and Complete Solutions
Graded A+
A key component of the OECD Guidelines is the 'individual participation principle.' What parts of the
GDPR provide the closest equivalent? - Answer: Rights granted to data subjects under Articles 12 to 23
Under the GDPR, when processing data for direct marketing activities, data controllers must do which of
the following? - Answer: Provide information explaining how personal data will be used for marketing purposes
How does the GDPR define processing? - Answer: Any operation or set of operations performed on
personal data or on sets of personal data
Which of the following is a right/freedom that must be considered when balancing privacy rights under
the GDPR? - Answer: Freedom of expression
Which of the following is a right/freedom that must be considered when balancing privacy rights under
the GDPR? - Answer: Freedom to conduct lawful business
Much of the GDPR builds upon the Data Protection Directive. Which of the following data subject rights
is the only right that did NOT exist in some form in the Directive? - Answer: Right to data portability
Under the right to be forgotten, what is a controller required to do when they receive a proper request
for erasure from a data subject? - Answer: Inform other controllers processing the shared personal
data that the data subject has requested its erasure (Article 17(2): where the controller has made the data
public, it must take reasonable steps, including technical measures, to inform those controllers)
What is one major goal that the OECD Guidelines, Convention 108 and the Data Protection Directive had
in common but largely failed to achieve in Europe? - Answer: Synchronization of the approaches to data
protection
Which of the following is one of the seven EU-US and Swiss-US Privacy Shield Principles? - Answer:
Security
Which of the following is one of the seven EU-US and Swiss-US Privacy Shield Principles? - Answer:
Access
Which of the following is one of the criteria that the supervisory authority may take into account when
determining the amount of a fine? - Answer: Actions taken by the controller to mitigate the damage
suffered by the data subjects (Article 83(2))
According to the GDPR, how is pseudonymous personal data defined? - Answer: Data that cannot be
attributed to a specific data subject without the use of additional information kept separately
Processing of biometric data requires both a lawful basis and ________________, otherwise, it is
generally prohibited by the GDPR. - Answer: a condition for processing (one of the Article 9(2) exceptions for special category data)
True / False: Article 30's record keeping requirement has absolutely no exceptions for companies
employing fewer than 250 people. - Answer: False: Article 30(5) exempts such companies, unless one of three conditions applies (the processing is likely to result in a risk to data subjects, the processing is not occasional, or it includes special categories or criminal conviction data)
A company must appoint a DPO, whether it is a controller or processor, if its core activities involve
______________. - Answer: processing of sensitive data on a large scale
Which treaty created the European Union? - Answer: 1992 Maastricht Treaty
When is a data sharing agreement most likely to be needed? - Answer: When personal data is being
shared between commercial organisations acting as joint data controllers.
What should an organisation consider when determining appropriate periods for retaining personal
data? - Answer: Whether the stated purpose for collecting the personal data still applies.
True / False: The GDPR sets specific guidelines for background checks. - Answer: False: The GDPR does
not set specific guidelines for background checks, but privacy principles must be taken into account