CIPP/E IAPP Practice Questions

Which of the following must be included in controllers personal data processing records, but not in the processors' records? -International data transfers being made and the measures put in place to ensure they are lawful -purpose of processing -A general description of technical and organisational security measures that have been implemented

purpose of processing

Which exception to the prohibition on processing special categories of data must be explicit? -Vital interests -Publicly available data -Consent

Consent

Which legitimate processing criteria is commonly used when a customer purchases a good or service? -Consent -Vital interests -Contract

Contract

What information must be provided to data subjects when the controller's necessity is being used as the legal basis for processing? -Source of the data -Controller's legitimate interest -Recipients of the data -Legal basis for transferring data internationally

Controller's legitimate interest

Which of the following data protection milestones is a treaty among member states of the Council of Europe: -Data Retention Directive -Charter of Fundamental Rights -Convention 108 -e-Privacy Directive -GDPR

Convention 108

True or false: the most cutting -edge security is always the best choice for security

False

True of false: The ePrivacy Directive governs the processing of data through both private and public carriers and communications networks.

False. it concerns only public carriers and communications networks.

Which of the following is true regarding direct marketing channels? -For postal marketing, opt-in is required -For telemarketing, opt-in is required -For business-to-consumer emailing and text-messaging, opt-in is required.

For business to consumer emailing and text-messaging, opt in is required.

Choose the characteristic that describes the European Commission. -Has the power to propose legislation -Is composed of a directly elected body

Has the power to propose legislation

The information that must be provided to data subjects will depend on the situation. What information must be provided to data subjects when their personal data will be stored on a database hosted in the United States? -Use of automated decision making -Source of the date -Intention to transfer data internationally -Controller's legitimate interest

Intention to transfer data internationally

Choose the characteristic that describes the Council of the EU -Is sometimes described as the executive body of the EU -Is one of the main decision-making bodies of the EU

Is one of the main decision making bodies of the EU.

True or false: upon indirect collection, information provision should happen within a reasonable period of time.

True

Under GDPR, which term is defined as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her"? a. consent b. expressed permission c. lawful agreement d. prior authorization

a

When should a controller notify the supervisory authority of a loss of personal information which is likely to result in harm to an individual? a. within 72 hours after having become aware b. no later than 5 calendar days after the incident is identified c. notice must be provided without unreasonable delay; no later than 30 days; law enforcement can delay notification d. there is no need to notify the supervisory authority of a loss of personal information.

a

Which of the following data subject rights provides data subjects with entitlements to certain information, obtainable from the controller upon request? Pick all that apply. -right of access -right of erasure -right to object -right to restriction of processing

right of access

Pick the correct phrase: "Taking into account the__________________, the cost of implementation ad the nature, scope, context and purposes of processing ...(Article 32). -state of the art -risk of varying likelihood -a level of security appropriate to the risk -appropriate technical and organisational measures

state of the art

Where would a full version of the privacy notice be located in a layered notice? -the top layer -the second layer -the third layer

the third layer

Which of the followig countries hav ebeen deemed adequate by the European Commission? Select all that apply. Argentina Uruguay New Zealand Switzerland

All

In what order should the following options for cross-border data transfers be considered? -Adequacy decisions -Appropriate Safeguards -Derogations

-Adequacy decisons -Appropriate Safeguards -Derogations

What are the main values of data protection impact assessment (DPIA)? Select all that apply. -Demonstrating compliance to supervisory authorities -Incorporating data protection consideration into organisational planning -Determining the purpose of processing personal data

-Demonstrating compliance to supervisory authorities -Incorporating data protection considerations into organisational planning

Which of the following are EU-US Privacy Shield requirements? Select all that apply. -Publicly disclose the organisation's privacy policy -Implement the Privacy Shield Principles -Update the organization's privacy Policy annually. -Publicize the commitment to the U.S. Department of Commerce to adhere to the Privacy Shield Principles

-Publicly disclose Privacy Policy -Implement Privacy Shield Principles -Publicize the commitment to the DoC

Right of access grants data subjects access to which of the following types of information? Select all that apply. -The means of data storage -Retention periods _The purpose of processing -Locations where the date is being processed

-The purpose of processing -Retention periods -Locations where the data is being processed

which of the following statements are true of private sector entities that conduct surveillance? Select all that apply. -The surveillance they conduct must be based on legitimate purposes. -The surveillance they conduct must comply wiht national laws. -They include bodies such as national security agencies and law enforcement authorities

-the surveillance must be based on legitimate purposes -The surveillance must comply with national laws.

How many active participants will the European Data Protection Board have? - 28 - 38 - 21 - 31

28

A controller must notify the supervisory authority of a personal data breach if __________. -A breach is likely to result in a risk to the rights and freedoms of natural persons -A breach is likely to result in a high risk for the rights and freedoms of natural persons

A breach likely to result in risk to the rights and freedoms of natural persons.

What is profiling? -the processing of personal data gathered from social media sites -a form of automated decision making -The act of enabling cookies -All of the above

A form of automated decision making

Which of the following options for cross-border data transfers is a determination by the European Commission that a third country has achieved an EU-level of personal data protection. -Adequacy decision -Appropriate safeguard -Derogation

Adequacy decisions

A controller must notify the data subjects of a personal data breach if the breach is likely to result in a high risk to the rights and freedoms of those individuals unless_________. Pick all that apply: -Individual notice require disproportionate effort -Prior implementation of appropriate technical and organisational measures rendered the personal data unintelligible or encrypted -Post-breach actions greatly reduce the risk to the rights and freedoms of the data subjects.

All

The ePrivacy Directive governs the processing of which types of data? Select all that apply. -Traffic data -Content data -Location data

All

Which of the following are circumstances that require an organisation to appoint a DPO? Select all that apply. -The core activities of the controller or processor include regular and systematic monitoring of data subjects on a large scale. -The core activities of the controller or processor consist of large scale processing of special categories of data. - The controller is a public authority.

All

Which types of laws should be considered when processing employees' personal data? Select all that apply. - Local employment law -EU data protection law -Member state data protection law

All

Select all that are potential solutions to lengthy privacy notices. -Key notices -Standardized Icons -Terms of Agreement -Just in time notices -Layered privacy notices

All EXCEPT -Key notices -Terms of Agreement

Select the types of personal data elements that belong to special categories under the GDPR. -Personal data revealing religious or philosophical beliefs -Data relating to personal interests and hobbies -Data concerning health -Personal data revealing political opinions -Personal data revealing financial information -Genetic data used to uniquely identify a natural person

All EXCEPT -personal interests and hobbies -financial information

Which criteria are used to identify personal data? Select all that apply -natural person -an identified or identifiable -any information -relating to - or anonymous

All EXCEPT "or anonymous

Which of the following are categories under which a data subject may object to processing his or her personal data? Select all that apply. -Establishment, exercise or defense of legal claims -Direct marketing -Public interest or legitimate interest -Research or statistical purposes

All EXCEPT Establishment, exercise or defense of legal claims.

__________must be included in a processor contract. Check all that apply: -the categories of data subjects - the nature and purpose of the processing -the subject matter and duration of the processing -the type of personal data -The method for destroying personal information following processing activities

All EXCEPT The method for destroying personal data. Contract should also contain the obligations and rights of the controller

Which of the following fall under the material scope of the GDPR? Select all that apply. -processing personal data without human intervention -processing anonymous data -Processing personal data that forms part of a filing system.

All EXCEPT anonymous data

What information must be provided to the data subjects in all circumstances? Select all that apply. - Identity of the controller -Controller's legitimate interest -Purpose of processing -Data subjects' rights

All EXCEPT legitimate interest

Which of the following should be considered for a holistic approach to data security? -A policy framework -Information technology -Incident detectoin and response -All of the above

All of the above Additional considerations may include management, and worker buy-in, and the physical environment.

What are the criteria used to determine the territorial scope of the GDPR: Select all that apply. -Processing of personal data of EU subjects relating to offering goods or services or monitoring behaviour -Processing of personal data by a controller not established in the EU but in a place where member state law applies -Processing of personal data when a controller or processor is established in the EU

All.

What is data processing: -Any action involved in securing and protecting data -Any action performed upon data -Any action involved in collecting personal data -Any action that adapts or alters data.

Any action performed upon data.

Which of the following are appropriate safeguards for cross-boarder data transfers? Select all that apply. -Public Interest -Binding corporate rules -Approved codes of conduct or certification mechanisms -standard contractual clauses

BCR Codes of conduct/certification standard clasues

Which appropriate safeguards allow large multinational companies to adopt a policy suite with rules for handling personal data? -Standard contractual clauses -Reliance on international agreements -Ad hoc contractual clauses -Binding corporate rules

Binding Corporate Rules

CIAR stands for..... -Confidentiality, information, availability and risk assessment -Continuity, integrity, access, and resilience -Confidentiality, integrity, availability and resilience -Continuity, information, access and risk assessment

Confidentiality, integrity, availability and resilience

_________ is/are a key part of the equation when assessing risk. -Controller obligatins -Expected loss -Purpose of processing -Data subject rights

Expected loss

Chose the characteristic that describes the European Parliament. -Is responsible for legislative development, supervisory oversight of other institutions, and development of the budget -Defines the EU priorities and sets the political direction for the EU.

Defines the EU priorities and sets the political direction for the EU

What is the function of the 4 step test? -Determine if data qualifies as personal data -Determine i personal data is anonymous -Determine if personal date belongs to special categories -Determine if personal data is pseudonymous.

Determine if data qualifies as personal data

Which of the following is not a method listed by the GDPR as a method for restricting processing of personal data. Select all that apply. -Noting the restriction in the system -Moving the data to a separate system -Temporarily blocking a website -Disabling the data management system

Disabling the data management system

Which of the following is not a data protection consideration associate with collecting personal data via CCTV? -Proportionality -Duration of the video -Lawfulness -Individual's rights -Prior checking -Information provision

Duration of the video

True or false: a contract protects a processor from being held to the same legal obligations as the controller.

False

Exclusions to the material scope of GDPR should be interpreted broadly. True or false?

False

True of False: A controller may charge an administrative fee to data subjects if they request that the information provision be in oral format.

False

True of false: BYOD policies are designed to protect employee's personal data.

False

True or False: A processor may decide wehre and how to process personal data.

False

True or False: Anonymising personal data is always possible.

False

True or False: Personal data either belongs to special categories or does not. There is no grey area.

False

True or false: A data controller may be a natural person or a legal entity, while a data processor must be a legal entity.

False

True or false: At least three of the legitimate processing criteria within the GDPR must ve met for personal data to be processed legally.

False

True or false: Information provision is required, even if it necessitates disproportionate effort.

False

True or false: The GDPR requires controllers to always contact the supervisory authority following a DPIA and before processing.

False

True or false: The transparency principle states that detail is more important that conciseness in a privacy notice.

False

True or false: Under GDPR, web cookies qualify as personal data by IP addresses do not.

False

Choose the characteristic that describes the Court of Justice of the EU -Makes decisions on issues of EU law -Is based in Strasbourg

Makes decisions on issues of EU law.

Which of the following mechanisms facilitates the provision of relevant information between supervisory authorities. -Urgency procedure -Mutual assistance -Cooperation -Consistency mechanism

Mutual Assistance

What must be provided to employees when processing their personal data? -Notice that their personal data will be processed -The supervisory authority's contact information -Opt-in -Opt-out

Notice

What information must be provided to data subjects when their personal data will be shared with an outside organisation to provide them with a promised service? -Use of automated decision making -Recipients of the data -Intention to transfer data internationally -Source of the data

Recipients of the data

The right to be forgotten is part of what data subjectc right? -Right to data portability -Right to erasure -Right to restriction of processing -Right to rectification

Right to erasure

What U.S. act requires companies to have a system in place to reciee anonymous complaints about potential wrongdoing? -Sarbanes-Oxley Act (SOX) -Young-Underthorn Act (YOU) -Washington's Whistle-blowing Act (WOW) -Barnes Laremey Act (BLAME)

Sarbanes-Oxley Act (SOX)

Choose the characteristic that describes the European Council. -Sets the overall political agenda of the EU -Negotiates and adopts laws

Sets the overall political agenda of the EU.

What information must be provided to data subjects when the personal data that will be processed was collected indirectly? -Source of the data -Storage period -Statutory or contractual requirement -Controller's legitimate interest

Source of the data

Who does the GDPR task with promoting monitoring and enforcing the GDPR? -The European Data protection Supervisor -Processors -Controllers -Supervisory authorities

Supervisory Authorities

Which European institutions is composed of 47 member states? -The Council of Europe -The European Union -The European Economic Area

The Council of Europe

The Universal Declaration of Human Rights is a product of which institution? -The United Nations -The Council of Europe -The European Union

The United Nations

Which statement describes a European best practices approach to the protection of employment data held by an organisation? a. Employers should avoid all types of monitoring when collection employee information within the workplace b. Organisations should seek legal advice from a privacy lawyer before processing employee data. c. Employee data should not be processed without expressed, verbal permission by the employee. d. Employers should consult with regulatory bodies such as works councils about proposed data processing activity

d

Which of the following data protection milestones applies to public electronics communications services and networks? -Data Retention Directive -Charter of Fundamental Rights -Convention 108 -e-Privacy Directive -GDPR

e-Privacy Directive

Read the following and select all the GDPR principles that have been violated: An access control system used by an organization's maintenance team for building security is later used by a manager in a different department to determine if employees are arriving late for work. The employees are not informed of this new processing action, and the manager does not create consistent records of the processing activities. -Integrity and confidentiality -Accountability -Data quality and accuracy

This violates -Integrity and confidentiality Accountability

A processor is responsible for implementing appropriate technical and organisational measures to keep personal data secure. True or false?

True

A processor may process personal data only on documented instructions from the controller. True or false?

True

Privacy notices should use visualisation where appropriate. True or false?

True

True or false. Both controllers and processors have accountability obligations under GDPR.

True

True or false. The data protection officer must be an expert in data protection law and practices.

True

True or false: Alternatives to employee monitoring should always be considered.

True

True or false: Criteria for derogations are strict and should be interpreted narrowly.

True

True or false: Data protection by design begins prior to processing and incorporates data protection considerations into the planning phase.

True

True or false: Information provided to data subjects about the processing of their personal data should be written in clear and plain language that is understandable.

True

True or false: Pseudonymous data is protected by the GDPR.

True

True or false: Some employers may be required to consult with works councils and or trade unions to process employee's personal data.

True

True or false: The GDPR requires a data protection policy to be used where proportionate in relation to processing activities.

True

True or false: Under the GDPR, individuals have the absolute right to object to any form of direct marketing at any time.

True

True or false: When personal data is being processed, there is always a controller.

True

Pick the correct phrase: "the Controller and the processor shall implement_______________"(Article 32). -appropriate technical and organisational measures -state of the art security -risks of varying likelihood -encryption appropriate to the risk

appropriate technical and organisational measures

The GDPR and its predecessor, the Data Protection Directive 95/46/EC, were allwoed to be set up as a harmonisation measure for European member staes by which? a. Lisbon Treaty b. Treaty of Rome c. Council of Europe Convention d. European Convention on Human Rights.

b

Under what conditions is processing sensitive employee data acceptable? a.The processing is necessary for the performance of a contract to which the individual is a party b. The processing is necessary for the data controller to carry out their obligation in the field of employment law. c. The processing is necessary for the interest of both the data controller and the employee. d, The processing is necessary for the interest pursued by the data controller

b

Which is an example of direct marketing? a. an email sent to an individual about an order she has placed. b. an email sent to an individual promoting an new book which is on sale c. a letter addressed to "the household" about a charity bookstore d. an advertisement on a website promoting a new book which is on sale

b

Which statement is correct concerning the information to be provided when collecting personal data directly from the data subject? a. There is one mandated form for such information which sets out all information requirements. b. data controllers are obliged to inform data subjects about the creation of copies of their personal data for backup reasons. c. the information needs to detail if the personal data will be passed to another organisation. d. An employer is not required to provide such information to its employees concerning the processing of their employment records.

c

Why do BCRs prohibit the transfer of employee names to teleom providers within the same country in order to provide then with mobile phone services? a. because BCRs only provide adequate safeguards for organisations who move data outside their corporaton b. because BCRs secure transfers to third parties without additional requirements c. because BCRs only deal with intra-organisational transfers and not with transfers to third parties d. because BCRs require contractual arrangements to legitimize international transfers of data

c

Which of the following mechanisms facilitates a specific collaborative process between supervisory authorities, the commission and the European Data Protection Board for adopting certain measures and ensuring consistent GDPR application? -Cooperation -Joint operations -Dispute resolution -Consistency mechanism

consistency mechanism

According to the GDPR, when does an organisation need to take action to legitimize cross border data transfers of personal data a. when the date is routed through another jurisdicion in or outside the EU b. when the date is transferred from one jurisdiction in the EU to another c. when the date is transferred from a jurisdiction outside the European Union to a member state of the EU d. when the date is transferred from a jurisdiction in the EU to a third country which is not deemed adequate.

d

Along with the name and contact details of the data controller processing the personal data, what other information must e included in the records of processing to be maintained by the data controller under the GDPR? a. retention period of each category of personal data, where possible. b. reason(s) for processing the personal data c. third countries to which the information may be transferred d. all of A, B, and C.

d

The ePrivacy Directive 2002/58/EC contains which provision? a. Location data may be freely processed. b. Unsolicited commercial telephone calls, emails and faxes need opt-out consent c. Corporate communicaton systems must have adequate security. d. Cookies require prior information and consent

d