How is the retention of communications traffic data for law enforcement purposes addressed by European data protection law?
A. The ePrivacy Directive allows individual EU member states to engage in such data retention.
B. The ePrivacy Directive harmonizes EU member states' rules concerning such data retention.
C. The Data Retention Directive's annulment makes such data retention now permissible.
D. The GDPR allows the retention of such data for the prevention, investigation, detection or prosecution of criminal offences only.
How does the GDPR now define "processing"?
A. Any act involving the collecting and recording of personal data.
B. Any operation or set of operations performed on personal data or on sets of personal data.
C. Any use or disclosure of personal data compatible with the purpose for which the data was collected.
D. Any operation or set of operations performed by automated means on personal data or on sets of personal data.
SCENARIO
Please use the following to answer the next question:
The fitness company Vigotron has recently developed a new app called M-Health, which it wants to market on its website as a free download. Vigotron's marketing manager asks his assistant Emily to create a webpage that describes the app and specifies the terms of use. Emily, who is new at Vigotron, is excited about this task. At her previous job she took a data protection class, and though the details are a little hazy, she recognizes that Vigotron is going to need to obtain user consent for use of the app in some cases. Emily sketches out the following draft, trying to cover as much as possible before sending it to Vigotron's legal department.
Registration Form
Vigotron's new M-Health app makes it easy for you to monitor a variety of health-related activities, including diet, exercise, and sleep patterns. M-Health relies on your smartphone settings (along with other third-party apps you may already have) to collect data about all of these important lifestyle elements, and provide the information necessary for you to enrich your quality of life. (Please click here to read a full description of the services that M-Health provides.)
Vigotron values your privacy. The M-Health app allows you to decide which information is stored in it, and which apps can access your data. When your device is locked with a passcode, all of your health and fitness data is encrypted with your passcode. You can back up data stored in the Health app to Vigotron's cloud provider, Stratculous. (Read more about Stratculous here.)
Vigotron will never trade, rent or sell personal information gathered from the M-Health app. Furthermore, we will not provide a customer's name, email address or any other information gathered from the app to any third party without a customer's consent, unless ordered by a court, directed by a subpoena, or to enforce the manufacturer's legal rights or protect its business or property.
We are happy to offer the M-Health app free of charge. If you want to download and use it, we ask that you first complete this registration form. (Please note that use of the M-Health app is restricted to adults aged 16 or older, unless parental consent has been given to minors intending to use it.)
First name:
Surname:
Year of birth:
Email:
Physical Address (optional*):
Health status:
*If you are interested in receiving newsletters about our products and services that we think may be of interest to you, please include your physical address. If you decide later that you do not wish to receive these newsletters, you can unsubscribe by sending an email to [email protected] or send a letter with your request to the address listed at the bottom of this page.
Terms and Conditions
1. Jurisdiction. [...]
2. Applicable law. [...]
3. Limitation of liability. [...]
Consent
By completing this registration form, you attest that you are at least 16 years of age, and that you consent to the processing of your personal data by Vigotron for the purpose of using the M-Health app. Although you are entitled to opt out of any advertising or marketing, you agree that Vigotron may contact you or provide you with any required notices, agreements, or other information concerning the services by email or other electronic means. You also agree that the Company may send automated emails with alerts regarding any problems with the M-Health app that may affect your well-being.
What is one potential problem Vigotron's age policy might encounter under the GDPR?
A. Age restrictions are more stringent when health data is involved.
B. Users are only required to be aged 13 or over to be considered adults.
C. Organizations must make reasonable efforts to verify parental consent.
D. Organizations that tie a service to marketing must seek consent for each purpose.
Which sentence best describes proper compliance for an international organization using Binding Corporate Rules (BCRs) as a controller or processor?
A. Employees must sign an ad hoc contractual agreement each time personal data is exported.
B. All employees are subject to the rules in their entirety, regardless of where the work is taking place.
C. All employees must follow the privacy regulations of the jurisdictions where the current scope of their work is established.
D. Employees who control personal data must complete a rigorous certification procedure, as they are exempt from legal enforcement.
What is one major goal that the OECD Guidelines, Convention 108 and the Data Protection Directive (Directive 95/46/EC) all had in common but largely failed to achieve in Europe?
A. The establishment of a list of legitimate data processing criteria
B. The creation of legally binding data protection principles
C. The synchronization of approaches to data protection
D. The restriction of cross-border data flow
SCENARIO
Please use the following to answer the next question:
Jack worked as a Pharmacovigilance Operations Specialist in the Irish office of a multinational pharmaceutical company on a clinical trial related to COVID-19. As part of his onboarding process Jack received privacy training. He was explicitly informed that while he would need to process confidential patient data in the course of his work, he may under no circumstances use this data for anything other than the performance of work-related tasks. This was also specified in the privacy policy, which Jack signed upon conclusion of the training.
After several months of employment, Jack got into an argument with a patient over the phone. Out of anger he later posted the patient's name and health information, along with disparaging comments, on a social media website. When this was discovered by his Pharmacovigilance supervisors, Jack was immediately dismissed.
Jack's lawyer sent a letter to the company stating that dismissal was a disproportionate sanction, and that if Jack was not reinstated within 14 days his firm would have no alternative but to commence legal proceedings against the company. This letter was accompanied by a data access request from Jack requesting a copy of "all personal data, including internal emails that were sent/received by Jack or where Jack is directly or indirectly identifiable from the contents." In relation to the emails, Jack listed six members of the management team whose inboxes he required access to.
The company conducted an initial search of its IT systems, which returned a large amount of information. They then contacted Jack, requesting that he be more specific regarding what information he required, so that they could carry out a targeted search. Jack responded by stating that he would not narrow the scope of the information requested.
What would be the most appropriate response to Jack's data subject access request?
A. The company should not provide any information, as the company is headquartered outside of the EU.
B. The company should decline to provide any information, as the amount of information requested is too excessive to provide in one month.
C. The company should cite the need for an extension, and agree to provide the information requested in Jack's original DSAR within a period of 3 months.
D. The company should provide all requested information except for the emails, as they are excluded from data access request requirements under the GDPR.
Which of the following is NOT one of the 4 principles developed by the European AI Alliance regarding the ethical use of Artificial Intelligence?
A. It should be fair.
B. It should be lawful.
C. It should prevent harm.
D. It should respect human autonomy.
In its 2016 guidance, the United Kingdom's Information Commissioner's Office (ICO) reaffirmed the importance of using a "layered notice" to provide data subjects with what?
A. A privacy notice containing brief information whilst offering access to further detail.
B. A privacy notice explaining the consequences for opting out of the use of cookies on a website.
C. An explanation of the security measures used when personal data is transferred to a third party.
D. An efficient means of providing written consent in member states where they are required to do so.
Under the GDPR, which essential pieces of information must be provided to data subjects before collecting their personal data?
A. The authority by which the controller is collecting the data and the third parties to whom the data will be sent.
B. The name/s of relevant government agencies involved and the steps needed for revising the data.
C. The identity and contact details of the controller and the reasons the data is being collected.
D. The contact information of the controller and a description of the retention policy.
SCENARIO
Please use the following to answer the next question:
Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco-friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.
Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick's instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.
Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its clients' data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying information from the contact information. JaphSoft's engineers, however, maintain all contact information in the same database as the identifying information.
Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies' websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem's as well as EcoMick's latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem's products, she has never shopped at EcoMick, nor provided her personal data to that company.
Which of the following BEST describes the relationship between Liem, EcoMick and JaphSoft?
A. Liem is a controller and EcoMick is a processor because Liem provides specific instructions regarding how the marketing campaigns should be rolled out.
B. EcoMick and JaphSoft are controllers and Liem is a processor because EcoMick is sharing its marketing data with Liem for contacts in Europe.
C. JaphSoft is the sole processor because it processes personal data on behalf of its clients.
D. Liem and EcoMick are joint controllers because they carry out joint marketing activities.
Under what circumstances might the "soft opt-in" rule apply in relation to direct marketing?
A. When an individual has not consented to the marketing.
B. When an individual's details are obtained from their inquiries about buying a product.
C. Where an individual's details have been obtained from a bought-in marketing list.
D. Where an individual is given the ability to unsubscribe from marketing emails sent to him.
As a result of the European Court of Justice's ruling in the case of Google v. Spain, search engines outside the EEA are also likely to be subject to the Regulation's right to be forgotten. This holds true if the activities of an EU subsidiary and its U.S. parent are what?
A. Supervised by the same Data Protection Officer.
B. Consistent with Privacy Shield requirements
C. Bound by a standard contractual clause.
D. Inextricably linked in their businesses.
Which of the following statements is inconsistent with the EDPB's position on qualifying a given processing as a “transfer” under Chapter V of the GDPR?
A. Transfers subject to the GDPR can only occur when two separate parties – each of them a controller, joint controller or processor – are involved.
B. Transfers subject to the GDPR may involve data disclosures between entities belonging to the same corporate group (intra-group data disclosures).
C. Transfers subject to the GDPR may involve remote access of personal data from a third country during a business trip of an employee of the controller for the given processing.
D. Transfers in which a controller or processor makes personal data available to another controller, joint controller, or processor needs to be subject to the GDPR for the given processing.
The GDPR's list of processor obligations regarding cloud computing includes all of the following EXCEPT?
A. Controllers must be given notice of any subprocessors and have a right of objection.
B. Individuals authorized to process the personal data are subject to an obligation of confidentiality.
C. Any personal data related to data subjects must be securely maintained for a maximum of ten years.
D. Processors must implement technical and organizational measures to ensure a level of security appropriate to the risk.
SCENARIO
Please use the following to answer the next question:
Financially, it has been a very good year at ARRA Hotels: Their 21 hotels, located in Greece (5), Italy (15) and Spain (1), have registered their most profitable results ever. To celebrate this achievement, ARRA Hotels' Human Resources office, based in ARRA's main Italian establishment, has organized a team event for its 420 employees and their families at its hotel in Spain.
Upon arrival at the hotel, each employee and family member is given an electronic wristband at the reception desk. The wristband serves a number of functions:
1. Allows access to the "party zone" of the hotel, and emits a buzz if the user approaches any unauthorized areas
2. Allows up to three free drinks for each person of legal age, and emits a buzz once this limit has been reached
3. Grants a unique ID number for participating in the games and contests that have been planned.
Along with the wristband, each guest receives a QR code that leads to the online privacy notice describing the use of the wristband. The page also contains an unchecked consent checkbox. In the case of employee family members under the age of 16, consent must be given by a parent. Among the various activities planned for the event, ARRA Hotels' HR office has autonomously set up a photocall area, separate from the main event venue, where employees can come and have their pictures taken in traditional carnival costume. The photos will be posted on ARRA Hotels' main website for general marketing purposes.
On the night of the event, an employee from one of ARRA's Greek hotels is displeased with the results of the photos in which he appears. He intends to file a complaint with the relevant supervisory authority in regard to the following:
1. The lack of any privacy notice in the separate photocall area
2. The unlawful cross-border processing of his personal data
3. The unacceptable aesthetic outcome of his photos
Which of the following principles has likely been violated in the processing of the photocall photos containing personal data?
A. Adequacy.
B. Lawfulness.
C. Transparency.
D. Data minimization.