IAPP CIPP-E Exam Practice Test Instant Access

Question 1

What is the main purpose of the EU Data Act?

ATo enable the processing and transfer of non-personal data within the EU.

BTo allow users of connected devices to access data generated by their use.

CTo facilitate the voluntary sharing of data between individuals and businesses.

DTo regulate individuals' privacy rights and the processing of their personal data.

Answer : B

The EU Data Act aims to increase access to data generated by connected devices (IoT devices), ensuring fair use and promoting data-driven innovation across the EU.

Key purposes of the EU Data Act:

Granting users access to data generated by their devices (Answer Choice B -- Correct Answer)

One of the Act's primary objectives is to allow users of smart devices, IoT systems, and connected industrial tools to access and control data generated by their devices.

Improving non-personal data sharing (Answer Choice A -- Incorrect)

While the Act does facilitate the transfer of non-personal data, its primary focus is on device-generated data access, rather than simply allowing free movement of non-personal data.

Encouraging data-sharing frameworks (Answer Choice C -- Incorrect)

The Act does promote data-sharing between businesses, but this is not its main goal. It primarily ensures that users retain control over data produced by their devices.

Not primarily about personal data protection (Answer Choice D -- Incorrect)

The GDPR (General Data Protection Regulation) is the primary regulation that deals with personal data protection. The Data Act does not introduce new privacy rules but instead focuses on non-personal data management.

Question 2

Which area of privacy is a lead supervisory authority's (LSA) MAIN concern?

AData subject rights

BData access disputes

CCross-border processing

DSpecial categories of data

Answer : C

A lead supervisory authority (LSA) is the main point of contact for organisations that process personal data across multiple EU member states.The LSA is responsible for coordinating cross-border investigations, issuing binding decisions, and enforcing GDPR compliance1.Cross-border processing is the main concern of the LSA, as it involves data processing activities that affect data subjects in more than one member state, or that take place in more than one member state2. The other options are not the main concern of the LSA, as they are either covered by the national supervisory authorities of each member state, or are not specific to cross-border processing.Reference:Is it possible to choose your lead supervisory authority under the GDPR?,Art. 56 GDPR -- Competence of the lead supervisory authority,Navigating GDPR Compliance with a Lead Supervisory Authority,Guidelines 8/2022 on identifying a controller or processor's lead supervisory authority

Question 3

SCENARIO

Please use the following to answer the next question:

Sandy recently joined Market4U, an advertising technology company founded in 2016, as their VP of Privacy and Data Governance. Through her first initiative in conducting a data inventory, Sandy learned that Market4U maintains a list of 19 million global contacts that were collected throughout the course of Market4U's existence. Knowing the risk of having such a large amount of data, Sandy wanted to purge all contacts that were entered into Market4U's systems prior to May 2018, unless such contacts had a more recent interaction with Market4U content. However, Dan, the VP of Sales, informed Sandy that all of the contacts provide useful information regarding successful marketing campaigns and trends in industry verticals for Market4U's clients.

Dan also informed Sandy that he had wanted to focus on gaining more customers within the sports and entertainment industry. To assist with this behavior, Market4U's marketing team decided to add several new fields to Market4U's website forms, including forms for downloading white papers, creating accounts to participate in Market4U's forum, and attending events. Such fields include birth date and salary.

What should Sandy give as feedback to Dan and the marketing team regarding the new fields Dan wants to add to Market4U's forms?

AMake all the fields optional.

BOnly request the information in brackets (i.e., age group and salary range).

CEliminate the fields, as they are not proportional to the services being offered.

DEliminate the fields as they are not necessary for the purposes of providing white papers or registration for events.

Answer : D

Sandy should give this feedback to Dan and the marketing team, as it reflects the principle of data minimization, which requires that personal data collected must be adequate, relevant and limited to what is necessary for the purposes of the processing1. Collecting birth date and salary information from customers who want to download white papers or register for events is not necessary for those purposes, and may pose risks for data protection and security.Moreover, such information may fall under the category of special data, which requires explicit consent from the data subjects and can only be processed under certain conditions2. The other options do not comply with the principle of data minimization, as they still involve collecting more data than needed, even if they are optional or in brackets.Reference:

Free CIPP/E Study Guide, page 23, section 3.1

CIPP/E Certification, page 18, section 3.1

The Ultimate CIPP/E Study Guide for 2023, page 16, section 3.1

Principles - General Data Protection Regulation (GDPR), Article 5

Special categories of personal data - General Data Protection Regulation (GDPR), Article 9

Question 4

When collecting personal data in a European Union (EU) member state, what must a company do if it collects personal data from a source other than the data subjects themselves?

AInform the subjects about the collection

BProvide a public notice regarding the data

CUpgrade security to match that of the source

DUpdate the data within a reasonable timeframe

Answer : A

:According to Article 14 of the GDPR, when a controller collects personal data from a source other than the data subject, the controller must provide the data subject with certain information, such as the identity and contact details of the controller, the purposes and legal basis of the processing, the categories of personal data concerned, the recipients or categories of recipients of the personal data, and the rights of the data subject. This information must be provided within a reasonable period after obtaining the personal data, but at the latest within one month, or at the time of the first communication with the data subject, or before disclosing the data to another recipient. The purpose of this provision is to ensure fair and transparent processing of personal data and to respect the right of the data subject to be informed.Reference:

Article 14 of the GDPR, which specifies the information to be provided where personal data have not been obtained from the data subject.

ICO guidance, which explains the requirements and exceptions of Article 14 of the GDPR.

EDPB guidelines, which provide further guidance on the application of Article 14 of the GDPR.

Question 5

How does the GDPR now define ''processing''?

AAny act involving the collecting and recording of personal data.

BAny operation or set of operations performed on personal data or on sets of personal data.

CAny use or disclosure of personal data compatible with the purpose for which the data was collected.

DAny operation or set of operations performed by automated means on personal data or on sets of personal data.

Answer : B

The GDPR defines processing as ''any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction'' (Article 4(2)). This is a broad definition that covers almost any activity involving personal data, regardless of the method or means used. The GDPR also specifies that processing should be lawful, fair and transparent, and should respect the principles of data protection by design and by default (Article 5).Reference:CIPP/E Certification - International Association of Privacy Professionals,Free CIPP/E Study Guide - International Association of Privacy Professionals, [GDPR - EUR-Lex]

I hope this helps. If you have any other questions, please let me know.

Question 6

Which of the following describes a mandatory requirement for a group of undertakings that wants to appoint a single data protection officer?

AThe group of undertakings must obtain approval from a supervisory authority.

BThe group of undertakings must be comprised of organizations of similar sizes and functions.

CThe data protection officer must be located in the country where the data controller has its main establishment.

DThe data protection officer must be easily accessible from each establishment where the undertakings are located.

Answer : D

According to Article 37(2) of the GDPR, a group of undertakings may appoint a single data protection officer (DPO) provided that the DPO is easily accessible from each establishment12.This means that the DPO should be able to communicate effectively with the data subjects and the supervisory authorities in the relevant languages and jurisdictions, and to perform the tasks referred to in Article 39 of the GDPR34.The accessibility of the DPO does not necessarily depend on the physical location of the DPO, but rather on the availability of the DPO to the relevant stakeholders via various means of communication34. Therefore, the DPO does not have to be located in the country where the data controller has its main establishment, nor does the group of undertakings have to obtain approval from a supervisory authority or be comprised of organizations of similar sizes and functions to appoint a single DPO.Reference:CIPP/E Certification - International Association of Privacy Professionals,Free CIPP/E Study Guide - International Association of Privacy Professionals,GDPR - EUR-Lex,What's different about a group data protection officer?,Data Protection Officers: What US Companies Need to Know - Cooley

Question 7

SCENARIO - Please use the following to answer the next question:

It has been a tough season for the Spanish Handball League, with acts of violence and racism having increased exponentially during their last few matches.

In order to address this situation, the Spanish Minister of Sports, in conjunction with the National Handball League Association, issued an Administrative Order (the "Act") obliging all the professional clubs to install a fingerprint-reading system for accessing some areas of the sports halls, primarily the ones directly behind the goalkeepers. The rest of the areas would retain the current access system, which allows any spectators access as long as they hold valid tickets.

The Act named a selected hardware and software provider, New Digital Finger, Ltd., for the creation of the new fingerprint system. Additionally, it stipulated that any of the professional clubs that failed to install this system within a two-year period would face fines under the Act.

The Murla HB Club was the first to install the new system, renting the New Digital Finger hardware and software. Immediately afterward, the Murla HB Club automatically renewed current supporters' subscriptions, while introducing a new contractual clause requiring supporters to access specific areas of the hall through the new fingerprint reading system installed at the gates.

After the first match hosted by the Murla HB Club, a local supporter submitted a complaint to the club and to the Spanish Data Protection Authority (the AEPD), claiming that the new access system violates EU data protection laws. Having been notified by the AEPD of the upcoming investigation regarding this complaint, the Murla HB Club immediately carried out a Data Protection Impact Assessment (DPIA), the conclusions of which stated that the new access system did not pose any high risks to data subjects' privacy rights.

The Murla HB Club should have carried out a DPIA before the installation of the new access system and at what other time?

AAfter the complaint of the supporter.

BPeriodically, when new risks were foreseen.

CAt the end of every match of the season.

DAfter the AEPD notification of the investigation.

Answer : B

A DPIA is not a one-time activity. While it's crucial to conduct a DPIA before implementing a new system that processes personal data (like the fingerprint system), the GDPR requires organizations to review and update their DPIAs periodically, especially when there are changes that might affect the risk to data subjects.

Here's why the other options are incorrect:

A . After the complaint of the supporter: While a complaint might trigger a review of the processing, the DPIA should have been done proactively before any issues arose.

C . At the end of every match of the season: This frequency is excessive and doesn't align with the idea of assessing risks when changes occur.

D . After the AEPD notification of the investigation: Similar to option A, this is reactive rather than proactive.

GDPR Article 35 - Data protection impact assessment

IAPP CIPP/E textbook, Chapter 4: Accountability and Data Governance (specifically, sections on DPIAs and ongoing review)

WP29 Guidelines on Data Protection Impact Assessment (DPIA)

IAPP Certified Information Privacy Professional/Europe CIPP-E Exam Practice Test