Full CIPP/E Exam 2023 with complete solutions
Accountability - Answer- The implementation of appropriate *technical and organisational measures* to ensure and be able to *demonstrate* that the handling of personal data is performed in accordance with relevant law, an idea codified in the EU General Data Protection Regulation and other frameworks, including APEC's Cross Border Privacy Rules. Traditionally has been a *fair information practices principle*, that due diligence and reasonable steps will be undertaken to ensure that personal information will be protected and handled consistently with relevant law and other fair use principles.

Accuracy - Answer- Organizations must take every *reasonable* step to ensure the data processed is this and, where *necessary*, kept up to date. Reasonable measures should be understood as implementing processes to prevent inaccuracies during the data collection process as well as during the ongoing data processing in relation to the specific use for which the data is processed. The organization must consider the type of data and the specific purposes to maintain the accuracy of personal data in relation to the purpose. Also embodies the responsibility to respond to data subject requests to correct records that contain incomplete information or misinformation.

Adequate Level of Protection - Answer- A transfer of personal data from the European Union to a third country or an international organisation may take place where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question, ensures this by taking into account the *following elements*: *(a)* the rule of law, respect for *human rights* and fundamental freedoms, both *general and sectoral legislation*, data protection rules, professional rules and security measures, effective and *enforceable data subject rights* and *effective administrative and judicial redress* for the data subjects whose personal data is being transferred; *(b)* the existence and *effective* functioning of independent *supervisory authorities* with responsibility for ensuring and enforcing compliance with the data protection rules; (c) the *international commitments* the third country or international organisation concerned has entered into in relation *to the protection of personal data*.

Annual Reports - Answer- The requirement under the GDPR that the European Data Protection Board and each supervisory authority *periodically report on their activities*. The supervisory authority report should include infringements and the activities that the authority conducted under their Article 58(2) powers. The EDPB report should include *guidelines, recommendations, best practices and binding decisions*. Additionally, the report should include the protection of natural persons with regard to processing in the EU and, where relevant, in third countries and international organisations. Shall be *made public and be transmitted to the European Parliament, to the Council and to the Commission*.

Anonymous Information - Answer- In contrast to personal data, this is not related to an identified or an identifiable natural person and *cannot be combined with other information to re-identify individuals*. It has been rendered unidentifiable and, as such, is not protected by the GDPR.

Anti-discrimination Laws - Answer- *Indications of special classes* of personal *data*. If there exists law protecting against discrimination based on a class or status, it is likely personal information relating to that class or status is *subject to more stringent* data protection regulation, under the GDPR or otherwise.

Appropriate Safeguards - Answer- The GDPR refers to these in a number of contexts, *including* the *transfer* of personal data *to third countries* outside the European Union, the processing of *special categories* of data, *and* the processing of personal data in a *law enforcement* context. This generally refers to the application of the general data protection principles, in particular purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, legal basis for processing, processing of special categories of personal data, measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the binding corporate rules. This *may* also *refer to* the use of *encryption or pseudonymization*, *standard* data protection *clauses* adopted by the Commission, contractual clauses authorized by a supervisory authority, or *certification schemes* or *codes of conduct* authorized by the Commission or a supervisory authority. Should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the European Union.

Appropriate Technical and Organizational Measures - Answer- The GDPR requires a *risk-based approach* to data protection, whereby organizations *take into account* the *nature*, *scope*, *context and purposes* of processing, as well as the risks of varying *likelihood* and *severity to* the *rights and freedoms* of natural persons, and institute policies, controls and certain technologies to mitigate those risks. These might help meet the obligation to keep personal data secure, including technical safeguards against accidents and negligence or deliberate and malevolent actions, or involve the implementation of data protection policies. These measures should be demonstrable on demand to data protection authorities and reviewed regularly.

Article 29 Working Party - Answer- Was a European Union organization that functioned as an *independent advisory body* on data protection and privacy and consisted of the collected data protection authorities of the member states. It was *replaced by* the similarly constituted European Data Protection Board (*EDPB*) on May 25, 2018, *when* the *GDPR went into effect*.

Authentication - Answer- The process by which an entity (such as a person or computer system) determines whether another entity is who it claims to be. *Is required* by the GDPR *when* the data subject is *exercising certain rights*, such as the rights to *deletion or rectification*, and might include supplying log-in details or biometric information. However, the data controller should not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of the Regulation.

Automated Processing - Answer- A processing operation that is performed without any human intervention. "Profiling" is defined in the GDPR, for example, as the automated processing of personal data to evaluate certain personal aspects relating to a natural person, in particular to *analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements*. Data subjects, under the GDPR, have a *right to object* to such processing.

Availability - Answer- Data is this if it is *accessible when needed* by the organization or data subject. The GDPR requires that *a business* be able to ensure this of personal data and have the ability to *restore it and access* to personal data in a *timely manner* in the event of a physical or technical incident.

Background Screening/Checks - Answer- Organizations may want to verify an applicant's ability to function in the working environment as well as assuring the safety and security of existing workers. Range from checking a person's educational background to checking on past criminal activity. *Employee consent requirements* for such checks *vary by member state and may be negotiated with local works councils*.

Behavioral Advertising - Answer- Most often done via automated processing of personal data, or profiling, the GDPR requires that *data subjects* be able to *opt-out of any automated processing, to be informed of the logic involved in any automatic personal data processing and, at least when based on profiling, be informed of the consequences of such processing*. If cookies are used to store or access information for the purposes of behavioral advertising, the ePrivacy Directive requires that data subjects provide consent for the placement of such cookies, after having been provided with clear and comprehensive information.

Binding Corporate Rules - Answer- An appropriate safeguard allowed by the GDPR to facilitate *cross-border transfers* of personal data *between* the various *entities of a corporate group worldwide*. They do so by ensuring that the same high level of protection of personal data is complied with by all members of the organizational group by means of a single set of binding and enforceable rules. Compel organizations to be able to demonstrate their compliance with all aspects of applicable data protection legislation and *are approved by a member state data protection authority*. To date, relatively few organizations have had these approved.

Binding Safe Processor Rules - Answer- Previously, the EU distinguished between these for controllers and processors. With the GDPR, there is *now no distinction* made between the two in this context and *Binding Corporate Rules are appropriate for both Controllers and Processors*.

Biometrics - Answer- Data concerning the *intrinsic physical or behavioral characteristics* of an individual. Examples include *DNA, fingerprints, retina and iris patterns, voice, face, handwriting, keystroke technique* and *gait*. The GDPR, in Article 9, lists these for the purpose of uniquely identifying a natural person as a special category of data for which processing is not allowed other than in specific circumstances.

Bodily Privacy - Answer- One of the four classes of privacy, along with information privacy, territorial privacy and communications privacy. It focuses on a person's physical being and any invasion thereof. Such an invasion can take the form of *genetic testing, drug testing* or *body cavity searches*.

Breach Disclosure (EU specific) - Answer- The requirement that a data controller *notify regulators*, potentially within *72 hours* of discovery, and/or victims, of incidents affecting the confidentiality and security of personal data, depending on the assessed risks to the rights and freedoms of affected data subjects.

Bundesdatenschutzgesetz-neu - Answer- *Germany's federal data protection act*, implementing the GDPR. With the passage of the GDPR, it replaced a previous law with the same name and enhanced a series of other acts mainly in areas of law enforcement and intelligence services. Furthermore, the *new version suggests a procedure* for national data protection authorities *to challenge adequacy decisions* of the EU Commission.

CCTV - Answer- Has come to be shorthand for any video surveillance system. *Originally*, such systems relied on coaxial cable and were truly *only accessible on premise*. *Today*, most surveillance systems are *hosted via TCP/IP networks* and can be *accessed remotely*, and the footage much more *easily shared*, eliciting new and different privacy concerns.

Certification Mechanisms - Answer- Introduced by the GDPR, a *new valid adequacy mechanism for* the *transfer* of personal data outside of the European Union *in* the *absence of an adequacy decision* and instead of other mechanisms such as binding corporate rules or contractual clauses. These *must be developed by certifying bodies*, *approved by data protection authorities or the EDPB* (European Data Protection Board), *and* have *a methodology for auditing* compliance. Similar to binding corporate rules, they compel organizations to be able to demonstrate their compliance with all aspects of applicable data protection legislation.

Charter of Fundamental Rights - Answer- A treaty that consolidates human rights within the EU. The treaty states that *everyone has a right to protect their personal data*, that *data must be processed for legitimate and specified purposes* and that *compliance is subject to control by an authority*.

Choice - Answer- In the context of consent, this refers to the idea that consent must be freely given and that data subjects must have a *genuine ____________* as to whether to provide personal data or not. If this is not truly given it is unlikely the consent will be deemed valid under the GDPR.

Cloud Computing - Answer- The provision of information technology services over the Internet. These services may be provided by a company for its internal users in private or by third-party suppliers. The *services can include software, infrastructure (i.e., servers), hosting and platforms (i.e., operating systems)*. Has numerous applications, from personal webmail to corporate data storage, and can be subdivided into different types of service models.

Codes of Conduct - Answer- Introduced by the GDPR, these are a new valid adequacy mechanism for the transfer of personal data outside of the European Union in the absence of an adequacy decision and instead of other mechanisms such as binding corporate rules or contractual clauses. These must be *developed by industry trade groups, associations or other bodies* representing categories of controllers or processors. They *must be approved by supervisory authorities or the European Data Protection Board*, and have a methodology for auditing compliance. Similar to binding corporate rules, they compel organizations to be able to demonstrate their compliance with all aspects of applicable data protection legislation.

Collection Limitation - Answer- A *fair information practices* principle, it is the principle stating *there should be limits to* the *collection* of personal data, that any such *data should be obtained by lawful and fair means and*, where appropriate, *with the knowledge or consent* of the data subject.

Communications Privacy - Answer- One of the four classes of privacy, along with information privacy, bodily privacy and territorial privacy. It encompasses protection of the means of correspondence, including *postal mail, telephone conversations, electronic e-mail* and *other forms of communicative behavior and apparatus*.

Confidentiality - Answer- Data is this if it is *protected against unauthorised or unlawful* processing. The GDPR requires that an organization be able to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services as part of its requirements for appropriate security. In addition, the GDPR requires that *persons authorised to process* the personal data *have committed* themselves *to confidentiality* or are under an appropriate statutory obligation of this.

Consent (EU specific) - Answer- This privacy requirement is one of the *fair information practices*. In the GDPR, however, it is specifically one of the legal bases for processing personal data. According to the GDPR, *for it to be valid*, it must be: *clearly distinguishable* from other matters, intelligible, and in *clear and plain language*; *freely given*; as *easy to withdraw* as it was to provide; *specific; informed; and unambiguous*. Further, it must be a *positive, affirmative action* (e.g., checking opt-in or choosing technical settings for web applications), with pre-ticked boxes expressly not allowed. For certain *special categories of data*, as outlined in Article 9, *explicit _________ is required* for processing, a higher standard than unambiguous consent.

Consistency Mechanism - Answer- In order to ensure the consistent application of the GDPR throughout the European Union, the GDPR establishes this which *allows member state supervisory authorities to cooperate* with one another. The mechanism *applies particularly* where a supervisory authority intends to adopt a measure intended to produce legal effects as regards processing operations which *substantially affect a significant number of data subjects in several member states*. *When a* member state *supervisory authority* intends to take action, such as *approving a code of conduct or certification mechanism*, it shall *provide a draft to the EDPB* (European Data Protection Board), and the *EDPB's* members *shall* render an *opinion* on that draft, which the *supervisory authority* shall take into account and *then either amend or decide* to go forward with the *draft in its original form*. Should there be *significant difference in opinion*, the *dispute resolution mechanism* will be triggered.

Content Data - Answer- The text, images, etc., contained within any communication message, such as an email, text, or instant message on any given communications platform. Specifically used often to distinguish from metadata. The *ePrivacy Directive and draft ePrivacy Regulation protect the confidentiality of this*.

Contractual Clauses - Answer- *Adopted either directly by the European Commission or by a supervisory authority* in accordance with the consistency mechanism *and then adopted by the Commission*, these are mechanisms by which organisations can commit to protect personal data to facilitate ongoing and systematic cross-border personal data transfers.

Convention 108 - Answer- A legally binding international instrument that requires signatory countries to take the *necessary steps* in their *domestic legislation* to *apply the principles* it lays down ensuring *fundamental human rights with regard to the processing of personal information*.

Cookie - Answer- A small text file stored on a client machine that may later be retrieved by a web server from the machine. Allow web servers to keep track of the end user's browser activities, and connect individual web requests into a session. Can also be used to prevent users from having to be authorized for every password protected page they access during a session by recording that they have successfully supplied their username and password already. May be referred to as *"first-party"* (if they are *placed by the website that is visited*) or *"third-party"* (if they are *placed by a party other than the visited website*). Additionally, they may be referred to as *"session ___________"* if they are *deleted when a session ends*, *or "persistent ___________" if they remain longer*. Notably, the GDPR lists this latter category, so-called *"identifiers,"* as an example of *personal information*. The use is *regulated both by* the *GDPR* and the *ePrivacy Directive*.

Cookie Directive - Answer- An *amendment* made *to* the European Union's *Directive 2002/58*, also known as (*a.k.a.*) the *ePrivacy Directive*, that *requires* organizations to get *consent before placing* ___________ and other tracking technologies on digital devices. With the passage of the GDPR, this definition of consent has changed and *opt-out consent is no longer viable in this area*.

Cooperation - Answer- Part of the *consistency mechanism* of the GDPR, this is required between *supervisory authorities* when working with controllers or processors handling the personal data of *data subjects in multiple member states*. This is often referred to as (*a.k.a.*) the "*one-stop shop*," whereby a lead supervisory authority works with the supervisory authorities of other member states with affected data subjects.

Copland v. United Kingdom - Answer- A case in which the *ECHR* (European Court of Human Rights) held that *monitoring* an applicant's *email at work* was *contrary to Article 8* of the *Convention on Human Rights*.

Costeja - Answer- Shorthand for (*a.k.a.*) the case where Costeja *successfully sued Google Spain, Google Inc. and La Vanguardia newspaper*. When the Court of Justice of the EU ruled that Google Spain must remove the links to the article, the "*right to be forgotten*" was effectively established in the European Union. The GDPR subsequently more formally granted data subjects the right to deletion in certain circumstances.

Council of Europe - Answer- The CoE, launched in *1949*, is a *human rights organization* with *47 member* countries, including the *28 member states* of the European Union. The members have *all signed* the *European Convention on Human Rights and* are *subject to the ECHR* (European Court of Human Rights). The Council's *Convention 108* was the first legally binding international agreement to protect the human right of privacy and data protection.

Council of the European Union - Answer- A council of ministers from the 28 member states, this is *the main decision-making body of the EU*, with a central role in both political and legislative decisions. The council was established by the treaties of the 1950s, which laid the foundations for the EU, and *works with* the *European Parliament* to *create EU law*.

Cross-border Data Transfers (EU specific) - Answer- Transfers of personal data to any country outside the European Economic Area (EEA) may only take place subject to the condition that the third country ensures an adequate level of protection for the personal data as determined by the European Commission. It *also applies to onward transfers*, from one third country or international organisation to another (outside the EEA). In the absence of an adequacy finding, organizations must use other mechanisms, such as binding corporate rules, contractual clauses, or certification, for lawful transfer.

Data Breach Notification (EU specific) - Answer- The requirement that a data controller notify regulators, potentially within *72 hours* of discovery, and/or victims, of incidents affecting the confidentiality and security of personal data, depending on the assessed risks to the rights and freedoms of affected data subjects.

Data Elements - Answer- A *unit of data* that cannot be broken down further or has a distinct meaning. This may be a *date of birth, a numerical identifier, or location coordinates*. In the context of data protection, it is important to understand that these in isolation *may* not be personal data but, *when combined, become personally identifiable* and therefore personal data.

Data Controller - Answer- The natural or legal person, public authority, agency or any other body which alone or jointly with others *determines the purposes and means* of the processing of personal data. Where the purposes and means of such processing are determined by EU or member state law, this or the specific criteria for its nomination may be provided for by EU or member state law.

Data Portability - Answer- In certain circumstances, generally where data processing is done on the basis of consent or a contract, data subjects have the right to receive their personal data, which they have provided to a controller, in a *structured, commonly used and machine-readable format* and have the right to transmit that data to another controller without hindrance from the controller to which the personal data has been provided.

Data Processor - Answer- A natural or legal person (*other than an employee* of the controller), public authority, agency or other body which *processes personal data on behalf of the controller*. An organization can be both a controller and a processor at the same time, depending on the function the organization is performing.

Data Protection Authority (EU specific) - Answer- A term often used to refer to a *supervisory authority*.

Data Protection by Default - Answer- The implementation of appropriate *technical and organisational* measures for ensuring *that, by default, only* personal *data* which are *necessary for each specific purpose* of the processing *are processed*. That obligation *applies to* the *amount* of personal data collected, the *extent* of their processing, the *period* of their storage and their *accessibility*. In particular, such measures shall ensure that by default personal data are *not made accessible* without the individual's intervention *to an indefinite number* of natural persons. Such organizational *measures could consist*, inter alia, *of minimising* the processing of personal data, *pseudonymising* personal data as soon as possible, *transparency* with regard to the functions and processing of personal data, *and enabling the data subject to monitor* the data processing.

Data Protection by Design - Answer- When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to *take into account the right to data protection when developing and designing* such *products, services and applications* and, *with due regard to* the *state of the art*, to make sure that controllers and processors are able to fulfil their data protection obligations.

Data Protection Commissioner - Answer- The *title* given in *some member states* to the *supervisory authority*.

EU Data Protection Directive (*95/46/EC*) - Answer- Was replaced by the GDPR in 2018. The Directive was adopted in 1995, became effective in 1998 and was the *first EU-wide legislation that protected individuals' privacy* and personal data use.

Data Protection Impact Assessment - Answer- The process by which companies can *systematically assess and identify* the *privacy* and data protection *impacts of* any *products* they offer *and services* they provide. It enables them to *identify the impact* and *take* the *appropriate actions* to prevent or, at the very least, *minimise the risk* of those impacts. *Are required* by the General Data Protection Regulation in some instances, particularly *where a* new *product or service is likely to result in a high risk* to the rights and freedoms of natural persons.

Data Protection Officer - Answer- While the title has long been in use, particularly in Germany and France, the GDPR introduced a *new legal definition of this with specific tasks*. Certain *organizations*, particularly those *that process personal data as part of their business model or* those who *process special categories* of data as outlined in Article 9, *are obligated to designate one* on the basis of *professional qualities* and, in particular, *expert knowledge* of data protection law and practices. Has a variety of *mandated tasks, including communication with* the *supervisory authority*, *conducting DPIAs*, and *advising the organization on* the mandates of the *GDPR* and how to comply with it.

Data Protection Policy - Answer- Outlines the basic contours of the measures an organization takes in the processing and handling of personal data. Key matters the *policy should address* include: *Scope*, which explains both to whom the internal policy applies and the type of processing activities it covers; *Policy statement*; *Employee responsibilities*; *Management responsibilities*; *Reporting incidents*; *Policy compliance*.

Data Protection Principles - Answer- Article 5 of the GDPR lists: *L*awfulness, fairness and transparency; *P*urpose limitation; *D*ata minimisation; *A*ccuracy; *S*torage limitation; *I*ntegrity and confidentiality. *LPD ASI*

Data Recipient - Answer- A natural or legal person, public authority, agency or another body, to which personal data is disclosed, whether a third party or not. *Public authorities that receive personal data in the framework of a particular inquiry in accordance with EU or member state law shall not be regarded as recipients*, however. The processing of that data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

Data Subject - Answer- An identified or *identifiable* natural person.

De-identification - Answer- An action that one takes to *remove identifying characteristics* from data.

Derogation - Answer- In the context of European Union legislation interacting with member state law, a place in an EU-wide regulation where *individual member states are left to make their own law or have the option to deviate*. Can also simply refer to an exception to a certain basic rule or principle.

Direct Marketing (EU specific) - Answer- In the context of data protection law, can be defined as *personal data processed to communicate a marketing or advertising message*. This definition includes messages from commercial organisations, as well as from charities and political organisations. While it *is offered* in the GDPR as *an example* of processing for the *legitimate interest* of an organization, it also says the data subject shall have the *right to object at any time* to processing of personal data concerning him or her for such marketing, which *includes profiling* to the extent that it is related to such marketing.

Disclosure - Answer- The provision of *access* to personal data.

Dispute Resolution - Answer- In the context of the consistency mechanism (see Consistency Mechanism), the European Data Protection Board, *EDPB, can issue binding decisions on: objections to lead authority decisions*, on *disputes about* which supervisory authority should be *the lead authority*, and where there has been a *failure to request the EDPB's opinion* under Article 64 *or the opinion is not followed*.

Durant v. Financial Services Authority - Answer- A court case in which the Court of Appeal of the United Kingdom *narrowed the definition of personal data* under the Data Protection Act of 1998. It established a *two-stage test*: the information must be biographical in a significant sense and the individual must be the focus of the information.

Electronic Communications Network - Answer- Transmission systems, and, where applicable, switching or routing equipment and other resources that permit the conveyance of signals by wire, radio, optical or other electromagnetic means, including satellite networks; fixed and mobile terrestrial networks; electricity cable systems, to the extent that they are used for the purpose of transmitting signals; networks used for radio and television broadcasting, and cable television networks, irrespective of the type of information conveyed. *In the* discussions surrounding the *update of the ePrivacy Directive* to the ePrivacy Regulation, *so-called "over the top" providers, like app-based messaging services, are beginning to be considered as part of the ECN*.

Employee Personal Data - Answer- *Article 88 of the General Data Protection Regulation recognises that member states may provide for more specific rules around processing this*. These rules must include suitable and specific measures to safeguard the data subject's human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity and monitoring systems at the workplace.

Consent and Employee Personal Data - Answer- Because of the power imbalance between employer and employee, consent is generally not considered a legal basis for processing employee data.

Erasure - Answer- *Article 17(1)* of the GDPR establishes that data subjects have this right of their personal data *if*: the data is *no longer needed* for its *original purpose* and no new lawful purpose exists; the *lawful basis* for the processing *is* the data subject's *consent, the data subject withdraws that consent*, and no other lawful ground exists; the data subject *exercises the right to object*, and the controller has *no overriding grounds* for continuing the processing; the data has been *processed unlawfully*; *or this* is *necessary for compliance with* EU *law* or the national law of the relevant member state.

Established Service Provider - Answer- The GDPR establishes *direct legal obligations applicable to service providers acting as "processors"*, whilst giving an increased emphasis to the contractual obligations in place between customers and data processing service providers.

Establishment - Answer- Implies the *effective and real exercise of activity through stable arrangements*. The *legal form* of such arrangements, whether *through a branch or a subsidiary with a legal personality, is not the determining factor* in that respect.

EU-U.S. Safe Harbor Agreement - Answer- An agreement that was *invalidated by the Court of Justice of the European Union in 2015*, that allowed for the legal transfer of personal data between in the absence of a c
Written for: CIPP/E (institution), CIPP/E (course)
Document information: uploaded on May 28, 2023; 27 pages; written in 2022/2023; type: Exam (elaborations); contains: Questions & answers