CIPP/E PRACTICE QUESTIONS &
ANSWERS|| 2025 LATEST UPDATE
Which statement is correct when considering the right to privacy under article 8 of the
European Convention on Human Rights? - ANSWERThe right to privacy has to be
balanced against other rights under the ECHR
What is the one major goal that the OECD Guidelinges, Convention 108, and the
Directive all had in common but largely failed to achieve in Europe? - ANSWERThe
restriction of cross-border data flow
Which EU institution is vested with the competence to propose new data protection
legislation on its own initiative? - ANSWERCommission
Which institution has the power to adopt findings that confirm the adequacy of the data
protection level in a non-EU country? - ANSWEREuropean Commission
What type of data lies beyond the scope of the GDPR? - ANSWERAnonymised
What is the consequence if a processor makes an independent decision regarding the
purposes and means of processing it carries out on behalf of a controller? -
ANSWERThe processor will be considered to be a controller
With the issue of consent, the GDPR allows member states some choice regarding
what? - ANSWERThe age which children must be required to obtain parental consent
Which sentence BEST summarizes the concepts of Fairness, lawfullness, and
transparency, as expressly required by Article 5 of the GDPR? - ANSWERFairness and
transparency refer to the communication of key information before collecting data;
lawfulness refers to compliance with government regulations
Assuming that the "without undue delay" provison is followed, what is the time limit for
complying with a data access request? - ANSWER1 month + additional 2 months
Company X has entrusted the processing of their payroll data provider to Y. Provider Y
stores this encrypted data on its server. The IT department of Provider Y finds out that
someone managed to hack into the system and take a copy of the data from its server.
In this scenario, whom does Provider Y have the obligation to notify? -
ANSWERCompany X
Which of the following would require designationg a data protection officer? -
ANSWERThe core activites of the controller or processor consist of processing
operations that require systematic monitoring of data subjects on a large scale. (public
authority or large scal sensitive data would apply as well)
, When is a data sharing agreement MOST likely to be needed? - ANSWERWhen
personal data is being shared between commercial orgs acting as joint data controllers
An employee of company X has just noticed a memory stick containing records of client
data, including their names, addresses and full contact details has disappeared. The
data on the stick is unencrypted and in clear text. It is uncertain what has happened to
the stick as this stage, but it likely was lost during the travel of an employee. What
should the company do? - ANSWERNotify as soon as possible the data protection
supervisory authority that a data breach may have taken place
The GDPR specifies fines that may be levied against data controllers for certain
infringements. Which of the following infringements would be subject to the less severe
administrative fine of up to 10 million Euros? - ANSWERFailure to implement technical
and organisational measures to ensure data protection is enshrined by design and
default
Why is it advisable to avoid consent as a legal basis for an employer to process
employee data? - ANSWERConsent may not be valid if the employee feels compelled
to provide it
What is true about an employee who makes an access request to his employer for any
personal data held about him? - ANSWERThe employer must supply all the information
held about the employee unless there is an exemption
What must a data controller do in order to make personal data pseudonymous? -
ANSWERSeparately hold any information that would allow linking the data to the data
subject
Which of the following entities would most likely be exempt from complying with the
GDPR? - ANSWERA North American copany servicing customers in South Africa that
uses a cloud storage system made by a European company
Article 29 Working Party has emphasized that the GDPR forbids forum shopping, which
occurs when companies do what? - ANSWERDesignate their main establishment in a
member state with the most flexible practices
In which situation would a data controller most likely be able to justify the processing of
the data of a child without parental consent? - ANSWERWhen providing preventive or
counselling services to the child
The GDPR requires contollers to supply data subjects with detailed infomation about the
processing of their data. Where contoller obtains data directly from data subjects, which
of the following items of information does NOT legally have to be supplied? -
ANSWERThe categoris of personal data concerned
ANSWERS|| 2025 LATEST UPDATE
Which statement is correct when considering the right to privacy under article 8 of the
European Convention on Human Rights? - ANSWERThe right to privacy has to be
balanced against other rights under the ECHR
What is the one major goal that the OECD Guidelinges, Convention 108, and the
Directive all had in common but largely failed to achieve in Europe? - ANSWERThe
restriction of cross-border data flow
Which EU institution is vested with the competence to propose new data protection
legislation on its own initiative? - ANSWERCommission
Which institution has the power to adopt findings that confirm the adequacy of the data
protection level in a non-EU country? - ANSWEREuropean Commission
What type of data lies beyond the scope of the GDPR? - ANSWERAnonymised
What is the consequence if a processor makes an independent decision regarding the
purposes and means of processing it carries out on behalf of a controller? -
ANSWERThe processor will be considered to be a controller
With the issue of consent, the GDPR allows member states some choice regarding
what? - ANSWERThe age which children must be required to obtain parental consent
Which sentence BEST summarizes the concepts of Fairness, lawfullness, and
transparency, as expressly required by Article 5 of the GDPR? - ANSWERFairness and
transparency refer to the communication of key information before collecting data;
lawfulness refers to compliance with government regulations
Assuming that the "without undue delay" provison is followed, what is the time limit for
complying with a data access request? - ANSWER1 month + additional 2 months
Company X has entrusted the processing of their payroll data provider to Y. Provider Y
stores this encrypted data on its server. The IT department of Provider Y finds out that
someone managed to hack into the system and take a copy of the data from its server.
In this scenario, whom does Provider Y have the obligation to notify? -
ANSWERCompany X
Which of the following would require designationg a data protection officer? -
ANSWERThe core activites of the controller or processor consist of processing
operations that require systematic monitoring of data subjects on a large scale. (public
authority or large scal sensitive data would apply as well)
, When is a data sharing agreement MOST likely to be needed? - ANSWERWhen
personal data is being shared between commercial orgs acting as joint data controllers
An employee of company X has just noticed a memory stick containing records of client
data, including their names, addresses and full contact details has disappeared. The
data on the stick is unencrypted and in clear text. It is uncertain what has happened to
the stick as this stage, but it likely was lost during the travel of an employee. What
should the company do? - ANSWERNotify as soon as possible the data protection
supervisory authority that a data breach may have taken place
The GDPR specifies fines that may be levied against data controllers for certain
infringements. Which of the following infringements would be subject to the less severe
administrative fine of up to 10 million Euros? - ANSWERFailure to implement technical
and organisational measures to ensure data protection is enshrined by design and
default
Why is it advisable to avoid consent as a legal basis for an employer to process
employee data? - ANSWERConsent may not be valid if the employee feels compelled
to provide it
What is true about an employee who makes an access request to his employer for any
personal data held about him? - ANSWERThe employer must supply all the information
held about the employee unless there is an exemption
What must a data controller do in order to make personal data pseudonymous? -
ANSWERSeparately hold any information that would allow linking the data to the data
subject
Which of the following entities would most likely be exempt from complying with the
GDPR? - ANSWERA North American copany servicing customers in South Africa that
uses a cloud storage system made by a European company
Article 29 Working Party has emphasized that the GDPR forbids forum shopping, which
occurs when companies do what? - ANSWERDesignate their main establishment in a
member state with the most flexible practices
In which situation would a data controller most likely be able to justify the processing of
the data of a child without parental consent? - ANSWERWhen providing preventive or
counselling services to the child
The GDPR requires contollers to supply data subjects with detailed infomation about the
processing of their data. Where contoller obtains data directly from data subjects, which
of the following items of information does NOT legally have to be supplied? -
ANSWERThe categoris of personal data concerned
