CIPP/E EXAM QUESTIONS &
ANSWERS
IAPP - ANSWERInternational Association of Privacy Professionals - founded in 2000
GDPR - ANSWERGlobal Data Privacy Regulation - May 2018
- states can make further legislation
- stronger rights for online environment
- SA have increased powers
- broader application - anyone targeting EU cust
- 173 recitals, 99 articles, 11 chapters
Rational for Data Protection - ANSWERIncrease in computers in 1970 and cross-border
trade
EEC - ANSWEREuropean Economic Community
Human Rights Declaration - ANSWER1948 after WWII - right to private and family life
and freedom of expression (Art 12)
- created by Council of EU, adopted by United Nations
ECHR (Court) - ANSWEREuropean Court of Human Rights - binding decisions
- gives opinion on ECHR
- personal info to be private but not absolute right
ECHR - ANSWEREuropean Convention on Human Rights - 1953
- created by Council of EU (not just EU)
- open to member states (application)
- like HRD, recognizes the need for balance
- based on Universal Human Rights Declaration
OECD - ANSWEROrganization for Economic Cooperation and Development - 1980
- created OECD guidelines on transborder flow of personal data
- membership extends beyond Europe
- focused on economic growth, NOT BINDING
OECD Guidelines - ANSWER(1) Collection Limitation (consent, fair, lawful)
(2) Data Quality (complete, accurate, update-to-date)
(3)Purpose Specification (specified at collection)
(4) Use Limitation (consistent with purpose)
(5) Security Safeguards (against loss, destruction, modification, unauthorized access)
(6) Openness (use of info, Controller identity & loc)
(7) Individual Participation (entitled to receive from Controller)
(8) Accountability (controller complies with above)
,OECD Guidelines - Member state considerations - ANSWER- domestic processing &
re-export of data
- transborder flows are uninterrupted & secure
- don't engage with other members unless guidelines are observed
- member state can restrict if protection not provided
- avoid laws to restrict TB data flows
Convention 108 aka CoE Convention - ANSWER- 1981 - worldwide scope
- Convention for the Protection of Individuals in regard to automatic processing (not
profiling) of PD
- first legally binding international instrument in the area of data protection.
- requires signatories to take steps to ensure fundamental human rights with regard to
the processing of personal information.
- US was not signatory
Global privacy day (1/28)
- same as OECD except: (1) preserve info to identify person for no longer than needed
(2) Special categories - race, religion, sex/health life, political views, criminal conv not
auto processed without safeguards
Transborder Special Rules - ANSWERFor countries not signatory parties
Mutual Assistance - ANSWERdesignate SA to oversee compliance
Data Protection Directive - ANSWER- Direction 95/46/EC
- not law, framework
- 1995
- fragmented implementation across states
- replaced by GDPR
- only applied to Controllers
- 78 recitals, 34 articles, 7 chapters
Charter of Fundamental Rights of EU - ANSWER- 2000 in Nice
- created by EU
- Lisbon Treaty made this binding for EU states
- Art 7 - private life, family, home, comm
- Art 8 - separate right to data protection
- promotes individual civil, political, economic, and social rights for European citizens
- similar principles as ECHR but refers to protection of personal data
Treaty of Lisbon - ANSWER- Treaty signed in 2007 that made the European Parliament
the co-equal legislator for almost all European laws and also created the position of the
president of the European Council
- made Charter of Fundamental Rights binding
- Amended EU Treaty
,Convention 108+ - ANSWERAligns with GDPR
ePrivacy Directive - ANSWER- 2002 aka Cookie Directive
- Privacy & Electronic Communication Directive (2002/58/EC)
- processing data across public communication network (doesn't apply to private
network)
- telecomm, faxes, internet, email
- must get consent to store cookies
EU Institutions - ANSWER1. European Parliament - Oversight - House of Rep - vote on
legislation, elected by EU citizens
2. European Council - Direction - set priorities & political direction for EU
3. Council of EU - Decisions - Senate - minister from each state, main decision making
body (works with Parliament)
4. European Commission - Executive - implements EU decisions, 1 commissioner per
state, most active
European Courts - ANSWER1. CJEU - Court of Justice of European Union - decision on
EU laws - judicial body of EU
2. ECHR - European Court of Human Rights - not EU institution, intl court, applies
ECHR
Copeland vs UK - ANSWERmonitoring emails at work violates article 8 of ECHR
Google Spain vs AEPD & Mario Costeja) - ANSWERGoogle Spain sold advertising
space to fund Google Search Engine - SE outside EEA whose activities are
economically linked to SE core activities - Google had refused to address complaints
mainly on the basis that Google entity responsible for the search engine was outside of
the territorial scope of EU data protection law and, therefore, beyond the reach of the
AEPD.
- ECJ ruled SEs are also controllers of PD contained in 3rd party web pages
- Mario - right to be forgotten - house foreclosure
Weltimmo - ANSWERRE company - how laws protect citizens in cross-border activity
- Weltimmo found to be established in Hungary even though Slovakian company
because:
1. website targeting Hungary & using language
2. Rep in Hungary for court
3. letter box in Hungary
4. Hungarian bank account
Schrems - ANSWERinvalidated Safe Harbor for FB to transfer data to US
GDPR Chapters - ANSWER1. General Provisions
, 2. Principles
3. DS Rights
4. Controller & Processor
5. Transfer of data to 3rd parties
6. Independent SA
7. Cooperation & Consistency
8. Remedies, liabilities, penalties
9. Provisions relating to specific process situations
10. Delegated acts and implementing acts
11. Final provisions
Consent - ANSWERFreely Given
Specific
Informed
Unambiguous
- cannot be bundled with T&Cs
- clear and plain language
- main criteria for legitimate processing
Data Breach Reporting - ANSWERControllers and Processors have to report to DPA
within 72 hours unless no risk to rights and freedoms
Main changes in GDPR from Directive - ANSWER- directly applicable to all member
states
- stronger rights for individuals - data portability, right to be forgotten, profiling
- new accountability regime
- use of subprocessor requires consent of controller
LEDP - ANSWERLaw Enforcement Data Protection - better protection for citizens data
- must comply with necessity, proportionality, and legality
NIS Directive - ANSWER- Network & Information Systems - first EU-wide cybersecurity
law
- 3 Focus Areas: (1) National capabilities - response teams, recovery exercises, (2)
Cross-border collaboration, (3) National supervision of critical sectors
1. compel dev of cybersecurity strategies for EU
2. improve security levels of operators of essential services and digital service provides
3. enhance cooperation btw states and NIS group
- EU Directives are not directly applicable to member states - to become law, they have
to be implemented by national legislation
GDPR Opening Clauses - ANSWER- 50 open clauses allow for specific national laws -
ex. parental consent
ANSWERS
IAPP - ANSWERInternational Association of Privacy Professionals - founded in 2000
GDPR - ANSWERGlobal Data Privacy Regulation - May 2018
- states can make further legislation
- stronger rights for online environment
- SA have increased powers
- broader application - anyone targeting EU cust
- 173 recitals, 99 articles, 11 chapters
Rational for Data Protection - ANSWERIncrease in computers in 1970 and cross-border
trade
EEC - ANSWEREuropean Economic Community
Human Rights Declaration - ANSWER1948 after WWII - right to private and family life
and freedom of expression (Art 12)
- created by Council of EU, adopted by United Nations
ECHR (Court) - ANSWEREuropean Court of Human Rights - binding decisions
- gives opinion on ECHR
- personal info to be private but not absolute right
ECHR - ANSWEREuropean Convention on Human Rights - 1953
- created by Council of EU (not just EU)
- open to member states (application)
- like HRD, recognizes the need for balance
- based on Universal Human Rights Declaration
OECD - ANSWEROrganization for Economic Cooperation and Development - 1980
- created OECD guidelines on transborder flow of personal data
- membership extends beyond Europe
- focused on economic growth, NOT BINDING
OECD Guidelines - ANSWER(1) Collection Limitation (consent, fair, lawful)
(2) Data Quality (complete, accurate, update-to-date)
(3)Purpose Specification (specified at collection)
(4) Use Limitation (consistent with purpose)
(5) Security Safeguards (against loss, destruction, modification, unauthorized access)
(6) Openness (use of info, Controller identity & loc)
(7) Individual Participation (entitled to receive from Controller)
(8) Accountability (controller complies with above)
,OECD Guidelines - Member state considerations - ANSWER- domestic processing &
re-export of data
- transborder flows are uninterrupted & secure
- don't engage with other members unless guidelines are observed
- member state can restrict if protection not provided
- avoid laws to restrict TB data flows
Convention 108 aka CoE Convention - ANSWER- 1981 - worldwide scope
- Convention for the Protection of Individuals in regard to automatic processing (not
profiling) of PD
- first legally binding international instrument in the area of data protection.
- requires signatories to take steps to ensure fundamental human rights with regard to
the processing of personal information.
- US was not signatory
Global privacy day (1/28)
- same as OECD except: (1) preserve info to identify person for no longer than needed
(2) Special categories - race, religion, sex/health life, political views, criminal conv not
auto processed without safeguards
Transborder Special Rules - ANSWERFor countries not signatory parties
Mutual Assistance - ANSWERdesignate SA to oversee compliance
Data Protection Directive - ANSWER- Direction 95/46/EC
- not law, framework
- 1995
- fragmented implementation across states
- replaced by GDPR
- only applied to Controllers
- 78 recitals, 34 articles, 7 chapters
Charter of Fundamental Rights of EU - ANSWER- 2000 in Nice
- created by EU
- Lisbon Treaty made this binding for EU states
- Art 7 - private life, family, home, comm
- Art 8 - separate right to data protection
- promotes individual civil, political, economic, and social rights for European citizens
- similar principles as ECHR but refers to protection of personal data
Treaty of Lisbon - ANSWER- Treaty signed in 2007 that made the European Parliament
the co-equal legislator for almost all European laws and also created the position of the
president of the European Council
- made Charter of Fundamental Rights binding
- Amended EU Treaty
,Convention 108+ - ANSWERAligns with GDPR
ePrivacy Directive - ANSWER- 2002 aka Cookie Directive
- Privacy & Electronic Communication Directive (2002/58/EC)
- processing data across public communication network (doesn't apply to private
network)
- telecomm, faxes, internet, email
- must get consent to store cookies
EU Institutions - ANSWER1. European Parliament - Oversight - House of Rep - vote on
legislation, elected by EU citizens
2. European Council - Direction - set priorities & political direction for EU
3. Council of EU - Decisions - Senate - minister from each state, main decision making
body (works with Parliament)
4. European Commission - Executive - implements EU decisions, 1 commissioner per
state, most active
European Courts - ANSWER1. CJEU - Court of Justice of European Union - decision on
EU laws - judicial body of EU
2. ECHR - European Court of Human Rights - not EU institution, intl court, applies
ECHR
Copeland vs UK - ANSWERmonitoring emails at work violates article 8 of ECHR
Google Spain vs AEPD & Mario Costeja) - ANSWERGoogle Spain sold advertising
space to fund Google Search Engine - SE outside EEA whose activities are
economically linked to SE core activities - Google had refused to address complaints
mainly on the basis that Google entity responsible for the search engine was outside of
the territorial scope of EU data protection law and, therefore, beyond the reach of the
AEPD.
- ECJ ruled SEs are also controllers of PD contained in 3rd party web pages
- Mario - right to be forgotten - house foreclosure
Weltimmo - ANSWERRE company - how laws protect citizens in cross-border activity
- Weltimmo found to be established in Hungary even though Slovakian company
because:
1. website targeting Hungary & using language
2. Rep in Hungary for court
3. letter box in Hungary
4. Hungarian bank account
Schrems - ANSWERinvalidated Safe Harbor for FB to transfer data to US
GDPR Chapters - ANSWER1. General Provisions
, 2. Principles
3. DS Rights
4. Controller & Processor
5. Transfer of data to 3rd parties
6. Independent SA
7. Cooperation & Consistency
8. Remedies, liabilities, penalties
9. Provisions relating to specific process situations
10. Delegated acts and implementing acts
11. Final provisions
Consent - ANSWERFreely Given
Specific
Informed
Unambiguous
- cannot be bundled with T&Cs
- clear and plain language
- main criteria for legitimate processing
Data Breach Reporting - ANSWERControllers and Processors have to report to DPA
within 72 hours unless no risk to rights and freedoms
Main changes in GDPR from Directive - ANSWER- directly applicable to all member
states
- stronger rights for individuals - data portability, right to be forgotten, profiling
- new accountability regime
- use of subprocessor requires consent of controller
LEDP - ANSWERLaw Enforcement Data Protection - better protection for citizens data
- must comply with necessity, proportionality, and legality
NIS Directive - ANSWER- Network & Information Systems - first EU-wide cybersecurity
law
- 3 Focus Areas: (1) National capabilities - response teams, recovery exercises, (2)
Cross-border collaboration, (3) National supervision of critical sectors
1. compel dev of cybersecurity strategies for EU
2. improve security levels of operators of essential services and digital service provides
3. enhance cooperation btw states and NIS group
- EU Directives are not directly applicable to member states - to become law, they have
to be implemented by national legislation
GDPR Opening Clauses - ANSWER- 50 open clauses allow for specific national laws -
ex. parental consent
