Cert Quiz


Which of the following parties involved in online behavioral advertising may qualify as a data controller? Select all that apply.

'An ad network' 'A website publisher' 'An advertiser'

Which of the following countries have been deemed adequate by the European Commission? Select all that apply.

'Argentina' 'New Zealand' 'Switzerland' 'Uruguay'

Which of the following are appropriate safeguards for international data transfers? Select all that apply.

'Binding corporate rules' 'Standard contractual clauses' 'Approved codes of conduct or certification mechanisms'

Which of the following are categories under which a data subject may object to processing their personal data?

'Direct marketing' 'Public interest or legitimate interests' 'Research or statistical purposes'

Read the following scenario and then select all the GDPR data processing principles that have been violated: an access control system used by an organization's maintenance team for building security is later used by a manager in a different department to determine if employees are arriving late for work. The employees are not informed of this new processing action, and the manager does not create consistent records of the processing activities.

'Integrity and confidentiality' 'Accountability'

The ePrivacy Directive governs the processing of which types of data? Select all that apply.

'Location data' 'Content data' 'Traffic data'

Select all the types of personal data that belong to special categories of personal data under the GDPR.

'Personal data revealing political opinions' 'Personal data revealing religious or philosophical beliefs' 'Genetic data used to uniquely identify a natural person' 'Data concerning health'

What are the criteria used to determine the territorial scope of the GDPR?

'Processing of personal data when a controller or processor is established in the EU' 'Processing the personal data of data subjects in the EU relating to offering goods or services or monitoring behavior in the EU' 'Processing of personal data by a controller not established in the EU but in a place where member state law applies by virtue of public international law'

Which of the following fall under the material scope of the GDPR?

'Processing personal data without human intervention' 'Processing personal data that forms part of a filing system'

What information must be provided to data subjects in all circumstances?

'Purpose of processing' 'Data subjects' rights' 'Identity of the controller'

Select all that are potential solutions to lengthy privacy notices.

'Standardized icons' 'just-in-time notices' 'layered privacy notices'

Which forms of marketing are subject to the ePrivacy Directive? Select all that apply.

'Telephone marketing' 'electronic mail marketing'

The right of access grants data subjects access to which of the following types of information?

'The purpose of the processing' 'Retention periods' 'Locations where the data is being processed'

Which criteria are used to identify personal data?

'any information' 'relating to' 'an identified or identifiable' 'natural person'

Which types of laws should be considered when processing employees' personal data? Select all that apply.

'local employment law' 'EU data protection law' 'Member state data protection law'

Which exception to the prohibition on processing special categories of personal data must be explicit?

Consent

Which of the following mechanisms facilitates a specific collaborative process between the Commission, the European Data Protection Board, and supervisory authorities for adopting certain measures and ensuring consistent GDPR application?

Consistency mechanism

Which lawful processing criteria is commonly used when a customer purchases a good or service?

Contract

What information must be provided to data subjects when the controller's necessity is being used as the legal basis for processing?

Controller's legitimate interest

Which of the following data protection milestones is a treaty among member states of the Council of Europe?

Convention 108

Choose the characteristic that describes the European Commission.

Has the power to propose legislation

What are the main values of a data protection impact assessment (DPIA)? Select all that apply.

Incorporating data protection considerations into organizational planning; Demonstrating compliance to supervisory authorities.

A controller must notify the data subject(s) of a personal data breach if the breach is likely to result in a high risk to the rights and freedoms of those individuals unless ____. Check the exemptions that apply.

Individual notice requires disproportionate effort; prior implementation of appropriate technical and organizational measures rendered the personal data unintelligible or encrypted; post-breach actions greatly reduce the risk to the rights and freedoms of the data subjects.

The information that must be provided to data subjects will depend on the situation. What information must be provided to data subjects when their personal data will be stored on a database hosted in the United States?

Intention to transfer data internationally

Choose the characteristic that describes the Council of the EU.

Is one of the main decision making bodies of the EU

Choose the characteristic that describes the European Parliament.

Is responsible for legislative development, supervisory oversight of other institutions, and development of the budget

Arrange the options for international data transfers in the order that they should be considered.

1. Adequacy decisions 2. Appropriate safeguards 3. Derogations

How many active participants will the European Data Protection Board have?

27

What is profiling?

A form of automated decision-making

Which of the following options for international data transfers is a determination by the European Commission that a third country has achieved an EU-level of personal data protection?

Adequacy decision

What is data processing?

Any action performed on data

Under GDPR, which legal basis for processing personal data would be difficult to use for processing employee data?

Consent

Which appropriate safeguards allow large multinational companies to adopt a policy suite with rules for handling personal data?

Binding corporate rules

CIAR stands for ______.

Confidentiality, integrity, availability, and resilience

What is the function of the four-step test?

Determine if data qualifies as personal data

Which of the following is not listed by the GDPR as a method for restricting processing of personal data?

Disabling the data management system

Which of the following is not a data protection consideration associated with collecting personal data via CCTV?

Duration of the video

True or false. A data controller may be a natural person or legal entity, while a data processor must be a legal entity.

False

True or false. Personal data either belongs to special categories or does not. There is no grey area.

False

True or False: The GDPR requires controllers to always contact the supervisory authority following a DPIA and before processing of personal data.

False

True or false. A contract protects a processor from being held to the same legal obligations as the controller.

False

True or false. A processor may decide where and how to process personal data.

False

True or false. Anonymising personal data is always possible.

False

True or false. BYOD policies are designed to protect employees' personal data only.

False

True or false. Exclusions to the material scope of the GDPR should be interpreted broadly.

False

True or false. The ePrivacy Directive governs the processing of data through both private and public carriers and communications networks.

False

True or false. The most cutting-edge technology always is the best choice for security.

False

True or false: A controller may charge an administrative fee to data subjects if they request that the information provision be in an oral format.

False

True or false: At least three of the lawful processing criteria within the GDPR must be met for personal data to be processed legally.

False

True or false: Information provision is required, even if it necessitates disproportionate effort.

False

True or false: The transparency principle states that detail is more important than conciseness in a privacy notice.

False

Choose the characteristic that describes the Court of Justice of the EU.

Makes decisions on issues of EU law

Which of the following mechanisms facilitates the provision of relevant information between supervisory authorities?

Mutual assistance

How can SNS providers be open and transparent about the processing of personal data?

Provide notice to individuals about the processing of their personal data

Which of the following must be included in controllers' personal data processing records but not in processors' records?

Purposes of processing

What information must be provided to data subjects when their personal data will be shared with an outside organization to provide them with a promised service?

Recipients of the data

Which of the following data subjects rights provides data subjects with entitlements to certain information, obtainable from the controller upon request?

Right of access

The right to be forgotten is also known as what?

Right to erasure

What U.S. act requires companies to have a system in place to receive anonymous complaints about potential wrongdoing?

Sarbanes-Oxley Act (SOX)

Choose the characteristic that describes the European Council.

Sets the overall political agenda of the EU

What information must be provided to data subjects when the personal data that will be processed was collected indirectly?

Source of the data

Drag and drop the correct phrase into the blank. 'Taking into account the ____, the costs of implementation and the nature, scope, context, and purposes of processing...'

State of the art

Who does the GDPR task with promoting, monitoring and enforcing the GDPR?

Supervisory authorities

Which European institution is composed of 47 member states?

The Council of Europe

The Universal Declaration of Human Rights is a product of which institution?

The United Nations

A controller must notify the supervisory authority of a personal data breach if ____.

The breach is likely to result in a risk for the rights and freedoms of natural persons

Which of the following are circumstances that require an organization to appoint a DPO? Select all that apply.

The controller is a public authority; The core activities of the controller or processor include regular and systematic monitoring of data subjects on a large scale; The core activities of the controller or processor consist of large-scale processing of special categories of data.

_____ must be included in a processor contract. Check all that apply.

The subject matter and duration of the processing; The nature and purpose of the processing; The type of personal data; The categories of data subjects

Where would a full version of the privacy notice be located in a layered notice?

The third layer

Which of the following data protection milestones applies to public electronic communications services and networks?

e-Privacy Directive

True or false. A processor may process personal data only on documented instructions from the controller.

True

True or false. Pseudonymous data is protected by the GDPR.

True

True or false: Privacy notices should use visualization where appropriate.

True

True or False. Alternatives to employee monitoring should always be considered first.

True

True or false. A processor is responsible for implementing appropriate technical and organizational measures to keep personal data secure.

True

True or false. Some employers may be required to consult with works councils and/or trade unions to process employees' personal data.

True

True or false. Under the GDPR, individuals have the absolute right to object to any form of direct marketing at any time.

True

True or false. When personal data is being processed, there always is a controller.

True

True or false: A cloud services supplier may determine technical and organizational means of processing and remain a processor.

True

True or false: Both controllers and processors have accountability obligations under the GDPR.

True

True or false: Criteria for derogations are strict and should be interpreted narrowly.

True

True or false: Data protection by design begins prior to processing and incorporates data protection considerations into the planning phase.

True

True or false: Information provided to data subjects about the processing of their personal data should be written in clear and plain language that is understandable.

True

True or false: The GDPR requires a data protection policy to be used 'where proportionate in relation to processing activities'.

True

True or false: The data protection officer must be an expert in data protection law and practices.

True

True or false: When information is collected indirectly, data subjects should be informed within a reasonable period of time.

True

Drag and drop the correct phrase into the blank. 'The controller and the processor shall implement ____' (Article 32).

appropriate technical and organizational measures
