CIPP/E IAPP ACTUAL QUESTIONS AND
CORRECT ANSWERS
Supervisory Authority - CORRECT ANSWERS DPA | promote, monitor
and enforce GDPR | Promote awareness | Conduct Investigations on GDPR
compliance | Protect fundamental human rights | Annual reports | facilitate free
flow of personal data in EU
SA | Investigative - CORRECT ANSWERS Order controller/provider to
provide information required for performance of their tasks | conduct data
protection audits
SA | Corrective - CORRECT ANSWERS Issue warnings or reprimands |
Order compliance with data subject request | Order notification to data subject
of breach | Order to bring compliance | Ban processing | Order rectification,
restriction or erasure of data | Suspend international data transfers | Withdraw
certifications | Impose administrative fines | Suspend international data flows
SA | Authorisation and advisory - CORRECT ANSWERS Provide
advice | Issue opinions to institutions, bodies, public | Authorise processing of
personal data | Issue opinion/approve draft codes of conduct | Approve
certification criteria | Accredit certification bodies | Issue certifications and
approve criteria | Adopt standard data protection clauses | Authorise contractual
clauses | Authorise administrative arrangements between public
authorities/bodies for appropriate safeguards related to transfers | Approve
BCRs
Lead SA - CORRECT ANSWERS Primary regulator responsible for
cross-border processing activities of a controller/processor and coordinating
operations of all SAs concerned
Identifying the lead SA - CORRECT ANSWERS FIRST determine if
cross-border processing is taking place
Lead SA when multiple establishments in the EU - CORRECT ANSWERS
SA of the place of main establishment / central administration - unless
decisions about purposes, means and implementation of processing take place at
a different location
EDPB Guidelines 8/2022 on identifying a controller or processor's lead SA -
CORRECT ANSWERS Advises the main establishment of a controller
cannot be considered as the main establishment of the joint controllers for
processing • Joint controllers cannot designate or bind supervisory authorities to
a common main establishment for both joint controllers
SA procedures - CORRECT ANSWERS Cooperation • Between lead SA
and other concerned SAs to reach consensus
Mutual assistance • Provision of relevant information between supervisory
authorities
Joint operations • Joint SA investigations and enforcement measures of
controllers or processors in several member states or when data subjects are in
more than one member state
Consistency mechanism • Specific collaborative process between SAs,
Commission and European Data Protection Board for adopting certain measures
and ensuring consistent GDPR application
Dispute resolution • Mechanism to dispute a decision (if not jointly agreed upon
by SA) • Issuance of binding decisions
Urgency procedure • For the immediate adoption of provisional measures within
a member state
The European Data Protection Board (EDPB) - CORRECT ANSWERS
- Replaces Article 29 Working Party
- Composition: Representatives of every Member State's SA
• Each of the 30 Member States of the EEA will appoint a representative to sit on
the EDPB
• Only representatives from the 27 EU Member States may actively participate
• Presided over by chair elected by EDPB representatives
• Participation from European Data Protection Supervisor (EDPS) and
representatives of Commission
• EDPS limited voting rights
• Commission no voting rights
• Independence • EDPB must act independently
EDPB Tasks - CORRECT ANSWERS - Monitor for correct application
of GDPR
• Oversee consistency mechanism for ensuring consistent approach to data
protection by various supervisory authorities
• Issue guidance and advice to Commission for personal data protection on pan-
European basis
• Issue guidelines, recommendations and best practices (e.g., automated
decision-making and safeguards, establishing when a data breach has occurred,
notification requirements and further determining when a breach could result in
high risks to data subject's rights or freedoms)
• Preside over dispute-resolution process