IAPP Certified Information Privacy Professional/Europe CIPP-E Exam Questions

Page: 1 / 14
Total 295 questions
Question 1

According to the European Data Protection Board, which of the following concepts or practices does NOT follow from the principles relating to the processing of personal data under EU data protection law?



Answer : A

According to the European Data Protection Board, the principles relating to the processing of personal data under EU data protection law are: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability1.These principles imply certain concepts or practices that data controllers and processors should follow, such as access control management, frequent pseudonymization key rotation, and error propagation avoidance along the processing chain2.However, data ownership allocation is not a concept or practice that follows from these principles, as the GDPR does not recognize the notion of data ownership by either the data subject or the data controller3. Therefore, option A is the correct answer.Reference:

Data protection basics

Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects

CIPP/E Study Guide, page 11


Question 2

SCENARIO

Please use the following to answer the next question:

Jack worked as a Pharmacovigiliance Operations Specialist in the Irish office of a multinational pharmaceutical company on a clinical trial related to COVID-19. As part of his onboarding process Jack received privacy training He was explicitly informed that while he would need to process confidential patient data in the course of his work, he may under no circumstances use this data for anything other than the performance of work-related (asks This was also specified in the privacy policy, which Jack signed upon conclusion of the training.

After several months of employment, Jack got into an argument with a patient over the phone. Out of anger he later posted the patient's name and hearth information, along with disparaging comments, on a social media website. When this was discovered by his Pharmacovigilance supervisors. Jack was immediately dismissed

Jack's lawyer sent a letter to the company stating that dismissal was a disproportionate sanction, and that if Jack was not reinstated within 14 days his firm would have no alternative but to commence legal proceedings against the company. This letter was accompanied by a data access request from Jack requesting a copy of "all personal data, including internal emails that were sent/received by Jack or where Jack is directly or indirectly identifiable from the contents In relation to the emails Jack listed six members of the management team whose inboxes he required access.

The company conducted an initial search of its IT systems, which returned a large amount of information They then contacted Jack, requesting that he be more specific regarding what information he required, so that they could carry out a targeted search Jack responded by stating that he would not narrow the scope of the information requester.

Under Article 82 of the GDPR ("Right to compensation and liability-), which party is liable for the damage caused by the data breach?



Answer : D

Article 82 of the GDPR introduces a right to compensation for damage caused as a result of an infringement of the GDPR1.Article 82 (1) states that any person who has suffered material or non-material damage as a result of an infringement of the GDPR shall have the right to receive compensation from the controller or processor for the damage suffered1.Article 82 (2) states that any controller involved in processing shall be liable for the damage caused by processing which infringes the GDPR1.A processor shall be liable for the damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller1.Article 82 (3) states that a controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage1. In this case, Jack is liable for the damage caused by the data breach, as he violated the GDPR by posting the patient's name and health information, along with disparaging comments, on a social media website.This constitutes an infringement of the GDPR, as it violates the principles of lawfulness, fairness, and transparency (Article 5 (1) (a)), purpose limitation (Article 5 (1) (b)), data minimisation (Article 5 (1) ), accuracy (Article 5 (1) (d)), integrity and confidentiality (Article 5 (1) (f)), and the rights of the data subject (Articles 12-23)1. The pharmaceutical company is not liable for the damage caused by the data breach, as it can prove that it is not in any way responsible for the event giving rise to the damage. The company provided privacy training to Jack, informed him of the privacy policy, obtained his consent, and dismissed him as soon as the breach was discovered.Therefore, the company complied with the obligations of the GDPR, such as the accountability principle (Article 5 (2)), the data protection by design and by default principle (Article 25), the security of processing principle (Article 32), and the notification of a personal data breach to the supervisory authority principle (Article 33)1. Therefore, option D is the correct answer.Reference:Art. 82 GDPR -- Right to compensation and liability,Article 82 GDPR - GDPRhub


Question 3

SCENARIO

Please use the following to answer the next question:

Zandelay Fashion ('Zandelay') is a successful international online clothing retailer that employs approximately 650 people at its headquarters based in Dublin, Ireland. Martin is their recently appointed data protection officer, who oversees the company's compliance with the General Data Protection Regulation (GDPR) and other privacy legislation.

The company offers both male and female clothing lines across all age demographics, including children. In doing so, the company processes large amounts of information about such customers, including preferences and sensitive financial information such as credit card and bank account numbers.

In an aggressive bid to build revenue growth, Jerry, the CEO, tells Martin that the company is launching a new mobile app and loyalty scheme that puts significant emphasis on profiling the company's customers by analyzing their purchases. Martin tells the CEO that: (a) the potential risks of such activities means that Zandelay needs to carry out a data protection impact assessment to assess this new venture and its privacy implications; and (b) where the results of this assessment indicate a high risk in the absence of appropriate protection measures. Zandelay may have to undertake a prior consultation with the Irish Data Protection Commissioner before implementing the app and loyalty scheme.

Jerry tells Martin that he is not happy about the prospect of having to directly engage with a supervisory authority and having to disclose details of Zandelay's business plan and associated processing activities.

What must Zandelay provide to the supervisory authority during the prior consultation?



Answer : B

According to Article 36 of the GDPR, when a controller intends to process personal data that would result in a high risk to the rights and freedoms of data subjects, and a data protection impact assessment under Article 35 indicates that the risk cannot be mitigated by the controller, the controller must consult the supervisory authority before processing. The purpose of this prior consultation is to seek the advice of the supervisory authority on whether the processing complies with the GDPR and what measures can be taken to ensure compliance. During the prior consultation, the controller must provide the supervisory authority with the following information:

the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings;

the purposes and means of the intended processing;

the measures and safeguards provided to protect the rights and freedoms of data subjects pursuant to the GDPR;

the contact details of the data protection officer, if any;

the data protection impact assessment provided for in Article 35; and

any other information requested by the supervisory authority.

Therefore, the correct answer is B. An explanation of the purposes and means of the intended processing. This information is essential for the supervisory authority to understand the nature and scope of the processing and to assess its compliance with the GDPR. The other options are not required by Article 36, although they may be relevant for other aspects of the GDPR, such as the data protection by design and by default principle (A), the lawfulness of processing , or the designation of the data protection officer (D).Reference:

Article 36 of the GDPR, which regulates the prior consultation with the supervisory authority.

ICO guidance, which explains the process and requirements of the prior consultation.

EDPB guidelines, which provide further guidance on the criteria and procedure of the prior consultation.


Question 4

Start-up company MagicAl is developing an AI system that will be part of a medical device that detects skin cancer. To take measures against potential bias in its AI system, the IT team decides to collect data about users' ethnic origin, nationality, and gender.

Which would be the most appropriate legal basis for this processing under GDPR, Article 9 (Processing of special categories of personal data)?



Answer : C

Under Article 9 of the GDPR, processing of special category data (e.g., ethnicity, health data) is prohibited unless an exception applies.

Why is C the correct answer?

AI-based medical devices fall under 'preventive or occupational medicine' as per GDPR Article 9(2)(h).

The AI system is used to detect skin cancer, a form of preventive medicine, making this the appropriate basis.

Why are other answers incorrect?

A (Scientific research or statistical purposes) While scientific research can be a legal basis, it requires additional safeguards such as anonymization, which may not be feasible in this case.

B (Substantial public interest) While public health is important, this processing is specific to medical diagnosis, making Article 9(2)(h) more appropriate.

D (Defense of legal claims) Legal claims are not relevant here, as the processing is for bias mitigation in AI training.


Question 5

The Planet 49 CJEU Judgement applies to?



Answer : C


The Planet 49 CJEU Judgement applies to cookies regardless of whether the data accessed is personal or not. The Court of Justice of the European Union (the 'CJEU') delivered this judgement on 1 October 2019, in response to a request for a preliminary ruling from the German Federal Court of Justice (the 'Bundesgerichtshof') . The case concerned the validity of consent for the use of cookies and similar technologies under the e-Privacy Directive and the GDPR.

The CJEU ruled that Article 5 (3) of the e-Privacy Directive, which requires consent for the storage of, or access to, information stored in the user's terminal equipment, applies to any information installed or accessed from an individual's device, regardless of whether it constitutes personal data or not. The Court reasoned that the aim of the provision is to protect the user from interference with his or her private sphere, which may occur irrespective of the nature of the information stored or accessed. Therefore, the consent requirement applies to all cookies and similar technologies, except for those that are strictly necessary for the provision of a service explicitly requested by the user.

The CJEU also clarified that the consent required for cookies under the e-Privacy Directive must comply with the standard of consent under the GDPR, which means that it must be freely given, specific, informed and unambiguous, and given by a clear affirmative action. The Court held that a pre-ticked checkbox does not constitute valid consent, as it does not imply active behaviour by the user. The Court also stated that the user must be provided with clear and comprehensive information about the cookies, including their duration and whether third parties will have access to them.Reference:

Planet 49 Judgment -- takeaways for Cookie Monsters

The Planet 49 decision: Implications for organisations that use cookies

CURIA - List of results

Question 6

Company X has entrusted the processing of their payroll data to Provider Y. Provider Y stores this encrypted data on its server. The IT department of Provider Y finds out that someone managed to hack into the system and take a copy of the data from its server. In this scenario, whom does Provider Y have the obligation to notify?



Answer : B

According to Article 33 of the GDPR, in the case of a personal data breach, the processor (Provider Y) shall notify the controller (Company X) without undue delay after becoming aware of the breach. The processor does not have the obligation to notify the supervisory authority, the public, or law enforcement, unless otherwise required by law. The controller is responsible for notifying the supervisory authority and, where necessary, the data subjects, unless the breach is unlikely to result in a risk to their rights and freedoms.Reference:

Article 33 of the GDPR, which regulates the notification of a personal data breach to the supervisory authority.

[Article 34 of the GDPR], which regulates the communication of a personal data breach to the data subject.

ICO guidance, which explains the roles and responsibilities of controllers and processors in relation to data breach notification.


Question 7

The GDPR specifies fines that may be levied against data controllers for certain infringements. Which of the following infringements would be subject to the less severe administrative fine of up to 10 million euros (or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year)?



Answer : B

According to Article 83 of the GDPR, the less severe administrative fines of up to 10 million euros or 2% of the annual worldwide turnover apply to infringements of the articles governing controllers and processors, certification bodies, and monitoring bodies. These include Articles 8, 11, 25-39, 42, and 43. Among the answer choices, only option B falls under this category, as Article 25 requires controllers to implement data protection by design and by default. Option A is related to Article 7, which governs the conditions for consent. Option C is related to Article 5, which sets out the principles for processing personal data. Option D is related to Article 16, which grants the right to rectification to data subjects. These articles are subject to the more severe administrative fines of up to 20 million euros or 4% of the annual worldwide turnover.Reference:

GDPR Article 83

GDPR Article 25

GDPR Article 7

GDPR Article 5

GDPR Article 16


Page:    1 / 14   
Total 295 questions