CIPP/E exam UPDATED ACTUAL Exam
Questions and CORRECT Answers
The implementation of appropriate *technical and organisational measures* to ensure and be
able to *demonstrate* that the handling of personal data is performed in accordance with
relevant law, an idea codified in the EU General Data Protection Regulation and other
frameworks, including APEC's Cross Border Privacy Rules. Traditionally has been a *fair
information practices principle*, that due diligence and reasonable steps will be undertaken to
ensure that personal information will be protected and handled consistently with relevant law and
other fair use principles. - CORRECT ANSWER - Accountability
Organizations must take every *reasonable* step to ensure the data processed is this and, where
*necessary*, kept up to date. Reasonable measures should be understood as implementing
processes to prevent inaccuracies during the data collection process as well as during the ongoing
data processing in relation to the specific use for which the data is processed. The organization
must consider the type of data and the specific purposes to maintain the accuracy of personal
data in relation to the purpose. Also embodies the responsibility to respond to data subject
requests to correct records that contain incomplete information or misinformation. - CORRECT
ANSWER - Accuracy
A transfer of personal data from the European Union to a third country or an international
organisation may take place where the European Commission has decided that the third country,
a territory or one or more specified sectors within that third country, or the international
organisation in question, ensures this by taking into account the *following elements*: *(a)* the
rule of law, respect for *human rights* and fundamental freedoms, both *general and sectoral
legislation*, data protection rules, professional rules and security measures, effective and
*enforceable data subject rights* and *effective administrative and judicial redress* for the data
subjects whose personal data is being transferred; *(b)* the existence and *effective* functioning
of independent *supervisory authorities* with responsibility for ensuring and enforcing
compliance with the data protection rules; (c) the *international commitments* the - CORRECT
ANSWER - Adequate Level of Protection
The requirement under the GDPR that the European Data Protection Board and each supervisory
authority *periodically report on their activities*. The supervisory authority report should
include infringements and the activities that the authority conducted under their Article 58(2)
powers. The EDPB report should include *guidelines, recommendations, best practices and
binding decisions*. Additionally, the report should include the protection of natural persons with
regard to processing in the EU and, where relevant, in third countries and international
,organisations. Shall be *made public and be transmitted to the European Parliament, to the
Council and to the Commission*. - CORRECT ANSWER - Annual Reports
In contrast to personal data, this is not related to an identified or an identifiable natural person
and *cannot be combined with other information to re-identify individuals*. It has been rendered
unidentifiable and, as such, is not protected by the GDPR. - CORRECT ANSWER -
Anonymous Information
*indications of special classes* of personal *data*. If there exists law protecting against
discrimination based on a class or status, it is likely personal information relating to that class or
status is *subject to more stringent* data protection regulation, under the GDPR or otherwise. -
CORRECT ANSWER - Anti-discrimination Laws
The GDPR refers to these in a number of contexts, *including* the *transfer* of personal data
*to third countries* outside the European Union, the processing of *special categories* of data,
*and* the processing of personal data in a *law enforcement* context. This generally refers to
the application of the general data protection principles, in particular purpose limitation, data
minimisation, limited storage periods, data quality, data protection by design and by default,
legal basis for processing, processing of special categories of personal data, measures to ensure
data security, and the requirements in respect of onward transfers to bodies not bound by the
binding corporate rules. This *may* also *refer to* the use of *encryption or
pseudonymization*, *standard* data protection *clause*s adopted by the Commission,
contractual clauses authorized by a supervisory authority, or *certification schemes* or *codes of
- CORRECT ANSWER - Appropriate Safeguards
The GDPR requires a *risk-based approach* to data protection, whereby organizations *take into
account* the *nature*, *scope*, *context and purposes* of processing, as well as the risks of
varying *likelihood* and *severity to* the *rights and freedoms* of natural persons, and institute
policies, controls and certain technologies to mitigate those risks. These might help meet the
obligation to keep personal data secure, including technical safeguards against accidents and
negligence or deliberate and malevolent actions, or involve the implementation of data protection
policies. These measures should be demonstrable on demand to data protection authorities and
reviewed regularly. - CORRECT ANSWER - Appropriate Technical and Organizational
Measures
Was a European Union organization that functioned as an *independent advisory body* on data
protection and privacy and consisted of the collected data protection authorities of the member
,states. It was *replaced by* the similarly constituted European Data Protection Board (*EDPB*)
on May 25, 2018, *when* the *GDPR went into effect*. - CORRECT ANSWER - Article
29 Working Party
The process by which an entity (such as a person or computer system) determines whether
another entity is who it claims to be. *is required* by the GDPR *when* the data subject is
*exercising certain rights*, such as the rights to *deletion or rectification*, and might include
supplying log-in details or biometric information. However, the data controller should not be
obliged to acquire additional information in order to identify the data subject for the sole purpose
of complying with any provision of the Regulation. - CORRECT ANSWER -
Authentication
A processing operation that is performed without any human intervention. "Profiling" is defined
in the GDPR, for example, as the automated processing of personal data to evaluate certain
personal aspects relating to a natural person, in particular to *analyse or predict aspects
concerning that natural person's performance at work, economic situation, health, personal
preferences, interests, reliability, behaviour, location or movements*. Data subjects, under the
GDPR, have a *right to object* to such processing. - CORRECT ANSWER - Automated
Processing
Data is this if it is *accessible when needed* by the organization or data subject. The GDPR
requires that *a business* be able to ensure this of personal data and have the ability to *restore
it and access* to personal data in a *timely manner* in the event of a physical or technical
incident. - CORRECT ANSWER - Availability
Organizations may want to verify an applicant's ability to function in the working environment as
well as assuring the safety and security of existing workers. Range from checking a person's
educational background to checking on past criminal activity. *Employee consent requirements*
for such checks *vary by member state and may be negotiated with local works councils*. -
CORRECT ANSWER - Background Screening/Checks
Most often done via automated processing of personal data, or profiling, the GDPR requires that
*data subjects* be able to *opt-out of any automated processing, to be informed of the logic
involved in any automatic personal data processing and, at least when based on profiling, be
informed of the consequences of such processing*. If cookies are used to store or access
information for the purposes of behavioral advertising, the ePrivacy Directive requires that data
, subjects provide consent for the placement of such cookies, after having been provided with
clear and comprehensive information. - CORRECT ANSWER - Behavioral Advertising
An appropriate safeguard allowed by the GDPR to facilitate *cross-border transfers* of personal
data *between* the various *entities of a corporate group worldwide*. They do so by ensuring
that the same high level of protection of personal data is complied with by all members of the
organizational group by means of a single set of binding and enforceable rules. Compel
organizations to be able to demonstrate their compliance with all aspects of applicable data
protection legislation and *are approved by a member state data protection authority*. To date,
relatively few organizations have had these approved. - CORRECT ANSWER - Binding
Corporate Rules
Previously, the EU distinguished between these for controllers and processors. With the GDPR,
there is *now no distinction* made between the two in this context and *Binding Corporate
Rules are appropriate for both Controllers and Processors*. - CORRECT ANSWER -
Binding Safe Processor Rules
Data concerning the *intrinsic physical or behavioral characteristics* of an individual. Examples
include *DNA, fingerprints, retina and iris patterns, voice, face, handwriting, keystroke
technique* and *gait*. The GDPR, in Article 9, lists these for the purpose of uniquely identifying
a natural person as a special category of data for which processing is not allowed other than in
specific circumstances. - CORRECT ANSWER - Biometrics
One of the four classes of privacy, along with information privacy, territorial privacy and
communications privacy. It focuses on a person's physical being and any invasion thereof. Such
an invasion can take the form of *genetic testing, drug testing* or *body cavity searches*. -
CORRECT ANSWER - Bodily Privacy
The requirement that a data controller *notify regulators*, potentially within *72 hours* of
discovery, and/or victims, of incidents affecting the confidentiality and security of personal data,
depending on the assessed risks to the rights and freedoms of affected data subjects. - CORRECT
ANSWER - Breach Disclosure (EU specific)
*Germany's federal data protection act*, implementing the GDPR. With the passage of the
GDPR, it replaced a previous law with the same name and enhanced a series of other acts mainly
in areas of law enforcement and intelligence services. Furthermore, the *new version suggests a
Questions and CORRECT Answers
The implementation of appropriate *technical and organisational measures* to ensure and be
able to *demonstrate* that the handling of personal data is performed in accordance with
relevant law, an idea codified in the EU General Data Protection Regulation and other
frameworks, including APEC's Cross Border Privacy Rules. Traditionally has been a *fair
information practices principle*, that due diligence and reasonable steps will be undertaken to
ensure that personal information will be protected and handled consistently with relevant law and
other fair use principles. - CORRECT ANSWER - Accountability
Organizations must take every *reasonable* step to ensure the data processed is this and, where
*necessary*, kept up to date. Reasonable measures should be understood as implementing
processes to prevent inaccuracies during the data collection process as well as during the ongoing
data processing in relation to the specific use for which the data is processed. The organization
must consider the type of data and the specific purposes to maintain the accuracy of personal
data in relation to the purpose. Also embodies the responsibility to respond to data subject
requests to correct records that contain incomplete information or misinformation. - CORRECT
ANSWER - Accuracy
A transfer of personal data from the European Union to a third country or an international
organisation may take place where the European Commission has decided that the third country,
a territory or one or more specified sectors within that third country, or the international
organisation in question, ensures this by taking into account the *following elements*: *(a)* the
rule of law, respect for *human rights* and fundamental freedoms, both *general and sectoral
legislation*, data protection rules, professional rules and security measures, effective and
*enforceable data subject rights* and *effective administrative and judicial redress* for the data
subjects whose personal data is being transferred; *(b)* the existence and *effective* functioning
of independent *supervisory authorities* with responsibility for ensuring and enforcing
compliance with the data protection rules; (c) the *international commitments* the - CORRECT
ANSWER - Adequate Level of Protection
The requirement under the GDPR that the European Data Protection Board and each supervisory
authority *periodically report on their activities*. The supervisory authority report should
include infringements and the activities that the authority conducted under their Article 58(2)
powers. The EDPB report should include *guidelines, recommendations, best practices and
binding decisions*. Additionally, the report should include the protection of natural persons with
regard to processing in the EU and, where relevant, in third countries and international
,organisations. Shall be *made public and be transmitted to the European Parliament, to the
Council and to the Commission*. - CORRECT ANSWER - Annual Reports
In contrast to personal data, this is not related to an identified or an identifiable natural person
and *cannot be combined with other information to re-identify individuals*. It has been rendered
unidentifiable and, as such, is not protected by the GDPR. - CORRECT ANSWER -
Anonymous Information
*indications of special classes* of personal *data*. If there exists law protecting against
discrimination based on a class or status, it is likely personal information relating to that class or
status is *subject to more stringent* data protection regulation, under the GDPR or otherwise. -
CORRECT ANSWER - Anti-discrimination Laws
The GDPR refers to these in a number of contexts, *including* the *transfer* of personal data
*to third countries* outside the European Union, the processing of *special categories* of data,
*and* the processing of personal data in a *law enforcement* context. This generally refers to
the application of the general data protection principles, in particular purpose limitation, data
minimisation, limited storage periods, data quality, data protection by design and by default,
legal basis for processing, processing of special categories of personal data, measures to ensure
data security, and the requirements in respect of onward transfers to bodies not bound by the
binding corporate rules. This *may* also *refer to* the use of *encryption or
pseudonymization*, *standard* data protection *clause*s adopted by the Commission,
contractual clauses authorized by a supervisory authority, or *certification schemes* or *codes of
- CORRECT ANSWER - Appropriate Safeguards
The GDPR requires a *risk-based approach* to data protection, whereby organizations *take into
account* the *nature*, *scope*, *context and purposes* of processing, as well as the risks of
varying *likelihood* and *severity to* the *rights and freedoms* of natural persons, and institute
policies, controls and certain technologies to mitigate those risks. These might help meet the
obligation to keep personal data secure, including technical safeguards against accidents and
negligence or deliberate and malevolent actions, or involve the implementation of data protection
policies. These measures should be demonstrable on demand to data protection authorities and
reviewed regularly. - CORRECT ANSWER - Appropriate Technical and Organizational
Measures
Was a European Union organization that functioned as an *independent advisory body* on data
protection and privacy and consisted of the collected data protection authorities of the member
,states. It was *replaced by* the similarly constituted European Data Protection Board (*EDPB*)
on May 25, 2018, *when* the *GDPR went into effect*. - CORRECT ANSWER - Article
29 Working Party
The process by which an entity (such as a person or computer system) determines whether
another entity is who it claims to be. *is required* by the GDPR *when* the data subject is
*exercising certain rights*, such as the rights to *deletion or rectification*, and might include
supplying log-in details or biometric information. However, the data controller should not be
obliged to acquire additional information in order to identify the data subject for the sole purpose
of complying with any provision of the Regulation. - CORRECT ANSWER -
Authentication
A processing operation that is performed without any human intervention. "Profiling" is defined
in the GDPR, for example, as the automated processing of personal data to evaluate certain
personal aspects relating to a natural person, in particular to *analyse or predict aspects
concerning that natural person's performance at work, economic situation, health, personal
preferences, interests, reliability, behaviour, location or movements*. Data subjects, under the
GDPR, have a *right to object* to such processing. - CORRECT ANSWER - Automated
Processing
Data is this if it is *accessible when needed* by the organization or data subject. The GDPR
requires that *a business* be able to ensure this of personal data and have the ability to *restore
it and access* to personal data in a *timely manner* in the event of a physical or technical
incident. - CORRECT ANSWER - Availability
Organizations may want to verify an applicant's ability to function in the working environment as
well as assuring the safety and security of existing workers. Range from checking a person's
educational background to checking on past criminal activity. *Employee consent requirements*
for such checks *vary by member state and may be negotiated with local works councils*. -
CORRECT ANSWER - Background Screening/Checks
Most often done via automated processing of personal data, or profiling, the GDPR requires that
*data subjects* be able to *opt-out of any automated processing, to be informed of the logic
involved in any automatic personal data processing and, at least when based on profiling, be
informed of the consequences of such processing*. If cookies are used to store or access
information for the purposes of behavioral advertising, the ePrivacy Directive requires that data
, subjects provide consent for the placement of such cookies, after having been provided with
clear and comprehensive information. - CORRECT ANSWER - Behavioral Advertising
An appropriate safeguard allowed by the GDPR to facilitate *cross-border transfers* of personal
data *between* the various *entities of a corporate group worldwide*. They do so by ensuring
that the same high level of protection of personal data is complied with by all members of the
organizational group by means of a single set of binding and enforceable rules. Compel
organizations to be able to demonstrate their compliance with all aspects of applicable data
protection legislation and *are approved by a member state data protection authority*. To date,
relatively few organizations have had these approved. - CORRECT ANSWER - Binding
Corporate Rules
Previously, the EU distinguished between these for controllers and processors. With the GDPR,
there is *now no distinction* made between the two in this context and *Binding Corporate
Rules are appropriate for both Controllers and Processors*. - CORRECT ANSWER -
Binding Safe Processor Rules
Data concerning the *intrinsic physical or behavioral characteristics* of an individual. Examples
include *DNA, fingerprints, retina and iris patterns, voice, face, handwriting, keystroke
technique* and *gait*. The GDPR, in Article 9, lists these for the purpose of uniquely identifying
a natural person as a special category of data for which processing is not allowed other than in
specific circumstances. - CORRECT ANSWER - Biometrics
One of the four classes of privacy, along with information privacy, territorial privacy and
communications privacy. It focuses on a person's physical being and any invasion thereof. Such
an invasion can take the form of *genetic testing, drug testing* or *body cavity searches*. -
CORRECT ANSWER - Bodily Privacy
The requirement that a data controller *notify regulators*, potentially within *72 hours* of
discovery, and/or victims, of incidents affecting the confidentiality and security of personal data,
depending on the assessed risks to the rights and freedoms of affected data subjects. - CORRECT
ANSWER - Breach Disclosure (EU specific)
*Germany's federal data protection act*, implementing the GDPR. With the passage of the
GDPR, it replaced a previous law with the same name and enhanced a series of other acts mainly
in areas of law enforcement and intelligence services. Furthermore, the *new version suggests a
