Read the following steps:
✑ Discover which employees are accessing cloud services and from which devices and apps Lock down the data in those apps and devices
✑ Monitor and analyze the apps and devices for compliance
✑ Manage application life cycles
✑ Monitor data sharing
An organization should perform these steps to do which of the following?
- A . Pursue a GDPR-compliant Privacy by Design process.
- B . Institute a GDPR-compliant employee monitoring process.
- C . Maintain a secure Bring Your Own Device (BYOD) program.
- D . Ensure cloud vendors are complying with internal data use policies.
C
Explanation:
Reference: https://www.itproportal.com/features/heading-off-the-spectre-of-gdpr-compliance-with-secure-byod/
What is a reason the European Court of Justice declared the Data Retention Directive invalid in 2014?
- A . The requirements affected individuals without exception.
- B . The requirements were financially burdensome to EU businesses.
- C . The requirements specified that data must be held within the EU.
- D . The requirements had limitations on how national authorities could use data.
A
Explanation:
In 2014, the European Court of Justice (ECJ) declared the Data Retention Directive (2006/24/EC) invalid. The Directive required communication service providers to retain certain categories of data (related to electronic communications) for a period of between 6 months and 2 years, so as to ensure that the data would be available for the purpose of the investigation, detection, and prosecution of serious crime.
The ECJ found the directive to be invalid because it constituted a serious interference with fundamental rights to respect for private life and to the protection of personal data. The Directive affected all individuals without any exception, lacked clear criteria, and did not provide sufficient safeguards against the risk of abuse and unlawful access. It did not require any relationship between the data whose retention was provided for and a threat to public security, which meant even individuals not suspected of any wrongdoing had their data retained.
Option B is incorrect because the decision was not primarily based on financial burdens to businesses.
Option C is incorrect as the decision did not relate to data localization or where data must be held.
Option D is incorrect because the Directive’s problem was that it lacked sufficient limitations and safeguards rather than having them.
Which of the following countries will continue to enjoy adequacy status under the GDPR, pending any future European Commission decision to the contrary?
- A . Greece
- B . Norway
- C . Australia
- D . Switzerland
B
Explanation:
Norway is not a member of the European Union (EU) but is a member of the European Economic Area (EEA). The EEA consists of the EU Member States plus Norway, Liechtenstein, and Iceland. These EEA countries have incorporated the GDPR into their national laws, ensuring that the same level of data protection is upheld. Therefore, data transfers between the EU and these EEA countries, including Norway, occur seamlessly without the need for any specific adequacy decision by the European Commission.
Which of the following describes a mandatory requirement for a group of undertakings that wants to appoint a single data protection officer?
- A . The group of undertakings must obtain approval from a supervisory authority.
- B . The group of undertakings must be comprised of organizations of similar sizes and functions.
- C . The data protection officer must be located in the country where the data controller has its main establishment.
- D . The data protection officer must be easily accessible from each establishment where the undertakings are located.
D
Explanation:
Reference: https://www.privacy-regulation.eu/en/article-37-designation-of-the-data-protection-officer- GDPR.htm
SCENARIO
Please use the following to answer the next question:
Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent. All of the company’s IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father’s company, but is also secretly working on launching a new global online dating website company called Ben Knows Best.
Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company’s online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers’ philosophical beliefs, political opinions and marital status.
If a customer identifies as single, Ben then copies all of that customer’s personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out.
Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Beak with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.
Joe also hires his best friend’s daughter, Alice, who just graduated from law school in the U.S., to be the company’s new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company’s operations in the European Union to the U.S.
Joe believes that Alice is doing a great job, and informs her that she will also be in-charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company’s IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone’s information. Alice believes that Joe will be happy that she did the first levelreview, as it will save the company a lot of money that would otherwise be paid to its outside law firm.
Ben’s collection of additional data from customers created several potential issues for the company, which would most likely require what?
- A . New corporate governance and code of conduct.
- B . A data protection impact assessment.
- C . A comprehensive data inventory.
- D . Hiring a data protection officer.
A U.S.-based online shop uses sophisticated software to track the browsing behavior of its European customers and predict future purchases. It also shares this information with third parties.
Under the GDPR, what is the online shop’s PRIMARY obligation while engaging in this kind of profiling?
- A . It must solicit informed consent through a notice on its website
- B . It must seek authorization from the European supervisory authorities
- C . It must be able to demonstrate a prior business relationship with the customers
- D . It must prove that it uses sufficient security safeguards to protect customer data
SCENARIO
Please use the following to answer the next question:
Dynaroux Fashion (‘Dynaroux’) is a successful international online clothing retailer that employs approximately 650 people at its headquarters based in Dublin, Ireland. Ronan is their recently appointed data protection officer, who oversees the company’s compliance with the General Data Protection Regulation (GDPR) and other privacy legislation.
The company offers both male and female clothing lines across all age demographics, including children. In doing so, the company processes large amounts of information about such customers, including preferences and sensitive financial information such as credit card and bank account numbers.
In an aggressive bid to build revenue growth, Jonas, the CEO, tells Ronan that the company is launching a new mobile app and loyalty scheme that puts significant emphasis on profiling the company’s customers by analyzing their purchases. Ronan tells the CEO that: (a) the potential risks of such activities means that Dynaroux needs to carry out a data protection impact assessment to assess this new venture and its privacy implications; and (b) where the results of this assessment indicate a high risk in the absence of appropriate protection measures, Dynaroux mayhave to undertake a prior consultation with the Irish Data Protection Commissioner before implementing the app and loyalty scheme.
Jonas tells Ronan that he is not happy about the prospect of having to directly engage with a supervisory authority and having to disclose details of Dynaroux’s business plan and associated processing activities.
Which of the following facts about Dynaroux would trigger a data protection impact assessment under the GDPR?
- A . The company will be undertaking processing activities involving sensitive data categories such as financial and children’s data.
- B . The company employs approximately 650 people and will therefore be carrying out extensive processing activities.
- C . The company plans to undertake profiling of its customers through analysis of their purchasing patterns.
- D . The company intends to shift their business model to rely more heavily on online shopping.
Which GDPR requirement will present the most significant challenges for organizations with Bring Your Own Device (BYOD) programs?
- A . Data subjects must be sufficiently informed of the purposes for which their personal data is processed.
- B . Processing of special categories of personal data on a large scale requires appointing a DPO.
- C . Personal data of data subjects must always be accurate and kept up to date.
- D . Data controllers must be in control of the data they hold at all times.
D
Explanation:
Reference: https://blog.rsisecurity.com/why-byod-is-bad-for-gdpr-compliance/
What are the obligations of a processor that engages a sub-processor?
- A . The processor must give the controller prior written notice and perform a preliminary audit of the sub- processor.
- B . The processor must obtain the controller’s specific written authorization and provide annual reports on the sub-processor’s performance.
- C . The processor must receive a written agreement that the sub-processor will be fully liable to the controller for the performance of its obligations in relation to the personal data concerned.
- D . The processor must obtain the consent of the controller and ensure the sub-processor complies with data processing obligations that are equivalent to those that apply to the processor.
D
Explanation:
According to Article 28(2) and (4) of the GDPR:
A processor cannot engage a sub-processor without the prior specific or general written authorization of the controller. In the case of general written authorization, the processor must inform the controller of any intended changes concerning the addition or replacement of other processors, giving the controller the opportunity to object to such changes.
The same data protection obligations as set out in the contract or other legal act between the controller and the processor as per Article 28(3) shall be imposed on that sub-processor by way of a contract or other legal act under Union or Member State law. In essence, this means that the obligations the processor has towards the controller must also be imposed on the sub-processor.
What type of data lies beyond the scope of the General Data Protection Regulation?
- A . Pseudonymized
- B . Anonymized
- C . Encrypted
- D . Masked
B
Explanation:
Reference: https://www.datainspektionen.se/other-lang/in-english/the-general-data-protection-regulation-gdpr/the-purposes-and-scope-of-the-general-data-protection-regulation/
Which EU institution is vested with the competence to propose new data protection legislation on its own initiative?
- A . The European Council
- B . The European Parliament
- C . The European Commission
- D . The Council of the European Union
C
Explanation:
Reference: https://www.tandfonline.com/doi/full/10.1080/13600834.2019.1573501
What is the main task of the European Data Protection Board?
- A . To assess adequacy of data protection in third countries
- B . To ensure consistent application of the GDPR.
- C . To proactively prevent disputes between national supervisory authorities.
- D . To publish guidelines tor data subjects on how to property enforce their rights
An entity’s website stores text files on EU users’ computer and mobile device browsers.
Prior to doing so, the entity is required to provide users with notices containing information and consent under which of the following frameworks?
- A . General Data Protection Regulation 2016/679.
- B . E-Privacy Directive 2002/58/EC.
- C . E-Commerce Directive 2000/31/EC.
- D . Data Protection Directive 95/46/EC.
Which of the following Convention 108+ principles, as amended in 2018, is NOT consistent with a principle found in the GDPR?
- A . The obligation of companies to declare data breaches.
- B . The requirement to demonstrate compliance to a supervisory authority.
- C . The necessity of the bulk collection of personal data by the government.
C
Explanation:
Convention 108+ (the modernized version of Convention 108) is the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. Both Convention 108+ and the GDPR aim to enhance personal data protection, but they might not mirror each other in all provisions.
Which of the following was the first to implement national law for data protection in 1973?
- A . France
- B . Sweden
- C . Germany
- D . United Kingdom
B
Explanation:
Reference: https://scandinavianlaw.se/pdf/47-18.pdf
Under Article 58 of the GDPR, which of the following describes a power of supervisory authorities in European Union (EU) member states?
- A . The ability to enact new laws by executive order.
- B . The right to access data for investigative purposes.
- C . The discretion to carry out goals of elected officials within the member state.
- D . The authority to select penalties when a controller is found guilty in a court of law.
According to the E-Commerce Directive 2000/31/EC, where is the place of “establishment” for a company providing services via an Internet website confirmed by the GDPR?
- A . Where the technology supporting the website is located
- B . Where the website is accessed
- C . Where the decisions about processing are made
- D . Where the customer’s Internet service provider is located
C
Explanation:
The E-Commerce Directive 2000/31/EC provides rules for online services in the EU. One of its key principles is the "country of origin" principle, which establishes that online service providers are subject to the laws of the country where they are established, rather than the laws of the countries where their services are accessed.
The concept of "establishment" under the E-Commerce Directive is closely related to where the company exercises its real and effective activity, especially with respect to decisions about the processing of data. This interpretation is in line with the GDPR, where the establishment is interpreted in terms of where the main decisions about data processing are made.
A, B, and D are not the primary criteria used to determine the establishment. It’s more about where the central administration of the company is or where decisions about the purposes and means of processing are made.
Article 29 Working Party has emphasized that the GDPR forbids “forum shopping”, which occurs when companies do what?
- A . Choose the data protection officer that is most sympathetic to their business concerns.
- B . Designate their main establishment in member state with the most flexible practices.
- C . File appeals of infringement judgments with more than one EU institution simultaneously.
- D . Select third-party processors on the basis of cost rather than quality of privacy protection.
B
Explanation:
Reference: https://gdprinformer.com/gdpr-articles/forum-shopping-illegal-gdpr
When is data sharing agreement MOST likely to be needed?
- A . When anonymized data is being shared.
- B . When personal data is being shared between commercial organizations acting as joint data controllers.
- C . When personal data is being proactively shared by a controller to support a police investigation.
- D . When personal data is being shared with a public authority with powers to require the personal data to be disclosed.
SCENARIO
Please use the following to answer the next question:
Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquartered in Montreal, and all of its employees are located there. The company offers its services to
Canadians only: Its website is in English and French, it accepts only Canadian currency, and it blocks internet traffic from outside of Canada (although this solution doesn’t prevent all non-Canadian traffic). It also declines to process orders that request the DNA report to be sent outside of Canada, and returns orders that show a non-Canadian return address.
Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is exploring a number of plans to expand its customer base.
The first plan, collegially called We-Track-U, will use an app to collect information about its current Canadian customer base. The expansion will allow its Canadian customers to use the app while traveling abroad. He suggests that the company use this app to gather location information. If the plan shows promise, Bob proposes to use push notifications and text messages to encourage existing customers to pre-register for an EU version of the service. Bob calls this work plan, We-Text-U. Once the company has gathered enough pre-registrations, it will develop EU-specific content and services.
Another plan is called Customer for Life. The idea is to offer additional services through the company’s app, like storage and sharing of DNA information with other applications and medical providers. The company’s contract says that it can keep customer DNA indefinitely, and use it to offer new services and market them to customers. It also says that customers agree not to withdraw direct marketing consent. Paul, the marketing director, suggests that the company should fully exploit these provisions, and that it can work around customers’ attempts to withdraw consent because the contract invalidates them.
The final plan is to develop a brand presence in the EU. The company has already begun this process. It is in the process of purchasing the naming rights for a building in Germany, which would come with a few offices that Who-R-U executives can use while traveling internationally. The office doesn’t include any technology or infrastructure; rather, it’s simply a room with a desk and some chairs.
On a recent trip concerning the naming-rights deal, Bob’s laptop is stolen. The laptop held unencrypted DNA reports on 5,000 Who-R-U customers, all of whom are residents of Canada. The reports include customer name, birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information.
If Who-R-U decides to track locations using its app, what must it do to comply with the GDPR?
- A . Get consent from the app users.
- B . Provide a transparent notice to users.
- C . Anonymize the data and add latency so it avoids disclosing real time locations.
- D . Obtain a court order because location data is a special category of personal data.
How is the retention of communications traffic data for law enforcement purposes addressed by European data protection law?
- A . The ePrivacy Directive allows individual EU member states to engage in such data retention.
- B . The ePrivacy Directive harmonizes EU member states’ rules concerning such data retention.
- C . The Data Retention Directive’s annulment makes such data retention now permissible.
- D . The GDPR allows the retention of such data for the prevention, investigation, detection or prosecution of criminal offences only.
A
Explanation:
The ePrivacy Directive (2002/58/EC), often referred to as the Cookie Directive, focuses on the confidentiality of communications and the protection of personal data in the electronic communications sector. Article 15(1) of the ePrivacy Directive allows EU member states to adopt legislative measures to restrict the scope of certain rights and obligations when necessary to safeguard, among other things, national security, defense, and public security, and for the prevention, investigation, detection, and prosecution of criminal offenses. This means that individual EU member states can engage in data retention for law enforcement purposes, but any such retention must respect the fundamental principles of necessity and proportionality.
To provide further clarity:
B. The ePrivacy Directive does not harmonize EU member states’ rules concerning data retention; rather, it provides a framework within which member states can legislate.
C. The Data Retention Directive (2006/24/EC) was introduced to harmonize member states’ approaches to data retention for law enforcement purposes. However, in 2014, the European Court of Justice (ECJ) declared the Data Retention Directive invalid because it disproportionately infringed upon fundamental rights. Its annulment doesn’t make data retention permissible per se; rather, the legal landscape went back to relying on the provisions of the ePrivacy Directive and national legislation.
D. The GDPR primarily addresses the protection of personal data and its processing. While it does mention processing for law enforcement purposes, the directive specifically governing data processing for law enforcement is the Directive (EU) 2016/680 (often referred to as the Law Enforcement Directive). The GDPR itself does not set out provisions specifically for the retention of communications traffic data for law enforcement.
Since blockchain transactions are classified as pseudonymous, are they considered to be within the material scope of the GDPR or outside of it?
- A . Outside the material scope of the GDPR, because transactions do not include personal data about data subjects m the European Union.
- B . Within the material scope of the GDPR but outside of the territorial scope, because blockchains are decentralized.
- C . Within the material scope of the GDPR to the extent that transactions include data subjects in the European Union.
- D . Outside the material scope of the GDPR, because transactions are for personal or household purposes
Which change was introduced by the 2009 amendments to the e-Privacy Directive 2002/58/EC?
- A . A voluntary notification for personal data breaches applicable to all data controllers.
- B . A voluntary notification for personal data breaches applicable to electronic communication providers.
- C . A mandatory notification for personal data breaches applicable to all data controllers.
- D . A mandatory notification for personal data breaches applicable to electronic communication providers.
D
Explanation:
Reference: https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32009L0136
Bioface is a company based in the United States. It has no servers, personnel or assets in the European Union. By collecting photographs from social media and other web-based services, such as newspapers and blogs, it uses machine learning to develop a facial recognition algorithm. The algorithm identifies individuals in photographs who are not in its data set based the algorithm and its existing data. The service collects photographs of data subjects in the European Union and will identify them if presented with their photographs. Bioface offers its service to government agencies and companies in the United States and Canada, but not to those in the European Union. Bioface does not offer the service to individuals.
Why is Bioface subject to the territorial scope of the General Data Protection Regulation?
- A . It collects data from European Union websites, which constitutes an establishment in the European Union.
- B . It offers services in the European Union by identifying data subjects in the European Union.
- C . It collects data from subjects and uses it for automated processing.
- D . It monitors the behavior of data subjects in the European Union.
After detecting an intrusion involving the theft of unencrypted personal data, who shall the breached company notify first under GDPR requirements?
- A . Any parents of children whose personal data was compromised.
- B . Any affected customers whose data was compromised.
- C . A competent supervisory authority.
- D . A local law enforcement agency
SCENARIO
Please use the following to answer the next question:
Javier is a member of the fitness club EVERFIT. This company has branches in many EU member states, but for the purposes of the GDPR maintains its primary establishment in France. Javier lives in Newry, Northern Ireland (part of the U.K.), and commutes across the border to work in Dundalk, Ireland. Two years ago while on a business trip, Javier was photographed while working out at a branch of EVERFIT in Frankfurt, Germany. At the time, Javier gave his consent to being included in the photograph, since he was told that it would be used for promotional purposes only. Since then, the photograph has been used in the club’s U.K. brochures, and it features in the landing page of its U.K. website. However, the fitness club has recently fallen into disrepute due to widespread mistreatment of members at various branches of the club in several EU member states. As a result, Javier no longer feels comfortable with his photograph being publicly associated with the fitness club.
After numerous failed attempts to book an appointment with the manager of the local branch to discuss this matter, Javier sends a letter to EVETFIT requesting that his image be removed from the website and all promotional materials. Months pass and Javier, having received no acknowledgment of his request, becomes very anxious about this matter. After repeatedly failing to contact EVETFIT through alternate channels, he decides to take action against the company.
Javier contacts the U.K. Information Commissioner’s Office (‘ICO’ C the U.K.’s supervisory authority) to lodge a complaint about this matter. The ICO, pursuant to Article 56 (3) of the GDPR, informs the CNIL (i.e. the supervisory authority of EVERFIT’s main establishment) about this matter. Despite the fact that EVERFIT has an establishment in the U.K., the CNIL decides to handle the case in accordance with Article 60 of the GDPR. The CNIL liaises with the ICO, as relevant under the cooperation procedure. In light of issues amongst the supervisory authorities to reach a decision, the European Data Protection Board becomes involved and, pursuant to the consistency mechanism, issues a binding decision.
Additionally, Javier sues EVERFIT for the damages caused as a result of its failure to honor his request to have his photograph removed from the brochure and website.
Under the cooperation mechanism, what should the lead authority (the CNIL) do after it has formed its view on the matter?
- A . Submit a draft decision to other supervisory authorities for their opinion.
- B . Request that the other supervisory authorities provide the lead authority with a draft decision for its consideration.
- C . Submit a draft decision directly to the Commission to ensure the effectiveness of the consistency mechanism.
- D . Request that members of the seconding supervisory authority and the host supervisory authority co-draft a decision.
Which marketing-related activity is least likely to be covered by the provisions of Privacy and Electronic Communications Regulations (Directive 2002/58/EC)?
- A . Advertisements passively displayed on a website.
- B . The use of cookies to collect data about an individual.
- C . A text message to individuals from a company offering concert tickets for sale.
- D . An email from a retail outlet promoting a sale to one of their previous customer.
A
Explanation:
The Privacy and Electronic Communications Regulations (PECR) – based on the EU Directive 2002/58/EC, often referred to as the ePrivacy Directive – deals primarily with the processing of personal data and the protection of privacy in the electronic communications sector.
Let’s look at each of the options:
Under which of the following conditions does the General Data Protection Regulation NOT apply to the processing of personal data?
- A . When the personal data is processed only in non-electronic form
- B . When the personal data is collected and then pseudonymised by the controller
- C . When the personal data is held by the controller but not processed for further purposes
- D . When the personal data is processed by an individual only for their household activities
D
Explanation:
The General Data Protection Regulation (GDPR) includes a number of exceptions or exclusions, and one of these is for personal or household activities.
Let’s break down the options:
Pursuant to Article 17 and EDPB Guidelines S’2019 on RTBF criteria in search engines cases, all of the following would be valid grounds for data subject delisting requests EXCEPT?
- A . The personal dale has been collected in relation to the offer of Information society services (ISS) to a child.
- B . The data subject withdraws consent and there is no other legal basis for the processing.
- C . The personal data is no longer necessary in relation to the search engine provider’s processing
- D . The processing s necessary for exercising the right of freedom of expression and information
SCENARIO
Please use the following to answer the next question:
Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent. All of the company’s IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father’s company, but is also secretly working on launching a new global online dating website company called Ben Knows Best.
Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company’s online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers’ philosophical beliefs, political opinions and marital status.
If a customer identifies as single, Ben then copies all of that customer’s personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out.
Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Beak with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.
Joe also hires his best friend’s daughter, Alice, who just graduated from law school in the U.S., to be the company’s new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company’s operations in the European Union to the U.S.
Joe believes that Alice is doing a great job, and informs her that she will also be in-charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company’s IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone’s information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.
As a result of Sam’s actions, the Gummy Bear Company potentially violated Articles 33 and 34 of the GDPR and will be required to do what?
- A . Notify its Data Protection Authority about the data breach.
- B . Analyze and evaluate the liability for customers in Ireland.
- C . Analyze and evaluate all of its breach notification obligations.
- D . Notify all of its customers that reside in the European Union.
Which statement provides an accurate description of a directive?
- A . A directive speo5es certain results that must be achieved, but each member state is free to decide how to turn it into a national law
- B . A directive has binding legal force throughout every member state and enters into force on a set date in all the member states.
- C . A directive is a legal act relating to specific cases and directed towards member states, companies 0′ private individuals.
- D . A directive is a legal act that applies automatically and uniformly to all EU countries as soon as it enters into force.
What ruling did the Planet 49 CJEU judgment make regarding the issue of pre-ticked boxes?
- A . They are allowed if determined to be technically necessary.
- B . They do not amount to valid consent under any circumstances.
- C . They are allowed if recorded In the register of processing activities.
- D . They constitute valid consent if the processing is necessary for purposes of legitimate interest
Which mechanism, new to the GDPR, now allows for the possibility of personal data transfers to third countries under Article 42?
- A . Approved certifications.
- B . Binding corporate rules.
- C . Law enforcement requests.
- D . Standard contractual clauses.
A
Explanation:
Reference: https://www.anonos.com/gdpr-chapter-5-transfers-of-personal-data-to-third-countries-or-international-organisations
What is an important difference between the European Court of Human Rights (ECHR) and the Court of Justice of the European Union (CJEU) in relation to their roles and functions?
- A . ECHR can rule on issues concerning privacy as a fundamental right, while the CJEU cannot.
- B . CJEU can force national governments to implement and honor EU law, while the ECHR cannot.
- C . CJEU can hear appeals on human rights decisions made by national courts, while the ECHR cannot.
- D . ECHR can enforce human rights laws against governments that fail to implement them, while the CJEU cannot.
SCENARIO
Please use the following to answer the next question:
Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees’ computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees’ computers.
Since these measures would potentially impact employees, Building Block’s Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.
After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees’ computers activity and their location. During these activities, the Information Security team discovered that one employee from Italy was daily connecting to a video library of movies, and another one from Germany worked remotely without authorization. The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.
Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company’s computers, and from working remotely without authorization.
What would be the MOST APPROPRIATE way for Building Block to handle the situation with the employee from Italy?
- A . Since the GDPR does not apply to this situation, the company would be entitled to apply any disciplinary measure authorized under Italian labor law.
- B . Since the employee was the cause of a serious risk for the server performance and their data, the company would be entitled to apply disciplinary measures to this employee, including fair dismissal.
- C . Since the employee was not informed that the security measures would be used for other purposes such as monitoring, the company could face difficulties in applying any disciplinary measures to this employee.
- D . Since this was a serious infringement, but the employee was not appropriately informed about the consequences the new security measures, the company would be entitled to apply some disciplinary measures, but not dismissal.
SCENARIO
Please use the following to answer the next question:
ProStorage is a multinational cloud storage provider headquartered in the Netherlands. Its CEO. Ruth Brown, has developed a two-pronged strategy for growth: 1) expand ProStorage s global customer base and 2) increase ProStorage’s sales force by efficiently onboarding effective teams. Enacting this strategy has recently been complicated by Ruth’s health condition, which has limited her working hours, as well as her ability to travel to meet potential customers. ProStorage’s Human Resources department and Ruth’s Chief of Staff now work together to manage her schedule and ensure that she is able to make all her medical appointments The latter has become especially crucial after Ruth’s last trip to India, where she suffered a medical emergency and was hospitalized m New Delhi Unable to reach Ruths family, the hospital reached out to ProStorage and was able to connect with her Chief of Staff, who in coordination with Mary, the head of HR. provided information to the doctors based on accommodate on requests Ruth made when she started a: ProStorage
What transfer mechanism did ProStorage most likely rely on to transfer Ruth’s medical information to the hospital?
- A . Ruth’s implied consent.
- B . Protecting the vital interest of Ruth
- C . Performance of a contract with Ruth.
- D . Protecting against legal liability from Ruth.
WP29’s “Guidelines on Personal data breach notification under Regulation 2016/679’’ provides examples of ways to communicate data breaches transparently.
Which of the following was listed as a method that would NOT be effective for communicating a breach to data subjects?
- A . A postal notification
- B . A direct electronic message
- C . A notice on a corporate blog
- D . A prominent advertisement in print media
C
Explanation:
Reference: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwih19CSx9LqAhVQe8AKHe-VDQEQFjAAegQIAhAB&url=https%3A%2F%2Fec.europa.eu%2Fnewsroom%2Farticle29%2Fdocument.cfm% 3Fdoc_id%3D49827&usg=AOvVaw2uhYsKyRzJ6lwhQyiMURJF (21)
A company has collected personal data tor direct marketing purpose on the basis of consent. It is now considering using this data to develop new products through analytics.
What is the company first required to do?
- A . Obtain specific consent for the new processing
- B . Only inform the data subjects of the new purpose.
- C . Proceed no further, as such repurposing is unlawful
- D . Update the privacy notice upon which consent was given
In which of the following cases would an organization MOST LIKELY be required to follow both ePrivacy and data protection rules?
- A . When creating an untargeted pop-up ad on a website.
- B . When calling a potential customer to notify her of an upcoming product sale.
- C . When emailing a customer to announce that his recent order should arrive earlier than expected.
- D . When paying a search engine company to give prominence to certain products and services within specific search results.
B
Explanation:
Both ePrivacy and data protection rules (like the GDPR) can be applicable simultaneously in certain scenarios, particularly when it comes to direct marketing.
A brief overview of each option:
In which case would a controller who has undertaken a DPIA most likely need to consult with a supervisory authority?
- A . Where the DPIA identifies that personal data needs to be transferred to other countries outside of the EEA.
- B . Where the DPIA identifies high risks to individuals’ rights and freedoms that the controller can take steps to reduce.
- C . Where the DPIA identifies that the processing being proposed collects the sensitive data of EU citizens.
- D . Where the DPIA identifies risks that will require insurance for protecting its business interests.
B
Explanation:
Reference: https://www.dataguidance.com/opinion/eu-how-when-and-why-carrying-out-dpia
How does the GDPR now define “processing”?
- A . Any act involving the collecting and recording of personal data.
- B . Any operation or set of operations performed on personal data or on sets of personal data.
- C . Any use or disclosure of personal data compatible with the purpose for which the data was collected.
- D . Any operation or set of operations performed by automated means on personal data or on sets of personal data.
B
Explanation:
Reference: https://gdpr-info.eu/issues/processing/
What is the MAIN reason GDPR Article 4(22) establishes the concept of the “concerned supervisory authority”?
- A . To encourage the consistency of local data processing activity.
- B . To give corporations a choice about who their supervisory authority will be.
- C . To ensure the GDPR covers controllers that do not have an establishment in the EU but have a representative in a member state.
- D . To ensure that the interests of individuals residing outside the lead authority’s jurisdiction are represented.
Which of the following would MOST likely trigger the extraterritorial effect of the GDPR, as specified by Article 3?
- A . The behavior of suspected terrorists being monitored by EU law enforcement bodies.
- B . Personal data of EU citizens being processed by a controller or processor based outside the EU.
- C . The behavior of EU citizens outside the EU being monitored by non-EU law enforcement bodies.
- D . Personal data of EU residents being processed by a non-EU business that targets EU customers.
D
Explanation:
Article 3 of the GDPR specifies the territorial scope of the regulation. According to Article 3(2), the GDPR applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
b) the monitoring of their behavior as far as their behavior takes place within the Union.
Option D aligns with the criteria specified in Article 3(2)(a). If a non-EU business targets EU customers (or offers goods or services to individuals in the EU), then it falls under the territorial scope of the GDPR.
While option B may sound plausible, the mere fact of processing personal data of EU citizens outside the EU doesn’t automatically bring an entity under the GDPR’s scope. It’s the targeting of services or monitoring of behavior of individuals in the EU that triggers the GDPR’s extraterritorial effect.
It a company receives an anonymous email demanding ransom for the stolen personal data of its clients, what must the company do next, per GDPR requirements’3
- A . Notify the police and Tile a criminal complaint about the incident
- B . Start an investigation to understand the incident’s possible scope, duration and nature
- C . Send a notification to the competent supervisory authority describing the incident.
- D . Send an email about the incident to all clients and ask them to change their passwords
A company in France suffers a robbery over the weekend owing to a faulty alarm system. When it is determined that the break-in involves the loss of a substantial amount of data, the company decides on a CCTV system to monitor for future incidents. Company technicians install cameras in the entrance of the building, hallways and offices. Footage is recorded continuously, and is monitored by the home office in the United States.
What is the most realistic step the company could take to address their security concerns and comply with the personal data processing principles set out in Article 5 of the GDPR?
- A . Seek informed consent from company employees.
- B . Have cameras recording during work hours only.
- C . Retain captured footage for no more than 30 days.
- D . Restrict camera placement to building entrances only.
SCENARIO
Please use the following to answer the next question:
T-Craze, a German-headquartered specialty t-shirt company, was successfully selling to large German metropolitan cities. However, after a recent merger with another German-based company that was selling to a broader European market, T-Craze revamped its marketing efforts to sell to a wider audience. These efforts included a complete redesign of its logo to reflect the recent merger, and improvements to its website meant to capture more information about visitors through the use of cookies.
T-Craze also opened various office locations throughout Europe to help expand its business. While Germany continued to host T-Craze’s headquarters and main product-design office, its French affiliate became responsible for all marketing and sales activities. The French affiliate recently procured the services of Right Target, a renowned marketing firm based in the Philippines, to run its latest marketing campaign. After thorough research, Right Target determined that T-Craze is most successful with customers between the ages of 18 and 22. Thus, its first campaign targeted university students in several European capitals, which yielded nearly 40% new customers for T-Craze in one quarter. Right Target also ran subsequent campaigns for T- Craze, though with much less success.
The last two campaigns included a wider demographic group and resulted in countless unsubscribe requests, including a large number in Spain. In fact, the Spanish data protection authority received a complaint from Sofia, a mid-career investment banker. Sofia was upset after receiving a marketing communication even after unsubscribing from such communications from the Right Target on behalf of T-Craze.
Why does the Spanish supervisory authority notify the French supervisory authority when it opens an investigation into T-Craze based on Sofia’s complaint?
- A . T-Craze has a French affiliate.
- B . The French affiliate procured the services of Right Target.
- C . T-Craze conducts its marketing and sales activities in France.
- D . The Spanish supervisory authority is providing a courtesy notification not required under the GDPR.
SCENARIO
Please use the following to answer the next question:
Zandelay Fashion (‘Zandelay’) is a successful international online clothing retailer that employs approximately 650 people at its headquarters based in Dublin, Ireland. Martin is their recently appointed data protection officer, who oversees the company’s compliance with the General Data Protection Regulation (GDPR) and other privacy legislation.
The company offers both male and female clothing lines across all age demographics, including children. In doing so, the company processes large amounts of information about such customers, including preferences and sensitive financial information such as credit card and bank account numbers.
In an aggressive bid to build revenue growth, Jerry, the CEO, tells Martin that the company is launching a new mobile app and loyalty scheme that puts significant emphasis on profiling the company’s customers by analyzing their purchases.
Martin tells the CEO that:
(a) the potential risks of such activities means that Zandelay needs to carry out a data protection impact assessment to assess this new venture and its privacy implications; and
(b) where the results of this assessment indicate a high risk in the absence of appropriate protection measures, Zandelay may have to undertake a prior consultation with the Irish
Data Protection Commissioner before implementing the app and loyalty scheme.
Jerry tells Martin that he is not happy about the prospect of having to directly engage with a supervisory authority and having to disclose details of Zandelay’s business plan and associated processing activities.
What would MOST effectively assist Zandelay in conducting their data protection impact assessment?
- A . Information about DPIAs found in Articles 38 through 40 of the GDPR.
- B . Data breach documentation that data controllers are required to maintain.
- C . Existing DPIA guides published by local supervisory authorities.
- D . Records of processing activities that data controllers are required to maintain.
What is true if an employee makes an access request to his employer for any personal data held about him?
- A . The employer can automatically decline the request if it contains personal data about a third person.
- B . The employer can decline the request if the information is only held electronically.
- C . The employer must supply all the information held about the employee.
- D . The employer must supply any information held about an employee unless an exemption applies.
Which of the following is the weakest lawful basis for processing employee personal data?
- A . Processing based on fulfilling an employment contract.
- B . Processing based on employee consent.
- C . Processing based on legitimate interests.
- D . Processing based on legal obligation.
B
Explanation:
Reference: https://www.itgovernance.co.uk/blog/gdpr-lawful-bases-for-processing-with-examples
Which of the following regulates the use of electronic communications services within the European Union?
- A . Regulator (EU) 2015/2120 of the European Parliament and of the Council of 25 November 2015.
- B . Regulation (EU) 2017/1953 of the European Parliament and of the Council of 25 October 2017.
- C . Directive 2002/58’EC of the European Parliament and of the Council of 12 July 2002.
- D . Directive (EU) 2019.789 of the European Parliament and of the Council of 17 April 2019.
Which of the following is NOT an explicit right granted to data subjects under the GDPR?
- A . The right to request access to the personal data a controller holds about them.
- B . The right to request the deletion of data a controller holds about them.
- C . The right to opt-out of the sale of their personal data to third parties.
- D . The right to request restriction of processing of personal data, under certain scenarios.
C
Explanation:
Under the GDPR, the following rights are explicitly granted to data subjects:
A U.S. company’s website sells widgets.
Which of the following factors would NOT in itself subject the company to the GDPR?
- A . The widgets are offered in EU and priced in euro.
- B . The website is in English and French, and is accessible in France.
- C . An affiliate office is located in France but the processing is in the U.S.
- D . The website places cookies to monitor the EU website user behavior.
Under the GDPR, which of the following is true in regard to adequacy decisions involving cross-border transfers?
- A . The European Commission can adopt an adequacy decision for individual companies.
- B . The European Commission can adopt, repeal or amend an existing adequacy decision.
- C . EU member states are vested with the power to accept or reject a European Commission adequacy decision.
- D . To be considered as adequate, third countries must implement the EU General Data Protection Regulation into their national legislation.
B
Explanation:
Under the GDPR, regarding adequacy decisions involving cross-border transfers:
For which of the following operations would an employer most likely be justified in requesting the data subject’s consent?
- A . Posting an employee’s bicycle race photo on the company’s social media.
- B . Processing an employee’s health certificate in order to provide sick leave.
- C . Operating a CCTV system on company premises.
- D . Assessing a potential employee’s job application.
SCENARIO
Please use the following to answer the next question:
Jane Stan’s her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a dedicated data center located in Malta (EU).
People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a KYC due diligence procedure aimed at preventing money laundering and ensuring compliance with applicable financial regulations.
The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and belong a checkbox on a separate page in order to get their account approved on the platform.
The customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a Are the cybersecurity assessors required to sign a data processing agreement with the company in order to comply with the GDPR”
- A . No, the assessors do not quality as data processors as they only have access to encrypted data.
- B . No. the assessors do not quality as data processors as they do not copy the data to their facilities.
- C . Yes. the assessors a-e considered to be joint data controllers and must sign a mutual data processing agreement.
- D . Yes, the assessors are data processors and their processing of personal data must be governed by a separate contract or other legal act.
Which of the following is NOT considered a fair processing practice in relation to the transparency principle?
- A . Providing a multi-layered privacy notice, in a website environment.
- B . Providing a QR code linking to more detailed privacy notice, in a CCTV sign.
- C . Providing a hyperlink to the organization’s home page, in a hard copy application form.
- D . Providing a “just-in-time” contextual pop-up privacy notice, in an online application from field.
In the Planet 49 case, what was the man judgement of the Coon of Justice of the European Union (CJEU) regarding the issue of cookies?
- A . If the cookies do not track personal data, then pre-checked boxes are acceptable.
- B . If the ePrivacy Directive requires consent for cookies, then the GDPR’s consent requirements apply.
- C . If a website’s cookie notice makes clear the information gathered and the lifespan of the cookie, then pre-checked boxes are acceptable.
- D . If a data subject continues to scroll through a website after reading a cookie banner, this activity constitutes valid consent for the tracking described in the cookie banner.
In the Planet 49 case, what was the man judgement of the Coon of Justice of the European Union (CJEU) regarding the issue of cookies?
- A . If the cookies do not track personal data, then pre-checked boxes are acceptable.
- B . If the ePrivacy Directive requires consent for cookies, then the GDPR’s consent requirements apply.
- C . If a website’s cookie notice makes clear the information gathered and the lifespan of the cookie, then pre-checked boxes are acceptable.
- D . If a data subject continues to scroll through a website after reading a cookie banner, this activity constitutes valid consent for the tracking described in the cookie banner.
In the Planet 49 case, what was the man judgement of the Coon of Justice of the European Union (CJEU) regarding the issue of cookies?
- A . If the cookies do not track personal data, then pre-checked boxes are acceptable.
- B . If the ePrivacy Directive requires consent for cookies, then the GDPR’s consent requirements apply.
- C . If a website’s cookie notice makes clear the information gathered and the lifespan of the cookie, then pre-checked boxes are acceptable.
- D . If a data subject continues to scroll through a website after reading a cookie banner, this activity constitutes valid consent for the tracking described in the cookie banner.
In the Planet 49 case, what was the man judgement of the Coon of Justice of the European Union (CJEU) regarding the issue of cookies?
- A . If the cookies do not track personal data, then pre-checked boxes are acceptable.
- B . If the ePrivacy Directive requires consent for cookies, then the GDPR’s consent requirements apply.
- C . If a website’s cookie notice makes clear the information gathered and the lifespan of the cookie, then pre-checked boxes are acceptable.
- D . If a data subject continues to scroll through a website after reading a cookie banner, this activity constitutes valid consent for the tracking described in the cookie banner.
Limitation of liability. […]
Consent
By completing this registration form, you attest that you are at least 16 years of age, and that you consent to the processing of your personal data by Vigotron for the purpose of using the M-Health app. Although you are entitled to opt out of any advertising or marketing, you agree that Vigotron may contact you or provide you with any required notices, agreements, or other information concerning the services by email or other electronic means. You also agree that the Company may send automated emails with alerts regarding any problems with the M-Health app that may affect your well being.
What is one potential problem Vigotron’s age policy might encounter under the GDPR?
- A . Age restrictions are more stringent when health data is involved.
- B . Users are only required to be aged 13 or over to be considered adults.
- C . Organizations must make reasonable efforts to verify parental consent.
- D . Organizations that tie a service to marketing must seek consent for each purpose.
Based on GDPR Article 35, which of the following situations would trigger the need to complete a DPIA?
- A . A company wants to combine location data with other data in order to offer more personalized service for the customer.
- B . A company wants to use location data to infer information on a person’s clothes purchasing habits.
- C . A company wants to build a dating app that creates candidate profiles based on location data and data from third-party sources.
- D . A company wants to use location data to track delivery trucks in order to make the routes more efficient.
C
Explanation:
Reference: http://webcache.googleusercontent.com/search?q=cache:aQkU17eX9sQJ:https://www.shlegal.com/insights/article-29-data-protection-working-party-gdpr-guidelines-on-data-protection-impact-assessments&client=firefox-b-e&hl=en&gl=pk&strip=1&vwsrc=0
SCENARIO
Please use the following to answer the next question:
Brady is a computer programmer based in New Zealand who has been running his own business for two years. Brady’s business provides a low-cost suite of services to customers throughout the European Economic Area (EEA). The services are targeted towards new and aspiring small business owners. Brady’s company, called Brady Box, provides web page design services, a Social Networking Service (SNS) and consulting services that help people manage their own online stores.
Unfortunately, Brady has been receiving some complaints. A customer named Anna recently uploaded her plans for a new product onto Brady Box’s chat area, which is open to public viewing. Although she realized her mistake two weeks later and removed the document, Anna is holding Brady Box responsible for not noticing the error through regular monitoring of the website. Brady believes he should not be held liable.
Another customer, Felipe, was alarmed to discover that his personal information was transferred to a third- party contractor called Hermes Designs and worries that sensitive information regarding his business plans may be misused. Brady does not believe he violated European privacy rules. He provides a privacy notice to all of his customers explicitly stating that personal data may be transferred to specific third parties in fulfillment of a requested service. Felipe says he read the privacy notice but that it was long and complicated
Brady continues to insist that Felipe has no need to be concerned, as he can personally vouch for the integrity of Hermes Designs. In fact, Hermes Designs has taken the initiative to create sample customized banner advertisements for customers like Felipe. Brady is happy to provide a link to the example banner ads, now posted on the Hermes Designs webpage. Hermes Designs plans on following up with direct marketing to these customers.
Brady was surprised when another customer, Serge, expressed his dismay that a quotation by him is being used within a graphic collage on Brady Box’s home webpage. The quotation is attributed to Serge by first and last name. Brady, however, was not worried about any sort of litigation. He wrote back to Serge to let him know that he found the quotation within Brady Box’s Social Networking Service (SNS), as Serge himself had posted the quotation. In his response, Brady did offer to remove the quotation as a courtesy.
Despite some customer complaints, Brady’s business is flourishing. He even supplements his income through online behavioral advertising (OBA) via a third-party ad network with whom he has set clearly defined roles. Brady is pleased that, although some customers are not explicitly aware of the OBA, the advertisements contain useful products and services.
Based on current trends in European privacy practices, which aspect of Brady Box’ Online Behavioral Advertising (OBA) is most likely to be insufficient if the company becomes established in Europe?
- A . The lack of the option to opt in.
- B . The level of security within the website.
- C . The contract with the third-party advertising network.
- D . The need to have the contents of the advertising approved.
Which of the following is NOT recognized as being a common characteristic of cloud-computing services?
- A . The service’s infrastructure is shared among the supplier’s customers and can be located in a number of countries.
- B . The supplier determines the location, security measures, and service standards applicable to the processing.
- C . The supplier allows customer data to be transferred around the infrastructure according to capacity.
- D . The supplier assumes the vendor’s business risk associated with data processed by the supplier.
D
Explanation:
Reference: https://www.softwaremajor.com/news-articles/64-gdpr-how-does-it-apply-to-the-cloud
There are three domains of security covered by Article 32 of the GDPR that apply to both the controller and the processor. These include all of the following EXCEPT?
- A . Consent management and withdrawal.
- B . Incident detection and response.
- C . Preventative security.
- D . Remedial security.
A company wishes to transfer personal data to a country outside of the European Union/EEA In order to do so, they are planning an assessment of the country’s laws and practices, knowing that these may impinge upon the transfer safeguards they intend to use All of the following factors would be relevant for the company to consider EXCEPT’?
- A . Any onward transfers, such as transfers of personal data to a sub-processor in the same or another third country.
- B . The process of modernization in the third country concerned and their access to emerging technologies that rely on international transfers of personal data
- C . The technical, financial, and staff resources available to an authority m the third country concerned that may access the personal data to be transferred
- D . The contractual clauses between the data controller or processor established in the European Union/EEA and the recipient of the transfer established in the third country concerned
Which of the following would NOT be relevant when determining if a processing activity would be considered profiling?
- A . If the processing is to be performed by a third-party vendor
- B . If the processing involves data that is considered personal data
- C . If the processing of the data is done through automated means
- D . If the processing is used to predict the behavior of data subjects
SCENARIO
Please use the following to answer the next question:
You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company’s revenue is due to international sales.
The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: The figures can answer children’s Questions: on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience.
When a child asks the toy a QUESTION, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure’s integrated speakers, making it appear as though that the toy is actually responding to the child’s QUESTION. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.
In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near-Field Communications (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures’ abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character’s abilities remain intact.
In light of the requirements of Article 32 of the GDPR (related to the Security of Processing), which practice should the company institute?
- A . Encrypt the data in transit over the wireless Bluetooth connection.
- B . Include dual-factor authentication before each use by a child in order to ensure a minimum amount of security.
- C . Include three-factor authentication before each use by a child in order to ensure the best level of security possible.
- D . Insert contractual clauses into the contract between the toy manufacturer and the cloud service provider, since South Africa is outside the European Union.
When hiring a data processor, which action would a data controller NOT be able to depend upon to avoid liability in the event of a security breach?
- A . Documenting due diligence steps taken in the pre-contractual stage.
- B . Conducting a risk assessment to analyze possible outsourcing threats.
- C . Requiring that the processor directly notify the appropriate supervisory authority.
- D . Maintaining evidence that the processor was the best possible market choice available.
Data retention in the EU was underpinned by a legal framework established by the Data Retention Directive (2006/24/EC).
Why is the Directive no longer part of EU law?
- A . The Directive was superseded by the EU Directive on Privacy and Electronic Communications.
- B . The Directive was superseded by the General Data Protection Regulation.
- C . The Directive was annulled by the Court of Justice of the European Union.
- D . The Directive was annulled by the European Court of Human Rights.
In which situation would a data controller most likely be able to justify the processing of the data of a child without parental consent?
- A . When the data is to be processed for market research.
- B . When providing preventive or counselling services to the child.
- C . When providing the child with materials purely for educational use.
- D . When a legitimate business interest makes obtaining consent impractical.
A news website based m (he United Slates reports primarily on North American events The website is accessible to any user regardless of location, as the website operator does not block connections from outside of the U.S. The website offers a pad subscription that requires the creation of a user account; this subscription can only be paid in U.S. dollars.
Which of the following explains why the website operator, who is the responsible for all processing related to account creation and subscriptions, is NOT required to comply with the GDPR?
- A . Payments cannot be made in a European Union currency.
- B . The controller does not have an establishment in the European Union.
- C . The website is not available in several official languages of European Un on Member States
- D . The website cannot block connections from outside the U.S. that use a Virtual Private Network (VPN) to simulate a US location.
A homeowner has installed a motion-detecting surveillance system that films his front doc and entryway. The camera does not film any public areas only areas that are the property of the homeowner. The system has seen declared to the authorities per the homeowner’s country law, and a placard indicating the area is being video monitored is visible when entering the property
Why can the homeowner NOT depend on the household exemption with regards to the processing of the video images recorded by the surveillance camera system?
- A . The surveillance camera system can potentially capture biometric information of the homeowner’s family, which would be considered a processing of special categories of personal data.
- B . The homeowner has not specified which security measures ore in place as part of the surveillance camera system
- C . The GDPR specifically excludes surveillance camera images from the household exemption
- D . The surveillance camera system can potentially film individuals who enter its filming perimeter
SCENARIO
Please use the following to answer the next question:
Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquartered in Montreal, and all of its employees are located there. The company offers its services to Canadians only: Its website is in English and French, it accepts only Canadian currency, and it blocks internet traffic from outside of Canada (although this solution doesn’t prevent all non-Canadian traffic). It also declines to process orders that request the DNA report to be sent outside of Canada, and returns orders that show a non-Canadian return address.
Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is exploring a number of plans to expand its customer base.
The first plan, collegially called We-Track-U, will use an app to collect information about its current Canadian customer base. The expansion will allow its Canadian customers to use the app while traveling abroad. He suggests that the company use this app to gather location information. If the plan shows promise, Bob proposes to use push notifications and text messages to encourage existing customers to pre-register for an EU version of the service. Bob calls this work plan, We-Text-U. Once the company has gathered enough pre- registrations, it will develop EU-specific content and services.
Another plan is called Customer for Life. The idea is to offer additional services through the company’s app, like storage and sharing of DNA information with other applications and medical providers. The company’s contract says that it can keep customer DNA indefinitely, and use it to offer new services and market them to customers. It also says that customers agree not to withdraw direct marketing consent. Paul, the marketingdirector, suggests that the company should fully exploit these provisions, and that it can work around customers’ attempts to withdraw consent because the contract invalidates them.
The final plan is to develop a brand presence in the EU. The company has already begun this process. It is in the process of purchasing the naming rights for a building in Germany, which would come with a few offices that Who-R-U executives can use while traveling internationally. The office doesn’t include any technology or infrastructure; rather, it’s simply a room with a desk and some chairs.
On a recent trip concerning the naming-rights deal, Bob’s laptop is stolen. The laptop held unencrypted DNA reports on 5,000 Who-R-U customers, all of whom are residents of Canada. The reports include customer name, birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information.
If Who-R-U adopts the We-Track-U pilot plan, why is it likely to be subject to the territorial scope of the GDPR?
- A . Its plan would be in the context of the establishment of a controller in the Union.
- B . It would be offering goods or services to data subjects in the Union.
- C . It is engaging in commercial activities conducted in the Union.
- D . It is monitoring the behavior of data subjects in the Union.
When does the GDPR provide more latitude for a company to process data beyond its original collection purpose?
- A . When the data has been pseudonymized.
- B . When the data is protected by technological safeguards.
- C . When the data serves legitimate interest of third parties.
- D . When the data subject has failed to use a provided opt-out mechanism.
Under the GDPR, where personal data is not obtained directly from the data subject, a controller is exempt from directly providing information about processing to the data subject if?
- A . The data subject already has information regarding how his data will be used
- B . The provision of such information to the data subject would be too problematic
- C . Third-party data would be disclosed by providing such information to the data subject
- D . The processing of the data subject’s data is protected by appropriate technical measures
A
Explanation:
Reference: https://dataprivacymanager.net/gdpr-exemptions-from-the-obligation-to-provide-information-to-the-individual-data-subject/
The origin of privacy as a fundamental human right can be found in which document?
- A . Universal Declaration of Human Rights 1948.
- B . European Convention of Human Rights 1953.
- C . OECD Guidelines on the Protection of Privacy 1980.
- D . Charier of Fundamental Rights of the European Union 2000.
SCENARIO
Please use the following to answer the next question:
Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees’ computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees’ computers.
Since these measures would potentially impact employees, Building Block’s Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.
After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees’ computers activity and their location. During these activities, the Information Security team discovered that one employee from Italy was daily connecting to a video library of movies, and another one from Germany worked remotely without authorization. The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.
Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company’s computers, and from working remotely without authorization.
In addition to notifying employees about the purpose of the monitoring, the potential uses of their data and their privacy rights, what information should Building Block have provided them before implementing the security measures?
- A . Information about what is specified in the employment contract.
- B . Information about who employees should contact with any queries.
- C . Information about how providing consent could affect them as employees.
- D . Information about how the measures are in the best interests of the company.
SCENARIO
Please use the following to answer the next question:
Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquartered in Montreal, and all of its employees are located there. The company offers its services to Canadians only: Its website is in English and French, it accepts only Canadian currency, and it blocks internet traffic from outside of Canada (although this solution doesn’t prevent all non-Canadian traffic). Italso declines to process orders that request the DNA report to be sent outside of Canada, and returns orders that show a non-Canadian return address.
Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is exploring a number of plans to expand its customer base.
The first plan, collegially called We-Track-U, will use an app to collect information about its current Canadian customer base. The expansion will allow its Canadian customers to use the app while traveling abroad. He suggests that the company use this app to gather location information. If the plan shows promise, Bob proposes to use push notifications and text messages to encourage existing customers to pre-register for an EU version of the service. Bob calls this work plan, We-Text-U. Once the company has gathered enough pre-registrations, it will develop EU-specific content and services.
Another plan is called Customer for Life. The idea is to offer additional services through the company’s app, like storage and sharing of DNA information with other applications and medical providers. The company’s contract says that it can keep customer DNA indefinitely, and use it to offer new services and market them to customers. It also says that customers agree not to withdraw direct marketing consent. Paul, the marketing director, suggests that the company should fully exploit these provisions, and that it can work around customers’ attempts to withdraw consent because the contract invalidates them.
The final plan is to develop a brand presence in the EU. The company has already begun this process. It is in the process of purchasing the naming rights for a building in Germany,
which would come with a few offices that Who-R-U executives can use while traveling internationally. The office doesn’t include any technology or infrastructure; rather, it’s simply a room with a desk and some chairs.
On a recent trip concerning the naming-rights deal, Bob’s laptop is stolen. The laptop held unencrypted DNA reports on 5,000 Who-R-U customers, all of whom are residents of Canada. The reports include customer name, birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information.
The Customer for Life plan may conflict with which GDPR provision?
- A . Article 6, which requires processing to be lawful.
- B . Article 7, which requires consent to be as easy to withdraw as it is to give.
- C . Article 16, which provides data subjects with a rights to rectification.
- D . Article 20, which gives data subjects a right to data portability.
What is the consequence if a processor makes an independent decision regarding the purposes and means of processing it carries out on behalf of a controller?
- A . The controller will be liable to pay an administrative fine
- B . The processor will be liable to pay compensation to affected data subjects
- C . The processor will be considered to be a controller in respect of the processing concerned
- D . The controller will be required to demonstrate that the unauthorized processing negatively affected one or more of the parties involved
C
Explanation:
If a processor makes an independent decision regarding the purposes and means of processing it carries out on behalf of a controller, the consequence is:
C. The processor will be considered to be a controller in respect of the processing concerned.
According to the GDPR, if a processor starts to determine the purposes and means of the processing, it steps out of its role as a processor and takes on the responsibilities of a controller for that particular processing activity.
SCENARIO
Please use the following to answer the next question:
Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.
Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick’s instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.
Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its clients’ data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying information from the contact information. JaphSoft’s engineers, however, maintain all contact information in the same database as the identifying information.
Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies’ websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem’s as well as EcoMick’s latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem’s products, she has never shopped EcoMick, nor provided her personal data to that company.
JaphSoft’s use of pseudonymization is NOT in compliance with the CDPR because?
- A . JaphSoft failed to first anonymize the personal data.
- B . JaphSoft pseudonymized all the data instead of deleting what it no longer needed.
- C . JaphSoft was in possession of information that could be used to identify data subjects.
- D . JaphSoft failed to keep personally identifiable information in a separate database.
Under Article 80(1) of the GDPR, individuals can elect to be represented by not-for-profit organizations in a privacy group litigation or class action.
These organizations are commonly known as?
- A . Law firm organizations.
- B . Civil society organizations.
- C . Human rights organizations.
- D . Constitutional rights organizations.
B
Explanation:
Reference: https://gdpr-info.eu/art-80-gdpr/
According to the GDPR, how is pseudonymous personal data defined?
- A . Data that can no longer be attributed to a specific data subject without the use of additional information kept separately.
- B . Data that can no longer be attributed to a specific data subject, with no possibility of re-identifying the data.
- C . Data that has been rendered anonymous in such a manner that the data subject is no longer identifiable.
- D . Data that has been encrypted or is subject to other technical safeguards.
A
Explanation:
Reference: https://www.chino.io/blog/what-is-pseudonymous-data-according-to-the-gdpr/
When would a data subject NOT be able to exercise the right to portability?
- A . When the processing is necessary to perform a task in the exercise of authority vested in the controller.
- B . When the processing is carried out pursuant to a contract with the data subject.
- C . When the data was supplied to the controller by the data subject.
- D . When the processing is based on consent.
A
Explanation:
Reference: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-data-portability/
A well-known video production company, based in Spain but specializing in documentaries filmed worldwide, has just finished recording several hours of footage featuring senior citizens in the streets of Madrid. Under what condition would the company NOT be required to obtain the consent of everyone whose image they use for their documentary?
- A . If obtaining consent is deemed to involve disproportionate effort.
- B . If obtaining consent is deemed voluntary by local legislation.
- C . If the company limits the footage to data subjects solely of legal age.
- D . If the company’s status as a documentary provider allows it to claim legitimate interest.
As per the GDPR, which legal basis would be the most appropriate for an online shop that wishes to process personal data for the purpose of fraud prevention?
- A . Protection of the interests of the data subjects.
- B . Performance of a contact
- C . Legitimate interest
- D . Consent
SCENARIO
Please use the following to answer the next question:
Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.
Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick’s instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.
Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its clients’ data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying information from the contact information. JaphSoft’s engineers, however, maintain all contact information in the same database as the identifying information.
Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies’ websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem’s as well as EcoMick’s latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem’s products, she has never shopped EcoMick, nor provided her personal data to that company.
For what reason would JaphSoft be considered a controller under the GDPR?
- A . It determines how long to retain the personal data collected.
- B . It has been provided access to personal data in the MarketIQ database.
- C . It uses personal data to improve its products and services for its client-base through machine learning.
- D . It makes decisions regarding the technical and organizational measures necessary to protect the personal data.
Article 9 of the GDPR lists exceptions to the general prohibition against processing biometric data.
Which of the following is NOT one of these exceptions?
- A . The processing is done by a non-profit organization and the results are disclosed outside the organization.
- B . The processing is necessary to protect the vital interests of the data subject when he or she is incapable of giving consent.
- C . The processing is necessary for the establishment, exercise or defense of legal claims when courts are acting in a judicial capacity.
- D . The processing is explicitly consented to by the data subject and he or she is allowed by Union or Member State law to lift the prohibition.
A
Explanation:
Reference: https://dataprivacymanager.net/sensitive-personal-data-special-category-under-the-gdpr/
Which sentence best describes proper compliance for an international organization using Binding Corporate Rules (BCRs) as a controller or processor?
- A . Employees must sign an ad hoc contractual agreement each time personal data is exported.
- B . All employees are subject to the rules in their entirety, regardless of where the work is taking place.
- C . All employees must follow the privacy regulations of the jurisdictions where the current scope of their work is established.
- D . Employees who control personal data must complete a rigorous certification procedure, as they are exempt from legal enforcement.
If a French controller has a car-sharing app available only in Morocco, Algeria and Tunisia, but the data processing activities are carried out by the appointed processor in Spain, the GDPR will apply to the processing of the personal data so long as?
- A . The individuals are European citizens or residents.
- B . The data processing activities are in Spain.
- C . The data controller is in France.
- D . The EU individuals are targeted.
A worker in a European Union (EU) member state has ceased his employment with a company.
What should the employer most likely do in regard to the worker’s personal data?
- A . Destroy sensitive information and store the rest per applicable data protection rules.
- B . Store all of the data in case the departing worker makes a subject access request.
- C . Securely store the data that is required to be kept under local law.
- D . Provide the employee the reasons for retaining the data.
A worker in a European Union (EU) member state has ceased his employment with a company.
What should the employer most likely do in regard to the worker’s personal data?
- A . Destroy sensitive information and store the rest per applicable data protection rules.
- B . Store all of the data in case the departing worker makes a subject access request.
- C . Securely store the data that is required to be kept under local law.
- D . Provide the employee the reasons for retaining the data.
Which of the following does NOT have to be included in the records most processors must maintain in relation to their data processing activities?
- A . Name and contact details of each controller on behalf of which the processor is acting.
- B . Categories of processing carried out on behalf of each controller for which the processor is acting.
- C . Details of transfers of personal data to a third country carried out on behalf of each controller for which the processor is acting.
- D . Details of any data protection impact assessment conducted in relation to any processing activities carried out by the processor on behalf of each controller for which the processor is acting.
D
Explanation:
While processors are required to maintain records of their processing activities, details of any data protection impact assessment (DPIA) are the responsibility of the controller, not the processor. The GDPR does not mandate that processors include details of DPIAs in their records of processing activities.
What is one major goal that the OECD Guidelines, Convention 108 and the Data Protection Directive (Directive 95/46/EC) all had in common but largely failed to achieve in Europe?
- A . The establishment of a list of legitimate data processing criteria
- B . The creation of legally binding data protection principles
- C . The synchronization of approaches to data protection
- D . The restriction of cross-border data flow
C
Explanation:
Reference: https://ico.org.uk/media/about-the-ico/documents/1042349/review-of-eu-dp-directive.pdf (99)
What obligation does a data controller or processor have after appointing a data protection officer?
- A . To ensure that the data protection officer receives sufficient instructions regarding the exercise of his or her defined tasks.
- B . To provide resources necessary to carry out the defined tasks of the data protection officer and to maintain his or her expert knowledge.
- C . To ensure that the data protection officer acts as the sole point of contact for individuals’ Questions: about their personal data.
- D . To submit for approval to the data protection officer a code of conduct to govern organizational practices and demonstrate compliance with data protection principles.
B
Explanation:
According to the GDPR, after appointing a data protection officer (DPO), the controller or processor must support the DPO by providing necessary resources to carry out their tasks and to maintain their expertise. The DPO should be involved in all issues related to the protection of personal data and must be given the necessary independence to perform their tasks without any conflicts of interest.
SCENARIO
Please use the following to answer the next question:
Jack worked as a Pharmacovigiliance Operations Specialist in the Irish office of a multinational pharmaceutical company on a clinical trial related to COVID-19. As part of his onboarding process Jack received privacy training He was explicitly informed that while he would need to process confidential patient data in the course of his work, he may under no circumstances use this data for anything other than the performance of work-related (asks This was also specified in the privacy policy, which Jack signed upon conclusion of the training.
After several months of employment, Jack got into an argument with a patient over the phone. Out of anger he later posted the patient’s name and hearth information, along with disparaging comments, on a social media website. When this was discovered by his Pharmacovigilance supervisors. Jack was immediately dismissed Jack’s lawyer sent a letter to the company stating that dismissal was a disproportionate sanction, and that if Jack was not reinstated within 14 days his firm would have no alternative but to commence legal proceedings against the company. This letter was accompanied by a data access request from Jack requesting a copy of "all personal data, including internal emails that were sent/received by Jack or where Jack is directly or indirectly identifiable from the contents In relation to the emails Jack listed six members of the management team whose inboxes he required access.
The company conducted an initial search of its IT systems, which returned a large amount of information They then contacted Jack, requesting that he be more specific regarding what information he required, so that they could carry out a targeted search Jack responded by stating that he would not narrow the scope of the information requester.
Under Article 82 of the GDPR ("Right to compensation and liability-), which party is liable for the damage caused by the data breach?
- A . Both parties are exempt, as the company is involved in human health research
- B . Jack and the pharmaceutical company are jointly liable.
- C . The pharmaceutical company is liable.
- D . Jack is liable
According to Art 23 GDPR, which of the following data subject rights can NOT be restricted?
- A . Right to restriction of processing.
- B . Right to erasure ("Right to be forgotten").
- C . Right to lodge a complaint with a supervisory authority.
- D . Right not to be subject to automated individual decision-making
According to Article 14 of the GDPR, how long does a controller have to provide a data subject with necessary privacy information, if that subject’s personal data has been obtained from other sources?
- A . As soon as possible after obtaining the personal data.
- B . As soon as possible after the first communication with the data subject.
- C . Within a reasonable period after obtaining the personal data, but no later than one month.
- D . Within a reasonable period after obtaining the personal data, but no later than eight weeks.
C
Explanation:
Reference: https://dataprivacymanager.net/gdpr-exemptions-from-the-obligation-to-provide-information-to-the-individual-data-subject/
Tanya is the Data Protection Officer for Curtains Inc., a GDPR data controller. She has recommended that the company encrypt all personal data at rest.
Which GDPR principle is she following?
- A . Accuracy
- B . Storage Limitation
- C . Integrity and confidentiality
- D . Lawfulness, fairness and transparency
C
Explanation:
Reference: https://www.icaew.com/technical/technology/data/data-protection/data-protection-articles/do-i- have-to-encrypt-personal-data-to-comply-with-dpa-2018
Which statement is correct when considering the right to privacy under Article 8 of the European Convention on Human Rights (ECHR)?
- A . The right to privacy is an absolute right
- B . The right to privacy has to be balanced against other rights under the ECHR
- C . The right to freedom of expression under Article 10 of the ECHR will always override the right to privacy
- D . The right to privacy protects the right to hold opinions and to receive and impart ideas without interference
B
Explanation:
Reference: https://www.echr.coe.int/Documents/Guide_Art_8_ENG.pdf (15)
SCENARIO
Please use the following to answer the next question:
Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquartered in Montreal, and all of its employees arelocated there. The company offers its services to Canadians only: Its website is in English and French, it accepts only Canadian currency, and it blocks internet traffic from outside of Canada (although this solution doesn’t prevent all non-Canadian traffic). It also declines to process orders that request the DNA report to be sent outside of Canada, and returns orders that show a non-Canadian return address.
Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is exploring a number of plans to expand its customer base.
The first plan, collegially called We-Track-U, will use an app to collect information about its current Canadian customer base. The expansion will allow its Canadian customers to use the app while traveling abroad. He suggests that the company use this app to gather location information. If the plan shows promise, Bob proposes to use push notifications and text messages to encourage existing customers to pre-register for an EU version of the service. Bob calls this work plan, We-Text-U. Once the company has gathered enough pre-registrations, it will develop EU-specific content and services.
Another plan is called Customer for Life. The idea is to offer additional services through the company’s app, like storage and sharing of DNA information with other applications and medical providers. The company’s contract says that it can keep customer DNA indefinitely, and use it to offer new services and market them to customers. It also says that customers agree not to withdraw direct marketing consent. Paul, the marketing director, suggests that the company should fully exploit these provisions, and that it can work around customers’ attempts to withdraw consent because the contract invalidates them.
The final plan is to develop a brand presence in the EU. The company has already begun this process. It is in the process of purchasing the naming rights for a building in Germany, which would come with a few offices that Who-R-U executives can use while traveling internationally. The office doesn’t include any technology or infrastructure; rather, it’s simply a room with a desk and some chairs.
On a recent trip concerning the naming-rights deal, Bob’s laptop is stolen. The laptop held unencrypted DNA reports on 5,000 Who-R-U customers, all of whom are residents of Canada. The reports include customer name, birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information.
Who-R-U is NOT required to notify the local German DPA about the laptop theft because?
- A . The company isn’t a controller established in the Union.
- B . The laptop belonged to a company located in Canada.
- C . The data isn’t considered personally identifiable financial information.
- D . There is no evidence that the thieves have accessed the data on the laptop.
Company X has entrusted the processing of their payroll data to Provider Y. Provider Y stores this encrypted data on its server. The IT department of Provider Y finds out that someone managed to hack into the system and take a copy of the data from its server. In this scenario, whom does Provider Y have the obligation to notify?
- A . The public
- B . Company X
- C . Law enforcement
- D . The supervisory authority
The Planet 49 CJEU Judgement applies to?
- A . Cookies used only by third parties.
- B . Cookies that are deemed technically necessary.
- C . Cookies regardless of whether the data accessed is personal or not.
- D . Cookies where the data accessed is considered as personal data only.
C
Explanation:
Reference: https://www.twobirds.com/en/news/articles/2019/global/planet49-cjeu-rules-on-cookie-consent