at its hotel in Spain.

Upon arrival at the hotel, each employee and family member is given an electronic

wristband at the reception desk. The wristband serves a number of functions:

. Allows access to the "party zone" of the hotel, and emits a buzz if the user

approaches any unauthorized areas

. Allows up to three free drinks for each person of legal age, and emits a

buzz once this limit has been reached

. Grants a unique ID number for participating in the games and contests that

have been planned.

Along with the wristband, each guest receives a QR code that leads to the online

privacy notice describing the use of the wristband. The page also contains an

unchecked consent checkbox. In the case of employee family members under the

age of 16, consent must be given by a parent.

Among the various activities planned for the event, ARRA Hotels' HR office has

autonomously set up a photocall area, separate from the main event venue, where

employees can come and have their pictures taken in traditional carnival costume.

The photos will be posted on ARRA Hotels' main website for general marketing

purposes.

On the night of the event, an employee from one of ARRA's Greek hotels is

displeased with the results of the photos in which he appears. He intends to file a

complaint with the relevant supervisory authority in regard to the following:

. The lack of any privacy notice in the separate photocall area

The unlawful cross-border processing of his personal data

. The unacceptable aesthetic outcome of his photos

Which of the following principles has likely been violated in the processing of the

photocall photos containing personal data?

A.

Adequacy.

B.

Lawfulness.

C.

Transparency.

D.

Data minimization.

Full Access
Question # 79

SCENARIO

Please use the following to answer the next question:

Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.

Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick’s instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.

Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its

clients’ data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying

information from the contact information. JaphSoft’s engineers, however, maintain all contact information in the same database as the identifying information.

Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies’ websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem’s as well as EcoMick’s latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem’s products, she has never shopped EcoMick, nor provided her personal data to that company.

JaphSoft’s use of pseudonymization is NOT in compliance with the CDPR because?

A.

JaphSoft failed to first anonymize the personal data.

B.

JaphSoft pseudonymized all the data instead of deleting what it no longer needed.

C.

JaphSoft was in possession of information that could be used to identify data subjects.

D.

JaphSoft failed to keep personally identifiable information in a separate database.

Full Access
Question # 80

SCENARIO

Please use the following to answer the next question:

T-Craze, a German-headquartered specialty t-shirt company, was successfully selling to large German metropolitan cities. However, after a recent merger with another German-based company that was selling to a broader European market, T-Craze revamped its marketing efforts to sell to a wider audience. These efforts included a complete redesign of its logo to reflect the recent merger, and improvements to its website meant to capture more information about visitors through the use of cookies.

T-Craze also opened various office locations throughout Europe to help expand its business. While Germany

Target, a renowned marketing firm based in the Philippines, to run its latest marketing campaign. After thorough research, Right Target determined that T-Craze is most successful with customers between the ages of 18 and 22. Thus, its first campaign targeted university students in several European capitals, which yielded nearly 40% new customers for T-Craze in one quarter. Right Target also ran subsequent campaigns for T- Craze, though with much less success.

The last two campaigns included a wider demographic group and resulted in countless unsubscribe requests, including a large number in Spain. In fact, the Spanish data protection authority received a complaint from Sofia, a mid-career investment banker. Sofia was upset after receiving a marketing communication even after unsubscribing from such communications from the Right Target on behalf of T-Craze.

What is the best option for the lead regulator when responding to the Spanish supervisory authority’s notice that it plans to take action regarding Sofia’s complaint?

A.

Accept, because it did not receive any complaints.

B.

Accept, because GDPR permits non-lead authorities to take action for such complaints.

C.

Reject, because Right Target’s processing was conducted throughout Europe.

D.

Reject, because GDPR does not allow other supervisory authorities to take action if there is a lead authority.

Full Access
Question # 81

SCENARIO

Please use the following to answer the next question:

Financially, it has been a very good year at ARRA Hotels: Their 21 hotels, located in

Greece (5), Italy (15) and Spain (1), have registered their most profitable results

ever. To celebrate this achievement, ARRA Hotels' Human Resources office, based

in ARRA's main Italian establishment, has organized a team event for its 420

employees and their families at its hotel in Spain.

Upon arrival at the hotel, each employee and family member is given an electronic

wristband at the reception desk. The wristband serves a number of functions:

. Allows access to the "party zone" of the hotel, and emits a buzz if the user

approaches any unauthorized areas

. Allows up to three free drinks for each person of legal age, and emits a

buzz once this limit has been reached

. Grants a unique ID number for participating in the games and contests that

have been planned.

Along with the wristband, each guest receives a QR code that leads to the online

privacy notice describing the use of the wristband. The page also contains an

unchecked consent checkbox. In the case of employee family members under the

age of 16, consent must be given by a parent.

Among the various activities planned for the event, ARRA Hotels' HR office has

autonomously set up a photocall area, separate from the main event venue, where

employees can come and have their pictures taken in traditional carnival costume.

The photos will be posted on ARRA Hotels' main website for general marketing

purposes.

On the night of the event, an employee from one of ARRA's Greek hotels is

displeased with the results of the photos in which he appears. He intends to file a

complaint with the relevant supervisory authority in regard to the following:

. The lack of any privacy notice in the separate photocall area

The unlawful cross-border processing of his personal data

. The unacceptable aesthetic outcome of his photos

Which of the following is NOT necessarily considered a factor in identifying whether

the processing could be considered a "cross-border processing"?

A.

The total number of the data subjects interested.

B.

The potential harm for the data subjects affected.

C.

The limitation of rights of the data subjects concerned.

D.

The exposure of the information of the data subjects involved.

Full Access
Question # 82

Which mechanism, new to the GDPR, now allows for the possibility of personal data transfers to third countries under Article 42?

A.

Approved certifications.

B.

Binding corporate rules.

C.

Law enforcement requests.

D.

Standard contractual clauses.

Full Access
Question # 83

Which statement provides an accurate description of a directive?

A.

A directive speo5es certain results that must be achieved, but each member state is free to decide how to turn it into a national law

B.

A directive has binding legal force throughout every member state and enters into force on a set date in all the member states.

C.

A directive is a legal act relating to specific cases and directed towards member states, companies 0' private individuals.

D.

A directive is a legal act that applies automatically and uniformly to all EU countries as soon as it enters into force.

Full Access
Question # 84

What is a reason the European Court of Justice declared the Data Retention Directive invalid in 2014?

A.

The requirements affected individuals without exception.

B.

The requirements were financially burdensome to EU businesses.

C.

The requirements specified that data must be held within the EU.

D.

The requirements had limitations on how national authorities could use data.

Full Access
Question # 85

SCENARIO

Please use the following to answer the next question:

The fitness company Vigotron has recently developed a new app called M-Health, which it wants to market on its website as a free download. Vigotron’s marketing manager asks his assistant Emily to create a webpage that describes the app and specifies the terms of use. Emily, who is new at Vigotron, is excited about this task. At her previous job she took a data protection class, and though the details are a little hazy, she recognizes that Vigotron is going to need to obtain user consent for use of the app in some cases. Emily sketches out the following draft, trying to cover as much as possible before sending it to Vigotron’s legal department.

Registration Form

Vigotron’s new M-Health app makes it easy for you to monitor a variety of health-related activities, including diet, exercise, and sleep patterns. M-Health relies on your smartphone settings (along with other third-party apps you may already have) to collect data about all of these important lifestyle elements, and provide the information necessary for you to enrich your quality of life. (Please click here to read a full description of the services that M-Health provides.)

Vigotron values your privacy. The M-Heaith app allows you to decide which information is stored in it, and which apps can access your data. When your device is locked with a passcode, all of your health and fitness data is encrypted with your passcode. You can back up data stored in the Health app to Vigotron’s cloud provider, Stratculous. (Read more about Stratculous here.)

Vigotron will never trade, rent or sell personal information gathered from the M-Health app. Furthermore, we will not provide a customer’s name, email address or any other information gathered from the app to any third- party without a customer’s consent, unless ordered by a court, directed by a subpoena, or to enforce the manufacturer’s legal rights or protect its business or property.

We are happy to offer the M-Health app free of charge. If you want to download and use it, we ask that you

first complete this registration form. (Please note that use of the M-Health app is restricted to adults aged 16 or older, unless parental consent has been given to minors intending to use it.)

    First name:

    Surname:

    Year of birth:

    Email:

    Physical Address (optional*):

    Health status:

*If you are interested in receiving newsletters about our products and services that we think may be of interest to you, please include your physical address. If you decide later that you do not wish to receive these newsletters, you can unsubscribe by sending an email to unsubscribe@vigotron.com or send a letter with your request to the address listed at the bottom of this page.

Terms and Conditions

1.Jurisdiction. […]

2.Applicable law. […]

3.Limitation of liability. […]

Consent

By completing this registration form, you attest that you are at least 16 years of age, and that you consent to the processing of your personal data by Vigotron for the purpose of using the M-Health app. Although you are entitled to opt out of any advertising or marketing, you agree that Vigotron may contact you or provide you with any required notices, agreements, or other information concerning the services by email or other electronic means. You also agree that the Company may send automated emails with alerts regarding any problems with the M-Health app that may affect your well being.

What is one potential problem Vigotron’s age policy might encounter under the GDPR?

A.

Age restrictions are more stringent when health data is involved.

B.

Users are only required to be aged 13 or over to be considered adults.

C.

Organizations must make reasonable efforts to verify parental consent.

D.

Organizations that tie a service to marketing must seek consent for each purpose.

Full Access
Question # 86

Under Article 21 of the GDPR, a controller must stop profiling when requested by a data subject, unless it can demonstrate compelling legitimate grounds that override the interests of the individual. In the Guidelines on Automated individual decision-making and Profiling, the WP 29 says the controller needs to do all of the following to demonstrate that it has such legitimate grounds EXCEPT?

A.

Carry out an exercise that weighs the interests of the controller and the basis for the data subject’s objection.

B.

Consider the impact of the profiling on the data subject’s interest, rights and freedoms.

C.

Demonstrate that the profiling is for the purposes of direct marketing.

D.

Consider the importance of the profiling to their particular objective.

Full Access
Question # 87

What is one major goal that the OECD Guidelines, Convention 108 and the Data Protection Directive (Directive 95/46/EC) all had in common but largely failed to achieve in Europe?

A.

The establishment of a list of legitimate data processing criteria

B.

The creation of legally binding data protection principles

C.

The synchronization of approaches to data protection

D.

The restriction of cross-border data flow

Full Access
Question # 88

In the event of a data breach, which type of information are data controllers NOT required to provide to either the supervisory authorities or the data subjects?

A.

The predicted consequences of the breach.

B.

The measures being taken to address the breach.

C.

The type of security safeguards used to protect the data.

D.

The contact details of the appropriate data protection officer.

Full Access