Cert Quiz
Which of the following parties involved in online behavioral advertising may qualify as a data controller? Select all that apply.
'An ad network' 'A website publisher' 'An advertiser'
Which of the following countries have been deemed adequate by the European Commission? Select all that apply.
'Argentina' 'New Zealand' 'Switzerland' 'Uruguay'
Which of the following are appropriate safeguards for international data transfers? Select all that apply.
'Binding corporate rules' 'Standard contractual clauses' 'Approved codes of conduct or certification mechanisms'
Which of the following are categories under which a data subject may object to processing their personal data?
'Direct marketing' 'Public interest or legitimate interests' 'Research or statistical purposes'
Read the following scenario and then select all the GDPR data processing principles that have been violated: an access control system used by an organization's maintenance team for building security is later used by a manager in a different department to determine if employees are arriving late for work. The employees are not informed of this new processing action, and the manager does not create consistent records of the processing activities.
'Integrity and confidentiality' 'Accountability'
The ePrivacy Directive governs the processing of which types of data? Select all that apply.
'Location data' 'Content data' 'Traffic data'
Select all the types of personal data that belong to special categories of personal data under the GDPR.
'Personal data revealing political opinions' 'Personal data revealing religious or philosophical beliefs' 'Genetic data used to uniquely identify a natural person' 'Data concerning health'
What are the criteria used to determine the territorial scope of the GDPR?
'Processing of personal data when a controller or processor is established in the EU' 'Processing the personal data of data subjects in the EU relating to offering goods or services or monitoring behavior in the EU' 'Processing of personal data by a controller not established in the EU but in a place where member state law applies by virtue of public international law'
Which of the following fall under the material scope of the GDPR?
'Processing personal data without human intervention' 'Processing personal data that forms part of a filing system'
What information must be provided to data subjects in all circumstances?
'Purpose of processing' 'Data subjects' rights' 'Identity of the controller'
Select all that are potential solutions to lengthy privacy notices.
'Standardized icons' 'just-in-time notices' 'layered privacy notices'
Which forms of marketing are subject to the ePrivacy Directive? Select all that apply.
'Telephone marketing' 'electronic mail marketing'
The right of access grants data subjects access to which of the following types of information?
'The purpose of the processing' 'Retention periods' 'Locations where the data is being processed'
Which criteria are used to identify personal data?
'any information' 'relating to' 'an identified or identifiable' 'natural person'
Which types of laws should be considered when processing employees' personal data? Select all that apply.
'local employment law' 'EU data protection law' 'Member state data protection law'
Which exception to the prohibition on processing special categories of personal data must be explicit?
Consent
Which of the following mechanisms facilitates a specific collaborative process between the Commission, the European Data Protection Board, and supervisory authorities for adopting certain measures and ensuring consistent GDPR application?
Consistency mechanism
Which lawful processing criterion is commonly used when a customer purchases a good or service?
Contract
What information must be provided to data subjects when the controller's necessity is being used as the legal basis for processing?
Controller's legitimate interest
Which of the following data protection milestones is a treaty among member states of the Council of Europe?
Convention 108
Choose the characteristic that describes the European Commission.
Has the power to propose legislation
What are the main values of a data protection impact assessment (DPIA)? Select all that apply.
Incorporating data protection considerations into organizational planning; Demonstrating compliance to supervisory authorities.
A controller must notify the data subject(s) of a personal data breach if the breach is likely to result in a high risk to the rights and freedoms of those individuals unless ____. Check the exemptions that apply.
Individual notice requires disproportionate effort; prior implementation of appropriate technical and organizational measures rendered the personal data unintelligible or encrypted; post-breach actions greatly reduce the risk to the rights and freedoms of the data subjects.
The information that must be provided to data subjects will depend on the situation. What information must be provided to data subjects when their personal data will be stored on a database hosted in the United States?
Intention to transfer data internationally
Choose the characteristic that describes the Council of the EU.
Is one of the main decision-making bodies of the EU
Choose the characteristic that describes the European Parliament.
Is responsible for legislative development, supervisory oversight of other institutions, and development of the budget
Arrange the options for international data transfers in the order that they should be considered.
1. Adequacy decisions 2. Appropriate safeguards 3. Derogations
How many active participants will the European Data Protection Board have?
27
What is profiling?
A form of automated decision-making
Which of the following options for international data transfers is a determination by the European Commission that a third country has achieved an EU-level of personal data protection?
Adequacy decision
What is data processing?
Any action performed on data
Under GDPR, which legal basis for processing personal data would be difficult to use for processing employee data?
Consent
Which appropriate safeguards allow large multinational companies to adopt a policy suite with rules for handling personal data?
Binding corporate rules
CIAR stands for ______.
Confidentiality, integrity, availability, and resilience
What is the function of the four-step test?
Determine if data qualifies as personal data
Which of the following is not listed by the GDPR as a method for restricting processing of personal data?
Disabling the data management system
Which of the following is not a data protection consideration associated with collecting personal data via CCTV?
Duration of the video
True or false. A data controller may be a natural person or legal entity, while a data processor must be a legal entity.
False
True or false. Personal data either belongs to special categories or does not. There is no grey area.
False
True or False: The GDPR requires controllers to always contact the supervisory authority following a DPIA and before processing of personal data.
False
True or false. A contract protects a processor from being held to the same legal obligations as the controller.
False
True or false. A processor may decide where and how to process personal data.
False
True or false. Anonymising personal data is always possible.
False
True or false. BYOD policies are designed to protect employees' personal data only.
False
True or false. Exclusions to the material scope of the GDPR should be interpreted broadly.
False
True or false. The ePrivacy Directive governs the processing of data through both private and public carriers and communications networks.
False
True or false. The most cutting-edge technology always is the best choice for security.
False
True or false: A controller may charge an administrative fee to data subjects if they request that the information provision be in an oral format.
False
True or false: At least three of the lawful processing criteria within the GDPR must be met for personal data to be processed legally.
False
True or false: Information provision is required, even if it necessitates disproportionate effort.
False
True or false: The transparency principle states that detail is more important than conciseness in a privacy notice.
False
Choose the characteristic that describes the Court of Justice of the EU.
Makes decisions on issues of EU law
Which of the following mechanisms facilitates the provision of relevant information between supervisory authorities?
Mutual assistance
How can SNS providers be open and transparent about the processing of personal data?
Provide notice to individuals about the processing of their personal data
Which of the following must be included in controllers' personal data processing records but not in processors' records?
Purposes of processing
What information must be provided to data subjects when their personal data will be shared with an outside organization to provide them with a promised service?
Recipients of the data
Which of the following data subjects' rights provides data subjects with entitlements to certain information, obtainable from the controller upon request?
Right of access
The right to be forgotten is also known as what?
Right to erasure
What U.S. act requires companies to have a system in place to receive anonymous complaints about potential wrongdoing?
Sarbanes-Oxley Act (SOX)
Choose the characteristic that describes the European Council.
Sets the overall political agenda of the EU
What information must be provided to data subjects when the personal data that will be processed was collected indirectly?
Source of the data
Drag and drop the correct phrase into the blank. 'Taking into account the ____, the costs of implementation and the nature, scope, context, and purposes of processing...'
State of the art
Who does the GDPR task with promoting, monitoring and enforcing the GDPR?
Supervisory authorities
Which European institution is composed of 47 member states?
The Council of Europe
The Universal Declaration of Human Rights is a product of which institution?
The United Nations
A controller must notify the supervisory authority of a personal data breach if ____.
The breach is likely to result in a risk for the rights and freedoms of natural persons
Which of the following are circumstances that require an organization to appoint a DPO? Select all that apply.
The controller is a public authority; The core activities of the controller or processor include regular and systematic monitoring of data subjects on a large scale; The core activities of the controller or processor consist of large-scale processing of special categories of data.
_____ must be included in a processor contract. Check all that apply.
The subject matter and duration of the processing; The nature and purpose of the processing; The type of personal data; The categories of data subjects
Where would a full version of the privacy notice be located in a layered notice?
The third layer
Which of the following data protection milestones applies to public electronic communications services and networks?
e-Privacy Directive
True or false. A processor may process personal data only on documented instructions from the controller.
True
True or false. Pseudonymous data is protected by the GDPR.
True
True or false: Privacy notices should use visualization where appropriate.
True
True or False. Alternatives to employee monitoring should always be considered first.
True
True or false. A processor is responsible for implementing appropriate technical and organizational measures to keep personal data secure.
True
True or false. Some employers may be required to consult with works councils and/or trade unions to process employees' personal data.
True
True or false. Under the GDPR, individuals have the absolute right to object to any form of direct marketing at any time.
True
True or false. When personal data is being processed, there always is a controller.
True
True or false: A cloud services supplier may determine technical and organizational means of processing and remain a processor.
True
True or false: Both controllers and processors have accountability obligations under the GDPR.
True
True or false: Criteria for derogations are strict and should be interpreted narrowly.
True
True or false: Data protection by design begins prior to processing and incorporates data protection considerations into the planning phase.
True
True or false: Information provided to data subjects about the processing of their personal data should be written in clear and plain language that is understandable.
True
True or false: The GDPR requires a data protection policy to be used 'where proportionate in relation to processing activities'.
True
True or false: The data protection officer must be an expert in data protection law and practices.
True
True or false: When information is collected indirectly, data subjects should be informed within a reasonable period of time.
True
Drag and drop the correct phrase into the blank. 'The controller and the processor shall implement ____' (Article 32).
appropriate technical and organizational measures