GDPR
According to the European Data Protection Board, which of the following concepts or practices DO follow from the principles relating to the processing of personal data under EU data protection law?
- Access control management - Frequent pseudonymization key rotation - Error propagation avoidance along the processing channels
Pursuant to EDPB Guidelines 8/2022, what criteria must be considered when identifying a lead supervisory authority of a controller?
- Determining where the controller has its place of central administration in the EEA. - Determining the supervisory authority where the place of central administration of the controller is located. - Determining if decisions on the processing are taken in another establishment in the EEA, and if that establishment has the power to implement those decisions.
What type of personal data does the GDPR define as special category of personal data?
- Racial or ethnic origin - Political opinions - Religious or philosophical beliefs - Trade union membership - Genetic data - Biometric data, - Health - Sex life - Sexual orientation
Which of the following entities would most likely be exempt from complying with GDPR?
A North American company servicing customers in South Africa that uses a cloud storage system made by a European Company.
Based on GDPR Article 35, which of the following situations would trigger the need to complete a DPIA?
A company wants to build a dating app that creates candidate profiles based on location data from third-party sources. According to Article 35, a Data Protection Impact Assessment is required when the processing of data is likely to result in a high risk to the rights and freedoms of natural persons, especially when using new technologies.
In the absence of a decision pursuant to Article 45(3), when may a controller or processor transfer personal data to a third country or international organization?
A controller or processor may transfer personal data only if the controller or processor has provided appropriate safeguards and on the condition that enforceable data subject rights and effective legal remedies for data subjects are provided.
Which statement provides an accurate description of a directive? A. A directive specifies certain results that must be achieved, but each member state is free to decide how to turn it into a national law. B. A directive has binding legal force throughout every member state and enters into force on a set date in all the member states. C. A directive is a legal act relating to specific cases and directed towards member states, companies or private individuals. D. A directive is a legal act that applies automatically and uniformly to all EU countries as soon as it enters into force.
A directive specifies certain results that must be achieved, but each member state is free to decide how to turn it into a national law.
Which statement provides an accurate description of a directive? A. A directive specifies certain results that must be achieved, but each member state is free to decide how to turn it into a national law. B. A directive has binding legal force throughout every member state and enters into force on a set date in all the member states. C. A directive is a legal act relating to specific cases and directed towards member states, companies, or private individuals. D. A directive is a legal act that applies automatically and uniformly to all EU countries as soon as it enters into force.
A directive specifies certain results that must be achieved, but each member state is free to decide how to turn it into a national law. Regulations have binding legal force throughout every Member State and enter into force on a set date in all the Member States. Directives lay down certain results that must be achieved but each Member State is free to decide how to transpose directives into national laws.
Which change was introduced by the 2009 amendments to the e-Privacy Directive 2002/58/EC?
A mandatory notification for personal breaches applicable to electronic communication providers. *The e-Privacy Directive 2002/58/EC, also known as the Directive on privacy and electronic communications, is a specific directive that compliments and particularizes the GDPR for the electronic communications sector. It was amended in 2009 by Directive 2009/136/EC, which introduced several changes to enhance the protection of personal data and privacy in the electronic communications sector.
What permissions are required for a marketer to send an email marketing message to a consumer in the EU?
A prior opt-in consent for consumers, unless they are already customers.
Which of the following is an example of direct marketing that would be subject to European data protection laws? A. An updated privacy notice sent to an individual's personal email address. B. A charity fundraising event notice sent to an individual at her business address. C. A service outage notification provided to an individual by recorded telephone message. D. A revision of contract terms conveyed to an individual by SMS from a marketing organization.
A revision of contract terms conveyed to an individual by SMS from a marketing organization. Under GDPR, conveying a revision of contract terms to an individual via SMS by a marketing organization can be considered a form of direct marketing. The GDPR defines direct marketing communication of advertising or marketing material which is directed to specific individuals. Though "B" could be considered direct marketing if consent for such communication was never provided.
Relating to Privacy Law, which term can best be defined as being able to prove that an organization is acting and demonstrating compliance with applicable laws? A. Accountability B. Privacy Governance C. Privacy Framework D. Data Map
Accountability. Accountability is a major concept in new data protection laws.
Which marketing-related activity is LEAST likely to be covered by the provisions of Privacy and Electronic Communications Regulations (Directive 2002/58/EC)? *ePrivacy Directive
Advertisements passively displayed on a website.
Which of the following are recognized routes for data transfer outside the EEA? A. BCRs B. Alternative contractual mechanisms C. Standard contractual clauses D. All the above
All of the above. The transfer of personal data outside the EEA is only allowed under certain conditions. The most common routes are BCRs, standard contractual clauses, and alternative contractual mechanisms.
BHealthy, a company based in Italy is ready to launch a new line of natural products with a focus on sunscreen. The last step prior to product launch is for BH to conduct research to decide how extensively to market its new line of sunscreens across Europe. To do so, BH teamed up with Natural Insight, a company specializing in determining pricing for natural products. NI intends to use this info to train its algorithm to help determine the price point at which BH can sell its new sunscreens. Prior to sharing its customer list, BH conducted a review of NI's security practices and concluded that the company has sufficient security measures to protect the contact info. Additionally, BH's data processing contractual terms with NI require continued implementation of technical and organizational measures.
Also included in the contract are restrictions on use of the data provided by BH for any purpose beyond the provision of services, which include use of the data for continued improvement of NU's machine learning algorithms. In which case would NI's use of BH's data for improvement of its algorithms be considered data processor activity? If Natural Insight received express contractual instructions from BHealthy to use its data for improving its algorithms. *Idenitify the contractual activity directed by the controller.
An example of direct marketing?
An email was sent to an individual promoting a new book on sale.
What must be included in a written agreement between the controller and processor in relation to processing conducted on the controller's behalf?
An obligation on the processor to assist the controller in complying with the controller's obligations to notify the supervisory authority about personal data breaches. *Article 28(3)(f) provides that the written agreement between the controller and processor must include an obligation on the processor to assist the controller in ensuring compliance with the controller's obligations pursuant to Articles 32 to 36 of GDPR.
What type of data lies beyond the scope of the General Data Protection Regulation?
Anonymized
Data subjects have the right to freeze their data if they requested erasure. This falls under? A. Article 15: Right of access B. Article 16: Right to rectification C. Article 17 Right to erasure D. Article 18: Right to restriction of processing
Article 18: Right to restriction of processing Right to restriction of processing. This right concerns temporary freezing of data. Data subjects have the right to restrict the processing of their personal data when verifying overriding grounds is pending in the context of an erasure request.
According to Article 21 of the GDPR, when can the data subject object to direct marketing?
Article 21 of the GDPR states that the data subject shall have the right to object at any time to processing of personal data where direct marketing is concerned, and that where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes. Even if opt-in consent is not required before sending marketing emails, the GDPR requires that the recipient always be provided with an opportunity to opt-out of receiving such emails.
The principles for data processing are stated in... A. Article 5 of the GDPR B. Article 6 of the GDPR C. Article 5 of Convention 108 D. Article 6 of Convention 108+
Article 5 of the GDPR The fundamental principles from Convention 108 and the former directive are reflected in Articles 5 and 6 of the GDPR. It sets out the principles for processing (Article 5) and the legal grounds for processing (Article 6).
If a multi-national company wanted to conduct background checks on all current and potential employees, including those based in Europe, what key provision would the company have to follow?
Background checks on European employees will stem from data protection and employment law, which can vary between member states. *GDPR does not explicitly regulate background checks, but it does apply to the processing of personal data that may be obtained or used during such checks. Therefore, the company must comply with the GDPR principles, such as lawfulness, fairness, transparency, data minimization, purpose limitation, accuracy, storage limitation, integrity and confidentiality, and accountability.
Many businesses print their employees' photographs on building passes so that employees can be identified by security staff. This is notwithstanding the fact that facial images potentially qualify as biometric data under the GDPR. Why would such practice be permitted?
Because photographs qualify as biometric data only when they undergo a "special technical processing". According to Recital 51 of the GDPR, photographs are not automatically considered biometric data unless they are processed by a specific technical means that allows the unique identification of a natural person. This means that printing employees' photographs on building passes does not necessarily involve biometric data, as long as the photographs are not used for facial recognition or other similar purposes.
What is true of both the General Data Protection Regulation (GDPR) and the Council of Europe Convention 108? A. Both govern international transfers of personal data. B. Both govern the manual processing of personal data. C. Both only apply to European Union countries. D. Both require notification of processing activities to a supervisory authority.
Both require notification of processing activities to a supervisory authority.
Under Article 80(1) of the GDPR, individuals can elect to be represented by not-for-profit organizations in a privacy group litigation or class action. These organizations are commonly known as?
Civil society organizations.
What term BEST describes the European model for data protection?
Comprehensive *The European model for data is best described as comprehensive because it covers all sectors and types of data processing and applies to any organization that targets or collects data related to people in the EU.
A multinational company is appointing a mandatory data protection officer. In addition to considering the rules set out in Article 37(1) of the GDPR, which of the following actions must the company also undertake to ensure compliance in all EU jurisdictions in which it operates? A. Consult national derogations to evaluate if there are additional cases to be considered in relation to the matter. B. Conduct a Data Protection Privacy Assessment on the processing operations of the company in all the countries it operates. C. Assess whether the company has more than 250 employees in each of the EU member-states in which it is established. D. Revise the data processing activities of the company that affect more than one jurisdiction to evaluate whether they comply with the principles of privacy by design and by default
Consult national derogations to evaluate if there are additional cases to be considered in relation to the matter. A multinational company that is appointing a mandatory data protection officer (DPO) must also consult national derogations to evaluate if there are additional cases to be considered in relation to the matter. The other options are not correct because they are not directly related to the appointment of a DPO.
The Planet 49 CJEU Judgment applies to?
Cookies regardless of whether the data accessed is personal or not.
According to the European Data Protection Board, which of the following concepts or practices does NOT follow from the principles relating to the processing of personal data under EU data protection law? A. Data ownership Allocation B. Access Control Management C. Frequent pseudonymization key rotation D. Error propagation avoidance along the processing chain.
Data Ownership Allocation
According to the European Data Protection Board, which of the following concepts or practices does NOT follow from the principles relating to the processing of personal data under EU data protection law?
Data ownership allocation.
According to the European Data Protection Board, which of the following concepts or practices does NOT follow from the principles relating to the processing of personal data under EU data protection law? A. Data ownership allocation. B. Access control management C. Frequent pseudonymization key rotation D. Error propagation avoidance along the processing chain.
Data ownership allocation. *Under the GDPR, organizations are required to understand the importance of data ownership. This means recognizing that individuals have the right to know what personal data is being collected, how it is being used, and who it is being shared with. HOWEVER, in the broadest sense, the term "personal data" encompasses any information relating to an identified or identifiable individual (data subject). In other words, personal data is linked, by reason of its content, purpose, or effect, to a particular individual and the mere fact that a piece of data pertains to a specific individual does not imply that the individual also "owns" her personal data in a legal sense.
In which component of privacy governance does an organization identify what personal information is processed and determine privacy obligations? A. Selecting a Privacy Framework B. Developing a Privacy Strategy C. Defining Privacy Program Scope D. Structuring the Privacy Team
Defining Privacy Program Scope. While defining the scope of the privacy program an organization should identify what personal information is to be processed and then identify privacy obligations related to the data collected.
(What is the BEST answer?) A controller... A. Follows the instructions of the processor B. Processes the data and ensures the regulations are followed C. Determines the status of parties that process personal data D. Determines for what purposes personal data is processed
Determines for what purposes personal data is processed. A controller is the natural or legal person, the government agency, the office of another authority that alone or together with others determines the purpose and the means for the processing of the data.
Which of the following regulates the use of electronic communications services within the European Union?
Directive 2002/58'EC of the European Parliament and of the Council of 12 July 2002. *Directive 2002/58'Ec (also known as the ePrivacy Directive), regulates the use of electronic communications services within the European Union. It covers issues such as confidentiality of communications, processing of traffic and location data, spam, cookies, and security breaches.
Define Directive?
Directives lay down certain results that must be achieved but each Member State is free to decide how to transpose directives into national laws.
The first rules to balance personal freedom with restrictions of rights are found in? A. The Charter of Fundamental Rights and the Treaty of Lisbon B. The European data protection package C. The Universal Declaration of Human Rights of the United Nations and the European Convention on Human Rights (ECHR) D. The OECD guidelines
ECHR - The Universal Declaration of Human Rights of the United Nations and the European Convention on Human Rights A first point of departure was the Universal Declaration of Human Rights of the United Nations in 1948. A second point of reference is the European Convention on Human Rights (ECHR) from 1953. Both treaties recognize the balance between freedoms and rights of persons and the justified restriction of these rights.
If a French controller has a car-sharing app available only in Morocco, Algeria and Tunisia, but the data processing activities are carried out by the appointed processor in Spain, the GDPR will apply to the processing of personal data so long as? A. The individuals are European citizens or residents. B. The data processing activities are in Spain. C. The data controller is in France. D. The EU individuals are targeted.
EU individuals are targeted.
If a French controller has a car-sharing app available only in Morocco, Algeria, and Tunisia, but the data processing activities are carried out by the appointed processor in Spain, the GDPR will apply to the processing of the personal data as long as? A. EU individuals are targeted. B. The individuals are European citizens or residents. C. The data controller is in France. D. The data processing activities are in Spain.
EU individuals are targeted.
What are the applicable fines for higherr-level infringements of GDPR?
Higher tier fines can be up to 20 million euros or 4% of the total worldwide turnover of the preceding financial year. whichever is higher.
Pursuant to EDPB Guidelines 8/2022, all of the following criteria must be considered when identifying a lead supervisory authority of a controller, EXCEPT?
Except, determining the SA according to what has been identified by the controller as the authority to which data subjects can lodge complaints.
Which of the following is NOT the scope of the GDPR? A. Organizations not based in Europe B. Not-for-profit organizations C. Households D. Healthcare institutions
Households The material scope is laid down in Article 2. The scope is negatively defined by exceptions to households, the LEDP, and foreign and security policy of the EU and the EU institutions.
In the Planet 49 case, what was the main judgment of the Court of Justice of the European Union (CJEU) regarding the issue of cookies?
If the e-Privacy Directive requires consent for cookies, then teh GDPR consent requirements apply. *CJEU ruled that the consent required by ePrivacy Directive for the use of cookies must comply with the conditions set forth in the GDPR, which means that it must be specific, informed, unambiguous, and freely given. CJEU also clarified that the ePrivacy Directive applies to any information stored or accessed on a user's devise, regardless of whether it is personal data or not. Further, the CJEU stated that the information provided to users about cookies must include the duration of the operation of cookies and the possibility of third parties accessing them.
When a company processes an employee data to pay their salary, they will do the process on the basis of... A. Consent B. Employee's legitimate interest C. Fulfilling the employee's contract D. Legal obligation of the employee
Fulfilling the employee's contract Processing is necessary to fulfill the employment contract; for example, to pay the employee, the employer must process the employee's name and bank deposit.
According to Article 4(14), biometrics is defined as "Personal data resulting from specific technical processing relating to the __________ characteristics of a natural person". Which term could NOT be placed in the above definition?
Intellectual. Article 4(14)" 'biometric data' means personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
One Case, One Phone (OCOP) is a company that sells customizable cases for cellphones. They are based in Germany and have two physical shops, one in Berlin and one in Stuttgart. However, most of their profits come from their online shop. The website uses cookies for better performance and they collect data from customers worldwide. They have grown and can't keep up with the orders in their small workshop in Germany. Because of this, OCOP has contacted a Japanese factory that would be able to build the cases and then send them to the customers. To do that, they need to know the customer's name as well as their phone model. They wouldn't require any other data, such as credit card numbers, nationalities, or age. This data would only be stored in the German database. OCOP has investigated the Japanese factory and has found they have never had a data breach, although they don't follow all the principles of the GDP
Is OCOP allowed to transfer the customer's name and the phone model to a factory in another country? What is the BEST answer? Is OCOP allowed to transfer the data to the Japanese factory? Regarding the cookies, is it allowed (privacy compliant) to use them? The Japanese factory tells OCOP they want to have the customer's age as well. They argue this will allow for a more targeted design, as well as less confusion with orders. Can OCOP send them this information? What is the BEST answer? OCOP wants to review online privacy rights to make sure they are following them appropriately. What should they consult?
Which of the following is not one of the four principles developed by the European AU Alliance regarding the ethical use of Artificial Intelligence?
It should be lawful.
What are the applicable fines for lower-level infringements of GDPR?
Lower tier fines can be up to 10 million euros or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Discover which employees are accessing cloud services from which devices and apps. Lock down the data in those apps and devices. Monitor and analyze the apps and devices for compliance. Manage application life cycles data sharing. An organization should perform these steps to do which of the following?
Maintain a secure Bring Your Own Device (BYOD) Program.
If a company is planning to use closed-circuit television (CCTV) on its premises and is concerned with GDPR compliance, it should first do all of the following?
Perform a data protection impact assessment. Create an information retention policy for those who operate the system. Ensure that safeguards are in place to prevent unauthorized access to the footage.
Zandelay Fashion ('Zandelay') is a successful international online clothing retailer that employs approximately 650 people at its headquarters based in Dublin, Ireland. Martin is their recently appointed data protection officer, who oversees the company's compliance with the General Data Protection Regulation (GDPR) and other privacy legislation. The company offers both male and female clothing lines across all age demographics, including children. In doing so, the company processes large amounts of information about such customers, including preferences and sensitive financial information such as credit card and bank account numbers. In an aggressive bid to build revenue growth, Jerry, the CEO, tells Martin that the company is launching a new mobile app and loyalty scheme that puts significant emphasis on profiling the company's customers by analyzing their purchases.
Martin tells the CEO that: (a) the potential risks of such activities means that Zandelay needs to carry out a data protection impact assessment to assess this new venture and its privacy implications; and (b) where the results of this assessment indicate a high risk in the absence of appropriate protection measures, Zandelay may have to undertake a prior consultation with the Irish Data Protection Commissioner before implementing the app and loyalty scheme. Jerry tells Martin that he is not happy about the prospect of having to directly engage with a supervisory authority and having to disclose details of Zandelay's business plan and associated processing activitiesWhat would MOST effectively assist Zandelay in conducting their data protection impact assessment? Existing DPIA guides published by local supervisory authorities.
The European Data Protection Board (EDPB) recommends measures to supplement transfer tools in order to ensure compliance with the European Union level of personal data protection. According to these recommendations, what additional actions should be taken when a transfer to a third country is based on an adequacy decision?
Monitor changes in the law or practice of the third country that would lower the level of protection of personal data.
The European Data Protection Board (EDPB) recommends measures to supplement transfer tools in order to ensure compliance with European Union level of personal data protection. According to these recommendations, what additional actions should be taken when a transfer to a third country is based upon an adequacy decision?
Monitor changes in the law or practice of the third country that would lower the level of protection of personal data. *This means that the data importer should stay informed of any developments in the third country or organization that could affect the validity of the adequacy decision, and take appropriate measures if the level of protection is no longer adequate.
In addition to the European Commission, who can adopt standard contractual clauses, assuming that all required conditions are met? A. Approved data controllers. B. The Council of the European Union. C. National data protection authorities. D. The European Data Protection Supervisor.
National Data Protection Authorities.
In addition to the European Commission, who can adopt Standard Contractual Clauses, assuming that all required conditions are met? a. Approved data controllers. B. The Council of the European Union. C. National data protection authorities. D. The European Data Protection Supervisor.
National data protection authorities. *DPAs are independent public authorities that supervise, through investigative and corrective powers, the application of the data protection law. They provide expert advice on data protection issues and handle complaints lodged against violations of the General Data Protection Regulation and the relevant national laws.
The Japanese factory tells OCOP they want to have the customer's age as well. They argue this will allow for a more targeted design, as well as less confusion with orders. Can OCOP send them this information? What is the BEST answer? A. Yes, since it follows or principles on the GDPR B. Yes, they can transfer any data as long as it's safe C. No, because it doesn't follow the principle of necessity D. No, because it doesn't follow the principle of adequacy
No, because it doesn't follow the principle of necessity The GDPR contains various core concepts. "Necessity" is one of the core concepts. For the data processing to be lawful, the processing must be necessary. Producing and sending the case wouldn't require customer age. To avoid confusion, order numbers could also be used instead of age
Are EU agencies covered by the GDPR? A. Yes, always B. Only in the case of sensitive data C. Only if it involves more than one Member State D. No, never
No, never. The EU institutions, bodies and agencies are not covered by the GDPR (which falls under Regulation 45/2001/C).
An employee of company ABCD has just noticed a memory stick containing records of client data, including their names, addresses, and full contact details, has disappeared. The data on the stick is encrypted and in clear text. It is uncertain what has happened to the stick at this stage, but it likely was lost during the travel of an employee. What should the company do?
Notify as soon as possible the data protection supervisory authority that a data breach may have taken place.
If a company is planning to use closed-circuit television (CCTV) on its premises and is concerned with GDPR compliance, it should first do all of the following, EXCEPT?
Notify the appropriate data protection authority.
Identifying the handwriting of an individual can be considered as... A. Communications data B. Video surveillance C. Biometric data D. Personal data
Personal data. This is not so much about physical properties (biometric data), but the handwriting can uniquely identify a person.Personal data
A German data subject was the victim of an embarrassing prank 20 years ago. A newspaper website published an article about the prank at the time, and the article is still available on the newspaper's website. Unfortunately, the prank is the top search result when a user searches on the victim's name. The data subject requests that SearchCo delist this result. SearchCo agrees, and instructs its technology team to avoid scanning or indexing the article. What else must SearchCo do? A. Notify the newspaper that it is delisting the article. B. Fully erase the URL to the content, as opposed to delist which is mainly based on data subject's name. C. Identify other controllers who are processing the same information and inform them of the delisting request. D. Prevent the article from being listed in search results no matter what search terms are entered into the search engine.
Notify the newspaper that it is delisting the article.
A German data subject was the victim of an embarrassing prank 20 years ago. A newspaper website published an article about the prank at the time, and the article is still available on the newspaper's website. Unfortunately, the prank is the top search result when a user searches on the victim's name. The data subject requests that SearchCo delist this result. SearchCo agrees, and instructs its technology team to avoid scanning or indexing the article. What else must SearchCo do? A. Notify the newspaper that it is delisting the article. B. Fully erase the URL to the content, as opposed to delist which is mainly based on data subject's name. C. Identify other controllers who are processing the same information and inform them of the delisting request. D. Prevent the article from being listed in search results no matter what search terms are entered into the search engine.
Notify the newspaper that it is delisting the article. *European Data Protection Law provides that the operator of the search engine as a the person responsible for the processing, must, at the latest on the occasion of the erasure from its list of results, disclose to the operator of the web page containing the information the fact that the web page will no longer appear in the search engine's results following a search made on the basis of the data subject's name.
An unforeseen power outage results in company Z's lack of access to customer data for six hours. According to article 32 of the GDPR, this is considered a breach. Based on the WP 29's February, 2018 guidance, company Z should do which of the following? A. Notify affected individuals that their data was unavailable for a period of time. B. Document the loss of availability to demonstrate accountability C. Notify the supervisory authority about the loss of availability D. Conduct a thorough audit of all security systems
Notify the supervisory authority about the loss of availability. Article 4(12) GDPR defines personal data breach as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorizes disclosure of, or access to , personal data transmitted, stored, or otherwise processed." WP 29: The question may be asked whether a temporary loss of availability of personal data should be considered as a breach and, if so, one which needs to be notified. Article 32 of the GDPR, "security of processing," explains that when implementing technical and organisational measures to ensure a level of security appropriate to the risk, consideration should be given, amongst other things, to "the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services," and "the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident". Therefore, a security incident resulting in personal data being made unavailable for a period of time is also a type of breach, as the lack of access to the data can have a significant impact on the rights and freedoms of natural persons. To be clear, where personal data is unavailable due to planned system maintenance being carried out this is not a 'breach of security' as defined in Article 4(12). A breach is a type of security incident. WP29 3/2014 guidance categorizes three types of breaches. (1) Confidentiality Breach; (2) Integrity Breach; and (3) Availability Breach. Confidentiality breach - where there is an unauthorised or accidental disclosure of, or access to, personal data. Integrity breach - where there is an unauthorised or accidental alteration of personal data. Availability breach - where there is an accidental or unauth
An organization receives a request multiple times from a data subject seeking to exercise their rights with respect to their own personal data. Under what condition can the organization charge the data subject for processing the request?
Only if the organization can demonstrate that the request is clearly excessive or misguided.
Do companies have to report data processing to the DPA? A. Yes, all of them B. Only if they deal with sensitive data C. No, but they must keep records of data processing D. No, but they must keep records of sensitive data
Only if they deal with sensitive data. Sensitive data sharing is considered the revealing of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation.
Relating to Privacy Law, which term can best be defined as to guide a privacy function toward compliance with legal obligations and the organization's business objectives and goals? A. Accountability B. Privacy Governance C. Privacy Framework D. Data Map
Privacy Governance. Privacy governance is required for building a strong privacy program.
What should a controller do after a data subject opts out of a direct marketing activity?
Refrain from processing personal data relating to the data subject for the relevant type of communication.
Define Regulation?
Regulations have binding legal force throughout every Member State and enter into force on a set date in all the Member States.
As a DPO for a small bank in the EU, you receive a data subject access request from one of your customers. The customer provides you with his name and has used the email address registered in your system. What would be the most appropriate way to confirm the identity of the customer?
Request that the customer answer additional security questions.
The controller's relationships with processors and sub-processors is part of... A. Liabilities B. Representative actions C. Self-regulation D. Code of Conduct
Self-regulation Accountability, as described in Chapter 11. A few components in the context of self-regulation include: the focus on demonstrable proof of compliance, controllers' relationships with processors and sub-processors, notification of personal data breaches to the DPAs and subjects, and the execution of DPIAs.
A surveying agency has the name of a person and their political opinions. What kind of data is the latter? A. Anonymous information B. Non-personal data C. Personal data D. Sensitive data
Sensitive data The regulation stipulates that some types of personal data require additional protection. The processing of these sensitive data can lead to a significant risk for individual fundamental rights and fundamental freedoms. This includes revealing racial or ethnic origin, political opinions, and religious or philosophical belief.
All the following are responsibilities of a privacy program manager EXCEPT: A. Identifying privacy obligations B. Conducting program audits C. Creating new procedures D. Submit an annual report to the GDPR
Submit an annual report to the GDPR. The GDPR does not required an annual report.
What aspect of the GDPR will likely have the most impact on the consistent implementation of data protection laws throughout the European Union?
That it takes the form of a Regulation as opposed to a Directive.
What is an important difference between the European Court of Human Rights (ECHR) and the Court of Justice of the European Union (CJEU) in relation to their roles and functions?
The CJEU can force national governments to implement and honor EU law, while the ECHR cannot.
What is an important difference between the European Court of Human Rights (ECHR) and the Court of Justice of the European Union (CJEU) in relation to their roles and functions? A. ECHR can rule on issues concerning privacy as a fundamental right, while the CJEU cannot. B. CJEU can force national governments to implement and honor EU law, while the ECHR cannot. C. CJEU can hear appeals on human rights decisions made by national courts, while the ECHR cannot. D. ECHR can enforce human rights laws against governments that fail to implement them, while the CJEU cannot.
The CJEU can force national governments to implement and honor EU law, while the ECHR cannot.
Which EU institution is vested with the competence to propose new data protection legislation on its own initiative? A. The European Council B. The European Parliament C. The European Commission D. The Council of the European Union
The Council of the European Union *The CoEU creates and implements proposals, which can then be made into law. An example is the proposal of the GDPR.
Data retention in the EU was underpinned by a legal framework established by the Data Retention Directive (2006/24/EC). Why is the Directive no longer part of EU law?
The Data Retention Directive was annulled by the Court of Justice of the European Union. *On 8 April 2014, the Court of Justice of the European Union declared the Directive invalid in response to a case brought by Digital Rights Ireland against the Irish authorities and others because blanket data collection violated the EU Charter of Fundamental Rights, in particular the right of privacy enshrined in Article 8(1).
Under the GDPR, which of the following is true in regard to adequacy decisions involving cross-border transfers?
The European Commission can adopt, repeal or amend an existing adequacy decision.
Under GDPR, which of the following is true in regard to adequacy decisions for individual companies?
The European Commission can adopt, repeal, or amend an existing adequacy decision.
Which institution has the power to adopt findings that confirm the adequacy of the data protection level in a non-EU country? A. European Parliament B. European Commission C. Article 29 Working Party D. European Council
The European Commission. The European Commission has the power to determine, on the basis of article 45 of Regulation (EU) 2016/679 whether a country outside the EU offers an adequate level of data protection
According to Article 84 of the GDPR, the rules on penalties applicable to infringement shall be laid down by?
The Member States. According to Article 54, the rules on other penalties applicable to infringements of the GDPR, which are not subject to administrative fines pursuant to Article 83, shall be laid down by the Member States.
Regarding privacy governance, which of the following describes where an organization stands on privacy? A. The Scope of the Privacy Program B. The Privacy Vision Statement C. The Privacy Framework D. The Privacy Strategy
The Privacy Vision Statement. The privacy vision or mission statement describes where the organization stands regarding privacy in just a few sentences.
Which of the following describes a mandatory requirement for a group of undertakings that want to appoint a single data protection officer?
The data protection officer must be easily accessible from each establishment where the undertakings are located. Per Article 37(2) a group of undertakings may appoint a single data protection officer (DPO) provided that the DPO is easily accessible from each establishment.
A mobile device application that uses cookies will be subject to the consent requirement of which of the following?
The ePrivacy Directive *The ePrivacy Directive, also known as the Cookie Law, is the WU legislation that regulates the use of cookies and other tracking technologies on websites and mobile applications.
OCOP wants to review online privacy rights to make sure they are following them appropriately. What should they consult? A. Convention 108 B. Data Protection Directive C. Data Retention Directive D. The ePrivacy Directive
The ePrivacy Directive They should include the ePrivacy Directive regarding cookies and the GDPR. Convention 108 and the Data Protection Directive are outdated. The Data Retention Directive is ruled invalid.
What Directive does 2002/58/EC compliment?
The ePrivacy Directive compliments and particularizes Directive 95/46/EC (the Data Protection Directive) which sets out the general principles for the protection of personal data in the EU. By supplementing Directive 95/46/EC [predecessor of the GDPR], [ePrivacy Directive] is aimed at protecting the fundamental rights of natural persons and particularly their right to privacy, as well as the legitimate interests of legal persons.
Sanctions for non-compliance with the EU Artificial Intelligence Act (AI Act) could result in a maximum fine of?
The higher of up to 30 million euros or up to 6% of the entity's total worldwide turnover for the preceding financial year?
Under GDPR, which essential pieces of information must be provided to data subjects before collecting their personal data?
The identity and contact details of the controller and the reasons the data is being collected.
Which of the following does NOT have to be included in the records most processors must maintain in relation to their data processing activities?
Under the GDPR, processors of data must maintain several records about their data processing activities. However, they are not required to include in these records the details of any data protection impact assessments. These are generally kept by the data controller, not the processor.
Pursuant to Article 17 and EDPB Guidelines 2019 on RTBF criteria in search engine cases, all of the following would be valid grounds for data subjects delisting requests, EXCEPT? A. The data subject withdraws consent and there is no other legal basis for the processing. B. The personal data is no longer necessary in relation to the search engine provider's processing C. The personal dale has been collected in relation to the offer of Information Society Services (ISS) to a child. D. The processing s necessary for exercising the right of freedom of expression and information
The processing is necessary for exercising the right of freedom of expression and information Article 17(3) provides that the right to erasure does not apply to the extent that processing is necessary for exercising the right of freedom of expression and information
Pursuant to Article 17 and EDPB Guidelines on RTBF criteria in search engine cases, all of the following would be valid grounds for data subject delisting requests, EXCEPT?
The processing is necessary for exercising the right of freedom of expression and information. Article 17(3) provides that the right to erasure does not apply to the extent that processing is necessary for exercising the right to freedom of expression and information.
As of today, which of the following rights has an unclear scope? A. The right of access B. The right to not be subjected to profiling C. The right to data portability D. The right of transparent communication and information
The right to not be subjected to profiling Article 22: Right to not be subjected to automated decision making (to profiling). The scope and application of this right is not yet entirely clear. In the coming years it will become clear what exactly this right entails.
A key component of the OECD guidelines is the "individual participation principle". What parts of the GDPR provide the closest equivalent to that principle?
The rights granted to data subjects under Articles 12 to 22.
If two controllers act as joint controllers pursuant to Article 26 of the GDPR, which of the following may not be validly determined by said controllers?
The rules to provide information to data subjects in Articles 13 and 14.
A grade school is planning to use facial recognition to track student attendance. Which of the following may provide a lawful basis for this processing? A. The school places a notice near each camera. B. Processing is necessary for the legitimate interests pursued by the school. C. A state law requires facial recognition to verify attendance. D. The school gets explicit consent from the students.
The school gets explicit consent from the students. Use of facial recognition involves biometric data, which is a special category of personal data under GDPR. and such data can only be processed under certain conditions, one of which is explicit consent of the data subject.
Which of the following is NOT recognized as a common characteristic of cloud computing services?
The supplier assumes the vendor's business risk associated with data processing by the supplier.
As a result of the European Court of Justice's ruling in the case of Google v. Spain, search engines outside the EEA are also likely to be subject to the Regulation's right to be forgotten. This holds true if the activities of an EU subsidiary and its US parent are what?
They are inextricably linked in their businesses. Notice ruling regarding "right to be forgotten".
What ruling did the Planet 49 CJEU judgment make regarding the issue of pre-ticked boxes?
They constitute valid consent of the processing is necessary for the purposes of legitimate interest.
Which of the following is one of the supervisory authorities investigative powers? A. To determine whether a controller or processor has the right to judicial remedy concerning a compensation decision made against them. B. To notify the controller or processor of an alleged infringement of the GDPR. C. To require data controllers to provide them with written notification of all new processing activities. D. To require the controllers or processors to adopt approved data protection certification mechanisms.
To notify the controller or processor of an alleged infringement of the GDPR. Tip: *Look at the type of power asked about. In this question its asking about "investigative" powers. Article 58 of GDPR: The supervisory authorities are endowed with three types of powers under the GDPR: investigative, advisory, and corrective powers.
What obligation does a controller or processor have after appointing a data protection officer?
To provide resources necessary to carry out the defined tasks of the data protection officer and maintain his or her expert knowledge *Per GDPR, the controller and processor must support the DPO in performing the tasks referred to in Article 39 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.
In accordance with the ePrivacy Directive, which regulates electronic marketing in the EU, consent is generally required before sending marketing emails or texts. However, there is an exception known as "soft opt-in" which allows?
Under the ePrivacy Directive, soft-opt is an exception that allows marketing emails or texts to be sent on an opt-out basis (in contrast to the opt-in requirement) if the recipient's details were collected "in the context of the sale of a product or service" and the marketing is for "similar products or services" provided by the same organization.
The ePrivacy Regulation was changed in 2009. What was the biggest change? A. The inclusion of all electronic devices B. Ensuring consistency with the GDPR C. Users have to consent to cookies D. Simplification of the rules..
Users have to consent to cookies. The ePrivacy directive was amended in 2009. The most important change has to do with cookies. Article 5 paragraph 3 stipulates that the storage of information in the terminal equipment of a subscriber or user is only permitted on the condition that the user concerned has given his consent.
A Spanish electricity customer calls her local supplier with questions about the company's upcoming merger, specifically wanting to know the recipients to whom her personal data will be disclosed once the merger is final. According to Article 13 of the GDPR, what must the company do before providing the customer with the requested information?
Verify that the identity of the customer can be proven by other means. * Per Article 13, the controller (in this case the electricity supplier) has the obligation to provide the data subject (the customer) with information about the processing of their personal data, including recipients or categories of recipients of the personal data, if any. However, BEFORE providing this information, the controller must verify the identity of the data subject to ensure the information is not disclosed to unauthorized persons.
Higher fines are assessed for GDPR violations due to which of the following?
Violations of a data subject's rights.
Higher fines are assessed for GDPR violations due to which of the following? A. Violations of a data subject's rights. B. Failure to notify the supervisory authority and data subjects of a personal data breach. C. Violations of a data controller's obligations to obtain a child's consent. D. Failure to appoint a data protection officer.
Violations of a data subject's rights.
Higher fines are assessed for GDPR violations due for which of the following?
Violations of a data subject's rights. *The GDPR establishes a two-tier system of administrative fines for infringements of its provisions, depending on the nature, gravity, and duration of the infringement, as well as other factors such as intentional or negligent character of the infringement, the actions taken to mitigate the damage, the degree of co-operation with the supervisory authority, and any previous infringements.
Under what circumstances might the soft opt-in rule apply in relation to direct marketing?
When an individual's details are obtained from their inquiries about buying a product.
In which scenario is a controller most likely required to undertake a Data Protection Impact Assessment?
When personal data is being collected and combined with other personal data to profile the creditworthiness of individuals.
Article 13 and 14 of the GDPR provide details on the obligation of data controllers to inform data subjects when collecting personal data. Both Articles specify an exemption for situations in which the data subject already has the information. Which other situation would also exempt the data controller from this obligation under Article 14?
When providing the information would involve a disproportionate effort.
When does GDPR provide more latitude for a company to process data beyond its original collection purpose?
When the data has been pseudonymized. *GDPR provides more latitude for data beyond its original collection when it has been pseudonymized because pseudonymization is one of the measures that can help a company implement the principles of data protection by design and by default. Moreover, the GDPR states that the further processing of pseudonymized data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is NOT considered to be incompatible with the initial purpose, provided that appropriate safeguards are in place to protect the rights and freedoms of the data subjects.
According to GDPR, when does an organization need to take action to legitimize cross-border data transfers of personal data?
When the data is transferred from a jurisdiction in the European Union to a third country that is not deemed adequate.
Under which of the following conditions does the GDDPR NOT apply to the processing of personal data? A. When the personal data is processed only in non-electronic form. B. When the personal data is collected and then pseudonymized by the controller. C. When the personal data is held by the controller but not processed for further purposes. D. When the personal data is processed by an individual only for their household activites.
When the personal data is processed by an individual only for their household activities.
Assuming the without undue delay provision is followed, what is the time limit for complying with a data subject access request?
Within one month of reciept, which may be extended by an additional two months. *Article 12 (3) provides that the controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.
Since blockchain transactions are classified as pseudonymous, are they considered to be within the material scope of the GDPR or outside of it? A. Outside the material scope of the GDPR, because transactions do not include personal data about data subjects in the European Union. B. Outside the material scope of the GDPR, because transactions are for personal or household purposes. C. Within the material scope of the GDPR to the extent that transactions include data subjects in the European Union. D. Within the material scope of the GDPR but outside of the territorial scope, because blockchains are decentralized.
Within the material scope of the GDPR to the extent that the transactions include data subjects in the European Union.
Since blockchain transactions are classified as pseudonymous, are they considered to be within the material scope of the GDPR, or outside of it?
Within the scope of the GDPR to the extend that transactions include data subjects in the European Union.
Can there be personal data in the Internet of Things? A. Yes, and it will all be public. B. Yes, and some will not be public C. No, because since it's public it's not personal data anymore. D. No, it's about things not persons and personal data
Yes, and some will not be public Many devices connected to the internet of things (IoT) have sensors with which they can collect information about their environment. This may be personal data. The requirement for personal data sent via these IoT networks is a challenge.
Is location data a form of personal data? A. No, because a person can't be identified using it B. No, because it's not private information C. Yes, because a person can be identified using it D. Yes, because it's private information
Yes, because a person can be identified using it. Location-based services (LBS) utilize information about location to deliver a wide array of applications and services (entertainment, navigation, payment). Location data are included in the definition of personal data. They can lead to the identification of a person.
Is OCOP allowed to transfer the data to the Japanese factory? A. Yes, because they offer an adequate level of protection B. No, because they don't offer an adequate level of protection C. Yes, because it follows the principle of necessity D. No, because it doesn't follow the principle of necessity.
Yes, because they offer an adequate level of protection. Adequacy is another concept. For example, the directive prohibits international data transfers to jurisdictions that do not offer an adequate level of protection. Japan ensures an 'adequate level of protection' as determined by the Commission (Article 45).
Regarding the cookies, is it allowed (privacy compliant) to use them? A. Yes, they can use them as long as they are necessary for efficiency B. Yes, but only if they give detailed information about them to the customers C. Yes, but only if they give detailed information about them to the customers, as well as their consent D. Yes, but only if they give detailed information about them to the customers, as well as their consent, and there is an option to visit the website without using them
Yes, but only if they give detailed information about them to the customers, as well as their consent In the ePrivacy Directive, Article 5 paragraph 3 stipulates that the storage of information in the terminal equipment of a subscriber or user is only permitted on condition that the user concerned has given his consent. For this, it must first be provided with clear and complete information.
Is OCOP allowed to transfer the customer's name and the phone model to a factory in another country? What is the BEST answer? A. Yes, since it follows the principle of necessity. B. Yes, in principle, but a distinction must be made between countries. C. No, data can never be transferred internationally. D. No, data can only be transferred internationally for medical or security reasons.
Yes, in principle, but a distinction must be made between countries. One of the GDPR's objectives is to let information flow freely between states that commit to the principles of data protection. The GDPR contains various core concepts. "Necessity" is one of the core concepts. For the data processing and transfer to be lawful, the processing must be necessary. Special attention should be paid to the transfer of personal data to third countries.
A company asks users for their addresses in order to send a package they have ordered. Does this follow the principle of "necessity"? A. Yes, it's considered a contract performance B. Yes, it's considered a legitimate interest C. Yes, it's considered a vital interest D. Yes, it's considered a legal obligation
Yes, it's considered a contract performance Contract performance: processing is necessary for the performance of a contract. For example, personal data is required for delivery of a product or service. Processing must be unavoidable in order to complete the contract.
The three mechanisms under which personal data can be transferred outside the European Economic Area (EEA) are? A. public authority, appropriate safeguards, and specific situations B. public authority, adequate findings, and special categories C. scope, adequate findings, and appropriate safeguards D. adequate findings, appropriate safeguards, and under specific derogations
adequate findings, appropriate safeguards, and under specific derogations Transfer of personal data outside the European Economic Area (EEA) can legally take place in three ways (Articles 44-50), namely on the basis of: 1. 'Adequacy findings'- Article 45; 2. 'Appropriate safeguards'- Article 46; 3. 'Derogation for specific situations'- Article 49.
What is Directive 2002/58/EC?
ePrivacy Directive
What are the four principles developed by the European AU regarding the ethical use of Artificial Intelligence?
empathy, fairness, transparency, and accountability
In Convention 108 and Article 5 of the GDPR, it's set that in order to process data legally, it must be ___________, which means that the subjects must be aware that their personal data is being used. A. lawful B. fair C. with consent D. transparent
fair The fundamental principles from Convention 108 and the directive are reflected in Articles 5 and 6 of the GDPR. It states the processing must be fair. This means that the data subject must be aware that his or her data is processed and used. Only in that case can a well-considered judgment be given.