IAPP CIPP-E Exam Questions Instant Access

Question 1

Select the answer below that accurately completes the following:

''The right to compensation and liability under the GDPR...

A...provides for an exemption from liability if the data controller (or data processor) proves that it is not in any way responsible for the event giving rise to the damage.''

B...precludes any subsequent recourse proceedings against other controllers or processors involved in the same processing.''

C...can only be exercised against the data controller, even if a data processor was involved in the same processing.''

D...is limited to a maximum amount of EUR 20 million per event of damage or loss.''

Answer : B

Question 2

In 2016's Guidance, the United Kingdom's Information Commissioner's Office (ICO) reaffirmed the importance of using a ''layered notice'' to provide data subjects with what?

AA privacy notice containing brief information whilst offering access to further detail.

BA privacy notice explaining the consequences for opting out of the use of cookies on a website.

CAn explanation of the security measures used when personal data is transferred to a third party.

DAn efficient means of providing written consent in member states where they are required to do so.

Answer : A

A layered notice is a privacy notice designed to respond to problems with excessively long notices1.A short notice --- the top layer --- provides a user with the key elements of the privacy notice, such as the identity of the organisation, the purposes of the processing, and the rights of the data subjects2.The full notice --- the bottom layer --- covers all the intricacies in full, such as the lawful basis, the retention periods, and the recipients of the personal data2.The ICO recommends using a layered approach to deliver privacy information in a concise, transparent, intelligible, and easily accessible way, as required by the UK GDPR3.A layered notice allows data subjects to access the information they need at the appropriate level of detail and helps organisations to comply with the right to be informed23.Reference:2

Question 3

Which of the following would most likely NOT be covered by the definition of ''personal data'' under the GDPR?

AThe payment card number of a Dutch citizen

BThe U.S. social security number of an American citizen living in France

CThe unlinked aggregated data used for statistical purposes by an Italian company

DThe identification number of a German candidate for a professional examination in Germany

Answer : C

The definition of personal data under the GDPR is broad and covers any information that relates to an identified or identifiable natural person. This means that personal data can include information such as name, email, phone number, address, date of birth, race, gender, political opinions and more. The GDPR protects personal data on all levels, platforms and technologies, and requires organizations to process it only for a specific purpose and keep it for a limited time.

The unlinked aggregated data used for statistical purposes by an Italian company would most likely NOT be covered by the definition of personal data under the GDPR. Aggregated data is data that has been processed in such a way that individual records are no longer identifiable. For example, if a company collects the names and email addresses of its customers and then calculates the average age of its customers, the resulting data is aggregated and not personal. Therefore, this type of data would not be subject to the GDPR.

However, this does not mean that the Italian company can use this type of data without any restrictions or obligations. The GDPR still applies to any processing activity that involves personal data in any form or manner. For example, if the Italian company uses this type of data to create a profile or a segment of its customers based on their characteristics or preferences, it may still need to comply with certain principles and conditions under the GDPR. For instance, it may need to obtain consent from its customers before using their aggregated data for marketing purposes; it may need to ensure that its aggregated data is accurate and up-to-date; it may need to limit the retention period of its aggregated data; and it may need to respect the rights of its customers regarding their personal data.

What is personal data? | ICO

What is considered personal data under the EU GDPR?

[GDPR personal data -- what information does this cover?]

Question 4

SCENARIO

Please use the following to answer the next question:

Jane Stan's her new role as a Data Protection Officer (DPO) at a Malta-based company that allows anyone to buy and sell cryptocurrencies via its online platform. The company stores and processes the personal data of its customers in a dedicated data center located in Malta (EU).

People wishing to trade cryptocurrencies are required to open an online account on the platform. They then must successfully pass a KYC due diligence procedure aimed at preventing money laundering and ensuring compliance with applicable financial regulations.

The non-European customers are also required to waive all their GDPR rights by reading a disclaimer written in bold and belong a checkbox on a separate page in order to get their account approved on the platform.

The customers must likewise accept the terms of service of the platform. The terms of service also include a privacy policy section, saying, among other things, that if a

Are the cybersecurity assessors required to sign a data processing agreement with the company in order to comply with the GDPR''

ANo, the assessors do not quality as data processors as they only have access to encrypted data.

BNo. the assessors do not quality as data processors as they do not copy the data to their facilities.

CYes. the assessors a-e considered to be joint data controllers and must sign a mutual data processing agreement.

DYes, the assessors are data processors and their processing of personal data must be governed by a separate contract or other legal act.

Answer : D

According to the GDPR, a data processor is any person or entity that processes personal data on behalf of a data controller1.A data controller is the one who determines the purposes and means of the processing of personal data1.A data processing agreement (DPA) is a contractual document that sets out the rights and obligations of both parties regarding data protection2.The GDPR requires that a data controller who engages a data processor must enter into a written contract or legal act along the lines set out in Article 28.3 of the GDPR3.The DPA must specify, among other things, the subject matter, duration, nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller3.

In this scenario, the company is the data controller, as it determines the purposes and means of processing the personal data of its customers. The cybersecurity assessors are data processors, as they process the personal data of the customers on behalf of the company. The assessors have access to the personal data, even if it is encrypted, and they perform a specific technical service for the company. Therefore, the assessors are required to sign a DPA with the company in order to comply with the GDPR.The DPA will define the scope, nature and purpose of the processing, the security measures to be implemented, the notification procedures in case of a data breach, and the rights and obligations of both parties.Reference:1: Article 4 of the GDPR2: Data Processing Agreement (Template) - GDPR.eu3: Article 28 of the GDPR.

Question 5

A German data subject was the victim of an embarrassing prank 20 years ago. A newspaper website published an article about the prank at the time, and the article is still available on the newspaper's website. Unfortunately, the prank is the top search result when a user searches on the victim's name. The data subject requests that SearchCo delist this result. SearchCo agrees, and instructs its technology team to avoid scanning or indexing the article. What else must SearchCo do?

ANotify the newspaper that its article it is delisting the article.

BFully erase the URL to the content, as opposed to delist which is mainly based on data subject's name.

CIdentify other controllers who are processing the same information and inform them of the delisting request.

DPrevent the article from being listed in search results no matter what search terms are entered into the search engine.

Answer : A

According to theEuropean Data Protection Law & Practicetextbook, page 326, ''the CJEU held that the search engine operator is obliged to remove from the list of results displayed following a search made on the basis of a person's name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.'' However, the CJEU also stated that ''the operator of the search engine as the person responsible for that processing must, at the latest on the occasion of the erasure from its list of results, disclose to the operator of the web page containing that information the fact that that web page will no longer appear in the search engine's results following a search made on the basis of the data subject's name.'' Therefore, SearchCo must notify the newspaper that it is delisting the article, as part of its obligation to respect the data subject's right to be forgotten.Reference:

European Data Protection Law & Practice, page 326

CJEU Judgment in Case C-131/12 Google Spain SL, Google Inc. v Agencia Espaola de Proteccin de Datos, Mario Costeja Gonzlez, paragraphs 88 and 93

Question 6

When is data sharing agreement MOST likely to be needed?

AWhen anonymized data is being shared.

BWhen personal data is being shared between commercial organizations acting as joint data controllers.

CWhen personal data is being proactively shared by a controller to support a police investigation.

DWhen personal data is being shared with a public authority with powers to require the personal data to be disclosed.

Answer : B

A data sharing agreement is a contract that documents what data is being shared and how it can be used. It can be used to make data sharing lawful and to demonstrate compliance with the accountability principle under the GDPR. A data sharing agreement is most likely to be needed when personal data is being shared between commercial organizations acting as joint data controllers, because they have to determine and agree on their respective roles and responsibilities, such as the purpose and legal basis of the data sharing, the rights of the data subjects, the security measures, and the liability for any breaches. A data sharing agreement is not mandatory, but it is good practice and can help to avoid disputes and confusion. A data sharing agreement may not be needed or may be less detailed in the other scenarios, depending on the circumstances and the nature of the data. For example, anonymized data is not personal data under the GDPR and does not require a data sharing agreement, although it may still be subject to other contractual or ethical obligations. Personal data that is proactively shared by a controller to support a police investigation may be covered by a legal obligation or a public interest, and the controller may not have much control over how the data is used by the police. Personal data that is shared with a public authority with powers to require the personal data to be disclosed may also be subject to a legal obligation or a public interest, and the controller may have to comply with the authority's request without a data sharing agreement.Reference:

Data sharing agreements | ICO, which provides guidance on the benefits and contents of a data sharing agreement.

Data Sharing Agreement - the Definition - GDPR Summary, which explains what a data sharing agreement is and when it can be used.

The role of data sharing and the GDPR | Data Republic, which discusses the impact of the GDPR on data sharing practices.

Question 7

Which GDPR requirement will present the most significant challenges for organizations with Bring Your Own Device (BYOD) programs?

AData subjects must be sufficiently informed of the purposes for which their personal data is processed.

BProcessing of special categories of personal data on a large scale requires appointing a DPO.

CPersonal data of data subjects must always be accurate and kept up to date.

DData controllers must be in control of the data they hold at all times.

Answer : D

According to theFree CIPP/E Study Guide, page 12, ''the GDPR requires data controllers to implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR. These measures should take into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.'' The GDPR also requires data controllers to ensure the security of personal data, to notify data breaches to the supervisory authorities and data subjects, and to cooperate with the supervisory authorities in providing any information necessary for the performance of their tasks. Therefore, the GDPR requirement that data controllers must be in control of the data they hold at all times will present the most significant challenges for organizations with BYOD programs, as they will have to deal with the increased risks of data loss, theft, unauthorized access, or misuse that may arise from the use of personal devices by employees or contractors. The other options are not necessarily more challenging for organizations with BYOD programs, although they may involve other obligations under the GDPR, such as obtaining a valid legal basis, providing adequate safeguards, or informing the data subjects.Reference:

Free CIPP/E Study Guide, page 12

GDPR, Articles 24, 25, 28, 32, 33, 34 and 58

IAPP Certified Information Privacy Professional/Europe CIPP-E Exam Questions