CIPPE Scenario Practice

SCENARIO: Granchester University & Student Records - AnswersANSWER THESE CARDS IN ORDER AND USE THE NEXT CARD FOR THE FOLLOWING QUESTIONS SCENARIO: Granchester University & Student Records Anna and Frank both work at Granchester University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records: Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information. · Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files). · Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees. These records are available to former students after registering through Granchester's Alumni portal. · Department for Education records, showing how certain demographic groups (such as fir - AnswersUSE THIS PARAGRAPH FOR THE NEXT FEW QUESTIONS UNTIL THE NEXT SCENARIO IS LISTED Which of the University's records does Anna NOT have to include in her record of processing activities? A. Student records B. Staff and alumni records C. Frank's performance database D. Department for Education records - AnswersDepartment for Education records Before Anna determines whether Frank's performance database is permissible, what additional information does she need? A. More information about Frank's data protection training. B. More information about the extent of the information loss. C. More information about the algorithm Frank used to mask student numbers. D. More information about what students have been told and how the research will be used. - AnswersMore information about what students have been told and how the research will be used. Anna will find that a risk analysis is NOT necessary in this situation as long as? A. The data subjects are no longer current students of Frank's B. The processing will not negatively affect the rights of the data subjects C. The algorithms that Frank uses for the processing are technologically sound D. The data subjects gave their unambiguous consent for the original processing - AnswersThe processing will not negatively affect the rights of the data subjects SCENARIO: THE TOY MANUFACTURER - AnswersANSWER THESE CARDS IN ORDER AND USE THE NEXT CARD FOR THE FOLLOWING QUESTIONS SCENARIO: THE TOY MANUFACTURER You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company's revenue is due to international sales. The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: The figures can answer children's questions on various subjects, such as mathematical calculatio - AnswersUSE THIS PARAGRAPH FOR THE NEXT FEW QUESTIONS UNTIL THE NEXT SCENARIO IS LISTED Why is this company obligated to comply with the GDPR? A. The company has offices in the EU. B. The company employs staff in the EU. C. The company's data center is located in a country outside the EU. D. The company's products are marketed directly to EU customers. - AnswersThe company's products are marketed directly to EU customers. What presents the BIGGEST potential privacy issue with the company's practices? A. The NFC portal can read any data stored in the action figures B. The information about the data processing involved has not been specified C. The cloud service provider is in a country that has not been deemed adequate D. The RFID tag in the action figures has the potential for misuse because of the toy's evolving capabilities - AnswersThe information about the data processing involved has not been specified To ensure GDPR compliance, what should be the company's position on the issue of consent? A. The child, as the user of the action figure, can provide consent himself, as long as no information is shared for marketing purposes. B. Written authorization attesting to the responsible use of children's data would need to be obtained from the supervisory authority. C. Consent for data collection is implied through the parent's purchase of the action figure for the child. D. Parental consent for a child's use of the action figures would have to be obtained before any data could be collected. - AnswersParental consent for a child's use of the action figures would have to be obtained before any data could be collected. In light of the requirements of Article 32 of the GDPR (related to the Security of Processing), which practice should the company institute? A. Encrypt the data in transit over the wireless Bluetooth connection. B. Include dual-factor authentication before each use by a child in order to ensure a minimum amount of security. C. Include three-factor authentication before each use by a child in order to ensure the best level of security possible. D. Insert contractual clauses into the contract between the toy manufacturer and the cloud service provider, since South Africa is outside the European Union. - AnswersEncrypt the data in transit over the wireless Bluetooth connection. SCENARIO: THE INSURANCE COMPANY CUSTOMER - AnswersANSWER THESE CARDS IN ORDER AND USE THE NEXT CARD FOR THE FOLLOWING QUESTIONS SCENARIO: THE INSURANCE COMPANY CUSTOMER Jason, a long-time customer of ABC insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Jason has been plagued by texts and calls from a company called Erbium Insurance offering to help him recover compensation for personal injury. Jason has heard about insurance companies selling customers' data to third parties, and he's convinced that Erbium must have gotten his information from ABC. Jason has also been receiving an increased amount of marketing information from ABC, trying to sell him their full range of their insurance policies. Perturbed by this, Jason has started looking at price comparison sites on the Internet and has been shocked to find that other insurers offer much cheaper rates than ABC, even though he has been a loyal customer for many years. When his ABC policy comes up for renewal, he decides to switch to Xentron Insur - AnswersUSE THIS PARAGRAPH FOR THE NEXT FEW QUESTIONS UNTIL THE NEXT SCENARIO IS LISTED Which statement accurately summarizes ABC's obligation in regard to Jason's data portability request? A. ABC does not have a duty to transfer Jason's data to Xentron if doing so is legitimately not technically feasible. B. ABC does not have to transfer Jason's data to Xentron because the right to data portability does not apply where personal data are processed in order to carry out tasks in the public interest. C. ABC has failed to comply with the duty to transfer Jason's data to Xentron because the duty applies wherever personal data are processed by automated means and necessary for the performance of a contract with the customer. D. ABC has failed to comply with the duty to transfer Jason's data to Xentron because it has an obligation to develop commonly used, machine-readable and interoperable formats so that all customer data can be ported to other insurers on request. - AnswersABC does not have a duty to transfer Jason's data to Xentron if doing so is legitimately not technically feasible. (See GDPR Article 20(2)) After Jason has exercised his right to restrict the use of his data, under what conditions would Erbium have grounds for refusing to comply? A. If Erbium is entitled to use of the data as an affiliate of ABC. B. If Erbium also uses the data to conduct public health research. C. If the data becomes necessary to defend Erbium's legal rights. D. If the accuracy of the data is not an aspect that Jason is disputing. - AnswersIf the data becomes necessary to defend Erbium's legal rights. (See Compendium - P.76) SCENARIO: Company A, B, & C - AnswersANSWER THESE CARDS IN ORDER AND USE THE NEXT CARD FOR THE FOLLOWING QUESTIONS SCENARIO: Company A, B, & C Due to rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B. Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry. Company B's payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A's factories. Company B won't hold any biometric data itself, but the related data will be uploaded to Company B's UK servers and used to provide the payroll service. Company B's live systems will contain the following information for each of Company A's employees: Name Address Date of Birth