IAPP Certified Information Privacy Professional/Europe CIPP-E Exam Practice Test

Page: 1 / 14
Total 295 questions

Want more questions? Get Premium Access.
()

Question 1

In addition to the European Commission, who can adopt standard contractual clauses, assuming that all required conditions are met?

AApproved data controllers.

BThe Council of the European Union.

CNational data protection authorities.

DThe European Data Protection Supervisor.

Answer : C

According to Article 46(2) of the GDPR, standard contractual clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2) can be used as a legal basis for data transfers to third countries12. This means that, in addition to the European Commission, national data protection authorities can adopt standard contractual clauses, provided that they meet the conditions and requirements set out in the GDPR and obtain the approval of the Commission. The other options are not correct, as approved data controllers, the Council of the European Union and the European Data Protection Supervisor do not have the power to adopt standard contractual clauses under the GDPR.Reference:CIPP/E Certification - International Association of Privacy Professionals,Free CIPP/E Study Guide - International Association of Privacy Professionals,GDPR - EUR-Lex,Standard Contractual Clauses (SCC) - European Commission

I hope this helps. If you have any other questions, please let me know. .

Question 2

According to the AI Act, a provider of a high-risk AI system has all of the following obligations EXCEPT?

AEnsuring users understand how the system mitigates bias.

BRegistering the system in the European AI Board's database.

CProviding detailed documentation about the system to the users.

DConducting a conformity assessment before placing the system on the market.

Answer : A

The EU Artificial Intelligence Act (AI Act) introduces strict regulations for high-risk AI systems to ensure safety, fairness, and transparency. These regulations apply to both providers and users of AI systems within the EU and even globally under certain conditions.

Key obligations for providers of high-risk AI systems under the AI Act include:

Conformity Assessment (Answer Choice D)

Before placing a high-risk AI system on the market, the provider must conduct a conformity assessment to ensure compliance with EU legal and ethical standards.

Public Registration of High-Risk AI Systems (Answer Choice B)

The AI Act requires high-risk AI systems to be registered in an EU-wide database maintained by the European Commission to enhance transparency and oversight.

Providing Documentation (Answer Choice C)

Providers must supply detailed technical documentation about the AI system to users, ensuring they understand the system's functionality, risks, and compliance measures.

Why is Answer Choice A incorrect?

The AI Act does not explicitly require providers to ensure users understand how the system mitigates bias. Instead, providers must ensure the quality of training and testing data and implement safeguards to prevent bias, but this does not extend to user education on bias mitigation.

Question 3

A company is located in a country NOT considered by the European Union (EU) to have an adequate level of data protection. Which of the following is an obligation of the company if it imports personal data from another organization in the European Economic Area (EEA) under standard contractual clauses?

ASubmit the contract to its own government authority.

BEnsure that notice is given to and consent is obtained from data subjects.

CSupply any information requested by a data protection authority (DPA) within 30 days.

DEnsure that local laws do not impede the company from meeting its contractual obligations.

Answer : D

The GDPR allows the transfer of personal data to countries outside of the EEA that do not provide an adequate level of data protection, if appropriate safeguards are provided by the data exporter and the data importer1.One of these safeguards are standard contractual clauses (SCCs) adopted by the European Commission, which are model clauses that impose obligations on both parties to ensure that the transfer complies with the GDPR requirements2.The SCCs also include clauses on the rights of the data subjects, the obligations of the data protection authorities, and the liability and indemnification of the parties3.One of the obligations of the data importer under the SCCs is to warrant that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract, and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the SCCs, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract4. Therefore, option D is the correct answer, as it reflects the obligation of the data importer under the SCCs to ensure that local laws do not impede the company from meeting its contractual obligations. Options A, B and C are incorrect, as they are not obligations of the data importer under the SCCs.Option A is not required by the GDPR or the SCCs, as the data importer does not need to submit the contract to its own government authority, unless the law of the country where the data importer is established requires it to do so prior to the transfer or disclosure of personal data5.Option B is not an obligation of the data importer, but of the data exporter, who must provide the data subjects with the information required by Articles 13 and 14 of the GDPR, including the fact that the data will be transferred to a third country and the appropriate safeguards in place6.Option C is not specific to the SCCs, but a general obligation of any controller or processor under the GDPR, who must cooperate with the supervisory authority and make available all information necessary to demonstrate compliance with their obligations7.Reference:1: Article 46(1) of the GDPR2:Standard Contractual Clauses (SCC) - European Commission3:EU Standard Contractual Clauses (Word documents)4: Clause 5(a) of the SCCs for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/6795: Clause 5(b) of the SCCs for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/6796: Clause 9 of the SCCs for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/6797: Article 31 of the GDPR

Question 4

Under the GDPR, which of the following is true in regard to adequacy decisions involving cross-border transfers?

AThe European Commission can adopt an adequacy decision for individual companies.

BThe European Commission can adopt, repeal or amend an existing adequacy decision.

CEU member states are vested with the power to accept or reject a European Commission adequacy decision.

DTo be considered as adequate, third countries must implement the EU General Data Protection Regulation into their national legislation.

Answer : B

According to Article 45 of the GDPR, the European Commission has the power to determine whether a third country, a territory or one or more specified sectors within a third country, or an international organisation ensures an adequate level of protection of personal data. This means that personal data can flow from the EU and the EEA to that third country without any further safeguard being necessary. The adequacy decision is based on an assessment of the legal framework, the enforcement mechanisms, the access by public authorities, the international commitments and the cooperation with the EU of the third country or organisation. The European Commission also monitors the functioning of the adequacy decisions and can repeal, amend or suspend them if the level of protection is no longer ensured. The European Commission has so far recognised several countries and organisations as providing adequate protection, such as Japan, Canada, Switzerland, the UK and the EU-US Data Privacy Framework.Reference:GDPR Article 45,Data protection adequacy for non-EU countries,Adequacy decisions | European Data Protection Board

Question 5

Under the Data Protection Law Enforcement Directive of the EU, a government can carry out covert investigations involving personal data, as long it is set forth by law and constitutes a measure that is both necessary and what?

APrudent.

BImportant.

CProportionate.

DDPA-approved.

Answer : C

According to the CIPP/E study guide, the Data Protection Law Enforcement Directive (LED) is a piece of EU legislation that ensures the protection of personal data of individuals involved in criminal proceedings, be it as witnesses, victims or suspects1.The LED applies to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties2.Article 4 of the LED sets out the principles relating to the processing of personal data, which include lawfulness, fairness, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality3.Article 4 (1) (e) of the LED states that personal data shall be processed lawfully, where processing is necessary for the performance of a task carried out by a competent authority for the purposes of the LED, and where processing is based on Union or Member State law which shall meet an objective of general interest, respect the essence of the right to the protection of personal data and be proportionate to the legitimate aim pursued3.Therefore, a government can carry out covert investigations involving personal data, as long as it is set forth by law and constitutes a measure that is both necessary and proportionate to the objective of general interest, such as the prevention or prosecution of criminal offences.Reference:1: CIPP/E study guide, page 1;Data protection in law enforcement2: CIPP/E study guide, page 2;Art. 2 LED3: CIPP/E study guide, page 3;Art. 4 LED.

Question 6

SCENARIO

Please use the following to answer the next question:

Javier is a member of the fitness club EVERFIT. This company has branches in many EU member states, but for the purposes of the GDPR maintains its primary establishment in France. Javier lives in Newry, Northern Ireland (part of the U.K.), and commutes across the border to work in Dundalk, Ireland. Two years ago while on a business trip, Javier was photographed while working out at a branch of EVERFIT in Frankfurt, Germany. At the time, Javier gave his consent to being included in the photograph, since he was told that it would be used for promotional purposes only. Since then, the photograph has been used in the club's U.K. brochures, and it features in the landing page of its U.K. website. However, the fitness club has recently fallen into disrepute due to widespread mistreatment of members at various branches of the club in several EU member states. As a result, Javier no longer feels comfortable with his photograph being publicly associated with the fitness club.

After numerous failed attempts to book an appointment with the manager of the local branch to discuss this matter, Javier sends a letter to EVETFIT requesting that his image be removed from the website and all promotional materials. Months pass and Javier, having received no acknowledgment of his request, becomes very anxious about this matter. After repeatedly failing to contact EVETFIT through alternate channels, he decides to take action against the company.

Javier contacts the U.K. Information Commissioner's Office ('ICO' -- the U.K.'s supervisory authority) to lodge a complaint about this matter. The ICO, pursuant to Article 56 (3) of the GDPR, informs the CNIL (i.e. the supervisory authority of EVERFIT's main establishment) about this matter. Despite the fact that EVERFIT has an establishment in the U.K., the CNIL decides to handle the case in accordance with Article 60 of the GDPR. The CNIL liaises with the ICO, as relevant under the cooperation procedure. In light of issues amongst the supervisory authorities to reach a decision, the European Data Protection Board becomes involved and, pursuant to the consistency mechanism, issues a binding decision.

Additionally, Javier sues EVERFIT for the damages caused as a result of its failure to honor his request to have his photograph removed from the brochure and website.

Assuming that multiple EVETFIT branches across several EU countries are acting as separate data controllers, and that each of those branches were responsible for mishandling Javier's request, how may Javier proceed in order to seek compensation?

AHe will have to sue the EVETFIT's head office in France, where EVETFIT has its main establishment.

BHe will be able to sue any one of the relevant EVETFIT branches, as each one may be held liable for the entire damage.

CHe will have to sue each EVETFIT branch so that each branch provides proportionate compensation commensurate with its contribution to the damage or distress suffered by Javier.

DHe will be able to apply to the European Data Protection Board in order to determine which particular EVETFIT branch is liable for damages, based on the decision that was made by the board.

Answer : B

According to Article 82 of the GDPR1, any person who has suffered material or non-material damage as a result of an infringement of the GDPR shall have the right to receive compensation from the controller or processor for the damage suffered. Any controller involved in processing shall be liable for the damage caused by processing which infringes the GDPR. Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject. Therefore, Javier can sue any one of the EVETFIT branches that were involved in processing his personal data without his consent and in violation of his rights, and he can claim full compensation from that branch.The branch that pays the compensation can then claim back from the other branches involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage.Reference:1Art. 82 GDPR -- Right to compensation and liability - General Data Protection Regulation (GDPR)

Question 7

According to the European Data Protection Board, controllers responding to a data subject access request can refuse to provide a copy of personal data under certain conditions. Which of the following is NOT one of these conditions?

AIf the data subject access request was sent to an employee that is not involved in the processing of such requests.

BIf there is such a large amount of data that the controller cannot identify the data subject of the request.

CIf the controller is unable to use end-to-end encrypted emails for responding to such requests.

DIf the personal data was processed in the past but is no longer at the controller's disposal at the time of the request.

Answer : C

The right of access is one of the fundamental rights of data subjects under the GDPR. It allows data subjects to obtain from the controller confirmation as to whether or not personal data concerning them are being processed, and, where that is the case, access to the personal data and certain information about the processing. The controller must provide a copy of the personal data undergoing processing to the data subject, unless the data subject requests otherwise. The right of access is not absolute and may be subject to limitations, restrictions or exceptions, in accordance with the GDPR and the national laws of the member states.

The EDPB has issued draft guidelines on the right of access, which provide more detailed guidance on how to handle data subject access requests and what are the possible grounds for refusing to provide a copy of the personal data. According to the draft guidelines, the controller can refuse to provide a copy of the personal data in the following situations:

If the data subject access request was sent to an employee that is not involved in the processing of such requests. In this case, the controller must inform the data subject of the appropriate contact point for submitting the request and must not consider the request as received until it reaches the designated person or unit. This does not mean that the controller can ignore or delay the request, but rather that the controller must ensure that the request is forwarded to the responsible person or unit as soon as possible.

If there is such a large amount of data that the controller cannot identify the data subject of the request. In this case, the controller can ask the data subject to provide additional information to enable the identification of the data subject, such as a unique identifier, a reference number, a specific time period, a location or a context of the processing. The controller must not ask for more information than is necessary and must not use the information for any other purpose than verifying the identity of the data subject.

If the personal data was processed in the past but is no longer at the controller's disposal at the time of the request. In this case, the controller must inform the data subject that the personal data are no longer available and explain the reasons why the personal data have been erased, anonymised, archived or otherwise disposed of. The controller must also provide the data subject with any relevant information about the retention period, the archiving policy, the anonymisation process or the disposal method of the personal data.

The controller cannot refuse to provide a copy of the personal data in the following situation:

If the controller is unable to use end-to-end encrypted emails for responding to such requests. In this case, the controller must still provide a copy of the personal data to the data subject, but must ensure that the communication is secure and that the personal data are protected from unauthorised or unlawful access, disclosure, alteration or destruction. The controller can use alternative means of communication, such as secure online platforms, password-protected files, encrypted devices or postal mail, depending on the preferences and circumstances of the data subject. The controller must also inform the data subject of the risks involved in the chosen communication method and obtain the data subject's consent before sending the personal data.

GDPR, Articles 12, 13, 14, 15, 23 and 34.

EDPB Guidelines 01/2022 on data subject rights - Right of access Version 2, pages 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 and 16.