Quizlet 3

This document contains practice questions for the CIPP/E IAPP exam. It covers topics like key EU data protection milestones, definitions of data processing and personal data, the territorial scope of the GDPR, and principles for legitimate data processing and special categories of data. The questions test understanding of concepts from the GDPR and related EU data protection laws and institutions.

CIPP/E IAPP Practice Questions

Study online at quizlet.com/_6wzsu0

1. Which of the following data protection milestones is a treaty among member states of the Council of Europe?
-Data Retention Directive
-Charter of Fundamental Rights
-Convention 108
-e-Privacy Directive
-GDPR
Answer: Convention 108

2. Which of the following data protection milestones applies to public electronic communications services and networks?
-Data Retention Directive
-Charter of Fundamental Rights
-Convention 108
-e-Privacy Directive
-GDPR
Answer: e-Privacy Directive

3. The Universal Declaration of Human Rights is a product of which institution?
-The United Nations
-The Council of Europe
-The European Union
Answer: The United Nations

4. Which European institution is composed of 47 member states?
-The Council of Europe
-The European Union
-The European Economic Area
Answer: The Council of Europe

5. Choose the characteristic that describes the European Parliament.
-Is responsible for legislative development, supervisory oversight of other institutions, and development of the budget
-Defines the EU priorities and sets the political direction for the EU.
Answer: Defines the EU priorities and sets the political direction for the EU

6. Choose the characteristic that describes the European Council.
-Sets the overall political agenda of the EU.
-Negotiates and adopts laws
Answer: Sets the overall political agenda of the EU

7. Choose the characteristic that describes the Council of the EU.
-Is sometimes described as the executive body of the EU
-Is one of the main decision-making bodies of the EU
Answer: Is one of the main decision-making bodies of the EU

8. Choose the characteristic that describes the European Commission.
-Has the power to propose legislation
-Is composed of a directly elected body
Answer: Has the power to propose legislation

9. Choose the characteristic that describes the Court of Justice of the EU.
-Makes decisions on issues of EU law
-Is based in Strasbourg
Answer: Makes decisions on issues of EU law

10. What is the function of the 4 step test?
-Determine if data qualifies as personal data
-Determine if personal data is anonymous
-Determine if personal data belongs to special categories
-Determine if personal data is pseudonymous
Answer: Determine if data qualifies as personal data

11. Which criteria are used to identify personal data? Select all that apply.
-natural person
-an identified or identifiable
-any information
-relating to
-or anonymous
Answer: All EXCEPT "or anonymous"

12. Select the types of personal data elements that belong to special categories under the GDPR.
-Personal data revealing religious or philosophical beliefs
-Data relating to personal interests and hobbies
-Data concerning health
-Personal data revealing political opinions
-Personal data revealing financial information
-Genetic data used to uniquely identify a natural person
Answer: All EXCEPT
-personal interests and hobbies
-financial information

13. True or False: Personal data either belongs to special categories or does not. There is no grey area.
Answer: False

14. True or False: Anonymising personal data is always possible.
Answer: False

15. True or False: Pseudonymous data is protected by the GDPR.
Answer: True

16. True or False: A data controller may be a natural person or a legal entity, while a data processor must be a legal entity.
Answer: False
17. True or False: A contract protects a processor from being held to the same legal obligations as the controller.
Answer: False

18. True or False: A processor may decide where and how to process personal data.
Answer: False

19. True or False: When personal data is being processed, there is always a controller.
Answer: True

20. What is data processing?
-Any action involved in securing and protecting data
-Any action performed upon data
-Any action involved in collecting personal data
-Any action that adapts or alters data
Answer: Any action performed upon data

21. What are the criteria used to determine the territorial scope of the GDPR? Select all that apply.
-Processing of personal data of EU subjects relating to offering goods or services or monitoring behaviour
-Processing of personal data by a controller not established in the EU but in a place where member state law applies
-Processing of personal data when a controller or processor is established in the EU
Answer: All

22. Which of the following fall under the material scope of the GDPR? Select all that apply.
-Processing personal data without human intervention
-Processing anonymous data
-Processing personal data that forms part of a filing system
Answer: All EXCEPT anonymous data

23. Exclusions to the material scope of GDPR should be interpreted broadly. True or False?
Answer: False

24. True or False: At least three of the legitimate processing criteria within the GDPR must be met for personal data to be processed legally.
Answer: False

25. Read the following and select all the GDPR principles that have been violated: An access control system used by an organization's maintenance team for building security is later used by a manager in a different department to determine if employees are arriving late for work. The employees are not informed of this new processing action, and the manager does not create consistent records of the processing activities.
-Integrity and confidentiality
-Accountability
-Data quality and accuracy
Answer: This violates
-Integrity and confidentiality
-Accountability

26. Which legitimate processing criterion is commonly used when a customer purchases a good or service?
-Consent
-Vital interests
-Contract
Answer: Contract

27. Which exception to the prohibition on processing special categories of data must be explicit?
-Vital interests
-Publicly available data
-Consent
Answer: Consent

28. Select all that are potential solutions to lengthy privacy notices.
-Key notices
-Standardized icons
-Terms of Agreement
-Just in time notices
-Layered privacy notices
Answer: All EXCEPT
-Key notices
-Terms of Agreement

29. True or False: A controller may charge an administrative fee to data subjects if they request that the information provision be in oral format.
Answer: False

30. Privacy notices should use visualisation where appropriate. True or False?
Answer: True

31. True or False: Information provided to data subjects about the processing of their personal data should be written in clear and plain language that is understandable.
Answer: True

32. True or False: The transparency principle states that detail is more important than conciseness in a privacy notice.
Answer: False
33. The information that must be provided to data subjects will depend on the situation. What information must be provided to data subjects when their personal data will be stored on a database hosted in the United States?
-Use of automated decision making
-Source of the data
-Intention to transfer data internationally
-Controller's legitimate interest
Answer: Intention to transfer data internationally

34. What information must be provided to data subjects when the controller's necessity is being used as the legal basis for processing?
-Source of the data
-Controller's legitimate interest
-Recipients of the data
-Legal basis for transferring data internationally
Answer: Controller's legitimate interest

35. What information must be provided to data subjects when the personal data that will be processed was collected indirectly?
-Source of the data
-Storage period
-Statutory or contractual requirement
-Controller's legitimate interest
Answer: Source of the data

36. What information must be provided to data subjects when their personal data will be shared with an outside organisation to provide them with a promised service?
-Use of automated decision making
-Recipients of the data
-Intention to transfer data internationally
-Source of the data
Answer: Recipients of the data

37. What information must be provided to the data subjects in all circumstances? Select all that apply.
-Controller obligations
-Identity of the controller
-Controller's legitimate interest
-Purpose of processing
-Data subjects' rights
Answer: All EXCEPT legitimate interest

38. Where would a full version of the privacy notice be located in a layered notice?
-the top layer
-the second layer
-the third layer
Answer: the third layer

39. True or False: Upon indirect collection, information provision should happen within a reasonable period of time.
Answer: True

40. True or False: Information provision is required, even if it necessitates disproportionate effort.
Answer: False

41. CIAR stands for...
-Confidentiality, information, availability and risk assessment
-Continuity, integrity, access, and resilience
-Confidentiality, integrity, availability and resilience
-Continuity, information, access and risk assessment
Answer: Confidentiality, integrity, availability and resilience

42. Pick the correct phrase: "Taking into account the __________________, the cost of implementation and the nature, scope, context and purposes of processing ..." (Article 32).
-state of the art
-risk of varying likelihood
-a level of security appropriate to the risk
-appropriate technical and organisational measures
Answer: state of the art

43. Pick the correct phrase: "the controller and the processor shall implement _______________" (Article 32).
-appropriate technical and organisational measures
-state of the art security
-risks of varying likelihood
-encryption appropriate to the risk
Answer: appropriate technical and organisational measures

44. True or False: The most cutting-edge security is always the best choice for security.
Answer: False

45. _________ is/are a key part of the equation when assessing risk.
-Expected loss
-Purpose of processing
-Data subject rights
Answer: Expected loss
46. Which of the following should be considered for a holistic approach to data security?
-A policy framework
-Information technology
-Incident detection and response
-All of the above
Answer: All of the above. Additional considerations may include management, worker buy-in, and the physical environment.

47. __________ must be included in a processor contract. Check all that apply:
-the categories of data subjects
-the nature and purpose of the processing
-the subject matter and duration of the processing
-the type of personal data
-the method for destroying personal information following processing activities
Answer: All EXCEPT the method for destroying personal data. The contract should also contain the obligations and rights of the controller.

48. A processor is responsible for implementing appropriate technical and organisational measures to keep personal data secure. True or False?
Answer: True

49. A processor may process personal data only on documented instructions from the controller. True or False?
Answer: True

50. A controller must notify the supervisory authority of a personal data breach if __________.
-A breach is likely to result in a risk to the rights and freedoms of natural persons
-A breach is likely to result in a high risk for the rights and freedoms of natural persons
Answer: A breach is likely to result in a risk to the rights and freedoms of natural persons.

51. A controller must notify the data subjects of a personal data breach if the breach is likely to result in a high risk to the rights and freedoms of those individuals unless _________. Pick all that apply:
-Individual notice requires disproportionate effort
-Prior implementation of appropriate technical and organisational measures rendered the personal data unintelligible or encrypted
-Post-breach actions greatly reduce the risk to the rights and freedoms of the data subjects
Answer: All

52. Which of the following data subject rights provides data subjects with entitlements to certain information, obtainable from the controller upon request? Pick all that apply.
-right of access
-right of erasure
-right to object
-right to restriction of processing
Answer: right of access

53. Right of access grants data subjects access to which of the following types of information? Select all that apply.
-The means of data storage
-Retention periods
-The purpose of processing
-Locations where the data is being processed
Answer:
-The purpose of processing
-Retention periods
-Locations where the data is being processed

54. The right to be forgotten is part of what data subject right?
-Right to data portability
-Right to erasure
-Right to restriction of processing
-Right to rectification
Answer: Right to erasure

55. Which of the following is not a method listed by the GDPR as a method for restricting processing of personal data? Select all that apply.
-Noting the restriction in the system
-Moving the data to a separate system
-Temporarily blocking a website
-Disabling the data management system
Answer: Disabling the data management system
56. Which of the following are categories under which a data subject may object to processing his or her personal data? Select all that apply.
-Establishment, exercise or defense of legal claims
-Direct marketing
-Public interest or legitimate interest
-Research or statistical purposes
Answer: All EXCEPT establishment, exercise or defense of legal claims.

57. What is profiling?
-the processing of personal data gathered from social media sites
-a form of automated decision making
-the act of enabling cookies
-all of the above
Answer: A form of automated decision making

58. True or False: Both controllers and processors have accountability obligations under GDPR.
Answer: True

59. True or False: Data protection by design begins prior to processing and incorporates data protection considerations into the planning phase.
Answer: True

60. What are the main values of a data protection impact assessment (DPIA)? Select all that apply.
-Demonstrating compliance to supervisory authorities
-Incorporating data protection considerations into organisational planning
-Determining the purpose of processing personal data
Answer:
-Demonstrating compliance to supervisory authorities
-Incorporating data protection considerations into organisational planning

61. True or False: The GDPR requires controllers to always contact the supervisory authority following a DPIA and before processing.
Answer: False

62. True or False: The GDPR requires a data protection policy to be used where proportionate in relation to processing activities.
Answer: True

63. Which of the following must be included in controllers' personal data processing records, but not in the processors' records?
-International data transfers being made and the measures put in place to ensure they are lawful
-Purpose of processing
-A general description of technical and organisational security measures that have been implemented
Answer: Purpose of processing

64. True or False: The data protection officer must be an expert in data protection law and practices.
Answer: True

65. Which of the following are circumstances that require an organisation to appoint a DPO? Select all that apply.
-The core activities of the controller or processor include regular and systematic monitoring of data subjects on a large scale.
-The core activities of the controller or processor consist of large scale processing of special categories of data.
-The controller is a public authority.
Answer: All

66. In what order should the following options for cross-border data transfers be considered?
-Adequacy decisions
-Appropriate safeguards
-Derogations
Answer:
-Adequacy decisions
-Appropriate safeguards
-Derogations

67. Which of the following options for cross-border data transfers is a determination by the European Commission that a third country has achieved an EU-level of personal data protection?
-Adequacy decision
-Appropriate safeguard
-Derogation
Answer: Adequacy decisions

68. Which of the following countries have been deemed adequate by the European Commission? Select all that apply.
-Argentina
-Uruguay
-New Zealand
-Switzerland
Answer: All
69. Which of the following are EU-US Privacy Shield requirements? Select all that apply.
-Publicly disclose the organisation's privacy policy
-Implement the Privacy Shield Principles
-Update the organization's privacy policy annually
-Publicize the commitment to the U.S. Department of Commerce to adhere to the Privacy Shield Principles
Answer:
-Publicly disclose privacy policy
-Implement Privacy Shield Principles
-Publicize the commitment to the DoC

70. Which of the following are appropriate safeguards for cross-border data transfers? Select all that apply.
-Public interest
-Binding corporate rules
-Approved codes of conduct or certification mechanisms
-Standard contractual clauses
Answer:
-BCR
-Codes of conduct/certification
-Standard clauses

71. Which appropriate safeguard allows large multinational companies to adopt a policy suite with rules for handling personal data?
-Standard contractual clauses
-Reliance on international agreements
-Ad hoc contractual clauses
-Binding corporate rules
Answer: Binding Corporate Rules

72. True or False: Criteria for derogations are strict and should be interpreted narrowly.
Answer: True

73. Who does the GDPR task with promoting, monitoring and enforcing the GDPR?
-The European Data Protection Supervisor
-Processors
-Controllers
-Supervisory authorities
Answer: Supervisory authorities

74. How many active participants will the European Data Protection Board have?
-28
-38
-21
-31
Answer: 28

75. Which of the following mechanisms facilitates the provision of relevant information between supervisory authorities?
-Urgency procedure
-Mutual assistance
-Cooperation
-Consistency mechanism
Answer: Mutual assistance

76. Which of the following mechanisms facilitates a specific collaborative process between supervisory authorities, the Commission and the European Data Protection Board for adopting certain measures and ensuring consistent GDPR application?
-Cooperation
-Joint operations
-Dispute resolution
-Consistency mechanism
Answer: Consistency mechanism

77. Which types of laws should be considered when processing employees' personal data? Select all that apply.
-Local employment law
-EU data protection law
-Member state data protection law
Answer: All

78. What must be provided to employees when processing their personal data?
-Notice that their personal data will be processed
-The supervisory authority's contact information
-Opt-in
-Opt-out
Answer: Notice

79. True or False: Some employers may be required to consult with works councils and/or trade unions to process employees' personal data.
Answer: True
80. True or False: BYOD policies are designed to protect employees' personal data.
Answer: False

81. True or False: Alternatives to employee monitoring should always be considered.
Answer: True

82. What U.S. act requires companies to have a system in place to receive anonymous complaints about potential wrongdoing?
-Sarbanes-Oxley Act (SOX)
-Young-Underthorn Act (YOU)
-Washington's Whistle-blowing Act (WOW)
-Barnes Laremey Act (BLAME)
Answer: Sarbanes-Oxley Act (SOX)

83. Which of the following statements are true of private sector entities that conduct surveillance? Select all that apply.
-The surveillance they conduct must be based on legitimate purposes.
-The surveillance they conduct must comply with national laws.
-They include bodies such as national security agencies and law enforcement authorities.
Answer:
-The surveillance must be based on legitimate purposes
-The surveillance must comply with national laws

84. The ePrivacy Directive governs the processing of which types of data? Select all that apply.
-Traffic data
-Content data
-Location data
Answer: All

85. True or False: The ePrivacy Directive governs the processing of data through both private and public carriers and communications networks.
Answer: False. It concerns only public carriers and communications networks.

86. Which of the following is not a data protection consideration associated with collecting personal data via CCTV?
-Proportionality
-Duration of the video
-Lawfulness
-Individual's rights
-Prior checking
-Information provision
Answer: Duration of the video

87. True or False: Under the GDPR, individuals have the absolute right to object to any form of direct marketing at any time.
Answer: True

88. Which of the following is true regarding direct marketing channels?
-For postal marketing, opt-in is required
-For telemarketing, opt-in is required
-For business-to-consumer emailing and text-messaging, opt-in is required
Answer: For business-to-consumer emailing and text-messaging, opt-in is required.

89. True or False: Under GDPR, web cookies qualify as personal data but IP addresses do not.
Answer: False

90. According to the GDPR, when does an organisation need to take action to legitimize cross-border data transfers of personal data?
a. when the data is routed through another jurisdiction in or outside the EU
b. when the data is transferred from one jurisdiction in the EU to another
c. when the data is transferred from a jurisdiction outside the European Union to a member state of the EU
d. when the data is transferred from a jurisdiction in the EU to a third country which is not deemed adequate
Answer: d
91. The GDPR and its predecessor, the Data Protection Directive 95/46/EC, were allowed to be set up as a harmonisation measure for European member states by which?
a. Lisbon Treaty
b. Treaty of Rome
c. Council of Europe Convention
d. European Convention on Human Rights
Answer: b

92. Which is an example of direct marketing?
a. an email sent to an individual about an order she has placed
b. an email sent to an individual promoting a new book which is on sale
c. a letter addressed to "the household" about a charity bookstore
d. an advertisement on a website promoting a new book which is on sale
Answer: b

93. The ePrivacy Directive 2002/58/EC contains which provision?
a. Location data may be freely processed.
b. Unsolicited commercial telephone calls, emails and faxes need opt-out consent.
c. Corporate communication systems must have adequate security.
d. Cookies require prior information and consent.
Answer: d

94. Which statement describes a European best practices approach to the protection of employment data held by an organisation?
a. Employers should avoid all types of monitoring when collecting employee information within the workplace.
b. Organisations should seek legal advice from a privacy lawyer before processing employee data.
c. Employee data should not be processed without expressed, verbal permission by the employee.
d. Employers should consult with regulatory bodies such as works councils about proposed data processing activity.
Answer: d

95. When should a controller notify the supervisory authority of a loss of personal information which is likely to result in harm to an individual?
a. within 72 hours after having become aware
b. no later than 5 calendar days after the incident is identified
c. notice must be provided without unreasonable delay; no later than 30 days; law enforcement can delay notification
d. there is no need to notify the supervisory authority of a loss of personal information
Answer: a

96. Under what conditions is processing sensitive employee data acceptable?
a. The processing is necessary for the performance of a contract to which the individual is a party.
b. The processing is necessary for the data controller to carry out their obligation in the field of employment law.
c. The processing is necessary for the interest of both the data controller and the employee.
d. The processing is necessary for the interest pursued by the data controller.
Answer: b

97. Under GDPR, which term is defined as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her"?
a. consent
b. expressed permission
c. lawful agreement
d. prior authorization
Answer: a
98. Why do BCRs prohibit the transfer of employee names to telecom providers within the same country in order to provide them with mobile phone services?
a. because BCRs only provide adequate safeguards for organisations who move data outside their corporation
b. because BCRs secure transfers to third parties without additional requirements
c. because BCRs only deal with intra-organisational transfers and not with transfers to third parties
d. because BCRs require contractual arrangements to legitimize international transfers of data
Answer: c

99. Along with the name and contact details of the data controller processing the personal data, what other information must be included in the records of processing to be maintained by the data controller under the GDPR?
a. retention period of each category of personal data, where possible
b. reason(s) for processing the personal data
c. third countries to which the information may be transferred
d. all of A, B, and C
Answer: d

100. Which statement is correct concerning the information to be provided when collecting personal data directly from the data subject?
a. There is one mandated form for such information which sets out all information requirements.
b. Data controllers are obliged to inform data subjects about the creation of copies of their personal data for backup reasons.
c. The information needs to detail if the personal data will be passed to another organisation.
d. An employer is not required to provide such information to its employees concerning the processing of their employment records.
Answer: c

101. Under the GDPR, would a European company be allowed to use video surveillance to monitor employee access to inventory?
a. No, under the GDPR this is never allowed.
b. No, video surveillance is too intrusive a solution.
c. Yes, provided that certain conditions have been met.
d. Yes, without any further conditions to be taken into account.
Answer: c

102. Which institution is responsible for ensuring that directives are implemented properly by the member states?
a. European Court of Justice
b. European Commission
c. European Parliament
d. European Data Protection Supervisor
Answer: b

103. What is true for a contract based on European Commission Standard Contractual Clauses with a processor outside the European Economic Area?
a. For subcontracting, the processor must inform the controller and obtain written approval.
b. Before the processing starts, the processor must provide proof of compliance with technical and organisational measures.
c. The data subject must consent to processing by the processor.
d. The processor must provide a compliance statement from its data protection authority.
Answer: a

104. Which type of data subject is NOT covered by the GDPR?
a. newborn children
b. person under 18
c. person over 65
d. deceased individuals
Answer: d
105. The GDPR requires that the data controller notify the supervisory authority of a personal data breach unless:
a. there is no disclosure of financial account information
b. the number of personal data records affected is under 500
c. the breach is unlikely to result in a risk to the rights and freedoms of natural persons
d. the controller has already addressed the breach, including mitigation efforts
Answer: c

106. How is an employer obliged to proceed before engaging in the general monitoring of email traffic and internet use of all of its employees?
a. The employer must provide a prior opt-out option.
b. The employer must seek prior legal advice.
c. The employer must provide prior notice.
d. The employer must seek prior verbal consent.
Answer: c

107. Which is NOT a compatible purpose for processing data beyond the purpose originally specified at the time of collection?
a. performance of a contract
b. transferring data to an archive
c. statistical purposes
d. historical or scientific research
Answer: a

108. Along with legitimacy, what is another condition that must be met when carrying out employee monitoring?
a. The monitoring must be in the public interest.
b. The monitoring must be limited to what is necessary for the purposes.
c. The monitoring must be under an employment contract.
d. The monitoring must be held to time constraints.
Answer: b

109. Which is an example of cloud computing?
a. a software package installed on a laptop
b. a web-based email platform
c. a portable mass storage device
d. a single web-server
Answer: b

110. According to the GDPR, the right to data portability applies:
a. when the processing was based on a public interest
b. when processing was originally based on the user's consent
c. when the processing was done through automated means
d. when the processing was based on the controller's legitimate interests
Answer: b

111. The collection is part of a historical research initiative. Which is the most accurate statement concerning the obligations imposed by the GDPR?
a. As a Regulation rather than a Directive, the GDPR sets forth binding provisions for EU member states to follow without discretion.
b. The GDPR provides a framework which member states can choose to use as a basis for national legislation.
c. As a Regulation rather than a Directive, the GDPR sets forth binding provisions for EU member states to follow but it leaves them discretion in some areas.
d. The GDPR imposes binding obligations on all EU member states as well as on all countries deemed adequate by the European Commission.
Answer: c


112. Which is the most accurate statement concerning the obligations imposed by the GDPR?
a. Notification is now optional but is recommended in order to foster the transparency of any organisation's data processing activities.
b. Notification remains mandatory in order to finance the national DPSA's operations.
c. Notification is no longer required as the GDPR has switched to an accountability framework.
d. Notification is only required of processors but not controllers.
Answer: c

113. Which, according to the GDPR, is NOT a special category of data?
a. political affiliate
b. health information
c. ethnic origin
d. Social Security Number
Answer: d

114. Which institution has the power to adopt adequacy findings for the European Union?
a. Working Party 29
b. European Commission
c. European Data Protection Supervisor
d. European Court of Justice
Answer: b

115. Which exemption to the e-Privacy Directive 2002/58/EC allows the data controller to send electronic marketing information?
a. The recipients are existing customers.
b. The controller is a non-profit organisation.
c. The data subject and controller work in the same industry.
d. The recipients' email address is taken from a public register.
Answer: a

116. Which, according to the GDPR, is NOT one of the considerations that should be taken into account to determine the appropriate technical and organisational measures to ensure a level of data security appropriate to the risk?
a. cost of implementation
b. the state of the art
c. scope of processing
d. the size of the organization
Answer: d
