
Certified Information Privacy Professional/Europe (CIPP/E) Question and Answers

Certified Information Privacy Professional/Europe (CIPP/E)

Last Update Sep 23, 2025
Total Questions : 307

Questions 1

SCENARIO

Please use the following to answer the next question:

TripBliss Inc. is a travel service company which has lost substantial revenue over the last few years. Their new manager, Oliver, suspects that this is partly due to the company’s outdated website. After doing some research, he meets with a sales representative from the up-and-coming IT company Techiva, hoping that they can design a new, cutting-edge website for TripBliss Inc.’s foundering business.

During negotiations, a Techiva representative describes a plan for gathering more customer information through detailed questionnaires, which could be used to tailor their preferences to specific travel destinations. TripBliss Inc. can choose any number of data categories – age, income, ethnicity – that would help them best accomplish their goals. Oliver loves this idea, but would also like to have some way of gauging how successful this approach is, especially since the questionnaires will require customers to provide explicit consent to having their data collected. The Techiva representative suggests that they also run a program to analyze the new website’s traffic, in order to get a better understanding of how customers are using it. He explains his plan to place a number of cookies on customer devices. The cookies will allow the company to collect IP addresses and other information, such as the sites from which the customers came, how much time they spend on the TripBliss Inc. website, and which pages on the site they visit. All of this information will be compiled in log files, which Techiva will analyze by means of a special program. TripBliss Inc. would receive aggregate statistics to help them evaluate the website’s effectiveness. Oliver enthusiastically engages Techiva for these services.

Techiva assigns the analytics portion of the project to longtime account manager Leon Santos. As is standard practice, Leon is given administrator rights to TripBliss Inc.’s website, and can authorize access to the log files gathered from it. Unfortunately for TripBliss Inc., however, Leon is taking on this new project at a time when his dissatisfaction with Techiva is at a high point. In order to take revenge for what he feels has been unfair treatment at the hands of the company, Leon asks his friend Fred, a hobby hacker, for help. Together they come up with the following plan: Fred will hack into Techiva’s system and copy their log files onto a USB stick. Despite his initial intention to send the USB to the press and to the data protection authority in order to denounce Techiva, Leon experiences a crisis of conscience and ends up reconsidering his plan. He decides instead to securely wipe all the data from the USB stick and inform his manager that the company’s system of access control must be reconsidered.

After Leon has informed his manager, what is Techiva’s legal responsibility as a processor?

Options:

A. They must report it to TripBliss Inc.
B. They must conduct a full systems audit.
C. They must report it to the supervisory authority.
D. They must inform customers who have used the website.

Questions 2

In which situation would a data controller most likely be able to justify the processing of the data of a child without parental consent?

Options:

A. When the data is to be processed for market research.
B. When providing preventive or counselling services to the child.
C. When providing the child with materials purely for educational use.
D. When a legitimate business interest makes obtaining consent impractical.

Questions 3

Articles 13 and 14 of the GDPR provide details on the obligation of data controllers to inform data subjects when collecting personal data. However, both articles specify an exemption for situations in which the data subject already has the information.

Which other situation would also exempt the data controller from this obligation under Article 14?

Options:

A. When providing the information would go against a police order.
B. When providing the information would involve a disproportionate effort.
C. When the personal data was obtained through multiple sources in the public domain.
D. When the personal data was obtained 5 years before the entry into force of the GDPR.

Questions 4

The GDPR's list of processor obligations regarding cloud computing includes all of the following EXCEPT?

Options:

A. Controllers must be given notice of any subprocessors and have a right of objection.
B. Individuals authorized to process the personal data are subject to an obligation of confidentiality.
C. Any personal data related to data subjects must be securely maintained for a maximum of ten years.
D. Processors must implement technical and organizational measures to ensure a level of security appropriate to the risk.

Questions 5

Which of the following elements does NOT need to be presented to a data subject in order to collect valid consent for the use of cookies?

Options:

A. A "Cookies Settings" button.
B. A "Reject All" cookies button.
C. A list of cookies that may be placed.
D. Information on the purpose of the cookies.

Questions 6

What is the MAIN reason GDPR Article 4(22) establishes the concept of the “concerned supervisory authority”?

Options:

A. To encourage the consistency of local data processing activity.
B. To give corporations a choice about who their supervisory authority will be.
C. To ensure the GDPR covers controllers that do not have an establishment in the EU but have a representative in a member state.
D. To ensure that the interests of individuals residing outside the lead authority’s jurisdiction are represented.

Questions 7

Which failing of Privacy Shield, cited by the CJEU as a reason for its invalidation, is the Trans-Atlantic Data Privacy Framework intended to address?

Options:

A. Data Subject Rights.
B. Right of Action.
C. Necessity.
D. Consent.

Questions 8

SCENARIO

Please use the following to answer the next question:

The fitness company Vigotron has recently developed a new app called M-Health, which it wants to market on its website as a free download. Vigotron’s marketing manager asks his assistant Emily to create a webpage that describes the app and specifies the terms of use. Emily, who is new at Vigotron, is excited about this task. At her previous job she took a data protection class, and though the details are a little hazy, she recognizes that Vigotron is going to need to obtain user consent for use of the app in some cases. Emily sketches out the following draft, trying to cover as much as possible before sending it to Vigotron’s legal department.

Registration Form

Vigotron’s new M-Health app makes it easy for you to monitor a variety of health-related activities, including diet, exercise, and sleep patterns. M-Health relies on your smartphone settings (along with other third-party apps you may already have) to collect data about all of these important lifestyle elements, and provide the information necessary for you to enrich your quality of life. (Please click here to read a full description of the services that M-Health provides.)

Vigotron values your privacy. The M-Health app allows you to decide which information is stored in it, and which apps can access your data. When your device is locked with a passcode, all of your health and fitness data is encrypted with your passcode. You can back up data stored in the Health app to Vigotron’s cloud provider, Stratculous. (Read more about Stratculous here.)

Vigotron will never trade, rent or sell personal information gathered from the M-Health app. Furthermore, we will not provide a customer’s name, email address or any other information gathered from the app to any third-party without a customer’s consent, unless ordered by a court, directed by a subpoena, or to enforce the manufacturer’s legal rights or protect its business or property.

We are happy to offer the M-Health app free of charge. If you want to download and use it, we ask that you first complete this registration form. (Please note that use of the M-Health app is restricted to adults aged 16 or older, unless parental consent has been given to minors intending to use it.)

    First name:

    Surname:

    Year of birth:

    Email:

    Physical Address (optional*):

    Health status:

*If you are interested in receiving newsletters about our products and services that we think may be of interest to you, please include your physical address. If you decide later that you do not wish to receive these newsletters, you can unsubscribe by sending an email to unsubscribe@vigotron.com or send a letter with your request to the address listed at the bottom of this page.

Terms and Conditions

1. Jurisdiction. […]

2. Applicable law. […]

3. Limitation of liability. […]

Consent

By completing this registration form, you attest that you are at least 16 years of age, and that you consent to the processing of your personal data by Vigotron for the purpose of using the M-Health app. Although you are entitled to opt out of any advertising or marketing, you agree that Vigotron may contact you or provide you with any required notices, agreements, or other information concerning the services by email or other electronic means. You also agree that the Company may send automated emails with alerts regarding any problems with the M-Health app that may affect your well being.

If a user of the M-Health app were to decide to withdraw his consent, Vigotron would first be required to do what?

Options:

A. Provide the user with logs of data collected through use of the app.
B. Erase any data collected from the time the app was first used.
C. Inform any third parties of the user’s withdrawal of consent.
D. Cease processing any data collected through use of the app.

Questions 9

An entity’s website stores text files on EU users’ computer and mobile device browsers. Prior to doing so, the entity is required to provide users with notices containing information and consent under which of the following frameworks?

Options:

A. General Data Protection Regulation 2016/679.
B. E-Privacy Directive 2002/58/EC.
C. E-Commerce Directive 2000/31/EC.
D. Data Protection Directive 95/46/EC.

Questions 10

Under which of the following conditions does the General Data Protection Regulation NOT apply to the processing of personal data?

Options:

A. When the personal data is processed only in non-electronic form.
B. When the personal data is collected and then pseudonymised by the controller.
C. When the personal data is held by the controller but not processed for further purposes.
D. When the personal data is processed by an individual only for their household activities.

Questions 11

According to Article 14 of the GDPR, how long does a controller have to provide a data subject with necessary privacy information, if that subject’s personal data has been obtained from other sources?

Options:

A. As soon as possible after obtaining the personal data.
B. As soon as possible after the first communication with the data subject.
C. Within a reasonable period after obtaining the personal data, but no later than one month.
D. Within a reasonable period after obtaining the personal data, but no later than eight weeks.

Questions 12

A company plans to transfer employee health information between two of its entities in France. To maintain the security of the processing, what would be the most important security measure to apply to the health data transmission?

Options:

A. Inform the data subject of the security measures in place.
B. Ensure that the receiving entity has signed a data processing agreement.
C. Encrypt the transferred data in transit and at rest.
D. Conduct a data protection impact assessment.

Questions 13

SCENARIO

Please use the following to answer the next question:

Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.

Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick’s instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.

Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its clients’ data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying information from the contact information. JaphSoft’s engineers, however, maintain all contact information in the same database as the identifying information.

Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies’ websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem’s as well as EcoMick’s latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem’s products, she has never shopped EcoMick, nor provided her personal data to that company.

Under the GDPR, Liem and EcoMick’s contract with MarketIQ must include all of the following provisions EXCEPT?

Options:

A. Processing the personal data upon documented instructions regarding data transfers outside of the EEA.
B. Notification regarding third party requests for access to Liem and EcoMick’s personal data.
C. Assistance to Liem and EcoMick in their compliance with data protection impact assessments.
D. Returning or deleting personal data after the end of the provision of the services.

Questions 14

Assuming that the “without undue delay” provision is followed, what is the time limit for complying with a data access request?

Options:

A. Within 40 days of receipt.
B. Within 40 days of receipt, which may be extended by up to 40 additional days.
C. Within one month of receipt, which may be extended by up to an additional month.
D. Within one month of receipt, which may be extended by an additional two months.

Questions 15

Which of the following is NOT a role of works councils?

Options:

A. Determining the monetary fines to be levied against employers for data breach violations of employee data.
B. Determining whether to approve or reject certain decisions of the employer that affect employees.
C. Determining whether employees’ personal data can be processed or not.
D. Determining what changes will affect employee working conditions.

Questions 16

What is the main purpose of the EU Data Act?

Options:

A. To enable the processing and transfer of non-personal data within the EU.
B. To allow users of connected devices to access data generated by their use.
C. To facilitate the voluntary sharing of data between individuals and businesses.
D. To regulate individuals' privacy rights and the processing of their personal data.

Questions 17

Article 9 of the GDPR lists exceptions to the general prohibition against processing biometric data. Which of the following is NOT one of these exceptions?

Options:

A. The processing is done by a non-profit organization and the results are disclosed outside the organization.
B. The processing is necessary to protect the vital interests of the data subject when he or she is incapable of giving consent.
C. The processing is necessary for the establishment, exercise or defense of legal claims when courts are acting in a judicial capacity.
D. The processing is explicitly consented to by the data subject and he or she is allowed by Union or Member State law to lift the prohibition.

Questions 18

In the EDPB's Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, all of the following practices follow from the principles relating to the processing of personal data under EU data protection law EXCEPT?

Options:

A. Data ownership allocation.
B. Access control management.
C. Frequent pseudonymization key rotation.
D. Error propagation avoidance along the processing chain.

Questions 19

If a multi-national company wanted to conduct background checks on all current and potential employees, including those based in Europe, what key provision would the company have to follow?

Options:

A. Background checks on employees could be performed only under prior notice to all employees.
B. Background checks are only authorized with prior notice and express consent from all employees including those based in Europe.
C. Background checks on European employees will stem from data protection and employment law, which can vary between member states.
D. Background checks may not be allowed on European employees, but the company can create lists based on its legitimate interests, identifying individuals who are ineligible for employment.

Questions 20

SCENARIO

Please use the following to answer the next question:

BHealthy, a company based in Italy, is ready to launch a new line of natural products, with a focus on sunscreen. The last step prior to product launch is for BHealthy to conduct research to decide how extensively to market its new line of sunscreens across Europe. To do so, BHealthy teamed up with Natural Insight, a company specializing in determining pricing for natural products. BHealthy decided to share its existing customer information – name, location, and prior purchase history – with Natural Insight. Natural Insight intends to use this information to train its algorithm to help determine the price point at which BHealthy can sell its new sunscreens.

Prior to sharing its customer list, BHealthy conducted a review of Natural Insight’s security practices and concluded that the company has sufficient security measures to protect the contact information. Additionally, BHealthy’s data processing contractual terms with Natural Insight require continued implementation of technical and organization measures. Also indicated in the contract are restrictions on use of the data provided by BHealthy for any purpose beyond provision of the services, which include use of the data for continued improvement of Natural Insight’s machine learning algorithms.

Under the GDPR, what are Natural Insight’s security obligations with respect to the customer information it received from BHealthy?

Options:

A. Appropriate security that takes into account the industry practices for protecting customer contact information and purchase history.
B. Only the security measures assessed by BHealthy prior to entering into the data processing contract.
C. Absolute security since BHealthy is sharing personal data, including purchase history, with Natural Insight.
D. The level of security that a reasonable data subject whose data is processed would expect in relation to the data subject’s purchase history.

Questions 21

If two controllers act as joint controllers pursuant to Article 26 of the GDPR, which of the following may NOT be validly determined by said controllers?

Options:

A. The definition of a central contact point for data subjects.
B. The rules regarding the exercising of data subjects’ rights.
C. The rules to provide information to data subjects in Articles 13 and 14.
D. The non-disclosure of the essence of their arrangement to data subjects.

Questions 22

SCENARIO

Please use the following to answer the next question:

Joe started the Gummy Bear Company in 2000 from his home in Vermont, USA. Today, it is a multi-billion-dollar candy company operating in every continent. All of the company’s IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father’s company, but is also secretly working on launching a new global online dating website company called Ben Knows Best.

Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company’s online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers’ philosophical beliefs, political opinions and marital status.

If a customer identifies as single, Ben then copies all of that customer’s personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out.

Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Break with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.

Joe also hires his best friend’s daughter, Alice, who just graduated from law school in the U.S., to be the company’s new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company’s operations in the European Union to the U.S.

Joe believes that Alice is doing a great job, and informs her that she will also be in-charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company’s IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone’s information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.

The data transfer mechanism that Alice drafted violates the GDPR because the company did not first get approval from?

Options:

A. The Court of Justice of the European Union.
B. The European Data Protection Board.
C. The Data Protection Authority.
D. The European Commission.

Questions 23

For which of the following operations would an employer most likely be justified in requesting the data subject’s consent?

Options:

A. Posting an employee’s bicycle race photo on the company’s social media.
B. Processing an employee’s health certificate in order to provide sick leave.
C. Operating a CCTV system on company premises.
D. Assessing a potential employee’s job application.

Questions 24

Article 29 Working Party has emphasized that the GDPR forbids “forum shopping”, which occurs when companies do what?

Options:

A. Choose the data protection officer that is most sympathetic to their business concerns.
B. Designate their main establishment in the member state with the most flexible practices.
C. File appeals of infringement judgments with more than one EU institution simultaneously.
D. Select third-party processors on the basis of cost rather than quality of privacy protection.

Questions 25

SCENARIO

Please use the following to answer the next question:

Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentable offering to help him recover compensation for personal injury. Louis has heard about insurance companies selling customers’ data to third parties, and he’s convinced that Accidentable must have gotten his information from Bedrock Insurance.

Louis has also been receiving an increased amount of marketing information from Bedrock, trying to sell him their full range of insurance policies.

Perturbed by this, Louis has started looking at price comparison sites on the internet and has been shocked to find that other insurers offer much cheaper rates than Bedrock, even though he has been a loyal customer for many years. When his Bedrock policy comes up for renewal, he decides to switch to Zantrum Insurance.

In order to activate his new insurance policy, Louis needs to supply Zantrum with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask Bedrock to transfer his information directly to Zantrum. He also takes this opportunity to ask Bedrock to stop using his personal data for marketing purposes.

Bedrock supplies Louis with a PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Louis it cannot transfer his data directly to Zantrum as this is not technically feasible. Bedrock also explains that Louis’s contract included a provision whereby Louis agreed that his data could be used for marketing purposes; according to Bedrock, it is too late for Louis to change his mind about this. It angers Louis when he recalls the wording of the contract, which was filled with legal jargon and very confusing.

In the meantime, Louis is still receiving unwanted calls from Accidentable Insurance. He writes to Accidentable to ask for the name of the organization that supplied his details to them. He warns Accidentable that he plans to complain to the data protection authority, because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way.

Accidentable’s response letter confirms Louis’s suspicions. Accidentable is Bedrock Insurance’s wholly owned subsidiary, and they received information about Louis’s accident from Bedrock shortly after Louis submitted his accident claim. Accidentable assures Louis that there has been no breach of the GDPR, as Louis’s contract included a provision in which he agreed to share his information with Bedrock’s affiliates for business purposes.

Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them insisting that all his information be erased from their computer system.

Which statement accurately summarizes Bedrock’s obligation in regard to Louis’s data portability request?

Options:

A. Bedrock does not have a duty to transfer Louis’s data to Zantrum if doing so is legitimately not technically feasible.
B. Bedrock does not have to transfer Louis’s data to Zantrum because the right to data portability does not apply where personal data are processed in order to carry out tasks in the public interest.
C. Bedrock has failed to comply with the duty to transfer Louis’s data to Zantrum because the duty applies wherever personal data are processed by automated means and necessary for the performance of a contract with the customer.
D. Bedrock has failed to comply with the duty to transfer Louis’s data to Zantrum because it has an obligation to develop commonly used, machine-readable and interoperable formats so that all customer data can be ported to other insurers on request.

Questions 26

What ruling did the Planet 49 CJEU judgment make regarding the issue of pre-ticked boxes?

Options:

A. They are allowed if determined to be technically necessary.
B. They do not amount to valid consent under any circumstances.
C. They are allowed if recorded in the register of processing activities.
D. They constitute valid consent if the processing is necessary for purposes of legitimate interest.

Questions 27

SCENARIO

Please use the following to answer the next question:

Dynaroux Fashion (‘Dynaroux’) is a successful international online clothing retailer that employs approximately 650 people at its headquarters based in Dublin, Ireland. Ronan is their recently appointed data protection officer, who oversees the company’s compliance with the General Data Protection Regulation (GDPR) and other privacy legislation.

The company offers both male and female clothing lines across all age demographics, including children. In doing so, the company processes large amounts of information about such customers, including preferences and sensitive financial information such as credit card and bank account numbers.

In an aggressive bid to build revenue growth, Jonas, the CEO, tells Ronan that the company is launching a new mobile app and loyalty scheme that puts significant emphasis on profiling the company’s customers by analyzing their purchases. Ronan tells the CEO that: (a) the potential risks of such activities means that Dynaroux needs to carry out a data protection impact assessment to assess this new venture and its privacy implications; and (b) where the results of this assessment indicate a high risk in the absence of appropriate protection measures, Dynaroux may have to undertake a prior consultation with the Irish Data Protection Commissioner before implementing the app and loyalty scheme.

Jonas tells Ronan that he is not happy about the prospect of having to directly engage with a supervisory authority and having to disclose details of Dynaroux’s business plan and associated processing activities.

Which of the following facts about Dynaroux would trigger a data protection impact assessment under the GDPR?

Options:

A.  

The company will be undertaking processing activities involving sensitive data categories such as financial and children’s data.

B.  

The company employs approximately 650 people and will therefore be carrying out extensive processing activities.

C.  

The company plans to undertake profiling of its customers through analysis of their purchasing patterns.

D.  

The company intends to shift their business model to rely more heavily on online shopping.

Questions 28

SCENARIO

Please use the following to answer the next question:

Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquartered in Montreal, and all of its employees are located there. The company offers its services to Canadians only: Its website is in English and French, it accepts only Canadian currency, and it blocks internet traffic from outside of Canada (although this solution doesn’t prevent all non-Canadian traffic). It also declines to process orders that request the DNA report to be sent outside of Canada, and returns orders that show a non-Canadian return address.

Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is exploring a number of plans to expand its customer base.

The first plan, collegially called We-Track-U, will use an app to collect information about its current Canadian customer base. The expansion will allow its Canadian customers to use the app while traveling abroad. He suggests that the company use this app to gather location information. If the plan shows promise, Bob proposes to use push notifications and text messages to encourage existing customers to pre-register for an EU version of the service. Bob calls this work plan We-Text-U. Once the company has gathered enough pre-registrations, it will develop EU-specific content and services.

Another plan is called Customer for Life. The idea is to offer additional services through the company’s app, like storage and sharing of DNA information with other applications and medical providers. The company’s contract says that it can keep customer DNA indefinitely, and use it to offer new services and market them to customers. It also says that customers agree not to withdraw direct marketing consent. Paul, the marketing director, suggests that the company should fully exploit these provisions, and that it can work around customers’ attempts to withdraw consent because the contract invalidates them.

The final plan is to develop a brand presence in the EU. The company has already begun this process. It is in the process of purchasing the naming rights for a building in Germany, which would come with a few offices that Who-R-U executives can use while traveling internationally. The office doesn’t include any technology or infrastructure; rather, it’s simply a room with a desk and some chairs.

On a recent trip concerning the naming-rights deal, Bob’s laptop is stolen. The laptop held unencrypted DNA reports on 5,000 Who-R-U customers, all of whom are residents of Canada. The reports include customer name, birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information.

If Who-R-U decides to track locations using its app, what must it do to comply with the GDPR?

Options:

A.  

Get consent from the app users.

B.  

Provide a transparent notice to users.

C.  

Anonymize the data and add latency so it avoids disclosing real time locations.

D.  

Obtain a court order because location data is a special category of personal data.

Questions 29

The GDPR requires controllers to supply data subjects with detailed information about the processing of their data. Where a controller obtains data directly from data subjects, which of the following items of information does NOT legally have to be supplied?

Options:

A.  

The recipients or categories of recipients.

B.  

The categories of personal data concerned.

C.  

The rights of access, erasure, restriction, and portability.

D.  

The right to lodge a complaint with a supervisory authority.

Questions 30

Which of the following would require designating a data protection officer?

Options:

A.  

Processing is carried out by an organization employing 250 persons or more.

B.  

Processing is carried out for the purpose of providing for-profit goods or services to individuals in the EU.

C.  

The core activities of the controller or processor consist of processing operations of financial information or information relating to children.

D.  

The core activities of the controller or processor consist of processing operations that require systematic monitoring of data subjects on a large scale.

Questions 31

A U.S. company’s website sells widgets. Which of the following factors would NOT in itself subject the company to the GDPR?

Options:

A.  

The widgets are offered in the EU and priced in euro.

B.  

The website is in English and French, and is accessible in France.

C.  

An affiliate office is located in France but the processing is in the U.S.

D.  

The website places cookies to monitor the EU website user behavior.

Questions 32

A dynamic Internet Protocol (IP) address is considered personal data when it is combined with what?

Options:

A.  

Other data held by the processor.

B.  

Other data held by the controller

C.  

Other data held by recipients of the data.

D.  

Other data held by Internet Service Providers (ISPs).

Questions 33

SCENARIO

Please use the following to answer the next question:

Sandy recently joined Market4U, an advertising technology company founded in 2016, as their VP of Privacy and Data Governance. Through her first initiative in conducting a data inventory, Sandy learned that Market4U maintains a list of 19 million global contacts that were collected throughout the course of Market4U’s existence. Knowing the risk of having such a large amount of data, Sandy wanted to purge all contacts that were entered into Market4U’s systems prior to May 2018, unless such contacts had a more recent interaction with Market4U content. However, Dan, the VP of Sales, informed Sandy that all of the contacts provide useful information regarding successful marketing campaigns and trends in industry verticals for Market4U’s clients.

Dan also informed Sandy that he had wanted to focus on gaining more customers within the sports and entertainment industry. To assist with this behavior, Market4U’s marketing team decided to add several new fields to Market4U’s website forms, including forms for downloading white papers, creating accounts to participate in Market4U’s forum, and attending events. Such fields include birth date and salary.

What is the best way that Sandy can gain the insights that Dan seeks while still minimizing risks for Market4U?

Options:

A.  

Conduct analysis only on anonymized personal data.

B.  

Conduct analysis only on pseudonymized personal data.

C.  

Delete all data collected prior to May 2018 after conducting the trend analysis.

D.  

Procure a third party to conduct the analysis and delete the data from Market4U’s systems.

Questions 34

According to the GDPR, how is pseudonymous personal data defined?

Options:

A.  

Data that can no longer be attributed to a specific data subject without the use of additional information kept separately.

B.  

Data that can no longer be attributed to a specific data subject, with no possibility of re-identifying the data.

C.  

Data that has been rendered anonymous in such a manner that the data subject is no longer identifiable.

D.  

Data that has been encrypted or is subject to other technical safeguards.

Questions 35

The GDPR forbids the practice of “forum shopping”, which occurs when companies do what?

Options:

A.  

Choose the data protection officer that is most sympathetic to their business concerns.

B.  

Designate their main establishment in the member state with the most flexible practices.

C.  

File appeals of infringement judgments with more than one EU institution simultaneously.

D.  

Select third-party processors on the basis of cost rather than quality of privacy protection.

Questions 36

What is the main task of the European Data Protection Board?

Options:

A.  

To assess adequacy of data protection in third countries

B.  

To ensure consistent application of the GDPR.

C.  

To proactively prevent disputes between national supervisory authorities.

D.  

To publish guidelines for data subjects on how to properly enforce their rights.

Questions 37

Since blockchain transactions are classified as pseudonymous, are they considered to be within the material scope of the GDPR or outside of it?

Options:

A.  

Outside the material scope of the GDPR, because transactions do not include personal data about data subjects in the European Union.

B.  

Within the material scope of the GDPR but outside of the territorial scope, because blockchains are decentralized.

C.  

Within the material scope of the GDPR to the extent that transactions include data subjects in the European Union.

D.  

Outside the material scope of the GDPR, because transactions are for personal or household purposes

Questions 38

Tanya is the Data Protection Officer for Curtains Inc., a GDPR data controller. She has recommended that the company encrypt all personal data at rest. Which GDPR principle is she following?

Options:

A.  

Accuracy

B.  

Storage Limitation

C.  

Integrity and confidentiality

D.  

Lawfulness, fairness and transparency

Questions 39

SCENARIO - Please use the following to answer the next question:

It has been a tough season for the Spanish Handball League, with acts of violence and racism having increased exponentially during their last few matches.

In order to address this situation, the Spanish Minister of Sports, in conjunction with the National Handball League Association, issued an Administrative Order (the "Act") obliging all the professional clubs to install a fingerprint-reading system for accessing some areas of the sports halls, primarily the ones directly behind the goalkeepers. The rest of the areas would retain the current access system, which allows any spectators access as long as they hold valid tickets.

The Act named a selected hardware and software provider, New Digital Finger, Ltd., for the creation of the new fingerprint system. Additionally, it stipulated that any of the professional clubs that failed to install this system within a two-year period would face fines under the Act.

The Murla HB Club was the first to install the new system, renting the New Digital Finger hardware and software. Immediately afterward, the Murla HB Club automatically renewed current supporters' subscriptions, while introducing a new contractual clause requiring supporters to access specific areas of the hall through the new fingerprint reading system installed at the gates.

After the first match hosted by the Murla HB Club, a local supporter submitted a complaint to the club and to the Spanish Data Protection Authority (the AEPD), claiming that the new access system violates EU data protection laws. Having been notified by the AEPD of the upcoming investigation regarding this complaint, the Murla HB Club immediately carried out a Data Protection Impact Assessment (DPIA), the conclusions of which stated that the new access system did not pose any high risks to data subjects’ privacy rights.

The Murla HB Club should have carried out a DPIA before the installation of the new access system and at what other time?

Options:

A.  

After the complaint of the supporter.

B.  

Periodically, when new risks were foreseen.

C.  

At the end of every match of the season.

D.  

After the AEPD notification of the investigation.

Questions 40

Pursuant to Article 17 and EDPB Guidelines 5/2019 on RTBF criteria in search engine cases, all of the following would be valid grounds for data subject delisting requests EXCEPT?

Options:

A.  

The personal data has been collected in relation to the offer of information society services (ISS) to a child.

B.  

The data subject withdraws consent and there is no other legal basis for the processing.

C.  

The personal data is no longer necessary in relation to the search engine provider's processing

D.  

The processing is necessary for exercising the right of freedom of expression and information.

Questions 41

SCENARIO

Please use the following to answer the next question:

Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees’ computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees’ computers.

Since these measures would potentially impact employees, Building Block’s Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.

After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees’ computers activity and their location. During these activities, the Information Security team discovered that one employee from Italy was daily connecting to a video library of movies, and another one from Germany worked remotely without authorization. The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.

Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company’s computers, and from working remotely without authorization.

What would be the MOST APPROPRIATE way for Building Block to handle the situation with the employee from Italy?

Options:

A.  

Since the GDPR does not apply to this situation, the company would be entitled to apply any disciplinary measure authorized under Italian labor law.

B.  

Since the employee was the cause of a serious risk for the server performance and their data, the company would be entitled to apply disciplinary measures to this employee, including fair dismissal.

C.  

Since the employee was not informed that the security measures would be used for other purposes such as monitoring, the company could face difficulties in applying any disciplinary measures to this employee.

D.  

Since this was a serious infringement, but the employee was not appropriately informed about the consequences of the new security measures, the company would be entitled to apply some disciplinary measures, but not dismissal.

Questions 42

Under the GDPR, where personal data is not obtained directly from the data subject, a controller is exempt from directly providing information about processing to the data subject if?

Options:

A.  

The data subject already has information regarding how his data will be used

B.  

The provision of such information to the data subject would be too problematic

C.  

Third-party data would be disclosed by providing such information to the data subject

D.  

The processing of the data subject’s data is protected by appropriate technical measures

Questions 43

Under Article 9 of the GDPR, which of the following categories of data is NOT expressly prohibited from data processing?

Options:

A.  

Personal data revealing ethnic origin.

B.  

Personal data revealing genetic data.

C.  

Personal data revealing financial data.

D.  

Personal data revealing trade union membership.

Questions 44

Which of the following is NOT one of the 4 principles developed by the European AI Alliance regarding the ethical use of Artificial Intelligence?

Options:

A.  

It should be fair.

B.  

It should be lawful

C.  

It should prevent harm

D.  

It should respect human autonomy.

Questions 45

According to Art 23 GDPR, which of the following data subject rights can NOT be restricted?

Options:

A.  

Right to restriction of processing.

B.  

Right to erasure ("Right to be forgotten").

C.  

Right to lodge a complaint with a supervisory authority.

D.  

Right not to be subject to automated individual decision-making

Questions 46

A private company has establishments in France, Poland, the United Kingdom, and most prominently, Germany, where its headquarters is established. The company offers its services worldwide. Most of the services are designed in Germany and supported in the other establishments. However, one of the services, a Software as a Service (SaaS) application, was defined and implemented by the Polish establishment. It is also supported by the other establishments.

What is the lead supervisory authority for the SaaS service?

Options:

A.  

The supervisory authority of Germany at the federal level.

B.  

The supervisory authority of Germany at the regional level.

C.  

The supervisory authority of the Republic of Poland.

D.  

The supervisory authority of the European Union.

Questions 47

SCENARIO

Please use the following to answer the next question:

Jane starts her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a dedicated data center located in Malta (EU).

People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a KYC due diligence procedure aimed at preventing money laundering and ensuring compliance with applicable financial regulations.

The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and ticking a checkbox on a separate page in order to get their account approved on the platform.

The customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a

Are the cybersecurity assessors required to sign a data processing agreement with the company in order to comply with the GDPR?

Options:

A.  

No, the assessors do not qualify as data processors as they only have access to encrypted data.

B.  

No, the assessors do not qualify as data processors as they do not copy the data to their facilities.

C.  

Yes, the assessors are considered to be joint data controllers and must sign a mutual data processing agreement.

D.  

Yes, the assessors are data processors and their processing of personal data must be governed by a separate contract or other legal act.

Questions 48

According to the Personal Data Protection Commission's (PDPC) "Guide to basic data anonymization techniques," recently adopted by the Spanish Data Protection Agency, which of the following is NOT a valid basic anonymization technique?

Options:

A.  

Swapping.

B.  

Generalization.

C.  

Data Adjustment.

D.  

Attribute Suppression.

Questions 49

In the Planet 49 case, what was the main judgement of the Court of Justice of the European Union (CJEU) regarding the issue of cookies?

Options:

A.  

If the cookies do not track personal data, then pre-checked boxes are acceptable.

B.  

If the ePrivacy Directive requires consent for cookies, then the GDPR's consent requirements apply.

C.  

If a website's cookie notice makes clear the information gathered and the lifespan of the cookie, then pre-checked boxes are acceptable.

D.  

If a data subject continues to scroll through a website after reading a cookie banner, this activity constitutes valid consent for the tracking described in the cookie banner.

Questions 50

An online company’s privacy practices vary due to the fact that it offers a wide variety of services. How could it best address the concern that explaining them all would make the policies incomprehensible?

Options:

A.  

Use a layered privacy notice on its website and in its email communications.

B.  

Identify uses of data in a privacy notice mailed to the data subject.

C.  

Provide only general information about its processing activities and offer a toll-free number for more information.

D.  

Place a banner on its website stipulating that visitors agree to its privacy policy and terms of use by visiting the site.

Questions 51

There are three domains of security covered by Article 32 of the GDPR that apply to both the controller and the processor. These include all of the following EXCEPT?

Options:

A.  

Consent management and withdrawal.

B.  

Incident detection and response.

C.  

Preventative security.

D.  

Remedial security.

Questions 52

What is the key difference between the European Council and the Council of the European Union?

Options:

A.  

The Council of the European Union is helmed by a president.

B.  

The Council of the European Union has a degree of legislative power.

C.  

The European Council focuses primarily on issues involving human rights.

D.  

The European Council is comprised of the heads of each EU member state.

Questions 53

A mobile device application that uses cookies will be subject to the consent requirement of which of the following?

Options:

A.  

The ePrivacy Directive

B.  

The E-Commerce Directive

C.  

The Data Retention Directive

D.  

The EU Cybersecurity Directive

Questions 54

How can the relationship between the GDPR and the Digital Services Act, the Data Governance Act and the Digital Markets Act most accurately be described?

Options:

A.  

The aforementioned legal acts do not refer to (i.e., do not mention) the GDPR.

B.  

The aforementioned legal acts apply without prejudice (i.e., in parallel) to the GDPR.

C.  

The aforementioned legal acts change specific provisions (i.e., certain articles) of the GDPR.

D.  

The aforementioned legal acts contain some sector-specific exemptions (i.e., only for certain businesses) from the GDPR.

Questions 55

According to the GDPR, what is the main task of a Data Protection Officer (DPO)?

Options:

A.  

To create and maintain records of processing activities.

B.  

To conduct Privacy Impact Assessments on behalf of the controller or processor.

C.  

To monitor compliance with other local or European data protection provisions.

D.  

To create procedures for notification of personal data breaches to competent supervisory authorities.

Questions 56

SCENARIO

Please use the following to answer the next question:

Financially, it has been a very good year at ARRA Hotels: Their 21 hotels, located in Greece (5), Italy (15) and Spain (1), have registered their most profitable results ever. To celebrate this achievement, ARRA Hotels' Human Resources office, based in ARRA's main Italian establishment, has organized a team event for its 420 employees and their families at its hotel in Spain.

Upon arrival at the hotel, each employee and family member is given an electronic wristband at the reception desk. The wristband serves a number of functions:

• Allows access to the "party zone" of the hotel, and emits a buzz if the user approaches any unauthorized areas
• Allows up to three free drinks for each person of legal age, and emits a buzz once this limit has been reached
• Grants a unique ID number for participating in the games and contests that have been planned.

Along with the wristband, each guest receives a QR code that leads to the online privacy notice describing the use of the wristband. The page also contains an unchecked consent checkbox. In the case of employee family members under the age of 16, consent must be given by a parent.

Among the various activities planned for the event, ARRA Hotels' HR office has autonomously set up a photocall area, separate from the main event venue, where employees can come and have their pictures taken in traditional carnival costume. The photos will be posted on ARRA Hotels' main website for general marketing purposes.

On the night of the event, an employee from one of ARRA's Greek hotels is displeased with the results of the photos in which he appears. He intends to file a complaint with the relevant supervisory authority in regard to the following:

• The lack of any privacy notice in the separate photocall area
• The unlawful cross-border processing of his personal data
• The unacceptable aesthetic outcome of his photos

Which of the following is NOT necessarily considered a factor in identifying whether the processing could be considered a "cross-border processing"?

Options:

A.  

The total number of the data subjects interested.

B.  

The potential harm for the data subjects affected.

C.  

The limitation of rights of the data subjects concerned.

D.  

The exposure of the information of the data subjects involved.

Questions 57

Pursuant to the EDPB Guidelines 8/2022, all of the following criteria must be considered when identifying a lead supervisory authority of a controller EXCEPT?

Options:

A.  

Determining where the controller has its place of central administration in the EEA.

B.  

Determining the supervisory authority where the place of central administration of the controller is located.

C.  

Determining the supervisory authority according to what has been identified by the controller as the authority to which data subjects can lodge complaints.

D.  

Determining if decisions on the processing are taken in another establishment in the EEA, and if that establishment has the power to implement those decisions.

Questions 58

If a company receives an anonymous email demanding ransom for the stolen personal data of its clients, what must the company do next, per GDPR requirements?

Options:

A.  

Notify the police and file a criminal complaint about the incident.

B.  

Start an investigation to understand the incident's possible scope, duration and nature

C.  

Send a notification to the competent supervisory authority describing the incident.

D.  

Send an email about the incident to all clients and ask them to change their passwords

Questions 59

SCENARIO

Please use the following to answer the next question:

Jane starts her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a dedicated data center located in Malta (EU).

People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a Know Your Customer (KYC) due diligence procedure aimed at preventing money laundering and ensuring compliance with applicable financial regulations.

The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and ticking a checkbox on a separate page in order to get their account approved on the platform.

All customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a customer fails the KYC process, its KYC data will be automatically shared with the national anti-money laundering agency.

The KYC procedure requires customers to answer many questions, including whether they have any criminal convictions, whether they use recreational drugs or have problems with alcohol, and whether they have a terminal illness. While providing this data, customers see a conspicuous message saying that this data is meant only to prevent fraud and account takeover, and will never be shared with private third parties.

The company regularly conducts external security testing of its online systems by independent cybersecurity companies from the EU. At the final stage of testing, the company provides cybersecurity assessors with access to its central database to review security permissions, roles and policies. Personal data in the database is encrypted; however, cybersecurity assessors usually have access to the decryption keys obtained while running initial security testing. The assessors must strictly follow the guidelines imposed by the company during the entire testing and auditing process.

All customer data, including trading activities and all internal communications with technical support, are permanently stored in a secured AWS S3 Glacier cloud data storage, located in Ireland, for backup and compliance purposes. The data is securely transferred to the cloud and then is properly encrypted while at rest by using AWS-native encryption mechanisms. These mechanisms give AWS the necessary technical means to encrypt and decrypt the data when such is required by the company. There is no data processing agreement between AWS and the company.

Should Jane modify the required GDPR rights waiver for non-European residents?

Options:

A.  

Yes, the waiver must not apply to any residents of countries with an adequacy decision from the EC.

B.  

Yes, this clause must be entirely removed as all customers, regardless of residence or nationality, shall enjoy the same individual rights granted under GDPR.

C.  

No, the non-EU residents are not protected by GDPR unless they are physically located in the EU.

D.  

No, but all non-EU residents must manually sign a separate waiver to ensure its lawfulness and enforceability under GDPR.

Questions 60

What is true if an employee makes an access request to his employer for any personal data held about him?

Options:

A.  

The employer can automatically decline the request if it contains personal data about a third person.

B.  

The employer can decline the request if the information is only held electronically.

C.  

The employer must supply all the information held about the employee.

D.  

The employer must supply any information held about an employee unless an exemption applies.

Questions 61

An organization conducts body temperature checks as a part of COVID-19 monitoring. Body temperature is measured manually and is not followed by registration, documentation or other processing of an individual’s personal data.

Which of the following best explains why this practice would NOT be subject to the GDPR?

Options:

A.  

Body temperature is not considered personal data.

B.  

The practice does not involve completion by automated means.

C.  

Body temperature is considered pseudonymous data.

D.  

The practice is for the purpose of alleviating extreme risks to public health.

Questions 62

In the event of a data breach, which type of information are data controllers NOT required to provide to either the supervisory authorities or the data subjects?

Options:

A. The predicted consequences of the breach.

B. The measures being taken to address the breach.

C. The type of security safeguards used to protect the data.

D. The contact details of the appropriate data protection officer.

Questions 63

SCENARIO

Please use the following to answer the next question:

BHealthy, a company based in Italy, is ready to launch a new line of natural products, with a focus on sunscreen. The last step prior to product launch is for BHealthy to conduct research to decide how extensively to market its new line of sunscreens across Europe. To do so, BHealthy teamed up with Natural Insight, a company specializing in determining pricing for natural products. BHealthy decided to share its existing customer information – name, location, and prior purchase history – with Natural Insight. Natural Insight intends to use this information to train its algorithm to help determine the price point at which BHealthy can sell its new sunscreens.

Prior to sharing its customer list, BHealthy conducted a review of Natural Insight’s security practices and concluded that the company has sufficient security measures to protect the contact information. Additionally, BHealthy’s data processing contractual terms with Natural Insight require continued implementation of technical and organizational measures. Also indicated in the contract are restrictions on use of the data provided by BHealthy for any purpose beyond provision of the services, which include use of the data for continued improvement of Natural Insight’s machine learning algorithms.

In which case would Natural Insight’s use of BHealthy’s data for improvement of its algorithms be considered data processor activity?

Options:

A. If Natural Insight uses BHealthy’s data for improving price point predictions only for BHealthy.

B. If Natural Insight receives express contractual instructions from BHealthy to use its data for improving its algorithms.

C. If Natural Insight agrees to be fully liable for its use of BHealthy’s customer information in its product improvement activities.

D. If Natural Insight satisfies the transparency requirement by notifying BHealthy’s customers of its plans to use their information for its product improvement activities.

Questions 64

ISO 31700 has set forth requirements relating to consumer products and services. In particular, this international standard focuses on the implementation of which of the following?

Options:

A. Privacy by design.

B. Comprehensive ethical AI software.

C. Privacy notices for companies providing services to consumers.

D. Automated systems for identifying EU data subjects' personal data.

Questions 65

To comply with the GDPR and the EU Court of Justice's decision in Schrems II, the European Commission issued what are commonly referred to as the new standard contractual clauses (SCCs). As a result, businesses must do all of the following EXCEPT?

Options:

A. Consider the new optional docking clause, which expressly permits adding new parties to the SCCs.

B. Migrate all contracts entered into before September 27, 2021, that use the old SCCs to the new SCCs by December 27, 2022.

C. Take steps to flow down the new SCCs to relevant parts of their supply chain using the new SCCs as of September 27, 2021, if the business is a data importer.

D. Implement the new SCCs in the U.K. following Brexit, as the U.K. Information Commissioner's Office does not have the authority to publish its own set of SCCs.

Questions 66

When may browser settings be relied upon for the lawful application of cookies?

Options:

A. When a user rejects cookies that are strictly necessary.

B. When users are aware of the ability to adjust their settings.

C. When users are provided with information about which cookies have been set.

D. When it is impossible to bypass the choices made by users in their browser settings.

Questions 67

SCENARIO

Please use the following to answer the next question:

Anna and Frank both work at Granchester University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records:

    Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information.

    Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files).

    Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees. These records are available to former students after registering through Granchester’s Alumni portal.

    Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers.

Under their security policy, the University encrypts all of its personal data records in transit and at rest.

In order to improve his teaching, Frank wants to investigate how his engineering students perform in relation to Department for Education expectations. He has attended one of Anna’s data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first time university attended. He wants to keep the records at the individual student level. Mindful of Anna’s training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time.

One of Anna’s tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, Frank informs Anna about his performance database.

Anna explains to Frank that, as well as minimizing personal data, the University has to check that this new use of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has done some additional research.

Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time.

Anna will find that a risk analysis is NOT necessary in this situation as long as?

Options:

A. The data subjects are no longer current students of Frank’s

B. The processing will not negatively affect the rights of the data subjects

C. The algorithms that Frank uses for the processing are technologically sound

D. The data subjects gave their unambiguous consent for the original processing

Questions 68

SCENARIO

Please use the following to answer the next question:

ABC Hotel Chain and XYZ Travel Agency are U.S.-based multinational companies. They use an internet-based common platform for collecting and sharing their customer data with each other, in order to integrate their marketing efforts. Additionally, they agree on the data to be stored, how reservations will be booked and confirmed, and who has access to the stored data.

Mike, an EU resident, has booked travel itineraries in the past through XYZ Travel Agency to stay at ABC Hotel Chain’s locations. XYZ Travel Agency offers a rewards program that allows customers to sign up to accumulate points that can later be redeemed for free travel. Mike has signed the agreement to be a rewards program member.

Now Mike wants to know what personal information the company holds about him. He sends an email requesting access to his data, in order to exercise what he believes are his data subject rights.

In which of the following situations would ABC Hotel Chain and XYZ Travel Agency NOT have to honor Mike’s data access request?

Options:

A. The request is to obtain access and correct inaccurate personal data in his profile.

B. The request is to obtain access and information about the purpose of processing his personal data.

C. The request is to obtain access and erasure of his personal data while keeping his rewards membership.

D. The request is to obtain access and the categories of recipients who have received his personal data to process his rewards membership.

Questions 69

Which sentence BEST summarizes the concepts of “fairness,” “lawfulness” and “transparency”, as expressly required by Article 5 of the GDPR?

Options:

A. Fairness and transparency refer to the communication of key information before collecting data; lawfulness refers to compliance with government regulations.

B. Fairness refers to limiting the amount of data collected from individuals; lawfulness refers to the approval of company guidelines by the state; transparency solely relates to communication of key information before collecting data.

C. Fairness refers to the security of personal data; lawfulness and transparency refer to the analysis of ordinances to ensure they are uniformly enforced.

D. Fairness refers to the collection of data from diverse subjects; lawfulness refers to the need for legal rules to be uniform; transparency refers to giving individuals access to their data.

Questions 70

Which of the following was the first to implement national law for data protection in 1973?

Options:

A. France

B. Sweden

C. Germany

D. United Kingdom

Questions 71

SCENARIO

Please use the following to answer the next question:

Financially, it has been a very good year at ARRA Hotels: Their 21 hotels, located in Greece (5), Italy (15) and Spain (1), have registered their most profitable results ever. To celebrate this achievement, ARRA Hotels' Human Resources office, based in ARRA's main Italian establishment, has organized a team event for its 420 employees and their families at its hotel in Spain.

Upon arrival at the hotel, each employee and family member is given an electronic wristband at the reception desk. The wristband serves a number of functions:

    Allows access to the "party zone" of the hotel, and emits a buzz if the user approaches any unauthorized areas

    Allows up to three free drinks for each person of legal age, and emits a buzz once this limit has been reached

    Grants a unique ID number for participating in the games and contests that have been planned.

Along with the wristband, each guest receives a QR code that leads to the online privacy notice describing the use of the wristband. The page also contains an unchecked consent checkbox. In the case of employee family members under the age of 16, consent must be given by a parent.

Among the various activities planned for the event, ARRA Hotels' HR office has autonomously set up a photocall area, separate from the main event venue, where employees can come and have their pictures taken in traditional carnival costume. The photos will be posted on ARRA Hotels' main website for general marketing purposes.

On the night of the event, an employee from one of ARRA's Greek hotels is displeased with the results of the photos in which he appears. He intends to file a complaint with the relevant supervisory authority in regard to the following:

    The lack of any privacy notice in the separate photocall area

    The unlawful cross-border processing of his personal data

    The unacceptable aesthetic outcome of his photos

Assuming that there is a cross-border processing of personal data, which of the following criteria would NOT be useful to the lead supervisory authority responsible for the Greek employee's complaint when trying to determine the location of the controller's main establishment?

Options:

A. Where the controller is registered as a company.

B. Where the processor is registered as a company.

C. Where decisions about the processing activities are made.

D. Where the director with responsibility for processing activities is located.

Questions 72

When hiring a data processor, which action would a data controller NOT be able to depend upon to avoid liability in the event of a security breach?

Options:

A. Documenting due diligence steps taken in the pre-contractual stage.

B. Conducting a risk assessment to analyze possible outsourcing threats.

C. Requiring that the processor directly notify the appropriate supervisory authority.

D. Maintaining evidence that the processor was the best possible market choice available.

Questions 73

Which of the following is NOT recognized as being a common characteristic of cloud-computing services?

Options:

A. The service’s infrastructure is shared among the supplier’s customers and can be located in a number of countries.

B. The supplier determines the location, security measures, and service standards applicable to the processing.

C. The supplier allows customer data to be transferred around the infrastructure according to capacity.

D. The supplier assumes the vendor’s business risk associated with data processed by the supplier.

Questions 74

SCENARIO

Please use the following to answer the next question:

Due to a rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B. Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry.

Company B’s payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A’s factories. Company B won’t hold any biometric data itself, but the related data will be uploaded to Company B’s UK servers and used to provide the payroll service. Company B’s live systems will contain the following information for each of Company A’s employees:

    Name

    Address

    Date of Birth

    Payroll number

    National Insurance number

    Sick pay entitlement

    Maternity/paternity pay entitlement

    Holiday entitlement

    Pension and benefits contributions

    Trade union contributions

Jenny is the compliance officer at Company A. She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn’t sure whether or not this is required.

Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data. Jenny suggests that Company B obtain advice from its data protection officer. The company doesn’t have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract.

Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B’s live systems in order to create a new database for Company B.

This database will be stored in a test environment hosted on Company C’s U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes.

Unfortunately, Company C’s U.S. server is only protected by an outdated IT security system, and suffers a cyber security incident soon after Company C begins work on the project. As a result, data relating to Company A’s employees is visible to anyone visiting Company C’s website. Company A is unaware of this until Jenny receives a letter from the supervisory authority in connection with the investigation that ensues. As soon as Jenny is made aware of the breach, she notifies all affected employees.

The GDPR requires sufficient guarantees of a company’s ability to implement adequate technical and organizational measures. What would be the most realistic way that Company B could have fulfilled this requirement?

Options:

A. Hiring companies whose measures are consistent with recommendations of accrediting bodies.

B. Requesting advice and technical support from Company A’s IT team.

C. Avoiding the use of another company’s data to improve their own services.

D. Vetting companies’ measures with the appropriate supervisory authority.

Questions 75

What obligation does a data controller or processor have after appointing a data protection officer?

Options:

A. To ensure that the data protection officer receives sufficient instructions regarding the exercise of his or her defined tasks.

B. To provide resources necessary to carry out the defined tasks of the data protection officer and to maintain his or her expert knowledge.

C. To ensure that the data protection officer acts as the sole point of contact for individuals’ questions about their personal data.

D. To submit for approval to the data protection officer a code of conduct to govern organizational practices and demonstrate compliance with data protection principles.

Questions 76

Which of the following is NOT exempt from the material scope of the GDPR, insofar as the processing of personal data is concerned?

Options:

A. A natural person in the course of a large-scale but purely personal or household activity.

B. A natural person processing data for a small-scale, purely personal or household activity.

C. A natural person in the course of processing purely personal or household data on behalf of a spouse who is beyond the age of majority.

D. A natural person in the course of activity conducted purely for a personally-owned sole proprietorship.

Questions 77

SCENARIO

Please use the following to answer the next question:

Building Block Inc. is a multinational company, headquartered in Chicago with offices throughout the United States, Asia, and Europe (including Germany, Italy, France and Portugal). Last year the company was the victim of a phishing attack that resulted in a significant data breach. The executive board, in coordination with the general manager, their Privacy Office and the Information Security team, resolved to adopt additional security measures. These included training awareness programs, a cybersecurity audit, and use of a new software tool called SecurityScan, which scans employees’ computers to see if they have software that is no longer being supported by a vendor and therefore not getting security updates. However, this software also provides other features, including the monitoring of employees’ computers.

Since these measures would potentially impact employees, Building Block’s Privacy Office decided to issue a general notice to all employees indicating that the company will implement a series of initiatives to enhance information security and prevent future data breaches.

After the implementation of these measures, server performance decreased. The general manager instructed the Security team on how to use SecurityScan to monitor employees’ computer activity and their location. During these activities, the Information Security team discovered that one employee from Italy was connecting daily to a video library of movies, and another one from Germany worked remotely without authorization. The Security team reported these incidents to the Privacy Office and the general manager. In their report, the team concluded that the employee from Italy was the reason why the server performance decreased.

Due to the seriousness of these infringements, the company decided to apply disciplinary measures to both employees, since the security and privacy policy of the company prohibited employees from installing software on the company’s computers, and from working remotely without authorization.

To comply with the GDPR, what should Building Block have done as a first step before implementing the SecurityScan measure?

Options:

A. Assessed potential privacy risks by conducting a data protection impact assessment.

B. Consulted with the relevant data protection authority about potential privacy violations.

C. Distributed a more comprehensive notice to employees and received their express consent.

D. Consulted with the Information Security team to weigh security measures against possible server impacts.

Questions 78

What is a reason the European Court of Justice declared the Data Retention Directive invalid in 2014?

Options:

A. The requirements affected individuals without exception.

B. The requirements were financially burdensome to EU businesses.

C. The requirements specified that data must be held within the EU.

D. The requirements had limitations on how national authorities could use data.

Questions 79

Once an organization has conducted an internal investigation to determine the scope of a ransomware attack, what is the appropriate next step in the process?

Options:

A. Assess the risks associated with the breach and, if necessary, notify affected individuals and regulatory bodies within the relevant timeframes.

B. Notify law enforcement and consult with legal counsel to understand the implications of the breach and the notification requirements.

C. Inform all customers and the public via social media platforms to ensure rapid dissemination of relevant information.

D. Wait for law enforcement to provide guidance on notification procedures before taking any further action.

Questions 80

What must a data controller do in order to make personal data pseudonymous?

Options:

A. Separately hold any information that would allow linking the data to the data subject.

B. Encrypt the data in order to prevent any unauthorized access or modification.

C. Remove all indirect data identifiers and dispose of them securely.

D. Use the data only in aggregated form for research purposes.

Questions 81

In which scenario is a Controller most likely required to undertake a Data Protection Impact Assessment?

Options:

A. When the controller is collecting email addresses from individuals via an online registration form for marketing purposes.

B. When personal data is being collected and combined with other personal data to profile the creditworthiness of individuals.

C. When the controller is required to have a Data Protection Officer.

D. When personal data is being transferred outside of the EEA.

Questions 82

What should a controller do after a data subject opts out of a direct marketing activity?

Options:

A. Without exception, securely delete all personal data relating to the data subject.

B. Without undue delay, provide information to the data subject on the action that will be taken.

C. Refrain from processing personal data relating to the data subject for the relevant type of communication.

D. Take reasonable steps to inform third-party recipients that the data subject’s personal data should be deleted and no longer processed.

Questions 83

Under Article 30 of the GDPR, controllers are required to keep records of all of the following EXCEPT?

Options:

A. Incidents of personal data breaches, whether disclosed or not.

B. Data inventory or data mapping exercises that have been conducted.

C. Categories of recipients to whom the personal data have been disclosed.

D. Retention periods for erasure and deletion of categories of personal data.

Questions 84

In relation to third countries and international organizations, which of the following shall, along with the supervisory authorities, take appropriate steps to develop international cooperation mechanisms for the enforcement of data protection legislation?

Options:

A. The European Parliament

B. The Council of the European Union

C. The designated Data Protection Officers

D. The European Commission

Questions 85

SCENARIO

Please use the following to answer the next question:

Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquartered in Montreal, and all of its employees are located there. The company offers its services to Canadians only: Its website is in English and French, it accepts only Canadian currency, and it blocks internet traffic from outside of Canada (although this solution doesn’t prevent all non-Canadian traffic). It also declines to process orders that request the DNA report to be sent outside of Canada, and returns orders that show a non-Canadian return address.

Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is exploring a number of plans to expand its customer base.

The first plan, collegially called We-Track-U, will use an app to collect information about its current Canadian customer base. The expansion will allow its Canadian customers to use the app while traveling abroad. He suggests that the company use this app to gather location information. If the plan shows promise, Bob proposes to use push notifications and text messages to encourage existing customers to pre-register for an EU version of the service. Bob calls this work plan We-Text-U. Once the company has gathered enough pre-registrations, it will develop EU-specific content and services.

Another plan is called Customer for Life. The idea is to offer additional services through the company’s app, like storage and sharing of DNA information with other applications and medical providers. The company’s contract says that it can keep customer DNA indefinitely, and use it to offer new services and market them to customers. It also says that customers agree not to withdraw direct marketing consent. Paul, the marketing director, suggests that the company should fully exploit these provisions, and that it can work around customers’ attempts to withdraw consent because the contract invalidates them.

The final plan is to develop a brand presence in the EU. The company has already begun this process. It is in the process of purchasing the naming rights for a building in Germany, which would come with a few offices that Who-R-U executives can use while traveling internationally. The office doesn’t include any technology or infrastructure; rather, it’s simply a room with a desk and some chairs.

On a recent trip concerning the naming-rights deal, Bob’s laptop is stolen. The laptop held unencrypted DNA reports on 5,000 Who-R-U customers, all of whom are residents of Canada. The reports include customer name, birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information.

Who-R-U is NOT required to notify the local German DPA about the laptop theft because?

Options:

A. The company isn’t a controller established in the Union.

B. The laptop belonged to a company located in Canada.

C. The data isn’t considered personally identifiable financial information.

D. There is no evidence that the thieves have accessed the data on the laptop.

Questions 86

SCENARIO

Please use the following to answer the next question:

Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco-friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.

Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick’s instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.

Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its clients’ data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying information from the contact information. JaphSoft’s engineers, however, maintain all contact information in the same database as the identifying information.

Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies’ websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem’s as well as EcoMick’s latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem’s products, she has never shopped at EcoMick, nor provided her personal data to that company.

JaphSoft’s use of pseudonymization is NOT in compliance with the GDPR because?

Options:

A. JaphSoft failed to first anonymize the personal data.

B. JaphSoft pseudonymized all the data instead of deleting what it no longer needed.

C. JaphSoft was in possession of information that could be used to identify data subjects.

D. JaphSoft failed to keep personally identifiable information in a separate database.

Questions 87

SCENARIO

Please use the following to answer the next question:

Joe is the new privacy manager for Who-R-U, a Canadian business that provides DNA analysis. The company is headquartered in Montreal, and all of its employees are located there. The company offers its services to Canadians only: Its website is in English and French, it accepts only Canadian currency, and it blocks internet traffic from outside of Canada (although this solution doesn’t prevent all non-Canadian traffic). It also declines to process orders that request the DNA report to be sent outside of Canada, and returns orders that show a non-Canadian return address.

Bob, the President of Who-R-U, thinks there is a lot of interest for the product in the EU, and the company is exploring a number of plans to expand its customer base.

The first plan, collegially called We-Track-U, will use an app to collect information about its current Canadian customer base. The expansion will allow its Canadian customers to use the app while traveling abroad. He suggests that the company use this app to gather location information. If the plan shows promise, Bob proposes to use push notifications and text messages to encourage existing customers to pre-register for an EU version of the service. Bob calls this work plan We-Text-U. Once the company has gathered enough pre-registrations, it will develop EU-specific content and services.

Another plan is called Customer for Life. The idea is to offer additional services through the company’s app, like storage and sharing of DNA information with other applications and medical providers. The company’s contract says that it can keep customer DNA indefinitely, and use it to offer new services and market them to customers. It also says that customers agree not to withdraw direct marketing consent. Paul, the marketing director, suggests that the company should fully exploit these provisions, and that it can work around customers’ attempts to withdraw consent because the contract invalidates them.

The final plan is to develop a brand presence in the EU. The company has already begun this process. It is in the process of purchasing the naming rights for a building in Germany, which would come with a few offices that Who-R-U executives can use while traveling internationally. The office doesn’t include any technology or infrastructure; rather, it’s simply a room with a desk and some chairs.

On a recent trip concerning the naming-rights deal, Bob’s laptop is stolen. The laptop held unencrypted DNA reports on 5,000 Who-R-U customers, all of whom are residents of Canada. The reports include customer name, birthdate, ethnicity, racial background, names of relatives, gender, and occasionally health information.

The Customer for Life plan may conflict with which GDPR provision?

Options:

A. Article 6, which requires processing to be lawful.

B. Article 7, which requires consent to be as easy to withdraw as it is to give.

C. Article 16, which provides data subjects with a right to rectification.

D. Article 20, which gives data subjects a right to data portability.

Questions 88

Which mechanism, new to the GDPR, now allows for the possibility of personal data transfers to third countries under Article 42?

Options:

A. Approved certifications.

B. Binding corporate rules.

C. Law enforcement requests.

D. Standard contractual clauses.
