IAPP CIPP-E Certified Information Privacy Professional/Europe Exam Practice Test

Page: 1 / 14
Total 295 questions
Question 1

Which of the following is an example of direct marketing that would be subject to European data protection laws?



Answer : D

According to the definition of direct marketing in the context of data protection law, it is personal data processed to communicate a marketing or advertising message. This includes messages from commercial organisations, as well as from charities and political organisations. Therefore, option D is an example of direct marketing that would be subject to European data protection laws, as it involves sending a marketing message by SMS to an individual. The other options are not examples of direct marketing, as they do not involve marketing or advertising messages, but rather information or service messages that are not intended to promote any product or service.Reference:

[IAPP article on direct marketing (EU specific)]

Lexology article on direct marketing requirements under the GDPR


Question 2

SCENARIO

Please use the following to answer the next question:

Joe started the Gummy Bear Company in 2000 from his home in Vermont, US

A . Today, it is a multi-billion-dollar candy company operating in every continent. All of the company's IT servers are located in Vermont. This year Joe hires his son Ben to join the company and head up Project Big, which is a major marketing strategy to triple gross revenue in just 5 years. Ben graduated with a PhD in computer software from a top university. Ben decided to join his father's company, but is also secretly working on launching a new global online dating website company called Ben Knows Best.

Ben is aware that the Gummy Bear Company has millions of customers and believes that many of them might also be interested in finding their perfect match. For Project Big, Ben redesigns the company's online web portal and requires customers in the European Union and elsewhere to provide additional personal information in order to remain a customer. Project Ben begins collecting data about customers' philosophical beliefs, political opinions and marital status.

If a customer identifies as single, Ben then copies all of that customer's personal data onto a separate database for Ben Knows Best. Ben believes that he is not doing anything wrong, because he explicitly asks each customer to give their consent by requiring them to check a box before accepting their information. As Project Big is an important project, the company also hires a first year college student named Sam, who is studying computer science to help Ben out.

Ben calls out and Sam comes across the Ben Knows Best database. Sam is planning on going to Ireland over Spring Beak with 10 of his friends, so he copies all of the customer information of people that reside in Ireland so that he and his friends can contact people when they are in Ireland.

Joe also hires his best friend's daughter, Alice, who just graduated from law school in the U.S., to be the company's new General Counsel. Alice has heard about the GDPR, so she does some research on it. Alice approaches Joe and informs him that she has drafted up Binding Corporate Rules for everyone in the company to follow, as it is important for the company to have in place a legal mechanism to transfer data internally from the company's operations in the European Union to the U.S.

Joe believes that Alice is doing a great job, and informs her that she will also be in-charge of handling a major lawsuit that has been brought against the company in federal court in the U.S. To prepare for the lawsuit, Alice instructs the company's IT department to make copies of the computer hard drives from the entire global sales team, including the European Union, and send everything to her so that she can review everyone's information. Alice believes that Joe will be happy that she did the first level review, as it will save the company a lot of money that would otherwise be paid to its outside law firm.

In preparing the company for its impending lawsuit, Alice's instruction to the company's IT Department violated Article 5 of the GDPR because the company failed to first do what?



Answer : B


Question 3

The origin of privacy as a fundamental human right can be found in which document?



Answer : A

The Universal Declaration of Human Rights (UDHR) was adopted by the United Nations General Assembly in 1948 as a response to the atrocities of World War II. It is considered the first global expression of human rights and fundamental freedoms. Article 12 of the UDHR states that ''No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.'' This article is the origin of privacy as a fundamental human right that has influenced many subsequent international and regional instruments, such as the European Convention of Human Rights (ECHR), the OECD Guidelines on the Protection of Privacy, and the Charter of Fundamental Rights of the European Union (CFREU).Reference:

IAPP CIPP/E Study Guide, page 7

[Universal Declaration of Human Rights]

[Article 12 of the UDHR]


Question 4

SCENARIO

Please use the following to answer the next question:

Jane Stan's her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a dedicated data center located m Malta |EU).

People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a KYC due diligence procedure aimed at preventing money laundering and ensuring compliance with applicable financial regulations.

The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and belong a checkbox on a separate page in order to get their account approved on the platform.

The customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a

What is potentially wrong with the backup system operated in the AWS cloud?



Question 5

Which kind of privacy notice, originally advocated by the Article 29 Working Party, is commonly recommended tor Al-based technologies because of the way it provides processing information at specific points of data collection?



Answer : A

According to the Article 29 Working Party, a just-in-time notice is a type of privacy notice that provides processing information at specific points of data collection, such as when the user clicks on a certain feature or enters personal data1.This kind of notice is commonly recommended for AI-based technologies because it allows the user to receive relevant and timely information about the processing of their data, without being overwhelmed by lengthy and complex privacy statements1.A just-in-time notice can also be combined with other types of notices, such as layered notices or privacy dashboards, to provide a more comprehensive and user-friendly transparency framework1. Therefore, option C is the correct answer.Option A is incorrect because a privacy dashboard notice is a type of notice that provides the user with a centralised and interactive overview of the processing of their data, and allows them to manage their privacy settings and preferences1.Option B is incorrect because a visualization notice is a type of notice that uses graphical elements, such as icons, symbols, colours, or animations, to convey the processing information in a more intuitive and engaging way1.Option D is incorrect because a layered notice is a type of notice that provides the processing information in a hierarchical and modular way, starting with the most essential information and allowing the user to access more details if they wish1.Reference:

What's new in WP29's final guidelines on transparency?


Question 6

Which judicial body makes decisions on actions taken by individuals wishing to enforce their rights under EU law?



Question 7

SCENARIO

Please use the following to answer the next question:

BHealthy, a company based in Italy, is ready to launch a new line of natural products, with a focus on sunscreen. The last step prior to product launch is for BHealthy to conduct research to decide how extensively to market its new line of sunscreens across Europe. To do so, BHealthy teamed up with Natural Insight, a company specializing in determining pricing for natural products. BHealthy decided to share its existing customer information -- name, location, and prior purchase history -- with Natural Insight. Natural Insight intends to use this information to train its algorithm to help determine the price point at which BHealthy can sell its new sunscreens.

Prior to sharing its customer list, BHealthy conducted a review of Natural Insight's security practices and concluded that the company has sufficient security measures to protect the contact information. Additionally, BHealthy's data processing contractual terms with Natural Insight require continued implementation of technical and organization measures. Also indicated in the contract are restrictions on use of the data provided by BHealthy for any purpose beyond provision of the services, which include use of the data for continued improvement of Natural Insight's machine learning algorithms.

In which case would Natural Insight's use of BHealthy's data for improvement of its algorithms be considered data processor activity?



Answer : B

According to the General Data Protection Regulation (GDPR), a data processor is a natural or legal person, agency, public authority, or any other body who processes personal data on behalf of a data controller. A data controller is a natural or legal person, agency, public authority, or any other body who, alone or jointly with others, determines the purposes and means of the processing of personal data. The GDPR imposes specific obligations and responsibilities on both data controllers and data processors, and requires them to enter into a written contract or other legal act that sets out the subject matter, duration, nature, and purpose of the processing, as well as the obligations and rights of the data controller.

In this scenario, BHealthy is the data controller, as it determines the purpose and means of collecting and sharing its customer information with Natural Insight. Natural Insight is the data processor, as it processes the customer information on behalf of BHealthy for the purpose of determining the price point for BHealthy's new sunscreens. However, Natural Insight also intends to use the customer information for its own purpose of improving its algorithms, which may not be aligned with BHealthy's purpose or instructions. This may constitute a breach of the data processing contract and the GDPR, as the data processor must only process the personal data on documented instructions from the data controller, unless required to do so by EU or member state law (Article 28(3)(a) of the GDPR).

Therefore, the only case in which Natural Insight's use of BHealthy's data for improvement of its algorithms would be considered data processor activity is if Natural Insight receives express contractual instructions from BHealthy to use its data for improving its algorithms. This would mean that BHealthy has given its consent and authorization for Natural Insight to process the data for that specific purpose, and that Natural Insight is acting in accordance with BHealthy's instructions. In this case, Natural Insight would still be bound by the data processing contract and the GDPR, and would have to comply with the other obligations and requirements of a data processor, such as ensuring the security of the data, respecting the conditions for engaging another processor, assisting the data controller in ensuring compliance with the GDPR, and deleting or returning the data to the data controller after the end of the service.

The other options are not valid cases for data processor activity, as they do not involve the data controller's instructions or consent. If Natural Insight uses BHealthy's data for improving price point predictions only for BHealthy, it may still be processing the data for a different purpose than the one for which it was collected and shared, and without BHealthy's knowledge or approval. If Natural Insight agrees to be fully liable for its use of BHealthy's customer information in its product improvement activities, it may still be violating the data processing contract and the GDPR, as it is not acting on behalf of the data controller, but for its own benefit. If Natural Insight satisfies the transparency requirement by notifying BHealthy's customers of its plans to use their information for its product improvement activities, it may still be infringing the data controller's rights and obligations, as it is not the data controller's role to inform the data subjects of the processing activities, and it may not have a lawful basis for processing the data for its own purpose.


GDPR

Data Controllers and Processors - GDPR EU

Who does the UK GDPR apply to? | ICO

What Activities Count as Processing Under the GDPR?

What constitutes data processing? - European Commission

Page:    1 / 14   
Total 295 questions