CIPP/E EXAM CERTIFIED INFORMATION PRIVACY PROFESSIONAL/EUROPE EXAM QUESTIONS AND CORRECT ANSWERS | ALREADY GRADED A+ | VERIFIED ANSWERS | JUST RELEASED
Typology: Exams
Q: In which of the following situations would an individual most likely be able to withdraw her consent for processing?
(A) When she is leaving her bank and moving to another bank.
(B) When she has recently changed jobs and no longer works for the same company.
(C) When she disagrees with a diagnosis her doctor has recorded on her records.
(D) When she no longer wishes to be sent marketing materials from an organization.
CORRECT ANSWER: (D) When she no longer wishes to be sent marketing materials from an organization.

Q: WP29's "Guidelines on Personal data breach notification under Regulation 2016/679" provides examples of ways to communicate data breaches transparently. Which of the following was listed as a method that would NOT be effective for communicating a breach to data subjects?
(A) A postal notification
(B) A direct electronic message
(C) A notice on a corporate blog
(D) A prominent advertisement in print media
CORRECT ANSWER: (C) A notice on a corporate blog

Q: Which judicial body makes decisions on actions taken by individuals wishing to enforce their rights under EU law?
(A) Court of Auditors
(B) Court of Justice of the European Union
(C) European Court of Human Rights
(D) European Data Protection Board
CORRECT ANSWER: (B) Court of Justice of the European Union

Q: If a data subject puts a complaint before a DPA and receives no information about its progress or outcome, how long does the data subject have to wait before taking action in the courts?
(A) 1 month.
(B) 3 months.
(C) 5 months.
(D) 12 months.
CORRECT ANSWER: (B) 3 months.

Q: Under the GDPR, which essential pieces of information must be provided to data subjects before collecting their personal data?

(B) The processor will be liable to pay compensation to affected data subjects
(C) The processor will be considered to be a controller in respect of the processing concerned
(D) The controller will be required to demonstrate that the unauthorized processing negatively affected one or more of the parties involved
CORRECT ANSWER: (B) The processor will be liable to pay compensation to affected data subjects

Q: In which case would a controller who has undertaken a DPIA most likely need to consult with a supervisory authority?
(A) Where the DPIA identifies that personal data needs to be transferred to other countries outside of the EEA.
(B) Where the DPIA identifies high risks to individuals' rights and freedoms that the controller can take steps to reduce.
(C) Where the DPIA identifies that the processing being proposed collects the sensitive data of EU citizens.
(D) Where the DPIA identifies risks that will require insurance for protecting its business interests.
CORRECT ANSWER: (B) Where the DPIA identifies high risks to individuals' rights and freedoms that the controller can take steps to reduce.

Q: With the issue of consent, the GDPR allows member states some choice regarding what?
(A) The mechanisms through which consent may be communicated
(B) The circumstances in which silence or inactivity may constitute consent
(C) The age at which children must be required to obtain parental consent
(D) The timeframe in which data subjects are allowed to withdraw their consent
CORRECT ANSWER: (C) The age at which children must be required to obtain parental consent

Q: When assessing the level of risk created by a data breach, which of the following would NOT have to be taken into consideration?
(A) The ease of identification of individuals.
(B) The size of any data processor involved.
(C) The special characteristics of the data controller.
(D) The nature, sensitivity and volume of personal data.
CORRECT ANSWER: (B) The size of any data processor involved.

Q: Many businesses print their employees' photographs on building passes, so that employees can be identified by security staff. This is notwithstanding the fact that facial images potentially qualify as biometric data under the GDPR. Why would such a practice be permitted?
(A)
(B) Because photos qualify as biometric data only when they undergo a "specific technical processing"

(D) Within a reasonable period after obtaining the personal data, but no later than eight weeks.
CORRECT ANSWER: (A) As soon as possible after obtaining the personal data.

Q: An organization receives a request multiple times from a data subject seeking to exercise his rights with respect to his own personal data. Under what condition can the organization charge the data subject a fee for processing the request?
(A) Only where the organization can show that it is reasonable to do so because more than one request was made.
(B) Only to the extent this is allowed under the restrictions on data subjects' rights introduced under Art 23 of GDPR.
(C) Only where the administrative costs of taking the action requested exceed a certain threshold.
(D) Only if the organization can demonstrate that the request is clearly excessive or misguided.
CORRECT ANSWER: (B) Only to the extent this is allowed under the restrictions on data subjects' rights introduced under Art 23 of GDPR.

Q: As a result of the European Court of Justice's ruling in the case of Google v. Spain, search engines outside the EEA are also likely to be subject to the Regulation's right to be forgotten. This holds true if the activities of an EU subsidiary and its U.S. parent are what?
(A) Supervised by the same Data Protection Officer.
(B) Consistent with Privacy Shield requirements.
(C) Bound by a standard contractual clause.
(D) Inextricably linked in their businesses.
CORRECT ANSWER: (D) Inextricably linked in their businesses.

Q: Which of the following would require designating a data protection officer?
(A) Processing is carried out by an organization employing 250 persons or more.
(B) Processing is carried out for the purpose of providing for-profit goods or services to individuals in the EU.
(C) The core activities of the controller or processor consist of processing operations of financial information or information relating to children.
(D) The core activities of the controller or processor consist of processing operations that require systematic monitoring of data subjects on a large scale.
CORRECT ANSWER: (D) The core activities of the controller or processor consist of processing operations that require systematic monitoring of data subjects on a large scale.

Q: What type of data lies beyond the scope of the General Data Protection Regulation?
(A) Pseudonymized
(B) Anonymized
(C) Encrypted

(A) The consent of the employees
(B) The legal obligation of the employer.
(C) The legitimate interest of the public administration.
(D) The protection of the vital interest of the employees.
CORRECT ANSWER: (B) The legal obligation of the employer.

Q: Under the GDPR, which of the following is true in regard to adequacy decisions involving cross-border transfers?
(A) The European Commission can adopt an adequacy decision for individual companies.
(B) The European Commission can adopt, repeal or amend an existing adequacy decision.
(C) EU member states are vested with the power to accept or reject a European Commission adequacy decision.
(D) To be considered as adequate, third countries must implement the EU General Data Protection Regulation into their national legislation.
CORRECT ANSWER: (A) The European Commission can adopt an adequacy decision for individual companies.

Q: A German data subject was the victim of an embarrassing prank 20 years ago. A newspaper website published an article about the prank at the time, and the article is still available on the newspaper's website. Unfortunately, the prank is the top search result when a user searches on the victim's name. The data subject requests that SearchCo delist this result. SearchCo agrees, and instructs its technology team to avoid scanning or indexing the article. What else must SearchCo do?
(A) Notify the newspaper that it is delisting the article.
(B) Fully erase the URL to the content, as opposed to delisting, which is mainly based on the data subject's name.
(C) Identify other controllers who are processing the same information and inform them of the delisting request.
(D) Prevent the article from being listed in search results no matter what search terms are entered into the search engine.
CORRECT ANSWER: (A) Notify the newspaper that it is delisting the article.

Q: Which of the following is NOT a role of works councils?
(A) Determining the monetary fines to be levied against employers for data breach violations of employee data.
(B) Determining whether to approve or reject certain decisions of the employer that affect employees.
(C) Determining whether employees' personal data can be processed or not.
(D) Determining what changes will affect employee working conditions.
CORRECT ANSWER: (C) Determining whether employees' personal data can be processed or not.

Q: ... European Union. By collecting photographs from social media and other web-based services, such as newspapers and blogs, it uses machine learning to develop a facial recognition algorithm. The algorithm identifies individuals in photographs who are not in its data set based on the algorithm and its existing data. The service collects photographs of data subjects in the European Union and will identify them if presented with their photographs. Bioface offers its service to government agencies and companies in the United States and Canada, but not to those in the European Union. Bioface does not offer the service to individuals. Why is Bioface subject to the territorial scope of the General Data Protection Regulation?
(A) It collects data from European Union websites, which constitutes an establishment in the European Union.
(
CORRECT ANSWER: (A) It collects data from European Union websites, which constitutes an establishment in the European Union.

Q: Which of the following was the first legally binding international instrument in the area of data protection?
(A) Convention 108
(B) GDPR
(C) Universal Declaration of Human Rights
(D) EU Directive on Privacy
CORRECT ANSWER: (A) Convention 108

Q: Which area of privacy is a lead supervisory authority's (LSA) MAIN concern?
(A) Data subject rights
(B) Data access disputes
(C) Cross-border processing
(D) Special categories of data
CORRECT ANSWER: (C) Cross-border processing

Q: An employee of company ABCD has just noticed that a memory stick containing records of client data, including their names, addresses and full contact details, has disappeared. The data on the stick is unencrypted and in clear text. It is uncertain what has happened to the stick at this stage, but it was likely lost during an employee's travel. What should the company do?
(A) Notify the data protection supervisory authority as soon as possible that a data breach may have taken place.
(B) Launch an investigation and, if nothing is found within one month, notify the data protection supervisory authority.
(C) Invoke the "disproportionate effort" exception under Article 33 to postpone notifying data subjects until more information can be gathered.
(D) Immediately notify all the customers of the company that their information has been accessed by

(D) Users will see fewer advertisements when using apps.
CORRECT ANSWER: (B) Users will be given granular types of consent for particular types of processing.

Q: In which situation would a data controller most likely be able to justify the processing of the data of a child without parental consent?
(A) When the data is to be processed for market research.
(B) When providing preventive or counselling services to the child.
(C) When providing the child with materials purely for educational use.
(D) When a legitimate business interest makes obtaining consent impractical.
CORRECT ANSWER: (B) When providing preventive or counselling services to the child.

Q: A mobile device application that uses cookies will be subject to the consent requirement of which of the following?
(A) The ePrivacy Directive
(B) The E-Commerce Directive
(C) The Data Retention Directive
(D) The EU Cybersecurity Directive
CORRECT ANSWER: (A) The ePrivacy Directive

Q: A Spanish electricity customer calls her local supplier with questions about the company's upcoming merger. Specifically, the customer wants to know the recipients to whom her personal data will be disclosed once the merger is final. According to Article 13 of the GDPR, what must the company do before providing the customer with the requested information?
(A) Verify that the request is applicable to the data collected before the GDPR entered into force.
(B) Verify that the purpose of the request from the customer is in line with the GDPR.
(C) Verify that the personal data has not already been sent to the customer.
(D) Verify that the identity of the customer can be proven by other means.
CORRECT ANSWER: (A) Verify that the request is applicable to the data collected before the GDPR entered into force.

Q: An entity's website stores text files on EU users' computer and mobile device browsers. Prior to doing so, the entity is required to provide users with notices containing information and consent under which of the following frameworks?
(A) General Data Protection Regulation 2016/679.
(B) E-Privacy Directive 2002/58/EC.
(C) E-Commerce Directive 2000/31/EC.
(D) Data Protection Directive 95/46/EC.
CORRECT ANSWER: (D) Data Protection Directive 95/46/EC.

Q: If a company chooses to ground an international data transfer on the contractual route, which of the following is NOT a valid set of standard contractual clauses?
(A) Decision 2001/497/EC (EU controller to non-EU or EEA controller).
(B) Decision 2004/915/EC (EU controller to non-EU or EEA controller).
(C) Decision 2007/72/EC (EU processor to non-EU or EEA controller).
(D) Decision 2010/87/EU (Non-EU or EEA processor from EU controller).
CORRECT ANSWER: (B) Decision 2004/915/EC (EU controller to non-EU or EEA controller).

Q: Under the Data Protection Law Enforcement Directive of the EU, a government can carry out covert investigations involving personal data, as long as it is set forth by law and constitutes a measure that is both necessary and what?
(A) Prudent.
(B) Important.
(C) Proportionate.
(D) DPA-approved.
CORRECT ANSWER: (C) Proportionate.

Q: Under Article 58 of the GDPR, which of the following describes a power of supervisory authorities in European Union (EU) member states?
(A) The ability to enact new laws by executive order.
(B) The right to access data for investigative purposes.
(C) The discretion to carry out goals of elected officials within the member state.
(D) The authority to select penalties when a controller is found guilty in a court of law.
CORRECT ANSWER: (B) The right to access data for investigative purposes.

Q: Which of the following would MOST likely trigger the extraterritorial effect of the GDPR, as specified by Article 3?
(A) The behavior of suspected terrorists being monitored by EU law enforcement
(B) Personal data of EU citizens being processed by a controller or processor based outside the EU
(C) Behavior of EU citizens outside the EU
(D) Personal data of EU residents processed by a non-EU business that targets EU customers
CORRECT ANSWER: (B) Personal data of EU citizens being processed by a controller or processor based outside the EU

Q: What must a data controller do in order to make personal data pseudonymous?
(A) Separately hold any information that would allow linking the data to the data subject.
(B) Encrypt the data in order to prevent any unauthorized access or modification.