CIPP/E Test Questions with 100% correct answers

Which role best describes the European Commission? Implements EU decisions & policies What data protection milestone is a treaty amongst member states of the Council of Europe? Convention 108 Which data protection milestone applies to public electronic communication services & networks? ePrivacy Directive The European Convention on Human Rights is a product of which institution? The Council of Europe What is the role of the European Parliament? Engaged in legislative development What best describes the European Union? Economic & political union What data privacy laws fall under the European Union? Charter of the Fundamental Rights of the EU (CFREU), Treaty on the Functioning of the EU (TFEU), GDPR, ePrivacy Directive, national data laws across EU What does the Council of Europe provide? Extends EU single markets to non-EU member states What privacy & data protection laws come under the Council of Europe? European Convention of Human Rights (ECHR), Convention 108 How is the European Economic Area (EEA) formed? Based on the Agreement of the European Economic Area What does the European Economic Area allow? Allows members of the European Free Trade Association (EFTA) to participate in internal markets What is the function of the four-step test? Determine if data qualifies as personal data Which criteria are used to identify personal data? Any information / relating to / an identified or identifiable / natural person What types of personal data elements belong to special categories under the GDPR? Personal data revealing political opinions, religious or philosophical beliefs & genetic data used to uniquely identify a natural person True or False: Anonymising personal data is always possible? False True or False: Pseudonymous data is protected by GDPR? True Is the collective & use of device dynamic IP addresses to allow data on a website to be transferred to the correct recipient considered personal data? Yes - because it could be combine with information from the ISP that could be linked to the individual True or False: A data controller may be a natural person or a legal entity, while a data processor must be a legal entity? False - processor can be a natural person True or False: A contract protects a processor from being held to the same legal obligations as the controller? False - legal obligations flow down in some aspects True or False: A processor may decide where and how to process personal data? False - that would make them the controller What actions can a controller take to manage vendor risk? Pre contractual due diligence, post contractual due diligence, reliable data processors, DPAs, contracts, audits Example: Using access control system to track employee punctuality. What GDPR processing principles have been violated? Transparency, purpose limitation, accuracy, accountability What is data processing? Any action performed upon data What are the criteria used to determine the territorial scope of the GDPR? Processing of personal data when a controller or processor established in the EU / Processing of personal data of EU subjects relating to offering G&S or monitoring behaviour / Processing of personal data by a controller not established in the EU but in a place where member state law applies True or False: Exclusions to the material scope of the GDPR should be broadly interpreted? False Which exception to the prohibition on processing special categories of special data must be explicit? Consent Which of the following data subjects' rights provides data subjects with entitlements to certain information, obtainable from the controller upon request? Right of access The right of access grants data subjects' access to which of the following types of information? The purpose of the processing / Retention periods / Recipients of the personal data Which is not listed by the GDPR as a method for restricting processing of personal data? Disabling the data management system Under which categories may a data subject object to processing personal data? Direct marketing / Public interest or legitimate interest / research of statistical purposes What is profiling? A form of automated decision making True or False: A controller may charge an administrative fee to data subjects if they request that the information provision be in an oral format False True or False: The transparency principle states that detail is more important than conciseness in a privacy notice False What information must be provided to data subjects when the controller's necessity is being used as the legal basis for processing? Controller's legitimate interest What information must be provided to data subjects when the personal data that will be processed was collected indirectly? Source of the data