Data controllers are required to maintain a record of the following information: - ANSWERS-
(1) the controller's name and contact details and, where applicable, the name and contact details of any joint controller, representative and DPOs;
(2) the purposes of the processing;
(3) a description of the categories of data subjects and of the categories of personal data;
(4) the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations;
(5) where applicable, transfers of personal data to third countries, including the identification of the transferee third country and, where applicable, the documentation of appropriate safeguards;
(6) where possible, the retention periods for erasure/deletion of the different categories of personal data; and
(7) where possible, a general description of the technical and organizational security measures.
Data processors are required to maintain a record of the following information: - ANSWERS-
(1) the name and contact details of the processor or processors and, where applicable, the name and contact details of representatives and DPOs;
END OF PAGE 1, CIPP/E EXAM LATEST
(2) the name and contact details of each data controller for whom the processor acts and, where applicable, the name and contact details of representatives and DPOs;
(3) the categories of processing carried out on behalf of each controller;
(4) where applicable, details of the transfers of personal data to third countries, including the identification of the transferee third country and, where applicable, the documentation of appropriate safeguards; and
(5) where possible, a general description of the processor's technical and organizational security measures.
When does the record keeping exemption for fewer than 250 employees not apply? - ANSWERS-If the processing by a company, no matter the number of employees:
(1) is likely to result in a risk to the rights and freedoms of data subjects;
(2) is frequent and not occasional; or
(3) involves special categories of data, including biometric and genetic data, health data or data related to a person's sex life or sexual orientation, criminal convictions and offenses.
Examples of 'risky' types of processing activities for which a DPIA would be required under Article 35: - ANSWERS-
(1) systematic and extensive profiling that produces legal effects or significantly affects individuals;
(2) processing activities that use 'special categories of personal data' on a large scale; and
(3) the systematic monitoring of a publicly accessible area on a large scale (e.g., closed-circuit television (CCTV), other video surveillance in public areas and potentially the use of drones).
DPIA must contain and document at least the following: - ANSWERS-
(1) a systematic description of the envisaged processing operations and the purposes of the processing, including any legitimate interests pursued by the controller;
(2) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
(3) an assessment of the risks to the rights and freedoms of individuals; and
(4) the measures adopted to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data.
When do you have to consult with the DPA before processing? - ANSWERS-When high risk activity and no measures capable of mitigating risk.
How much time does a DPA have to review matters referred to them by a controller? - ANSWERS-Initial 8 weeks, with extension of additional 6 weeks. Suspension if waiting for info from controller.
The circumstances where data controllers and processors must designate a DPO are: - ANSWERS-
(1) where processing is carried out by a public authority;
(2) if the core activities of the controller or processor consist of regular and systematic monitoring of individuals on a large scale; or
(3) if the core activities consist of processing special categories of personal data on a large scale.
WP29 identified the following 'large-scale' factors: - ANSWERS-
(1) The number of data subjects concerned—either as a specific number or as a proportion of the relevant population;
(2) The volume of data and/or the range of different data items being processed;
(3) The duration or permanence of the data processing activity;
(4) The geographical extent of the processing activity.