IAPP CIPP-E Exam Practice Test Instant Access

Question 1

In the wake of the Schrems II ruling, which of the following actions has been recommended by the EDPB for companies transferring personal data to third countries?

AAdopting a risk-based approach and implementing supplementary measures as needed.

BEnsuring that all data transfers are encrypted with unbreakable encryption algorithms.

CObtaining explicit consent from each EU citizen for every individual data transfer.

DStoring all personal data within the borders of the European Union.

Answer : A

Question 2

ISO 31700 has set forth requirements relating to consumer products and services. In particular, this international standard focuses on the implementation of which of the following?

APrivacy by design.

BComprehensive ethical Al software.

CPrivacy notices for companies providing services to consumers.

DAutomated systems for identifying EU data subjects' personal data.

Answer : A

ISO 31700 is an international standard that provides high-level requirements and recommendations for organizations that use privacy by design (PbD) in the development, maintenance and operation of consumer goods and services. PbD is a concept that aims to integrate privacy into products, services and systems by default, following seven main principles: proactive not reactive, privacy as the default, privacy embedded into design, full functionality, end-to-end security, visibility and transparency, and respect for user privacy. PbD is also a legal requirement under many prominent privacy regulations across the world, such as the GDPR. ISO 31700 is based on a consumer-centric approach, where the consumer's privacy rights and preferences are placed at the center of product development and operation.

Question 3

According to the EDPB Guidelines 01/2021 on Examples regarding Personal Data Breach Notification, if exfiltration of job application data (submitted through online application forms and stored on a webserver) resulted in personal information being accessible to unauthorized persons, this would be primarily considered what kind of breach?

AAn integrity breach.

BAn accuracy breach.

CAn availability breach.

DA confidentiality breach.

Answer : D

According to the EDPB Guidelines 01/2021 on Examples regarding Personal Data Breach Notification, a confidentiality breach occurs when personal data is disclosed or made available to unauthorized persons. This is the case when exfiltration of job application data from a website results in personal information being accessible to unauthorized persons, such as hackers or competitors. This type of breach may pose a high risk to the rights and freedoms of the data subjects, as it may lead to identity theft, fraud, discrimination, or reputational damage. Therefore, the data controller should notify the data subjects without undue delay, unless the data is encrypted or anonymized, or the controller has taken subsequent measures to ensure that the high risk is no longer likely to materialize.

Question 4

In the Planet 49 case, what was the main judgement of the Court of Justice of the European Union (CJEU) regarding the issue of cookies?

AIf the cookies do not track personal data, then pre-checked boxes are acceptable.

BIf the ePrivacy Directive requires consent for cookies, then the GDPR's consent requirements apply.

CIf a website's cookie notice makes clear the information gathered and the lifespan of the cookie, then pre-checked boxes are acceptable.

DIf a data subject continues to scroll through a website after reading a cookie banner, this activity constitutes valid consent for the tracking described in the cookie banner.

Answer : B

The CJEU ruled that the consent required by the ePrivacy Directive for the use of cookies must comply with the conditions laid down in the GDPR, which means that it must be specific, informed, unambiguous, and freely given. Therefore, pre-checked boxes or implied consent by scrolling are not valid forms of consent for cookies. The CJEU also clarified that the ePrivacy Directive applies to any information stored or accessed on a user's device, regardless of whether it is personal data or not. Furthermore, the CJEU stated that the information provided to users about cookies must include the duration of the operation of cookies and the possibility of third parties accessing them.

Question 5

As a Data Protection Officer for a small bank in the European Union, you receive a data subject access request from one of your customers. The customer provides you with his

name, and has used the email address registered in your system.

What would be the most appropriate way to confirm the identity of the customer?

ARequest that the customer provide his bank account number.

BRequest that the customer answer additional security questions.

CRequest a copy of the customer's last bank account statement.

DRequest a copy of the customer's government-issued ID document.

Answer : B

According to the CIPP/E study guide, data controllers should use the least intrusive means of verifying the identity of data subjects who make requests under the GDPR. Asking for a copy of an ID document or a bank account statement may be disproportionate and excessive, as they contain more personal data than necessary for authentication. Asking for the bank account number may not be sufficient, as it may be easily obtained by third parties. Therefore, the most appropriate way to confirm the identity of the customer is to ask additional security questions that only the customer would know, such as the date of the last transaction, the amount of the last deposit, or the name of the beneficiary of a recurring payment.

Question 6

Since blockchain transactions are classified as pseudonymous, are they considered to be within the material scope of the GDPR or outside of it?

AOutside the material scope of the GDPR, because transactions do not include personal data about data subjects m the European Union.

BWithin the material scope of the GDPR but outside of the territorial scope, because blockchains are decentralized.

CWithin the material scope of the GDPR to the extent that transactions include data subjects in the European Union.

DOutside the material scope of the GDPR, because transactions are for personal or household purposes

Answer : C

Question 7

Which of the following is NOT one of the 4 principles developed by the European Al Alliance regarding the ethical use of Artificial Intelligence?

AIt should be fair.

BIt should be lawful

CIt should prevent harm

DIt should respect human autonomy.

Answer : B

IAPP Certified Information Privacy Professional/Europe Exam Practice Test