CIPPE Scenario Practice Test 2023
Uploaded on
14-01-2023
Written in
2022/2023

CIPPE Scenario Practice Test

1. SCENARIO: Granchester University & Student Records: ANSWER THESE CARDS IN ORDER AND USE THE NEXT CARD FOR THE FOLLOWING QUESTIONS

2. SCENARIO: Granchester University & Student Records

Anna and Frank both work at Granchester University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records:

· Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information.
· Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files).
· Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees. These records are available to former students after registering through Granchester's Alumni portal.
· Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers.

Under their security policy, the University encrypts all of its personal data records in transit and at rest.

In order to improve his teaching, Frank wants to investigate how his engineering students perform in relation to Department for Education expectations. He has attended one of Anna's data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first time university attended. He wants to keep the records at the individual student level.

Mindful of Anna's training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time.

One of Anna's tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, Frank informs Anna about his performance database. Anna explains to Frank that, as well as minimizing personal data, the University has to check that this new use of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has done some additional research.

Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time.

USE THIS PARAGRAPH FOR THE NEXT FEW QUESTIONS UNTIL THE NEXT SCENARIO IS LISTED

3. Which of the University's records does Anna NOT have to include in her record of processing activities?
A. Student records
B. Staff and alumni records
C. Frank's performance database
D. Department for Education records
Answer: Department for Education records

4. Before Anna determines whether Frank's performance database is permissible, what additional information does she need?
A. More information about Frank's data protection training.
B. More information about the extent of the information loss.
C. More information about the algorithm Frank used to mask student numbers.
D. More information about what students have been told and how the research will be used.
Answer: More information about what students have been told and how the research will be used.

5. Anna will find that a risk analysis is NOT necessary in this situation as long as:
A. The data subjects are no longer current students of Frank's
B. The processing will not negatively affect the rights of the data subjects
C. The algorithms that Frank uses for the processing are technologically sound
D. The data subjects gave their unambiguous consent for the original processing
Answer: The processing will not negatively affect the rights of the data subjects

6. SCENARIO: THE TOY MANUFACTURER: ANSWER THESE CARDS IN ORDER AND USE THE NEXT CARD FOR THE FOLLOWING QUESTIONS

7. SCENARIO: THE TOY MANUFACTURER

You have just been hired by a toy manufacturer based in Hong Kong. The company sells a broad range of dolls, action figures and plush toys that can be found internationally in a wide variety of retail stores. Although the manufacturer has no offices outside Hong Kong and in fact does not employ any staff outside Hong Kong, it has entered into a number of local distribution contracts. The toys produced by the company can be found in all popular toy stores throughout Europe, the United States and Asia. A large portion of the company's revenue is due to international sales.

The company now wishes to launch a new range of connected toys, ones that can talk and interact with children. The CEO of the company is touting these toys as the next big thing, due to the increased possibilities offered: the figures can answer children's questions on various subjects, such as mathematical calculations or the weather. Each figure is equipped with a microphone and speaker and can connect to any smartphone or tablet via Bluetooth. Any mobile device within a 10-meter radius can connect to the toys via Bluetooth as well. The figures can also be associated with other figures (from the same manufacturer) and interact with each other for an enhanced play experience.

When a child asks the toy a question, the request is sent to the cloud for analysis, and the answer is generated on cloud servers and sent back to the figure. The answer is given through the figure's integrated speakers, making it appear as though the toy is actually responding to the child's question. The packaging of the toy does not provide technical details on how this works, nor does it mention that this feature requires an internet connection. The necessary data processing for this has been outsourced to a data center located in South Africa. However, your company has not yet revised its consumer-facing privacy policy to indicate this.

In parallel, the company is planning to introduce a new range of game systems through which consumers can play the characters they acquire in the course of playing the game. The system will come bundled with a portal that includes a Near Field Communication (NFC) reader. This device will read an RFID tag in the action figure, making the figure come to life onscreen. Each character has its own stock features and abilities, but it is also possible to earn additional ones by accomplishing game goals. The only information stored in the tag relates to the figures' abilities. It is easy to switch characters during the game, and it is possible to bring the figure to locations outside of the home and have the character's abilities remain intact.

USE THIS PARAGRAPH FOR THE NEXT FEW QUESTIONS UNTIL THE NEXT SCENARIO IS LISTED

8. Why is this company obligated to comply with the GDPR?
A. The company has offices in the EU.
B. The company employs staff in the EU.
C. The company's data center is located in a country outside the EU.
D. The company's products are marketed directly to EU customers.
Answer: The company's products are marketed directly to EU customers.

9. What presents the BIGGEST potential privacy issue with the company's practices?
A. The NFC portal can read any data stored in the action figures
B. The information about the data processing involved has not been specified
C. The cloud service provider is in a country that has not been deemed adequate
D. The RFID tag in the action figures has the potential for misuse because of the toy's evolving capabilities
Answer: The information about the data processing involved has not been specified

10. To ensure GDPR compliance, what should be the company's position on the issue of consent?
A. The child, as the user of the action figure, can provide consent himself, as long as no information is shared for marketing purposes.
B. Written authorization attesting to the responsible use of children's data would need to be obtained from the supervisory authority.
C. Consent for data collection is implied through the parent's purchase of the action figure for the child.
D. Parental consent for a child's use of the action figures would have to be obtained before any data could be collected.
Answer: Parental consent for a child's use of the action figures would have to be obtained before any data could be collected.

11. In light of the requirements of Article 32 of the GDPR (related to the Security of Processing), which practice should the company institute?
A. Encrypt the data in transit over the wireless Bluetooth connection.
B. Include dual-factor authentication before each use by a child in order to ensure a minimum amount of security.
C. Include three-factor authentication before each use by a child in order to ensure the best level of security possible.
D. Insert contractual clauses into the contract between the toy manufacturer and the cloud service provider, since South Africa is outside the European Union.
Answer: Encrypt the data in transit over the wireless Bluetooth connection.

12. SCENARIO: THE INSURANCE COMPANY CUSTOMER: ANSWER THESE CARDS IN ORDER AND USE THE NEXT CARD FOR THE FOLLOWING QUESTIONS

13. SCENARIO: THE INSURANCE COMPANY CUSTOMER

Jason, a long-time customer of ABC insurance, was involved in a minor car accident a few months ago. Although no one was hurt, Jason has been plagued by texts and calls from a company called Erbium Insurance offering to help him recover compensation for personal injury. Jason has heard about insurance companies selling customers' data to third parties, and he's convinced that Erbium must have gotten his information from ABC.

Jason has also been receiving an increased amount of marketing information from ABC, trying to sell him the full range of their insurance policies. Perturbed by this, Jason has started looking at price comparison sites on the Internet and has been shocked to find that other insurers offer much cheaper rates than ABC, even though he has been a loyal customer for many years. When his ABC policy comes up for renewal, he decides to switch to Xentron Insurance.

In order to activate his new insurance policy, Jason needs to supply Xentron with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask ABC to transfer his information directly to Xentron. He also takes this opportunity to ask ABC to stop using his personal data for marketing purposes.

ABC supplies Jason with PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Jason it cannot transfer his data directly to Xentron as this is not technically feasible. ABC also explains that Jason's contract included a provision whereby Jason agreed that his data could be used for marketing purposes; according to ABC, it is too late for Jason to change his mind about this. It angers Jason when he recalls the wording of the contract, which was filled with legal jargon and very confusing.

In the meantime, Jason is still receiving unwanted calls from Erbium Insurance. He writes to Erbium to ask for the name of the organization that supplied his details to them. He warns Erbium that he plans to complain to the data protection authority because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way.

Erbium's response letter confirms Jason's suspicions. Erbium is ABC's wholly owned subsidiary, and they received information about Jason's accident from ABC shortly after Jason submitted his accident claim. Erbium assures Jason that there has been no breach of the GDPR, as Jason's contract included a provision in which he agreed to share his information with ABC's affiliates for business purposes.

Jason is disgusted by the way in which he has been treated by ABC, and writes to them insisting that all his information be erased from their computer system.

USE THIS PARAGRAPH FOR THE NEXT FEW QUESTIONS UNTIL THE NEXT SCENARIO IS LISTED

14. Which statement accurately summarizes ABC's obligation in regard to Jason's data portability request?
A. ABC does not have a duty to transfer Jason's data to Xentron if doing so is legitimately not technically feasible.
B. ABC does not have to transfer Jason's data to Xentron because the right to data portability does not apply where personal data are processed in order to carry out tasks in the public interest.
C. ABC has failed to comply with the duty to transfer Jason's data to Xentron because the duty applies wherever personal data are processed by automated means and necessary for the performance of a contract with the customer.
D. ABC has failed to comply with the duty to transfer Jason's data to Xentron because it has an obligation to develop commonly used, machine-readable and interoperable formats so that all customer data can be ported to other insurers on request.
Answer: ABC does not have a duty to transfer Jason's data to Xentron if doing so is legitimately not technically feasible. (See GDPR Article 20(2))

15. After Jason has exercised his right to restrict the use of his data, under what conditions would Erbium have grounds for refusing to comply?
A. If Erbium is entitled to use of the data as an affiliate of ABC.
B. If Erbium also uses the data to conduct public health research.
C. If the data becomes necessary to defend Erbium's legal rights.
D. If the accuracy of the data is not an aspect that Jason is disputing.
Answer: If the data becomes necessary to defend Erbium's legal rights. (See Compendium - P.76)

16. SCENARIO: Company A, B, & C: ANSWER THESE CARDS IN ORDER AND USE THE NEXT CARD FOR THE FOLLOWING QUESTIONS

17. SCENARIO: Company A, B, & C

Due to a rapidly expanding workforce, Company A has decided to outsource its payroll function to Company B. Company B is an established payroll service provider with a sizable client base and a solid reputation in the industry. Company B's payroll solution for Company A relies on the collection of time and attendance data obtained via a biometric entry system installed in each of Company A's factories. Company B won't hold any biometric data itself, but the related data will be uploaded to Company B's UK servers and used to provide the payroll service. Company B's live systems will contain the following information for each of Company A's employees:

· Name
· Address
· Date of Birth
· Payroll number
· National Insurance number
· Sick pay entitlement
· Maternity/paternity pay entitlement
· Holiday entitlement
· Pension and benefits contributions
· Trade union contributions

Jenny is the compliance officer at Company A. She first considers whether Company A needs to carry out a data protection impact assessment in relation to the new time and attendance system, but isn't sure whether or not this is required. Jenny does know, however, that under the GDPR there must be a formal written agreement requiring Company B to use the time and attendance data only for the purpose of providing the payroll service, and to apply appropriate technical and organizational security measures for safeguarding the data. Jenny suggests that Company B obtain advice from its data protection officer. The company doesn't have a DPO but agrees, in the interest of finalizing the contract, to sign up for the provisions in full. Company A enters into the contract.

Weeks later, while still under contract with Company A, Company B embarks upon a separate project meant to enhance the functionality of its payroll service, and engages Company C to help. Company C agrees to extract all personal data from Company B's live systems in order to create a new database for Company B. This database will be stored in a test environment hosted on Company C's U.S. server. The two companies agree not to include any data processing provisions in their services agreement, as data is only being used for IT testing purposes. Unfortunately, Company C's U.S. server is only protected by an outdated I

tutorclara Johns Hopkins University