New Year Sale - Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70dumps

CIPP-E Questions and Answers

Question # 6

If two controllers act as joint controllers pursuant to Article 26 of the GDPR, which of the following may NOT be validly determined by said controllers?

A.

The definition of a central contact point for data subjects.

B.

The rules regarding the exercising of data subjects" rights.

C.

The rules to provide information to data subjects in Articles 13 and 14.

D.

The non-disclosure of the essence of their arrangement to data subjects

Full Access
Question # 7

SCENARIO

Please use the following to answer the next question:

T-Craze, a German-headquartered specialty t-shirt company, was successfully selling to large German metropolitan cities. However, after a recent merger with another German-based company that was selling to a broader European market, T-Craze revamped its marketing efforts to sell to a wider audience. These efforts included a complete redesign of its logo to reflect the recent merger, and improvements to its website meant to capture more information about visitors through the use of cookies.

T-Craze also opened various office locations throughout Europe to help expand its business. While Germany continued to host T-Craze’s headquarters and main product-design office, its French affiliate became responsible for all marketing and sales activities. The French affiliate recently procured the services of Right Target, a renowned marketing firm based in the Philippines, to run its latest marketing campaign. After thorough research, Right Target determined that T-Craze is most successful with customers between the ages of 18 and 22. Thus, its first campaign targeted university students in several European capitals, which yielded nearly 40% new customers for T-Craze in one quarter. Right Target also ran subsequent campaigns for T- Craze, though with much less success.

The last two campaigns included a wider demographic group and resulted in countless unsubscribe requests, including a large number in Spain. In fact, the Spanish data protection authority received a complaint from Sofia, a mid-career investment banker. Sofia was upset after receiving a marketing communication even after unsubscribing from such communications from the Right Target on behalf of T-Craze.

Which of the following is T-Craze’s lead supervisory authority?

A.

Germany, because that is where T-Craze is headquartered.

B.

France, because that is where T-Craze conducts processing of personal information.

C.

Spain, because that is T-Craze’s primary market based on its marketing campaigns.

D.

T-Craze may choose its lead supervisory authority where any of its affiliates are based, because it has presence in several European countries.

Full Access
Question # 8

Assuming that the “without undue delay” provision is followed, what is the time limit for complying with a data access request?

A.

Within 40 days of receipt

B.

Within 40 days of receipt, which may be extended by up to 40 additional days

C.

Within one month of receipt, which may be extended by up to an additional month

D.

Within one month of receipt, which may be extended by an additional two months

Full Access
Question # 9

SCENARIO

Please use the following to answer the next question:

Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees’ computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees’ computers.

Since these measures would potentially impact employees, Building Block’s Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.

After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees’ computers activity and their location. During these activities, the Information Security team discovered that one employee from Italy was daily connecting to a video library of movies, and another one from Germany worked remotely without authorization. The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.

Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company’s computers, and from working remotely without authorization.

What would be the MOST APPROPRIATE way for Building Block to handle the situation with the employee from Italy?

A.

Since the GDPR does not apply to this situation, the company would be entitled to apply any disciplinary measure authorized under Italian labor law.

B.

Since the employee was the cause of a serious risk for the server performance and their data, the company would be entitled to apply disciplinary measures to this employee, including fair dismissal.

C.

Since the employee was not informed that the security measures would be used for other purposes such as monitoring, the company could face difficulties in applying any disciplinary measures to this employee.

D.

Since this was a serious infringement, but the employee was not appropriately informed about the consequences the new security measures, the company would be entitled to apply some disciplinary measures, but not dismissal.

Full Access
Question # 10

According to Article 84 of the GDPR, the rules on penalties applicable to infringements shall be laid down by?

A.

The local Data Protection Supervisory Authorities.

B.

The European Data Protection Board.

C.

The EU Commission.

D.

The Member States.

Full Access
Question # 11

SCENARIO

Please use the following to answer the next question:

Jane Stan's her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a dedicated data center located in Malta |EU).

People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a KYC due diligence procedure aimed at preventing money laundering and ensuring compliance with applicable financial regulations.

The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and belong a checkbox on a separate page in order to get their account approved on the platform.

The customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a

Which of the following must be a component of the anti-money-laundering data-sharing practice of the platform?

A.

The terms of service shall also enumerate all applicable anti-money laundering few.

B.

Customers shall have an opt-out feature to restrict data sharing with law enforcement agencies after the registration.

C.

The terms of service shall include the address of the anti-money laundering agency and contacts of the investigators who may access me data.

D.

Customers snail receive a clear and conspicuous notice about such data sharing before submitting their data during the registration process.

Full Access
Question # 12

A dynamic Internet Protocol (IP) address is considered persona! data when it is combined with what?

A.

Other data held by the processor.

B.

Other data held by the controller

C.

Other data held by recipients of the data.

D.

Other data held by Internet Service Providers (ISPs).

Full Access
Question # 13

Which of the following is NOT an explicit right granted to data subjects under the GDPR?

A.

The right to request access to the personal data a controller holds about them.

B.

The right to request the deletion of data a controller holds about them.

C.

The right to opt-out of the sale of their personal data to third parties.

D.

The right to request restriction of processing of personal data, under certain scenarios.

Full Access
Question # 14

SCENARIO

Please use the following to answer the next question:

Jack worked as a Pharmacovigiliance Operations Specialist in the Irish office of a multinational pharmaceutical company on a clinical trial related to COVID-19. As part of his onboarding process Jack received privacy training He was explicitly informed that while he would need to process confidential patient data in the course of his work, he may under no circumstances use this data for anything other than the performance of work-related (asks This was also specified in the privacy policy, which Jack signed upon conclusion of the training.

After several months of employment, Jack got into an argument with a patient over the phone. Out of anger he later posted the patient's name and hearth information, along with disparaging comments, on a social media website. When this was discovered by his Pharmacovigilance supervisors. Jack was immediately dismissed

Jack's lawyer sent a letter to the company stating that dismissal was a disproportionate sanction, and that if Jack was not reinstated within 14 days his firm would have no alternative but to commence legal proceedings against the company. This letter was accompanied by a data access request from Jack requesting a copy of "all personal data, including internal emails that were sent/received by Jack or where Jack is directly or indirectly identifiable from the contents * In relation to the emails Jack listed six members of the management team whose inboxes he required access.

The company conducted an initial search of its IT systems, which returned a large amount of information They then contacted Jack, requesting that he be more specific regarding what information he required, so that they could carry out a targeted search Jack responded by stating that he would not narrow the scope of the information requester.

What would be the most appropriate response to Jacks data subject access request?

A.

The company should not provide any information, as the company is headquartered outside of the EU.

B.

The company should decline to provide any information, as the amount of information requested is too excessive to provide in one month.

C.

The company should cite the need for an extension, and agree to provide the information requested in Jack's original DSAR within a period of 3 months.

D.

The company should provide all requested information except for the emails, as they are excluded from data access request requirements under the GDPR.

Full Access
Question # 15

Bioface is a company based in the United States. It has no servers, personnel or assets in the European Union. By collecting photographs from social media and other web-based services, such as newspapers and blogs, it uses machine learning to develop a facial recognition algorithm. The algorithm identifies individuals in photographs who are not in its data set based the algorithm and its existing data. The service collects photographs of data subjects in the European Union and will identify them if presented with their photographs. Bioface offers its service to government agencies and companies in the United States and Canada, but not to those in the European Union. Bioface does not offer the service to individuals.

Why is Bioface subject to the territorial scope of the General Data Protection Regulation?

A.

It collects data from European Union websites, which constitutes an establishment in the European Union.

B.

It offers services in the European Union by identifying data subjects in the European Union.

C.

It collects data from subjects and uses it for automated processing.

D.

It monitors the behavior of data subjects in the European Union.

Full Access
Question # 16

How is the retention of communications traffic data for law enforcement purposes addressed by European data protection law?

A.

The ePrivacy Directive allows individual EU member states to engage in such data retention.

B.

The ePrivacy Directive harmonizes EU member states’ rules concerning such data retention.

C.

The Data Retention Directive’s annulment makes such data retention now permissible.

D.

The GDPR allows the retention of such data for the prevention, investigation, detection or prosecution of criminal offences only.

Full Access
Question # 17

SCENARIO

Please use the following to answer the next question:

Javier is a member of the fitness club EVERFIT. This company has branches in many EU member states, but for the purposes of the GDPR maintains its primary establishment in France. Javier lives in Newry, Northern Ireland (part of the U.K.), and commutes across the border to work in Dundalk, Ireland. Two years ago while on a business trip, Javier was photographed while working out at a branch of EVERFIT in Frankfurt, Germany. At the time, Javier gave his consent to being included in the photograph, since he was told that it would be used for promotional purposes only. Since then, the photograph has been used in the club’s U.K. brochures, and it features in the landing page of its U.K. website. However, the fitness club has recently fallen into disrepute due to widespread mistreatment of members at various branches of the club in several EU member states. As a result, Javier no longer feels comfortable with his photograph being publicly associated with the fitness club.

After numerous failed attempts to book an appointment with the manager of the local branch to discuss this matter, Javier sends a letter to EVETFIT requesting that his image be removed from the website and all promotional materials. Months pass and Javier, having received no acknowledgment of his request, becomes very anxious about this matter. After repeatedly failing to contact EVETFIT through alternate channels, he decides to take action against the company.

Javier contacts the U.K. Information Commissioner’s Office (‘ICO’ – the U.K.’s supervisory authority) to lodge a complaint about this matter. The ICO, pursuant to Article 56 (3) of the GDPR, informs the CNIL (i.e. the supervisory authority of EVERFIT’s main establishment) about this matter. Despite the fact that EVERFIT has an establishment in the U.K., the CNIL decides to handle the case in accordance with Article 60 of the GDPR. The CNIL liaises with the ICO, as relevant under the cooperation procedure. In light of issues amongst the supervisory authorities to reach a decision, the European Data Protection Board becomes involved and, pursuant to the consistency mechanism, issues a binding decision.

Additionally, Javier sues EVERFIT for the damages caused as a result of its failure to honor his request to have his photograph removed from the brochure and website.

Assuming that multiple EVETFIT branches across several EU countries are acting as separate data controllers, and that each of those branches were responsible for mishandling Javier’s request, how may Javier proceed in order to seek compensation?

A.

He will have to sue the EVETFIT’s head office in France, where EVETFIT has its main establishment.

B.

He will be able to sue any one of the relevant EVETFIT branches, as each one may be held liable for the entire damage.

C.

He will have to sue each EVETFIT branch so that each branch provides proportionate compensation commensurate with its contribution to the damage or distress suffered by Javier.

D.

He will be able to apply to the European Data Protection Board in order to determine which particular EVETFIT branch is liable for damages, based on the decision that was made by the board.

Full Access
Question # 18

Which of the following would require designating a data protection officer?

A.

Processing is carried out by an organization employing 250 persons or more.

B.

Processing is carried out for the purpose of providing for-profit goods or services to individuals in the EU.

C.

The core activities of the controller or processor consist of processing operations of financial information or information relating to children.

D.

The core activities of the controller or processor consist of processing operations that require systematic monitoring of data subjects on a large scale.

Full Access
Question # 19

The European Data Protection Board (EDPB) recommends measures to supplement transfer tools, in order to ensure compliance with the European Union (EU) level of personal data protection. According to these recommendations, what additional actions should be taken when a transfer to a third country is based upon an adequacy decision?

A.

Adopt a supplementary data transfer mechanism.

B.

Monitor the ongoing validity of the data transfer mechanism.

C.

Adopt technical, contractual or organizational supplementary measures.

D.

Monitor changes in the law or practice of the third country that would tower the level of protection of personal data

Full Access
Question # 20

The GDPR requires controllers to supply data subjects with detailed information about the processing of their data. Where a controller obtains data directly from data subjects, which of the following items of information does NOT legally have to be supplied?

A.

The recipients or categories of recipients.

B.

The categories of personal data concerned.

C.

The rights of access, erasure, restriction, and portability.

D.

The right to lodge a complaint with a supervisory authority.

Full Access
Question # 21

What is true if an employee makes an access request to his employer for any personal data held about him?

A.

The employer can automatically decline the request if it contains personal data about a third person.

B.

The employer can decline the request if the information is only held electronically.

C.

The employer must supply all the information held about the employee.

D.

The employer must supply any information held about an employee unless an exemption applies.

Full Access
Question # 22

If a French controller has a car-sharing app available only in Morocco, Algeria and Tunisia, but the data processing activities are carried out by the appointed processor in Spain, the GDPR will apply to the processing of the personal data so long as?

A.

The individuals are European citizens or residents.

B.

The data processing activities are in Spain.

C.

The data controller is in France.

D.

The EU individuals are targeted.

Full Access
Question # 23

If a data subject puts a complaint before a DPA and receives no information about its progress or outcome, how long does the data subject have to wait before taking action in the courts?

A.

1 month.

B.

3 months.

C.

5 months.

D.

12 months.

Full Access
Question # 24

A worker in a European Union (EU) member state has ceased his employment with a company. What should the employer most likely do in regard to the worker’s personal data?

A.

Destroy sensitive information and store the rest per applicable data protection rules.

B.

Store all of the data in case the departing worker makes a subject access request.

C.

Securely store the data that is required to be kept under local law.

D.

Provide the employee the reasons for retaining the data.

Full Access
Question # 25

SCENARIO

Please use the following to answer the next question:

Javier is a member of the fitness club EVERFIT. This company has branches in many EU member states, but for the purposes of the GDPR maintains its primary establishment in France. Javier lives in Newry, Northern Ireland (part of the U.K.), and commutes across the border to work in Dundalk, Ireland. Two years ago while on a business trip, Javier was photographed while working out at a branch of EVERFIT in Frankfurt, Germany. At the time, Javier gave his consent to being included in the photograph, since he was told that it would be used for promotional purposes only. Since then, the photograph has been used in the club’s U.K. brochures, and it features in the landing page of its U.K. website. However, the fitness club has recently fallen into disrepute due to widespread mistreatment of members at various branches of the club in several EU member states. As a result, Javier no longer feels comfortable with his photograph being publicly associated with the fitness club.

After numerous failed attempts to book an appointment with the manager of the local branch to discuss this matter, Javier sends a letter to EVETFIT requesting that his image be removed from the website and all promotional materials. Months pass and Javier, having received no acknowledgment of his request, becomes very anxious about this matter. After repeatedly failing to contact EVETFIT through alternate channels, he decides to take action against the company.

Javier contacts the U.K. Information Commissioner’s Office (‘ICO’ – the U.K.’s supervisory authority) to lodge a complaint about this matter. The ICO, pursuant to Article 56 (3) of the GDPR, informs the CNIL (i.e. the supervisory authority of EVERFIT’s main establishment) about this matter. Despite the fact that EVERFIT has an establishment in the U.K., the CNIL decides to handle the case in accordance with Article 60 of the GDPR. The CNIL liaises with the ICO, as relevant under the cooperation procedure. In light of issues amongst the supervisory authorities to reach a decision, the European Data Protection Board becomes involved and, pursuant to the consistency mechanism, issues a binding decision.

Additionally, Javier sues EVERFIT for the damages caused as a result of its failure to honor his request to have his photograph removed from the brochure and website.

Under the cooperation mechanism, what should the lead authority (the CNIL) do after it has formed its view on the matter?

A.

Submit a draft decision to other supervisory authorities for their opinion.

B.

Request that the other supervisory authorities provide the lead authority with a draft decision for its consideration.

C.

Submit a draft decision directly to the Commission to ensure the effectiveness of the consistency mechanism.

D.

Request that members of the seconding supervisory authority and the host supervisory authority co-draft a decision.

Full Access
Question # 26

According to Art 23 GDPR, which of the following data subject rights can NOT be restricted?

A.

Right to restriction of processing.

B.

Right to erasure ("Right to be forgotten").

C.

Right to lodge a complaint with a supervisory authority.

D.

Right not to be subject to automated individual decision-making

Full Access
Question # 27

In 2016’s Guidance, the United Kingdom’s Information Commissioner’s Office (ICO) reaffirmed the importance of using a “layered notice” to provide data subjects with what?

A.

A privacy notice containing brief information whilst offering access to further detail.

B.

A privacy notice explaining the consequences for opting out of the use of cookies on a website.

C.

An explanation of the security measures used when personal data is transferred to a third party.

D.

An efficient means of providing written consent in member states where they are required to do so.

Full Access
Question # 28

In the wake of the Schrems II ruling, which of the following actions has been recommended by the EDPB for companies transferring personal data to third countries?

A.

Adopting a risk-based approach and implementing supplementary measures as needed.

B.

Ensuring that all data transfers are encrypted with unbreakable encryption algorithms.

C.

Obtaining explicit consent from each EU citizen for every individual data transfer.

D.

Storing all personal data within the borders of the European Union.

Full Access
Question # 29

SCENARIO

Please use the following to answer the next question:

Jane Stan's her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a dedicated data center located in Malta (EU).

People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a KYC due diligence procedure aimed at preventing money laundering and ensuring compliance with applicable financial regulations.

The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and belong a checkbox on a separate page in order to get their account approved on the platform.

The customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a

Are the cybersecurity assessors required to sign a data processing agreement with the company in order to comply with the GDPR''

A.

No, the assessors do not quality as data processors as they only have access to encrypted data.

B.

No. the assessors do not quality as data processors as they do not copy the data to their facilities.

C.

Yes. the assessors a-e considered to be joint data controllers and must sign a mutual data processing agreement.

D.

Yes, the assessors are data processors and their processing of personal data must be governed by a separate contract or other legal act.

Full Access
Question # 30

SCENARIO

Please use the following to answer the next question:

Brady is a computer programmer based in New Zealand who has been running his own business for two years. Brady’s business provides a low-cost suite of services to customers throughout the European Economic Area (EEA). The services are targeted towards new and aspiring small business owners. Brady’s company, called Brady Box, provides web page design services, a Social Networking Service (SNS) and consulting services that help people manage their own online stores.

Unfortunately, Brady has been receiving some complaints. A customer named Anna recently uploaded her plans for a new product onto Brady Box’s chat area, which is open to public viewing. Although she realized her mistake two weeks later and removed the document, Anna is holding Brady Box responsible for not noticing the error through regular monitoring of the website. Brady believes he should not be held liable.

Another customer, Felipe, was alarmed to discover that his personal information was transferred to a third- party contractor called Hermes Designs and worries that sensitive information regarding his business plans may be misused. Brady does not believe he violated European privacy rules. He provides a privacy notice to all of his customers explicitly stating that personal data may be transferred to specific third parties in fulfillment of a requested service. Felipe says he read the privacy notice but that it was long and complicated

Brady continues to insist that Felipe has no need to be concerned, as he can personally vouch for the integrity of Hermes Designs. In fact, Hermes Designs has taken the initiative to create sample customized banner advertisements for customers like Felipe. Brady is happy to provide a link to the example banner ads, now posted on the Hermes Designs webpage. Hermes Designs plans on following up with direct marketing to these customers.

Brady was surprised when another customer, Serge, expressed his dismay that a quotation by him is being used within a graphic collage on Brady Box’s home webpage. The quotation is attributed to Serge by first and last name. Brady, however, was not worried about any sort of litigation. He wrote back to Serge to let him know that he found the quotation within Brady Box’s Social Networking Service (SNS), as Serge himself had posted the quotation. In his response, Brady did offer to remove the quotation as a courtesy.

Despite some customer complaints, Brady’s business is flourishing. He even supplements his income through online behavioral advertising (OBA) via a third-party ad network with whom he has set clearly defined roles. Brady is pleased that, although some customers are not explicitly aware of the OBA, the advertisements contain useful products and services.

Based on the scenario, what is the main reason that Brady should be concerned with Hermes Designs’ handling of customer personal data?

A.

The data is sensitive.

B.

The data is uncategorized.

C.

The data is being used for a new purpose.

D.

The data is being processed via a new means.

Full Access
Question # 31

SCENARIO

Please use the following to answer the next question:

Anna and Frank both work at Granchester University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records:

  • Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information.
  • Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files).
  • Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees. These records are available to former students after registering through Granchester’s Alumni portal. Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers.
  • Under their security policy, the University encrypts all of its personal data records in transit and at rest.

In order to improve his teaching, Frank wants to investigate how his engineering students perform in relational to Department for Education expectations. He has attended one of Anna’s data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a

program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first time university attended. He wants to keep the records at the individual student level. Mindful of Anna’s training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time.

One of Anna’s tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, as required by the GDPR. After receiving her email reminder, Frank informs Anna about his performance database.

Ann explains to Frank that, as well as minimizing personal data, the University has to check that this new use

of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has done some additional research.

Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time.

Before Anna determines whether Frank’s performance database is permissible, what additional information does she need?

A.

More information about Frank’s data protection training.

B.

More information about the extent of the information loss.

C.

More information about the algorithm Frank used to mask student numbers.

D.

More information about what students have been told and how the research will be used.

Full Access
Question # 32

A company in France suffers a robbery over the weekend owing to a faulty alarm system. When it is determined that the break-in involves the loss of a substantial amount of data, the company decides on a CCTV system to monitor for future incidents. Company technicians install cameras in the entrance of the building, hallways and offices. Footage is recorded continuously, and is monitored by the home office in the United States. What is the most realistic step the company could take to address their security concerns and comply with the personal data processing principles set out in Article 5 of the GDPR?

A.

Seek informed consent from company employees.

B.

Have cameras recording during work hours only.

C.

Retain captured footage for no more than 30 days.

D.

Restrict camera placement to building entrances only.

Full Access
Question # 33

SCENARIO

Please use the following to answer the next question:

Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent. All of the company’s IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father’s company, but is also secretly working on launching a new global online dating website company called Ben Knows Best.

Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company’s online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers’ philosophical beliefs, political opinions and marital status.

If a customer identifies as single, Ben then copies all of that customer’s personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out.

Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Beak with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.

Joe also hires his best friend’s daughter, Alice, who just graduated from law school in the U.S., to be the company’s new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company’s operations in the European Union to the U.S.

Joe believes that Alice is doing a great job, and informs her that she will also be in-charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company’s IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone’s information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.

When Ben had the company collect additional data from its customers, the most serious violation of the GDPR occurred because the processing of the data created what?

A.

An information security risk by copying the data into a new database.

B.

A potential legal liability and financial exposure from its customers.

C.

A significant risk to the customers’ fundamental rights and freedoms.

D.

A significant risk due to the lack of an informed consent mechanism.

Full Access
Question # 34

Two companies, Gellcoat and Freifish, make plans to launch a co-branded product the prototype of which is called Gellifish 9090. The companies want to organize an event to introduce the new product, so they decide to share data from their client databases and come up with a list of people to invite. They agree on the content of the invitations and together build an app to gather feedback at the event.

In this scenario, Gellcoat and Freifish are considered to be?

A.

Joint controllers with respect to the personal data related to the event and separate controllers for their other purposes.

B.

Joint controllers for all purposes because they have merged their databases and their data is now jointly owned.

C.

Separate controllers because pint controllers^ requires a written designation in a contract

D.

Separate controllers and processors since they are each providing services to the other

Full Access
Question # 35

Under what circumstances might the “soft opt-in” rule apply in relation to direct marketing?

A.

When an individual has not consented to the marketing.

B.

When an individual’s details are obtained from their inquiries about buying a product.

C.

Where an individual’s details have been obtained from a bought-in marketing list.

D.

Where an individual is given the ability to unsubscribe from marketing emails sent to him.

Full Access
Question # 36

An organisation receives a request multiple times from a data subject seeking to exercise his rights with respect to his own personal data. Under what condition can the organisation charge the data subject for processing the request?

A.

Only where the organisation can show that it is reasonable to do so because more than one request was made.

B.

Only to the extent this is allowed under the restrictions on data subjects’ rights introduced under Art 23 of GDPR.

C.

Only where the administrative costs of taking the action requested exceeds a certain threshold.

D.

Only if the organisation can demonstrate that the request is clearly excessive or misguided.

Full Access
Question # 37

Read the following steps:

  • Discover which employees are accessing cloud services and from which devices and apps Lock down the data in those apps and devices
  • Monitor and analyze the apps and devices for compliance
  • Manage application life cycles
  • Monitor data sharing

An organization should perform these steps to do which of the following?

A.

Pursue a GDPR-compliant Privacy by Design process.

B.

Institute a GDPR-compliant employee monitoring process.

C.

Maintain a secure Bring Your Own Device (BYOD) program.

D.

Ensure cloud vendors are complying with internal data use policies.

Full Access
Question # 38

Since blockchain transactions are classified as pseudonymous, are they considered to be within the material scope of the GDPR or outside of it?

A.

Outside the material scope of the GDPR, because transactions do not include personal data about data subjects m the European Union.

B.

Within the material scope of the GDPR but outside of the territorial scope, because blockchains are decentralized.

C.

Within the material scope of the GDPR to the extent that transactions include data subjects in the European Union.

D.

Outside the material scope of the GDPR, because transactions are for personal or household purposes

Full Access
Question # 39

SCENARIO

Please use the following to answer the next question:

Anna and Frank both work at Granchester University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records:

  • Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information.
  • Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files).
  • Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees. These records are available to former students after registering through Granchester’s Alumni portal. Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers.
  • Under their security policy, the University encrypts all of its personal data records in transit and at rest.

In order to improve his teaching, Frank wants to investigate how his engineering students perform in relational to Department for Education expectations. He has attended one of Anna’s data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a

program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first time university attended. He wants to keep the records at the individual student level. Mindful of Anna’s training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time.

One of Anna’s tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, as required by the GDPR. After receiving her email reminder, Frank informs Anna about his performance database.

Ann explains to Frank that, as well as minimizing personal data, the University has to check that this new use of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has

done some additional research.

Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time.

Anna will find that a risk analysis is NOT necessary in this situation as long as?

A.

The data subjects are no longer current students of Frank’s

B.

The processing will not negatively affect the rights of the data subjects

C.

The algorithms that Frank uses for the processing are technologically sound

D.

The data subjects gave their unambiguous consent for the original processing

Full Access
Question # 40

Which EU institution is vested with the competence to propose new data protection legislation on its own initiative?

A.

The European Council

B.

The European Parliament

C.

The European Commission

D.

The Council of the European Union

Full Access
Question # 41

Which of the following is NOT one of the 4 principles developed by the European Al Alliance regarding the ethical use of Artificial Intelligence?

A.

It should be fair.

B.

It should be lawful

C.

It should prevent harm

D.

It should respect human autonomy.

Full Access
Question # 42

Under Article 58 of the GDPR, which of the following describes a power of supervisory authorities in European Union (EU) member states?

A.

The ability to enact new laws by executive order.

B.

The right to access data for investigative purposes.

C.

The discretion to carry out goals of elected officials within the member state.

D.

The authority to select penalties when a controller is found guilty in a court of law.

Full Access
Question # 43

Which of the following is NOT recognized as being a common characteristic of cloud-computing services?

A.

The service’s infrastructure is shared among the supplier’s customers and can be located in a number of countries.

B.

The supplier determines the location, security measures, and service standards applicable to the processing.

C.

The supplier allows customer data to be transferred around the infrastructure according to capacity.

D.

The supplier assumes the vendor’s business risk associated with data processed by the supplier.

Full Access
Question # 44

SCENARIO

Please use the following to answer the next question:

Financially, it has been a very good year at ARRA Hotels: Their 21 hotels, located in

Greece (5), Italy (15) and Spain (1), have registered their most profitable results

ever. To celebrate this achievement, ARRA Hotels' Human Resources office, based

in ARRA's main Italian establishment, has organized a team event for its 420

employees and their families at its hotel in Spain.

Upon arrival at the hotel, each employee and family member is given an electronic

wristband at the reception desk. The wristband serves a number of functions:

. Allows access to the "party zone" of the hotel, and emits a buzz if the user

approaches any unauthorized areas

. Allows up to three free drinks for each person of legal age, and emits a

buzz once this limit has been reached

. Grants a unique ID number for participating in the games and contests that

have been planned.

Along with the wristband, each guest receives a QR code that leads to the online

privacy notice describing the use of the wristband. The page also contains an

unchecked consent checkbox. In the case of employee family members under the

age of 16, consent must be given by a parent.

Among the various activities planned for the event, ARRA Hotels' HR office has

autonomously set up a photocall area, separate from the main event venue, where

employees can come and have their pictures taken in traditional carnival costume.

The photos will be posted on ARRA Hotels' main website for general marketing

purposes.

On the night of the event, an employee from one of ARRA's Greek hotels is

displeased with the results of the photos in which he appears. He intends to file a

complaint with the relevant supervisory authority in regard to the following:

. The lack of any privacy notice in the separate photocall area

The unlawful cross-border processing of his personal data

. The unacceptable aesthetic outcome of his photos

Assuming that there is a cross-border processing of personal data, which of the

following criteria would NOT be useful to the lead supervisory authority responsible

for the Greek employee's complaint when trying to determine the location of the

controller's main establishment?

A.

Where the controller is registered as a company.

B.

Where the processor is registered as a company.

C.

Where decisions about the processing activities are made.

D.

Where the director with responsibility for processing activities is located.

Full Access
Question # 45

After leaving the EU under the terms of Brexit, the United Kingdom will seek an adequacy determination. What is the reason for this?

A.

The Insurance Commissioner determined that an adequacy determination is required by the Data Protection Act.

B.

Adequacy determinations automatically lapse when a Member State leaves the EU.

C.

The UK is now a third country because it’s no longer subject to the GDPR.

D.

The UK is less trustworthy now that its not part of the Union.

Full Access
Question # 46

There are three domains of security covered by Article 32 of the GDPR that apply to both the controller and the processor. These include all of the following EXCEPT?

A.

Consent management and withdrawal.

B.

Incident detection and response.

C.

Preventative security.

D.

Remedial security.

Full Access
Question # 47

According to the GDPR, how is pseudonymous personal data defined?

A.

Data that can no longer be attributed to a specific data subject without the use of additional information

kept separately.

B.

Data that can no longer be attributed to a specific data subject, with no possibility of re-identifying the data.

C.

Data that has been rendered anonymous in such a manner that the data subject is no longer identifiable.

D.

Data that has been encrypted or is subject to other technical safeguards.

Full Access
Question # 48

Which marketing-related activity is least likely to be covered by the provisions of Privacy and Electronic Communications Regulations (Directive 2002/58/EC)?

A.

Advertisements passively displayed on a website.

B.

The use of cookies to collect data about an individual.

C.

A text message to individuals from a company offering concert tickets for sale.

D.

An email from a retail outlet promoting a sale to one of their previous customer.

Full Access
Question # 49

Under the GDPR, which of the following is true in regard to adequacy decisions involving cross-border transfers?

A.

The European Commission can adopt an adequacy decision for individual companies.

B.

The European Commission can adopt, repeal or amend an existing adequacy decision.

C.

EU member states are vested with the power to accept or reject a European Commission adequacy decision.

D.

To be considered as adequate, third countries must implement the EU General Data Protection Regulation into their national legislation.

Full Access
Question # 50

A key component of the OECD Guidelines is the “Individual Participation Principle”. What parts of the General Data Protection Regulation (GDPR) provide the closest equivalent to that principle?

A.

The lawful processing criteria stipulated by Articles 6 to 9

B.

The information requirements set out in Articles 13 and 14

C.

The breach notification requirements specified in Articles 33 and 34

D.

The rights granted to data subjects under Articles 12 to 22

Full Access
Question # 51

What is the key difference between the European Council and the Council of the European Union?

A.

The Council of the European Union is helmed by a president.

B.

The Council of the European Union has a degree of legislative power.

C.

The European Council focuses primarily on issues involving human rights.

D.

The European Council is comprised of the heads of each EU member state.

Full Access
Question # 52

Under which of the following conditions does the General Data Protection Regulation NOT apply to the processing of personal data?

A.

When the personal data is processed only in non-electronic form

B.

When the personal data is collected and then pseudonymised by the controller

C.

When the personal data is held by the controller but not processed for further purposes

D.

When the personal data is processed by an individual only for their household activities

Full Access
Question # 53

Which kind of privacy notice, originally advocated by the Article 29 Working Party, is commonly recommended tor Al-based technologies because of the way it provides processing information at specific points of data collection?

A.

Privacy dashboard notice

B.

Visualization notice.

C.

Just-in-lime notice.

D.

Layered notice.

Full Access
Question # 54

A company is located in a country NOT considered by the European Union (EU) to have an adequate level of data protection. Which of the following is an obligation of the company if it imports personal data from another organization in the European Economic Area (EEA) under standard contractual clauses?

A.

Submit the contract to its own government authority.

B.

Ensure that notice is given to and consent is obtained from data subjects.

C.

Supply any information requested by a data protection authority (DPA) within 30 days.

D.

Ensure that local laws do not impede the company from meeting its contractual obligations.

Full Access
Question # 55

With respect to international transfers of personal data, the European Data Protection Board (EDPB) confirmed that derogations may be relied upon under what condition?

A.

If the data controller has received preapproval from a Data Protection Authority (DPA), after submitting the appropriate documents.

B.

When it has been determined that adequate protection can be performed.

C.

Only if the Data Protection Impact Assessment (DPIA) shows low risk.

D.

Only as a last resort and when interpreted restrictively.

Full Access
Question # 56

SCENARIO

Please use the following to answer the next question:

Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.

Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick’s instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.

Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its

clients’ data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information

is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying

information from the contact information. JaphSoft’s engineers, however, maintain all contact information in the same database as the identifying information.

Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies’ websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem’s as well as EcoMick’s latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem’s products, she has never shopped EcoMick, nor provided her personal data to that company.

For what reason would JaphSoft be considered a controller under the GDPR?

A.

It determines how long to retain the personal data collected.

B.

It has been provided access to personal data in the MarketIQ database.

C.

It uses personal data to improve its products and services for its client-base through machine learning.

D.

It makes decisions regarding the technical and organizational measures necessary to protect the personal data.

Full Access
Question # 57

To which of the following parties does the territorial scope of the GDPR NOT apply?

A.

All member countries of the European Economic Area.

B.

All member countries party to the Treaty of Lisbon.

C.

All member countries party to the Paris Agreement.

D.

All member countries of the European Union.

Full Access
Question # 58

According to the GDPR, what is the main task of a Data Protection Officer (DPO)?

A.

To create and maintain records of processing activities.

B.

To conduct Privacy Impact Assessments on behalf of the controller or processor.

C.

To monitor compliance with other local or European data protection provisions.

D.

To create procedures for notification of personal data breaches to competent supervisory authorities.

Full Access
Question # 59

Under Article 80(1) of the GDPR, individuals can elect to be represented by not-for-profit organizations in a privacy group litigation or class action. These organizations are commonly known as?

A.

Law firm organizations.

B.

Civil society organizations.

C.

Human rights organizations.

D.

Constitutional rights organizations.

Full Access
Question # 60

SCENARIO

Please use the following to answer the next question:

Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentable offering to help him recover compensation for personal injury. Louis has heard about insurance companies selling customers’ data to third parties, and he’s convinced that Accidentable must have gotten his information from Bedrock Insurance.

Louis has also been receiving an increased amount of marketing information from Bedrock, trying to sell him their full range of their insurance policies.

Perturbed by this, Louis has started looking at price comparison sites on the internet and has been shocked to find that other insurers offer much cheaper rates than Bedrock, even though he has been a loyal customer for many years. When his Bedrock policy comes up for renewal, he decides to switch to Zantrum Insurance.

In order to activate his new insurance policy, Louis needs to supply Zantrum with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask Bedrock to transfer his information directly to Zantrum. He also takes this opportunity to ask Bedrock to stop using his personal data for marketing purposes.

Bedrock supplies Louis with a PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Louis it cannot transfer his data directly to Zantrum as this is not technically feasible. Bedrock also explains that Louis’s contract included a provision whereby Louis agreed that his data could be used for marketing purposes; according to Bedrock, it is too late for Louis to change his mind about this. It angers Louis when he recalls the wording of the contract, which was filled with legal jargon and very confusing.

In the meantime, Louis is still receiving unwanted calls from Accidentable Insurance. He writes to Accidentable to ask for the name of the organization that supplied his details to them. He warns Accidentable that he plans to complain to the data protection authority, because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way.

Accidentable’s response letter confirms Louis’s suspicions. Accidentable is Bedrock Insurance’s wholly owned subsidiary, and they received information about Louis’s accident from Bedrock shortly after Louis submitted his accident claim. Accidentable assures Louis that there has been no breach of the GDPR, as Louis’s contract included, a provision in which he agreed to share his information with Bedrock’s affiliates for business purposes.

Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them insisting that all his information be erased from their computer system.

Which statement accurately summarizes Bedrock’s obligation in regard to Louis’s data portability request?

A.

Bedrock does not have a duty to transfer Louis’s data to Zantrum if doing so is legitimately not technically feasible.

B.

Bedrock does not have to transfer Louis’s data to Zantrum because the right to data portability does not apply where personal data are processed in order to carry out tasks in the public interest.

C.

Bedrock has failed to comply with the duty to transfer Louis’s data to Zantrum because the duty applies wherever personal data are processed by automated means and necessary for the performance of a contract with the customer.

D.

Bedrock has failed to comply with the duty to transfer Louis’s data to Zantrum because it has an obligation to develop commonly used, machine-readable and interoperable formats so that all customer data can be ported to other insurers on request.

Full Access
Question # 61

A data controller appoints a data protection officer. Which of the following conditions would NOT result in an infringement of Articles 37 to 39 of the GDPR?

A.

If the data protection officer lacks ISO 27001 auditor certification.

B.

If the data protection officer is provided by the data processor.

C.

If the data protection officer also manages the marketing budget.

D.

If the data protection officer receives instructions from the data controller.

Full Access
Question # 62

SCENARIO

Please use the following to answer the next question:

Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquartered in Montreal, and all of its employees are located there. The company offers its services to Canadians only: Its website is in English and French, it accepts only Canadian currency, and it blocks internet traffic from outside of Canada (although this solution doesn’t prevent all non-Canadian traffic). It also declines to process orders that request the DNA report to be sent outside of Canada, and returns orders that show a non-Canadian return address.

Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is exploring a number of plans to expand its customer base.

The first plan, collegially called We-Track-U, will use an app to collect information about its current Canadian customer base. The expansion will allow its Canadian customers to use the app while traveling abroad. He suggests that the company use this app to gather location information. If the plan shows promise, Bob proposes to use push notifications and text messages to encourage existing customers to pre-register for an EU version of the service. Bob calls this work plan, We-Text-U. Once the company has gathered enough pre- registrations, it will develop EU-specific content and services.

Another plan is called Customer for Life. The idea is to offer additional services through the company’s app, like storage and sharing of DNA information with other applications and medical providers. The company’s contract says that it can keep customer DNA indefinitely, and use it to offer new services and market them to customers. It also says that customers agree not to withdraw direct marketing consent. Paul, the marketing director, suggests that the company should fully exploit these provisions, and that it can work around customers’ attempts to withdraw consent because the contract invalidates them.

The final plan is to develop a brand presence in the EU. The company has already begun this process. It is in the process of purchasing the naming rights for a building in Germany, which would come with a few offices that Who-R-U executives can use while traveling internationally. The office doesn’t include any technology or infrastructure; rather, it’s simply a room with a desk and some chairs.

On a recent trip concerning the naming-rights deal, Bob’s laptop is stolen. The laptop held unencrypted DNA reports on 5,000 Who-R-U customers, all of whom are residents of Canada. The reports include customer name, birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information.

The Customer for Life plan may conflict with which GDPR provision?

A.

Article 6, which requires processing to be lawful.

B.

Article 7, which requires consent to be as easy to withdraw as it is to give.

C.

Article 16, which provides data subjects with a rights to rectification.

D.

Article 20, which gives data subjects a right to data portability.

Full Access
Question # 63

Which of the following Convention 108+ principles, as amended in 2018, is NOT consistent with a principle found in the GDPR?

A.

The obligation of companies to declare data breaches.

B.

The requirement to demonstrate compliance to a supervisory authority.

C.

The necessity of the bulk collection of personal data by the government.

Full Access
Question # 64

To provide evidence of GDPR compliance, a company performs an internal audit. As a result, it finds a data base, password-protected, listing all the social network followers of the client.

Regarding the domain of the controller-processor relationships, how is this situation considered?

A.

Compliant with the security principle, because the data base is password-protected.

B.

Non-compliant, because the storage of the data exceeds the tasks contractually authorized by the controller.

C.

Not applicable, because the data base is password protected, and therefore is not at risk of identifying any data subject.

D.

Compliant with the storage limitation principle, so long as the internal auditor permanently deletes the data base.

Full Access
Question # 65

It a company receives an anonymous email demanding ransom for the stolen personal data of its clients, what must the company do next, per GDPR requirements'3

A.

Notify the police and Tile a criminal complaint about the incident

B.

Start an investigation to understand the incident's possible scope, duration and nature

C.

Send a notification to the competent supervisory authority describing the incident.

D.

Send an email about the incident to all clients and ask them to change their passwords

Full Access
Question # 66

The origin of privacy as a fundamental human right can be found in which document?

A.

Universal Declaration of Human Rights 1948.

B.

European Convention of Human Rights 1953.

C.

OECD Guidelines on the Protection of Privacy 1980.

D.

Charier of Fundamental Rights of the European Union 2000.

Full Access
Question # 67

SCENARIO

Please use the following to answer the next question:

Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees’ computers to see if they have software that is no

longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees’ computers.

Since these measures would potentially impact employees, Building Block’s Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.

After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees’ computers activity and their location. During these activities, the Information Security team discovered that one employee from Italy was daily connecting to a video library of movies, and another one from Germany worked remotely without authorization. The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.

Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company’s computers, and from working remotely without authorization.

To comply with the GDPR, what should Building Block have done as a first step before implementing the SecurityScan measure?

A.

Assessed potential privacy risks by conducting a data protection impact assessment.

B.

Consulted with the relevant data protection authority about potential privacy violations.

C.

Distributed a more comprehensive notice to employees and received their express consent.

D.

Consulted with the Information Security team to weigh security measures against possible server impacts.

Full Access
Question # 68

Under Article 30 of the GDPR, controllers are required to keep records of all of the following EXCEPT?

A.

Incidents of personal data breaches, whether disclosed or not.

B.

Data inventory or data mapping exercises that have been conducted.

C.

Categories of recipients to whom the personal data have been disclosed.

D.

Retention periods for erasure and deletion of categories of personal data.

Full Access
Question # 69

ISO 31700 has set forth requirements relating to consumer products and services. In particular, this international standard focuses on the implementation of which of the following?

A.

Privacy by design.

B.

Comprehensive ethical Al software.

C.

Privacy notices for companies providing services to consumers.

D.

Automated systems for identifying EU data subjects' personal data.

Full Access
Question # 70

SCENARIO

Please use the following to answer the next question:

Jack worked as a Pharmacovigiliance Operations Specialist in the Irish office of a multinational pharmaceutical company on a clinical trial related to COVID-19. As part of his onboarding process Jack received privacy training He was explicitly informed that while he would need to process confidential patient data in the course of his work, he may under no circumstances use this data for anything other than the performance of work-related (asks This was also specified in the privacy policy, which Jack signed upon conclusion of the training.

After several months of employment, Jack got into an argument with a patient over the phone. Out of anger he later posted the patient's name and hearth information, along with disparaging comments, on a social media website. When this was discovered by his Pharmacovigilance supervisors. Jack was immediately dismissed

Jack's lawyer sent a letter to the company stating that dismissal was a disproportionate sanction, and that if Jack was not reinstated within 14 days his firm would have no alternative but to commence legal proceedings against the company. This letter was accompanied by a data access request from Jack requesting a copy of "all personal data, including internal emails that were sent/received by Jack or where Jack is directly or indirectly identifiable from the contents In relation to the emails Jack listed six members of the management team whose inboxes he required access.

The company conducted an initial search of its IT systems, which returned a large amount of information They then contacted Jack, requesting that he be more specific regarding what information he required, so that they could carry out a targeted search Jack responded by stating that he would not narrow the scope of the information requester.

Under Article 82 of the GDPR ("Right to compensation and liability-), which party is liable for the damage caused by the data breach?

A.

Both parties are exempt, as the company is involved in human health research

B.

Jack and the pharmaceutical company are jointly liable.

C.

The pharmaceutical company is liable.

D.

Jack is liable

Full Access
Question # 71

When assessing the level of risk created by a data breach, which of the following would NOT have to be taken into consideration?

A.

The ease of identification of individuals.

B.

The size of any data processor involved.

C.

The special characteristics of the data controller.

D.

The nature, sensitivity and volume of personal data.

Full Access
Question # 72

In which scenario is a Controller most likely required to undertake a Data Protection Impact Assessment?

A.

When the controller is collecting email addresses from individuals via an online registration form for marketing purposes.

B.

When personal data is being collected and combined with other personal data to profile the creditworthiness of individuals.

C.

When the controller is required to have a Data Protection Officer.

D.

When personal data is being transferred outside of the EEA.

Full Access
Question # 73

A company is hesitating between Binding Corporate Rules and Standard Contractual Clauses as a global data transfer solution. Which of the following statements would help the company make an effective decision?

A.

Binding Corporate Rules are especially recommended for small and medium companies.

B.

The data exporter does not need to be located in the EU for the standard Contractual Clauses.

C.

Binding Corporate Rules provide a global solution for all the entities of a company that are bound by the intra-group agreement.

D.

The company will need the prior authorization of all EU data protection authorities for concluding Standard Contractual Clauses.

Full Access
Question # 74

To receive a preliminary interpretation on provisions of the GDPR, a national court will refer its case to which of the following?

A.

The Court of Justice of the European Union.

B.

The European Data Protection Supervisor.

C.

The European Court of Human Rights.

D.

The European Data Protection Board.

Full Access
Question # 75

SCENARIO

Please use the following to answer the next question:

ABC Hotel Chain and XYZ Travel Agency are U.S.-based multinational companies. They use an internet-based common platform for collecting and sharing their customer data with each other, in order to integrate their marketing efforts. Additionally, they agree on the data to be stored, how reservations will be booked and confirmed, and who has access to the stored data.

Mike, an EU resident, has booked travel itineraries in the past through XYZ Travel Agency to stay at ABC Hotel Chain’s locations. XYZ Travel Agency offers a rewards program that allows customers to sign up to accumulate points that can later be redeemed for free travel. Mike has signed the agreement to be a rewards program member.

Now Mike wants to know what personal information the company holds about him. He sends an email requesting access to his data, in order to exercise what he believes are his data subject rights.

What is the time period in which Mike should receive a response to his request?

A.

Not more than one month of receipt of Mike’s request.

B.

Not more than two months after verifying Mike’s identity.

C.

When all the information about Mike has been collected.

D.

Not more than thirty days after submission of Mike’s request.

Full Access
Question # 76

Which sentence BEST summarizes the concepts of “fairness,” “lawfulness” and “transparency”, as expressly required by Article 5 of the GDPR?

A.

Fairness and transparency refer to the communication of key information before collecting data; lawfulness refers to compliance with government regulations.

B.

Fairness refers to limiting the amount of data collected from individuals; lawfulness refers to the approval of company guidelines by the state; transparency solely relates to communication of key information before collecting data.

C.

Fairness refers to the security of personal data; lawfulness and transparency refers to the analysis of ordinances to ensure they are uniformly enforced.

D.

Fairness refers to the collection of data from diverse subjects; lawfulness refers to the need for legal rules to be uniform; transparency refers to giving individuals access to their data.

Full Access
Question # 77

SCENARIO

Please use the following to answer the next question:

TripBliss Inc. is a travel service company which has lost substantial revenue over the last few years. Their new manager, Oliver, suspects that this is partly due to the company’s outdated website. After doing some research, he meets with a sales representative from the up-and-coming IT company Techiva, hoping that they can design a new, cutting-edge website for TripBliss Inc.’s foundering business.

During negotiations, a Techiva representative describes a plan for gathering more customer information through detailed Questionaires, which could be used to tailor their preferences to specific travel destinations. TripBliss Inc. can choose any number of data categories – age, income, ethnicity – that would help them best accomplish their goals. Oliver loves this idea, but would also like to have some way of gauging how successful this approach is, especially since the Questionaires will require customers to provide explicit consent to having their data collected. The Techiva representative suggests that they also run a program to analyze the new website’s traffic, in order to get a better understanding of how customers are using it. He explains his plan to place a number of cookies on customer devices. The cookies will allow the company to collect IP addresses and other information, such as the sites from which the customers came, how much time they spend on the TripBliss Inc. website, and which pages on the site they visit. All of this information will be compiled in log files, which Techiva will analyze by means of a special program. TripBliss Inc. would receive aggregate statistics to help them evaluate the website’s effectiveness. Oliver enthusiastically engages Techiva for these services.

Techiva assigns the analytics portion of the project to longtime account manager Leon Santos. As is standard practice, Leon is given administrator rights to TripBliss Inc.’s website, and can authorize access to the log files gathered from it. Unfortunately for TripBliss Inc., however, Leon is taking on this new project at a time when his dissatisfaction with Techiva is at a high point. In order to take revenge for what he feels has been unfair treatment at the hands of the company, Leon asks his friend Fred, a hobby hacker, for help. Together they come up with the following plan: Fred will hack into Techiva’s system and copy their log files onto a USB stick. Despite his initial intention to send the USB to the press and to the data protection authority in order to denounce Techiva, Leon experiences a crisis of conscience and ends up reconsidering his plan. He decides instead to securely wipe all the data from the USB stick and inform his manager that the company’s system of access control must be reconsidered.

If TripBliss Inc. decides not to report the incident to the supervisory authority, what would be their BEST defense?

A.

The resulting obligation to notify data subjects would involve disproportionate effort.

B.

The incident resulted from the actions of a third-party that were beyond their control.

C.

The destruction of the stolen data makes any risk to the affected data subjects unlikely.

D.

The sensitivity of the categories of data involved in the incident was not substantial enough.

Full Access
Question # 78

SCENARIO

Please use the following to answer the next question:

ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO. Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage s global customer base and 2) increase ProStorage's sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth's health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage's Human Resources department and Ruth's Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments The latter has become especially crucial after Ruth's last trip to India, where she suffered a medical emergency and was hospitalized m New Delhi Unable to reach Ruths family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who in coordination with Mary, the head of HR. provided information to the doctors based on accommodate on requests Ruth made when she started a: ProStorage

In support of Ruth's strategic goals of hiring more sales representatives, the Human

Resources team is focused on improving its processes to ensure that new

employees are sourced, interviewed, hired, and onboarded efficiently. To help with

this, Mary identified two vendors, HRYourWay, a German based company, and

InstaHR, an Australian based company. She decided to have both vendors go

through ProStorage's vendor risk review process so she can work with Ruth to

make the final decision. As part of the review process, Jackie, who is responsible

for maintaining ProStorage's privacy program (including maintaining controller

BCRs and conducting vendor risk assessments), reviewed both vendors but

completed a transfer impact assessment only for InstaHR. After her review of both

vendors, she determined that InstaHR satisfied more of the requirements as it

boasted a more established privacy program and provided third-party attestations,

whereas HRYourWay was a small vendor with minimal data protection operations.

Thus, she recommended InstaHR.

ProStorage's marketing team also worked to meet the strategic goals of the

company by focusing on industries where it needed to grow its market share. To

help with this, the team selected as a partner UpFinance, a US based company

with deep connections to financial industry customers. During ProStorage's

diligence process, Jackie from the privacy team noted in the transfer impact

assessment that UpFinance implements several data protection measures

including end-to-end encryption, with encryption keys held by the customer.

Notably, UpFinance has not received any government requests in its 7 years of

business. Still, Jackie recommended that the contract require UpFinance to notify

ProStorage if it receives a government request for personal data UpFinance

processes on its behalf prior to disclosing such data.

What transfer mechanism did ProStorage most likely rely on to transfer Ruth's

medical information to the hospital?

A.

Ruth's implied consent.

B.

Protecting the vital interest of Ruth.

C.

Performance of a contract with Ruth.

D.

Protecting against legal liability from Ruth.

Full Access
Question # 79

Articles 13 and 14 of the GDPR provide details on the obligation of data controllers to inform data subjects when collecting personal data. However, both articles specify an exemption for situations in which the data subject already has the information.

Which other situation would also exempt the data controller from this obligation under Article 14?

A.

When providing the information would go against a police order.

B.

When providing the information would involve a disproportionate effort

C.

When the personal data was obtained through multiple source in the public domain

D.

When the personal data was obtained 5 years before the entry into force of the GDPR

Full Access