Deck 3: Certified Information Privacy Professional/Europe (CIPP/E)

A) The European Council
B) The European Parliament
C) The European Commission
D) The Council of the European Union

A) Where the technology supporting the website is located
B) Where the website is accessed
C) Where the decisions about processing are made
D) Where the customer's Internet service provider is located

A) Both govern international transfers of personal data
B) Both govern the manual processing of personal data
C) Both only apply to European Union countries
D) Both require notification of processing activities to a supervisory authority

A) The NFC portal can read any data stored in the action figures
B) The information about the data processing involved has not been specified
C) The cloud service provider is in a country that has not been deemed adequate
D) The RFID tag in the action figures has the potential for misuse because of the toy's evolving capabilities

A) The behavior of suspected terrorists being monitored by EU law enforcement bodies.
B) Personal data of EU citizens being processed by a controller or processor based outside the EU.
C) The behavior of EU citizens outside the EU being monitored by non-EU law enforcement bodies.
D) Personal data of EU residents being processed by a non-EU business that targets EU customers.

A) The lawful processing criteria stipulated by Articles 6 to 9
B) The information requirements set out in Articles 13 and 14
C) The breach notification requirements specified in Articles 33 and 34
D) The rights granted to data subjects under Articles 12 to 22

A) The right to privacy is an absolute right
B) The right to privacy has to be balanced against other rights under the ECHR
C) The right to freedom of expression under Article 10 of the ECHR will always override the right to privacy
D) The right to privacy protects the right to hold opinions and to receive and impart ideas without interference

A) It dictates the level of security a processor must follow when using and storing personal data for two different purposes.
B) It guides the courts on the severity of the consequences for those who are convicted of the intentional misuse of personal data.
C) It sets the standard for the level of detail a controller must record when documenting the purpose for collecting personal data.
D) It indicates the degree of flexibility a controller has in using personal data in ways that may vary from its original intended purpose.

A) More information about Frank's data protection training.
B) More information about the extent of the information loss.
C) More information about the algorithm Frank used to mask student numbers.
D) More information about what students have been told and how the research will be used.

A) The ePrivacy Directive allows individual EU member states to engage in such data retention.
B) The ePrivacy Directive harmonizes EU member states' rules concerning such data retention.
C) The Data Retention Directive's annulment makes such data retention now permissible.
D) The GDPR allows the retention of such data for the prevention, investigation, detection or prosecution of criminal offences only.

A) When the personal data is processed only in non-electronic form
B) When the personal data is collected and then pseudonymised by the controller
C) When the personal data is held by the controller but not processed for further purposes
D) When the personal data is processed by an individual only for their household activities

A) Data that can no longer be attributed to a specific data subject without the use of additional information kept separately.
B) Data that can no longer be attributed to a specific data subject, with no possibility of re-identifying the data.
C) Data that has been rendered anonymous in such a manner that the data subject is no longer identifiable.
D) Data that has been encrypted or is subject to other technical safeguards.

A) The European Parliament
B) The European Commission
C) The Article 29 Working Party
D) The European Council

A) Accuracy
B) Storage Limitation
C) Integrity and confidentiality
D) Lawfulness, fairness and transparency

A) The mechanisms through which consent may be communicated
B) The circumstances in which silence or inactivity may constitute consent
C) The age at which children must be required to obtain parental consent
D) The timeframe in which data subjects are allowed to withdraw their consent

A) Any act involving the collecting and recording of personal data.
B) Any operation or set of operations performed on personal data or on sets of personal data.
C) Any use or disclosure of personal data compatible with the purpose for which the data was collected.
D) Any operation or set of operations performed by automated means on personal data or on sets of personal data.

A) The establishment of a list of legitimate data processing criteria
B) The creation of legally binding data protection principles
C) The synchronization of approaches to data protection
D) The restriction of cross-border data flow

A) Pseudonymized
B) Anonymized
C) Encrypted
D) Masked

A) Verify that the request is applicable to the data collected before the GDPR entered into force.
B) Verify that the purpose of the request from the customer is in line with the GDPR.
C) Verify that the personal data has not already been sent to the customer.
D) Verify that the identity of the customer can be proven by other means.

A) The European Commission can adopt an adequacy decision for individual companies.
B) The European Commission can adopt, repeal or amend an existing adequacy decision.
C) EU member states are vested with the power to accept or reject a European Commission adequacy decision.
D) To be considered as adequate, third countries must implement the EU General Data Protection Regulation into their national legislation.

A) Greece
B) Norway
C) Australia
D) Switzerland

A) Submit the contract to its own government authority.
B) Ensure that notice is given to and consent is obtained from data subjects.
C) Supply any information requested by a data protection authority (DPA) within 30 days.
D) Ensure that local laws do not impede the company from meeting its contractual obligations.

A) Approved data controllers.
B) The Council of the European Union.
C) National data protection authorities.
D) The European Data Protection Supervisor.

A) Hiring companies whose measures are consistent with recommendations of accrediting bodies.
B) Requesting advice and technical support from Company A's IT team.
C) Avoiding the use of another company's data to improve their own services.
D) Vetting companies' measures with the appropriate supervisory authority.

A) Their omission of data protection provisions in their contract with Company C .
B) Their failure to provide sufficient security safeguards to Company A's data.
C) Their engagement of Company C to improve their payroll service.
D) Their decision to operate without a data protection officer.

A) Liem is a controller and EcoMick is a processor because Liem provides specific instructions regarding how the marketing campaigns should be rolled out.
B) EcoMick and JaphSoft are is a controller and Liem is a processor because EcoMick is sharing its marketing data with Liem for contacts in Europe.
C) JaphSoft is the sole processor because it processes personal data on behalf of its clients.
D) Liem and EcoMick are joint controllers because they carry out joint marketing activities.

A) Inform the subjects about the collection
B) Provide a public notice regarding the data
C) Upgrade security to match that of the source
D) Update the data within a reasonable timeframe

A) The authority by which the controller is collecting the data and the third parties to whom the data will be sent.
B) The name/s of relevant government agencies involved and the steps needed for revising the data.
C) The identity and contact details of the controller and the reasons the data is being collected.
D) The contact information of the controller and a description of the retention policy.

A) Information about DPIAs found in Articles 38 through 40 of the GDPR.
B) Data breach documentation that data controllers are required to maintain.
C) Existing DPIA guides published by local supervisory authorities.
D) Records of processing activities that data controllers are required to maintain.

A) It determines how long to retain the personal data collected.
B) It has been provided access to personal data in the MarketIQ database.
C) It uses personal data to improve its products and services for its client-base through machine learning.
D) It makes decisions regarding the technical and organizational measures necessary to protect the personal data.

A) Carry out an exercise that weighs the interests of the controller and the basis for the data subject's objection.
B) Consider the impact of the profiling on the data subject's interest, rights and freedoms.
C) Demonstrate that the profiling is for the purposes of direct marketing.
D) Consider the importance of the profiling to their particular objective.

A) Processing is carried out by an organization employing 250 persons or more.
B) Processing is carried out for the purpose of providing for-profit goods or services to individuals in the EU.
C) The core activities of the controller or processor consist of processing operations of financial information or information relating to children.
D) The core activities of the controller or processor consist of processing operations that require systematic monitoring of data subjects on a large scale.

A) If the processing is to be performed by a third-party vendor
B) If the processing involves data that is considered personal data
C) If the processing of the data is done through automated means
D) If the processing is used to predict the behavior of data subjects

A) JaphSoft failed to first anonymize the personal data.
B) JaphSoft pseudonymized all the data instead of deleting what it no longer needed.
C) JaphSoft was in possession of information that could be used to identify data subjects.
D) JaphSoft failed to keep personally identifiable information in a separate database.

A) Notify as soon as possible the data protection supervisory authority that a data breach may have taken place.
B) Launch an investigation and if nothing is found within one month, notify the data protection supervisory authority.
C) Invoke the "disproportionate effort" exception under Article 33 to postpone notifying data subjects until more information can be gathered.
D) Immediately notify all the customers of the company that their information has been accessed by an unauthorized person.

A) She was not told which controller would be processing her personal data.
B) She only viewed the visual representations of the privacy notice Liem provided.
C) She did not read the privacy notice stating that her personal data would be shared.
D) She has never made any purchases from JaphSoft and has no relationship with the company.

A) The ability to enact new laws by executive order.
B) The right to access data for investigative purposes.
C) The discretion to carry out goals of elected officials within the member state.
D) The authority to select penalties when a controller is found guilty in a court of law.

A) The data subject already has information regarding how his data will be used
B) The provision of such information to the data subject would be too problematic
C) Third-party data would be disclosed by providing such information to the data subject
D) The processing of the data subject's data is protected by appropriate technical measures

A) Within 40 days of receipt
B) Within 40 days of receipt, which may be extended by up to 40 additional days
C) Within one month of receipt, which may be extended by up to an additional month
D) Within one month of receipt, which may be extended by an additional two months

A) Choose the data protection officer that is most sympathetic to their business concerns.
B) Designate their main establishment in member state with the most flexible practices.
C) File appeals of infringement judgments with more than one EU institution simultaneously.
D) Select third-party processors on the basis of cost rather than quality of privacy protection.

A) The ePrivacy Directive
B) The E-Commerce Directive
C) The Data Retention Directive
D) The EU Cybersecurity Directive

A) Failure to demonstrate that consent was given by the data subject to the processing of their personal data where it is used as the basis for processing.
B) Failure to implement technical and organizational measures to ensure data protection is enshrined by design and default.
C) Failure to process personal information in a manner compatible with its original purpose.
D) Failure to provide the means for a data subject to rectify inaccuracies in personal data.

A) When an individual has not consented to the marketing.
B) When an individual's details are obtained from their inquiries about buying a product.
C) Where an individual's details have been obtained from a bought-in marketing list.
D) Where an individual is given the ability to unsubscribe from marketing emails sent to him.

A) Employee data can only be processed if there is an approval from the data protection officer.
B) Consent may not be valid if the employee feels compelled to provide it.
C) An employer might have difficulty obtaining consent from every employee.
D) Data protection laws do not apply to processing of employee data.

A) Data subject rights
B) Data access disputes
C) Cross-border processing
D) Special categories of data

A) A prior opt-in consent for consumers unless they are already customers.
B) A pre-checked box stating that the consumer agrees to receive email marketing.
C) A notice that the consumer's email address will be used for marketing purposes.
D) No prior permission required, but an opt-out requirement on all emails sent to consumers.

A) A voluntary notification for personal data breaches applicable to all data controllers.
B) A voluntary notification for personal data breaches applicable to electronic communication providers.
C) A mandatory notification for personal data breaches applicable to all data controllers.
D) A mandatory notification for personal data breaches applicable to electronic communication providers.

A) When creating an untargeted pop-up ad on a website.
B) When calling a potential customer to notify her of an upcoming product sale.
C) When emailing a customer to announce that his recent order should arrive earlier than expected.
D) When paying a search engine company to give prominence to certain products and services within specific search results.

A) The Insurance Commissioner determined that an adequacy determination is required by the Data Protection Act.
B) Adequacy determinations automatically lapse when a Member State leaves the EU.
C) The UK is now a third country because it's no longer subject to the GDPR.
D) The UK is less trustworthy now that its not part of the Union.

A) A company wants to combine location data with other data in order to offer more personalized service for the customer.
B) A company wants to use location data to infer information on a person's clothes purchasing habits.
C) A company wants to build a dating app that creates candidate profiles based on location data and data from third-party sources.
D) A company wants to use location data to track delivery trucks in order to make the routes more efficient.

A) App developers will expand the amount of data necessary to collect for an app's functionality.
B) Users will be given granular types of consent for particular types of processing.
C) App developers' responsibilities as data controllers will increase.
D) Users will see fewer advertisements when using apps.

A) Separately hold any information that would allow linking the data to the data subject.
B) Encrypt the data in order to prevent any unauthorized access or modification.
C) Remove all indirect data identifiers and dispose of them securely.
D) Use the data only in aggregated form for research purposes.

A) Personal data revealing ethnic origin.
B) Personal data revealing genetic data.
C) Personal data revealing financial data.
D) Personal data revealing trade union membership.

A) A South American company that regularly collects European customers' personal data.
B) A company that stores all customer data in Australia and is headquartered in a European Union (EU) member state.
C) A Chinese company that has opened a satellite office in a European Union (EU) member state to service European customers.
D) A North American company servicing customers in South Africa that uses a cloud storage system made by a European company.

A) He will have to sue the EVETFIT's head office in France, where EVETFIT has its main establishment.
B) He will be able to sue any one of the relevant EVETFIT branches, as each one may be held liable for the entire damage.
C) He will have to sue each EVETFIT branch so that each branch provides proportionate compensation commensurate with its contribution to the damage or distress suffered by Javier.
D) He will be able to apply to the European Data Protection Board in order to determine which particular EVETFIT branch is liable for damages, based on the decision that was made by the board.

A) The requirements affected individuals without exception.
B) The requirements were financially burdensome to EU businesses.
C) The requirements specified that data must be held within the EU.
D) The requirements had limitations on how national authorities could use data.

A) Submit a draft decision to other supervisory authorities for their opinion.
B) Request that the other supervisory authorities provide the lead authority with a draft decision for its consideration.
C) Submit a draft decision directly to the Commission to ensure the effectiveness of the consistency mechanism.
D) Request that members of the seconding supervisory authority and the host supervisory authority co-draft a decision.

A) Sectoral
B) Self-regulatory
C) Market-based
D) Comprehensive

A) Without exception, securely delete all personal data relating to the data subject.
B) Without undue delay, provide information to the data subject on the action that will be taken.
C) Refrain from processing personal data relating to the data subject for the relevant type of communication.
D) Take reasonable steps to inform third-party recipients that the data subject's personal data should be deleted and no longer processed.

A) Determining the monetary fines to be levied against employers for data breach violations of employee data.
B) Determining whether to approve or reject certain decisions of the employer that affect employees.
C) Determining whether employees' personal data can be processed or not.
D) Determining what changes will affect employee working conditions.

A) When she is leaving her bank and moving to another bank.
B) When she has recently changed jobs and no longer works for the same company.
C) When she disagrees with a diagnosis her doctor has recorded on her records.
D) When she no longer wishes to be sent marketing materials from an organization.

A) The predicted consequences of the breach.
B) The measures being taken to address the breach.
C) The type of security safeguards used to protect the data.
D) The contact details of the appropriate data protection officer.

A) When the data is to be processed for market research.
B) When providing preventive or counselling services to the child.
C) When providing the child with materials purely for educational use.
D) When a legitimate business interest makes obtaining consent impractical.

A) Accept, because it did not receive any complaints.
B) Accept, because GDPR permits non-lead authorities to take action for such complaints.
C) Reject, because Right Target's processing was conducted throughout Europe.
D) Reject, because GDPR does not allow other supervisory authorities to take action if there is a lead authority.

A) As soon as possible after obtaining the personal data.
B) As soon as possible after the first communication with the data subject.
C) Within a reasonable period after obtaining the personal data, but no later than one month.
D) Within a reasonable period after obtaining the personal data, but no later than eight weeks.

A) When the processing is necessary to perform a task in the exercise of authority vested in the controller.
B) When the processing is carried out pursuant to a contract with the data subject.
C) When the data was supplied to the controller by the data subject.
D) When the processing is based on consent.

A) Only where the organisation can show that it is reasonable to do so because more than one request was made.
B) Only to the extent this is allowed under the restrictions on data subjects' rights introduced under Art 23 of GDPR.
C) Only where the administrative costs of taking the action requested exceeds a certain threshold.
D) Only if the organisation can demonstrate that the request is clearly excessive or misguided.

A) If the data controller has received preapproval from a Data Protection Authority (DPA), after submitting the appropriate documents.
B) When it has been determined that adequate protection can be performed.
C) Only if the Data Protection Impact Assessment (DPIA) shows low risk.
D) Only as a last resort and when interpreted restrictively.

A) An updated privacy notice sent to an individual's personal email address.
B) A charity fundraising event notice sent to an individual at her business address.
C) A service outage notification provided to an individual by recorded telephone message.
D) A revision of contract terms conveyed to an individual by SMS from a marketing organization.

A) Approved certifications.
B) Binding corporate rules.
C) Law enforcement requests.
D) Standard contractual clauses.

A) A medical organization that wants to begin genetic testing to support earlier research for which they have performed a DPIA.
B) A data controller who plans to use a new technology product that has already undergone a DPIA by the product's provider.
C) A marketing team that wants to collect mailing addresses of customers for whom they already have email addresses.
D) A railway operator who plans to evaluate the same video surveillance in all the train stations of his company.

A) Destroy sensitive information and store the rest per applicable data protection rules.
B) Store all of the data in case the departing worker makes a subject access request.
C) Securely store the data that is required to be kept under local law.
D) Provide the employee the reasons for retaining the data.

A) Consent management and withdrawal.
B) Incident detection and response.
C) Preventative security.
D) Remedial security.

A) When the data has been pseudonymized.
B) When the data is protected by technological safeguards.
C) When the data serves legitimate interest of third parties.
D) When the data subject has failed to use a provided opt-out mechanism.

A) T-Craze has a French affiliate.
B) The French affiliate procured the services of Right Target.
C) T-Craze conducts its marketing and sales activities in France.
D) The Spanish supervisory authority is providing a courtesy notification not required under the GDPR.

A) Use a layered privacy notice on its website and in its email communications.
B) Identify uses of data in a privacy notice mailed to the data subject.
C) Provide only general information about its processing activities and offer a toll-free number for more information.
D) Place a banner on its website stipulating that visitors agree to its privacy policy and terms of use by visiting the site.

A) Because use of biometric data to confirm the unique identification of data subjects benefits from an exemption.
B) Because photographs qualify as biometric data only when they undergo a "specific technical processing".
C) Because employees are deemed to have given their explicit consent when they agree to be photographed by their employer.
D) Because photographic ID is a physical security measure which is "necessary for reasons of substantial public interest".

A) The consent of the employees.
B) The legal obligation of the employer.
C) The legitimate interest of the public administration.
D) The protection of the vital interest of the employees.

A) Prudent.
B) Important.
C) Proportionate.
D) DPA-approved.