Cippe Question Bank

The document consists of a series of questions related to data protection laws, specifically focusing on the General Data Protection Regulation (GDPR) and its implications. It covers topics such as the right to privacy, data processing principles, the roles of various EU institutions, and the responsibilities of data controllers and processors. The questions aim to assess understanding of the legal framework governing personal data protection in Europe.

Uploaded by Pebble

PUBLIC

1. Which statement is correct when considering the right to privacy under Article 8 of the European
Convention on Human Rights (ECHR)?

A. The right to privacy is an absolute right

B. The right to privacy has to be balanced against other rights under the ECHR

C. The right to freedom of expression under Article 10 of the ECHR will always override the right to
privacy

D. The right to privacy protects the right to hold opinions and to receive and impart ideas without
interference

2. What is one major goal that the OECD Guidelines, Convention 108 and the Data Protection Directive
(Directive 95/46/EC) all had in common but largely failed to achieve in Europe?

A. The establishment of a list of legitimate data processing criteria

B. The creation of legally binding data protection principles

C. The synchronization of approaches to data protection

D. The restriction of cross-border data flow

3. A key component of the OECD Guidelines is the “Individual Participation Principle”.

What parts of the General Data Protection Regulation (GDPR) provide the closest equivalent to that
principle?

A. The lawful processing criteria stipulated by Articles 6 to 9

B. The information requirements set out in Articles 13 and 14

C. The breach notification requirements specified in Articles 33 and 34

D. The rights granted to data subjects under Articles 12 to 22

4. Which EU institution is vested with the competence to propose new data protection legislation on its
own initiative?

A. The European Council

B. The European Parliament


C. The European Commission

D. The Council of the European Union

5. What is an important difference between the European Court of Human Rights (ECHR) and the Court
of Justice of the European Union (CJEU) in relation to their roles and functions?

A. ECHR can rule on issues concerning privacy as a fundamental right, while the CJEU cannot.

B. CJEU can force national governments to implement and honor EU law, while the ECHR cannot.

C. CJEU can hear appeals on human rights decisions made by national courts, while the ECHR cannot.

D. ECHR can enforce human rights laws against governments that fail to implement them, while the
CJEU cannot.

6. Which institution has the power to adopt findings that confirm the adequacy of the data protection
level in a non-EU country?

A. The European Parliament

B. The European Commission

C. The Article 29 Working Party

D. The European Council

7. What is true of both the General Data Protection Regulation (GDPR) and the Council of Europe
Convention 108?

A. Both govern international transfers of personal data

B. Both govern the manual processing of personal data

C. Both only apply to European Union countries

D. Both require notification of processing activities to a supervisory authority


8. Which aspect of the GDPR will likely have the most impact on the consistent implementation of data
protection laws throughout the European Union?

A. That it essentially functions as a one-stop shop mechanism

B. That it takes the form of a Regulation as opposed to a Directive

C. That it makes notification of large-scale data breaches mandatory

D. That it makes appointment of a data protection officer mandatory

9. How is the retention of communications traffic data for law enforcement purposes addressed by
European data protection law?

A. The ePrivacy Directive allows individual EU member states to engage in such data retention.

B. The ePrivacy Directive harmonizes EU member states’ rules concerning such data retention.

C. The Data Retention Directive’s annulment makes such data retention now permissible.

D. The GDPR allows the retention of such data for the prevention, investigation, detection or prosecution of criminal offences only.

10. What type of data lies beyond the scope of the General Data Protection Regulation?

A. Pseudonymized

B. Anonymized

C. Encrypted

D. Masked

11. Under what circumstances would the GDPR apply to personal data that exists in physical form, such
as information contained in notebooks or hard copy files?

A. Only where the personal data is produced as a physical output of specific automated processing activities, such as printing, labelling, or stamping.

B. Only where the personal data is to be subjected to specific computerized processing, such as image scanning or optical character recognition.

C. Only where the personal data is treated by automated means in some way, such as computerized
distribution or filing.

D. Only where the personal data is handled in a sufficiently structured manner so as to form part of a
filing system.

12. Which of the following would most likely NOT be covered by the definition of “personal data” under
the GDPR?

A. The payment card number of a Dutch citizen

B. The U.S. social security number of an American citizen living in France

C. The unlinked aggregated data used for statistical purposes by an Italian company

13. Which of the following would MOST likely trigger the extraterritorial effect of the GDPR, as specified
by Article 3?

A. The behavior of suspected terrorists being monitored by EU law enforcement bodies.

B. Personal data of EU citizens being processed by a controller or processor based outside the EU.

C. The behavior of EU citizens outside the EU being monitored by non-EU law enforcement bodies.

D. Personal data of EU residents being processed by a non-EU business that targets EU customers.

14. How does the GDPR now define “processing”?

A. Any act involving the collecting and recording of personal data.

B. Any operation or set of operations performed on personal data or on sets of personal data.

C. Any use or disclosure of personal data compatible with the purpose for which the data was collected.

D. Any operation or set of operations performed by automated means on personal data or on sets of
personal data.

15. What is the consequence if a processor makes an independent decision regarding the purposes and
means of processing it carries out on behalf of a controller?

A. The controller will be liable to pay an administrative fine

B. The processor will be liable to pay compensation to affected data subjects

C. The processor will be considered to be a controller in respect of the processing concerned

D. The controller will be required to demonstrate that the unauthorized processing negatively affected
one or more of the parties involved

16. According to the GDPR, how is pseudonymous personal data defined?

A. Data that can no longer be attributed to a specific data subject without the use of additional
information kept separately.

B. Data that can no longer be attributed to a specific data subject, with no possibility of re- identifying
the data.

C. Data that has been rendered anonymous in such a manner that the data subject is no longer
identifiable.

D. Data that has been encrypted or is subject to other technical safeguards.

17. Under which of the following conditions does the General Data Protection Regulation NOT apply to
the processing of personal data?

A. When the personal data is processed only in non-electronic form

B. When the personal data is collected and then pseudonymised by the controller

C. When the personal data is held by the controller but not processed for further purposes

D. When the personal data is processed by an individual only for their household activities

18. According to the E-Commerce Directive 2000/31/EC, where is the place of “establishment” for a
company providing services via an Internet website confirmed by the GDPR?

A. Where the technology supporting the website is located

B. Where the website is accessed

C. Where the decisions about processing are made

D. Where the customer’s Internet service provider is located

19. Under the GDPR, who would be LEAST likely to be allowed to engage in the collection, use, and
disclosure of a data subject’s sensitive medical information without the data subject’s knowledge or
consent?

A. A member of the judiciary involved in adjudicating a legal dispute involving the data subject and concerning the health of the data subject.

C. A health professional involved in the medical care for the data subject, where the data subject’s life
hinges on the timely dissemination of such information.

D. A journalist writing an article relating to the medical condition in question, who believes that the
publication of such information is in the public interest.

20. With the issue of consent, the GDPR allows member states some choice regarding what?

A. The mechanisms through which consent may be communicated

B. The circumstances in which silence or inactivity may constitute consent

C. The age at which children must be required to obtain parental consent

D. The timeframe in which data subjects are allowed to withdraw their consent

21. Which sentence BEST summarizes the concepts of “fairness,” “lawfulness” and “transparency”, as
expressly required by Article 5 of the GDPR?

A. Fairness and transparency refer to the communication of key information before collecting data; lawfulness refers to compliance with government regulations.


B. Fairness refers to limiting the amount of data collected from individuals; lawfulness refers to the
approval of company guidelines by the state; transparency solely relates to communication of key
information before collecting data.

C. Fairness refers to the security of personal data; lawfulness and transparency refers to the analysis of
ordinances to ensure they are uniformly enforced.

D. Fairness refers to the collection of data from diverse subjects; lawfulness refers to the need for legal
rules to be uniform; transparency refers to giving individuals access to their data.

22. Article 5(1)(b) of the GDPR states that personal data must be “collected for specified, explicit and
legitimate purposes and not further processed in a way incompatible with those purposes.” Based on
Article 5(1)(b), what is the impact of a member state’s interpretation of the word “incompatible”?

A. It dictates the level of security a processor must follow when using and storing personal data for two
different purposes.

B. It guides the courts on the severity of the consequences for those who are convicted of the
intentional misuse of personal data.

C. It sets the standard for the level of detail a controller must record when documenting the purpose for
collecting personal data.

23. Tanya is the Data Protection Officer for Curtains Inc., a GDPR data controller. She has recommended
that the company encrypt all personal data at rest.

Which GDPR principle is she following?

A. Accuracy

B. Storage Limitation

C. Integrity and confidentiality

D. Lawfulness, fairness and transparency

24. A well-known video production company, based in Spain but specializing in documentaries filmed
worldwide, has just finished recording several hours of footage featuring senior citizens in the streets of
Madrid. Under what condition would the company NOT be required to obtain the consent of everyone
whose image they use for their documentary?

A. If obtaining consent is deemed to involve disproportionate effort.


B. If obtaining consent is deemed voluntary by local legislation.

C. If the company limits the footage to data subjects solely of legal age.

D. If the company’s status as a documentary provider allows it to claim legitimate interest.

25. A Spanish electricity customer calls her local supplier with questions about the company’s upcoming
merger. Specifically, the customer wants to know the recipients to whom her personal data will be
disclosed once the merger is final. According to Article 13 of the GDPR, what must the company do
before providing the customer with the requested information?

A. Verify that the request is applicable to the data collected before the GDPR entered into force.

B. Verify that the purpose of the request from the customer is in line with the GDPR.

C. Verify that the personal data has not already been sent to the customer.

D. Verify that the identity of the customer can be proven by other means.

26. Under the GDPR, where personal data is not obtained directly from the data subject, a controller is
exempt from directly providing information about processing to the data subject if?

A. The data subject already has information regarding how his data will be used

B. The provision of such information to the data subject would be too problematic

C. Third-party data would be disclosed by providing such information to the data subject

D. The processing of the data subject’s data is protected by appropriate technical measures

27. In 2016’s Guidance, the United Kingdom’s Information Commissioner’s Office (ICO) reaffirmed the importance of using a “layered notice” to provide data subjects with what?

A. A privacy notice containing brief information whilst offering access to further detail.

B. A privacy notice explaining the consequences for opting out of the use of cookies on a website.

C. An explanation of the security measures used when personal data is transferred to a third party.

D. An efficient means of providing written consent in member states where they are required to do so.

28. When collecting personal data in a European Union (EU) member state, what must a company do if
it collects personal data from a source other than the data subjects themselves?

A. Inform the subjects about the collection

B. Provide a public notice regarding the data

C. Upgrade security to match that of the source

D. Update the data within a reasonable timeframe

29. Under the GDPR, which essential pieces of information must be provided to data subjects before
collecting their personal data?

A. The authority by which the controller is collecting the data and the third parties to whom the data will be sent.

B. The name/s of relevant government agencies involved and the steps needed for revising the data.

C. The identity and contact details of the controller and the reasons the data is being collected.

D. The contact information of the controller and a description of the retention policy.

30. Assuming that the “without undue delay” provision is followed, what is the time limit for complying
with a data access request?

A. Within 40 days of receipt

B. Within 40 days of receipt, which may be extended by up to 40 additional days

C. Within one month of receipt, which may be extended by up to an additional month

D. Within one month of receipt, which may be extended by an additional two months

31. A U.S.-based online shop uses sophisticated software to track the browsing behavior of its European customers and predict future purchases. It also shares this information with third parties. Under the GDPR, what is the online shop’s PRIMARY obligation while engaging in this kind of profiling?

A. It must solicit informed consent through a notice on its website

B. It must seek authorization from the European supervisory authorities

C. It must be able to demonstrate a prior business relationship with the customers

D. It must prove that it uses sufficient security safeguards to protect customer data

32. Which of the following would NOT be relevant when determining if a processing activity would be
considered profiling?

A. If the processing is to be performed by a third-party vendor

B. If the processing involves data that is considered personal data

C. If the processing of the data is done through automated means

D. If the processing is used to predict the behavior of data subjects

33. Under Article 21 of the GDPR, a controller must stop profiling when requested by a data subject,
unless it can demonstrate compelling legitimate grounds that override the interests of the individual.

In the Guidelines on Automated individual decision-making and Profiling, the WP 29 says the controller
needs to do all of the following to demonstrate that it has such legitimate grounds EXCEPT?

A. Carry out an exercise that weighs the interests of the controller and the basis for the data subject’s
objection.

B. Consider the impact of the profiling on the data subject’s interest, rights and freedoms.

C. Demonstrate that the profiling is for the purposes of direct marketing.

D. Consider the importance of the profiling to their particular objective.

34. Company X has entrusted the processing of their payroll data to Provider Y. Provider Y stores this
encrypted data on its server. The IT department of Provider Y finds out that someone managed to hack
into the system and take a copy of the data from its server.

In this scenario, whom does Provider Y have the obligation to notify?

A. The public

B. Company X

C. Law enforcement

D. The supervisory authority

35. When hiring a data processor, which action would a data controller NOT be able to depend upon to avoid liability in the event of a security breach?

A. Documenting due diligence steps taken in the pre-contractual stage.

B. Conducting a risk assessment to analyze possible outsourcing threats.

C. Requiring that the processor directly notify the appropriate supervisory authority.

D. Maintaining evidence that the processor was the best possible market choice available.

36. WP29’s “Guidelines on Personal data breach notification under Regulation 2016/679’’ provides
examples of ways to communicate data breaches transparently.

Which of the following was listed as a method that would NOT be effective for communicating a breach
to data subjects?

A. A postal notification

B. A direct electronic message

C. A notice on a corporate blog

D. A prominent advertisement in print media

37. Which of the following would require designating a data protection officer?

A. Processing is carried out by an organization employing 250 persons or more.

B. Processing is carried out for the purpose of providing for-profit goods or services to individuals in the EU.

C. The core activities of the controller or processor consist of processing operations of financial information or information relating to children.

D. The core activities of the controller or processor consist of processing operations that require
systematic monitoring of data subjects on a large scale.

38. Which of the following describes a mandatory requirement for a group of undertakings that wants to
appoint a single data protection officer?

A. The group of undertakings must obtain approval from a supervisory authority.

B. The group of undertakings must be comprised of organizations of similar sizes and functions.

C. The data protection officer must be located in the country where the data controller has its main establishment.

D. The data protection officer must be easily accessible from each establishment where the
undertakings are located.

39. What obligation does a data controller or processor have after appointing a data protection officer?

A. To ensure that the data protection officer receives sufficient instructions regarding the exercise of his
or her defined tasks.

B. To provide resources necessary to carry out the defined tasks of the data protection officer and to
maintain his or her expert knowledge.

C. To ensure that the data protection officer acts as the sole point of contact for individuals’ questions
about their personal data.

D. To submit for approval to the data protection officer a code of conduct to govern organizational
practices and demonstrate compliance with data protection principles.

40. When is a data sharing agreement MOST likely to be needed?

A. When anonymized data is being shared.

B. When personal data is being shared between commercial organizations acting as joint data controllers.

C. When personal data is being proactively shared by a controller to support a police investigation.

D. When personal data is being shared with a public authority with powers to require the personal data
to be disclosed.

41. An employee of company ABCD has just noticed a memory stick containing records of client data,
including their names, addresses and full contact details has disappeared. The data on the stick is
unencrypted and in clear text. It is uncertain what has happened to the stick at this stage, but it likely
was lost during the travel of an employee.

What should the company do?

A. Notify as soon as possible the data protection supervisory authority that a data breach may have
taken place.

B. Launch an investigation and if nothing is found within one month, notify the data protection
supervisory authority.

C. Invoke the “disproportionate effort” exception under Article 33 to postpone notifying data subjects
until more information can be gathered.

D. Immediately notify all the customers of the company that their information has been accessed by an
unauthorized person.

42. Which of the following does NOT have to be included in the records most processors must maintain
in relation to their data processing activities?

A. Name and contact details of each controller on behalf of which the processor is acting.

B. Categories of processing carried out on behalf of each controller for which the processor is acting.

C. Details of transfers of personal data to a third country carried out on behalf of each controller for which the processor is acting.

D. Details of any data protection impact assessment conducted in relation to any processing activities
carried out by the processor on behalf of each controller for which the processor is acting.

43. An unforeseen power outage results in company Z’s lack of access to customer data for six hours.
According to article 32 of the GDPR, this is considered a breach. Based on the WP 29’s February, 2018
guidance, company Z should do which of the following?

A. Notify affected individuals that their data was unavailable for a period of time.

B. Document the loss of availability to demonstrate accountability

C. Notify the supervisory authority about the loss of availability

D. Conduct a thorough audit of all security systems

44. In addition to the European Commission, who can adopt standard contractual clauses, assuming that
all required conditions are met?

A. Approved data controllers.

B. The Council of the European Union.

C. National data protection authorities.

D. The European Data Protection Supervisor.

45. A company is located in a country NOT considered by the European Union (EU) to have an adequate
level of data protection.

Which of the following is an obligation of the company if it imports personal data from another
organization in the European Economic Area (EEA) under standard contractual clauses?

A. Submit the contract to its own government authority.

B. Ensure that notice is given to and consent is obtained from data subjects.

C. Supply any information requested by a data protection authority (DPA) within 30 days.

D. Ensure that local laws do not impede the company from meeting its contractual obligations.

46. Which of the following countries will continue to enjoy adequacy status under the GDPR, pending
any future European Commission decision to the contrary?

A. Greece

B. Norway

C. Australia

D. Switzerland

47. A company is hesitating between Binding Corporate Rules and Standard Contractual Clauses as a
global data transfer solution.

Which of the following statements would help the company make an effective decision?

A. Binding Corporate Rules are especially recommended for small and medium companies.

B. The data exporter does not need to be located in the EU for the standard Contractual Clauses.

C. Binding Corporate Rules provide a global solution for all the entities of a company that are bound by
the intra-group agreement.

D. The company will need the prior authorization of all EU data protection authorities for concluding
Standard Contractual Clauses.

48. Under the GDPR, which of the following is true in regard to adequacy decisions involving cross-
border transfers?

A. The European Commission can adopt an adequacy decision for individual companies.

B. The European Commission can adopt, repeal or amend an existing adequacy decision.

C. EU member states are vested with the power to accept or reject a European Commission adequacy
decision.

D. To be considered as adequate, third countries must implement the EU General Data Protection
Regulation into their national legislation.

49. Under Article 58 of the GDPR, which of the following describes a power of supervisory authorities in
European Union (EU) member states?

A. The ability to enact new laws by executive order.

B. The right to access data for investigative purposes.


C. The discretion to carry out goals of elected officials within the member state.

D. The authority to select penalties when a controller is found guilty in a court of law.

50. The GDPR specifies fines that may be levied against data controllers for certain infringements. Which
of the following infringements would be subject to the less severe administrative fine of up to 10 million
euros (or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the
preceding financial year)?

A. Failure to demonstrate that consent was given by the data subject to the processing of their personal
data where it is used as the basis for processing.

B. Failure to implement technical and organizational measures to ensure data protection is enshrined by
design and default.

C. Failure to process personal information in a manner compatible with its original purpose.

D. Failure to provide the means for a data subject to rectify inaccuracies in personal data.

51. What is the MAIN reason GDPR Article 4(22) establishes the concept of the “concerned supervisory
authority”?

A. To encourage the consistency of local data processing activity.

B. To give corporations a choice about who their supervisory authority will be.

C. To ensure the GDPR covers controllers that do not have an establishment in the EU but have a
representative in a member state.

D. To ensure that the interests of individuals residing outside the lead authority’s jurisdiction are
represented.

52. Which area of privacy is a lead supervisory authority’s (LSA) MAIN concern?

A. Data subject rights

B. Data access disputes

C. Cross-border processing

D. Special categories of data

53. If a multi-national company wanted to conduct background checks on all current and potential
employees, including those based in Europe, what key provision would the company have to follow?

A. Background checks on employees could be performed only under prior notice to all employees.

B. Background checks are only authorized with prior notice and express consent from all employees including those based in Europe.

C. Background checks on European employees will stem from data protection and employment law,
which can vary between member states.

D. Background checks may not be allowed on European employees, but the company can create lists
based on its legitimate interests, identifying individuals who are ineligible for employment.

54. Why is it advisable to avoid consent as a legal basis for an employer to process employee data?

A. Employee data can only be processed if there is an approval from the data protection officer.

B. Consent may not be valid if the employee feels compelled to provide it.

C. An employer might have difficulty obtaining consent from every employee.

D. Data protection laws do not apply to processing of employee data.

55. What is true if an employee makes an access request to his employer for any personal data held
about him?

A. The employer can automatically decline the request if it contains personal data about a third person.

B. The employer can decline the request if the information is only held electronically.

C. The employer must supply all the information held about the employee.

D. The employer must supply any information held about an employee unless an exemption applies.

56. Read the following steps:

- Discover which employees are accessing cloud services and from which devices and apps

- Lock down the data in those apps and devices

- Monitor and analyze the apps and devices for compliance

- Manage application life cycles

- Monitor data sharing

An organization should perform these steps to do which of the following?

A. Pursue a GDPR-compliant Privacy by Design process.

B. Institute a GDPR-compliant employee monitoring process.

C. Maintain a secure Bring Your Own Device (BYOD) program.


D. Ensure cloud vendors are complying with internal data use policies.

57. If a company is planning to use closed-circuit television (CCTV) on its premises and is concerned with
GDPR compliance, it should first do all of the following EXCEPT?

A. Notify the appropriate data protection authority.

B. Perform a data protection impact assessment (DPIA).

C. Create an information retention policy for those who operate the system.

D. Ensure that safeguards are in place to prevent unauthorized access to the footage.

58. Based on GDPR Article 35, which of the following situations would trigger the need to complete a
DPIA?

A. A company wants to combine location data with other data in order to offer more personalized
service for the customer.

B. A company wants to use location data to infer information on a person’s clothes purchasing habits.

C. A company wants to build a dating app that creates candidate profiles based on location data and
data from third-party sources.

D. A company wants to use location data to track delivery trucks in order to make the routes more
efficient.

59. In which of the following cases would an organization MOST LIKELY be required to follow both
ePrivacy and data protection rules?

A. When creating an untargeted pop-up ad on a website.

B. When calling a potential customer to notify her of an upcoming product sale.

C. When emailing a customer to announce that his recent order should arrive earlier than expected.

D. When paying a search engine company to give prominence to certain products and services within
specific search results.

60. What permissions are required for a marketer to send an email marketing message to a consumer in
the EU?

A. A prior opt-in consent for consumers unless they are already customers.

B. A pre-checked box stating that the consumer agrees to receive email marketing.

C. A notice that the consumer’s email address will be used for marketing purposes.

D. No prior permission required, but an opt-out requirement on all emails sent to consumers.

61. Under what circumstances might the “soft opt-in” rule apply in relation to direct marketing?

A. When an individual has not consented to the marketing.

B. When an individual’s details are obtained from their inquiries about buying a product.

C. Where an individual’s details have been obtained from a bought-in marketing list.

D. Where an individual is given the ability to unsubscribe from marketing emails sent to him.

62. What should a controller do after a data subject opts out of a direct marketing activity?

A. Without exception, securely delete all personal data relating to the data subject.

B. Without undue delay, provide information to the data subject on the action that will be taken.

C. Refrain from processing personal data relating to the data subject for the relevant type

of communication.

D. Take reasonable steps to inform third-party recipients that the data subject’s personal data should be
deleted and no longer processed.

63. How is the GDPR’s position on consent MOST likely to affect future app design and implementation?

A. App developers will expand the amount of data necessary to collect for an app’s functionality.

B. Users will be given granular types of consent for particular types of processing.

C. App developers’ responsibilities as data controllers will increase.

D. Users will see fewer advertisements when using apps.

64. A mobile device application that uses cookies will be subject to the consent requirement of which of
the following?

A. The ePrivacy Directive

B. The E-Commerce Directive

C. The Data Retention Directive

D. The EU Cybersecurity Directive

65. What term BEST describes the European model for data protection?

A. Sectoral

B. Self-regulatory

C. Market-based

D. Comprehensive

66. What was the aim of the European Data Protection Directive 95/46/EC?

A. To harmonize the implementation of the European Convention of Human Rights across all member states.

B. To implement the OECD Guidelines on the Protection of Privacy and trans-border flows of Personal Data.

C. To completely prevent the transfer of personal data out of the European Union.

D. To further reconcile the protection of the fundamental rights of individuals with the free flow of data from one member state to another.

67. What is the key difference between the European Council and the Council of the European Union?

A. The Council of the European Union is helmed by a president.

B. The Council of the European Union has a degree of legislative power.

C. The European Council focuses primarily on issues involving human rights.

D. The European Council is comprised of the heads of each EU member state.

68. Which change was introduced by the 2009 amendments to the e-Privacy Directive 2002/58/EC?

A. A voluntary notification for personal data breaches applicable to all data controllers.

B. A voluntary notification for personal data breaches applicable to electronic communication providers.

C. A mandatory notification for personal data breaches applicable to all data controllers.

D. A mandatory notification for personal data breaches applicable to electronic communication providers.

69. What is a reason the European Court of Justice declared the Data Retention Directive invalid in
2014?

A. The requirements affected individuals without exception.



B. The requirements were financially burdensome to EU businesses.

C. The requirements specified that data must be held within the EU.

D. The requirements had limitations on how national authorities could use data.

70. Which type of personal data does the GDPR define as a “special category” of personal data?

A. Educational history.

B. Trade-union membership.

C. Closed Circuit Television (CCTV) footage.

D. Financial information.

71. After leaving the EU under the terms of Brexit, the United Kingdom will seek an adequacy
determination.

What is the reason for this?

A. The Insurance Commissioner determined that an adequacy determination is required by the Data Protection Act.

B. Adequacy determinations automatically lapse when a Member State leaves the EU.

C. The UK is now a third country because it’s no longer subject to the GDPR.

D. The UK is less trustworthy now that it’s not part of the Union.

72. To which of the following parties does the territorial scope of the GDPR NOT apply?

A. All member countries of the European Economic Area.

B. All member countries party to the Treaty of Lisbon.

C. All member countries party to the Paris Agreement.

D. All member countries of the European Union.

73. What must a data controller do in order to make personal data pseudonymous?

A. Separately hold any information that would allow linking the data to the data subject.

B. Encrypt the data in order to prevent any unauthorized access or modification.

C. Remove all indirect data identifiers and dispose of them securely.

D. Use the data only in aggregated form for research purposes.
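The definition behind option A (GDPR Art. 4(5): the data can no longer be attributed to a subject without additional information that is kept separately and under its own technical and organisational measures) is easy to get wrong in practice. The Python below is an added illustration, not part of the question bank: it shows why an unkeyed hash of an identifier is not real pseudonymisation (a dictionary attack recovers it), and how a keyed HMAC token with the key held apart lets the controller still link a subject's records (for example to answer an access request) while a party holding only the dataset cannot. The sample records, email addresses and the PseudonymisationKey class are constructed for the example.

```python
"""Pseudonymisation with the re-linking information held separately.

Added example illustrating GDPR Art. 4(5); sample data below is constructed.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample dataset (fictitious people).
RECORDS = [
    {"email": "alice@example.org", "postcode": "28001", "spend": 120},
    {"email": "bob@example.org", "postcode": "08002", "spend": 45},
    {"email": "alice@example.org", "postcode": "28001", "spend": 30},
]


def naive_token(identifier: str) -> str:
    """Unkeyed hash. Looks pseudonymous, but anyone who can enumerate
    plausible identifiers can recompute it and re-identify the row."""
    return hashlib.sha256(identifier.encode()).hexdigest()[:16]


class PseudonymisationKey:
    """The 'additional information' of Art. 4(5): a secret HMAC key that is
    stored and access-controlled separately from the pseudonymised dataset.
    (Hypothetical class written for this example.)"""

    def __init__(self, key: Optional[bytes] = None):
        self.key = key if key is not None else secrets.token_bytes(32)

    def token(self, identifier: str) -> str:
        # Deterministic: the same person always maps to the same token, so
        # records can be linked within the dataset without revealing who it is.
        return hmac.new(self.key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records: list, key: PseudonymisationKey) -> list:
    """Replace the direct identifier with a keyed token; keep the other fields."""
    return [
        {"token": key.token(r["email"]), "postcode": r["postcode"], "spend": r["spend"]}
        for r in records
    ]


def records_for(identifier: str, dataset: list, key: PseudonymisationKey) -> list:
    """Re-linking path for the key holder only (e.g. locating a data subject's
    rows for a subject access request): recompute the token, then filter."""
    wanted = key.token(identifier)
    return [r for r in dataset if hmac.compare_digest(r["token"], wanted)]


def attacker_dictionary(tokens: set, guesses: list, fn) -> dict:
    """Dictionary attack by someone holding the dataset but not the key:
    recompute fn() over guessed identifiers and match against leaked tokens.
    Returns {token: identifier} for every hit."""
    hits = {}
    for g in guesses:
        t = fn(g)
        if t in tokens:
            hits[t] = g
    return hits


if __name__ == "__main__":
    key = PseudonymisationKey()
    dataset = pseudonymise(RECORDS, key)
    guesses = ["alice@example.org", "carol@example.org"]

    # Naive hashing: the attacker recovers Alice from the 'pseudonymised' data.
    naive_tokens = {naive_token(r["email"]) for r in RECORDS}
    print("naive hits:", attacker_dictionary(naive_tokens, guesses, naive_token))

    # Keyed tokens: the same dictionary attack finds nothing without the key.
    keyed_tokens = {r["token"] for r in dataset}
    print("keyed hits:", attacker_dictionary(keyed_tokens, guesses, naive_token))

    # The key holder can still link a subject's records.
    print("alice's rows:", records_for("alice@example.org", dataset, key))
```

The controller-side check this suggests: the key (or a token-to-identifier lookup table, which is the other common design) must live in a store that the analysts working on the pseudonymised data cannot read, otherwise the data is not pseudonymous "in relation to" those analysts at all. Rotating the key re-pseudonymises the whole dataset, so it also breaks any longitudinal linkage; decide that trade-off up front.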

74. Which of the following entities would most likely be exempt from complying with the GDPR?

A. A South American company that regularly collects European customers’ personal data.

B. A company that stores all customer data in Australia and is headquartered in a European Union (EU) member state.

C. A Chinese company that has opened a satellite office in a European Union (EU) member state to service European customers.

D. A North American company servicing customers in South Africa that uses a cloud storage system
made by a European company.

75. Article 29 Working Party has emphasized that the GDPR forbids “forum shopping”, which occurs when companies do what?

A. Choose the data protection officer that is most sympathetic to their business concerns.

B. Designate their main establishment in member state with the most flexible practices.

C. File appeals of infringement judgments with more than one EU institution simultaneously.

D. Select third-party processors on the basis of cost rather than quality of privacy protection.

76. Under Article 9 of the GDPR, which of the following categories of data is NOT expressly prohibited
from data processing?

A. Personal data revealing ethnic origin.

B. Personal data revealing genetic data.

C. Personal data revealing financial data.

D. Personal data revealing trade union membership.

77. When does the GDPR provide more latitude for a company to process data beyond its original
collection purpose?

A. When the data has been pseudonymized.

B. When the data is protected by technological safeguards.

C. When the data serves legitimate interest of third parties.

D. When the data subject has failed to use a provided opt-out mechanism.

78. In which situation would a data controller most likely be able to justify the processing of the data of
a child without parental consent?

A. When the data is to be processed for market research.

B. When providing preventive or counselling services to the child.

C. When providing the child with materials purely for educational use.

D. When a legitimate business interest makes obtaining consent impractical.

79. An organization receives a request multiple times from a data subject seeking to exercise his rights
with respect to his own personal data.

Under what condition can the organization charge the data subject for processing the request?

A. Only where the organization can show that it is reasonable to do so because more than one request was made.

B. Only to the extent this is allowed under the restrictions on data subjects’ rights introduced under Art 23 of GDPR.

C. Only where the administrative costs of taking the action requested exceeds a certain threshold.

D. Only if the organization can demonstrate that the request is clearly excessive or misguided.

80. Which GDPR principle would a Spanish employer most likely depend upon to annually send the
personal data of its employees to the national tax authority?

A. The consent of the employees.

B. The legal obligation of the employer.

C. The legitimate interest of the public administration.

D. The protection of the vital interest of the employees.

81. An online company’s privacy practices vary due to the fact that it offers a wide variety of services.
How could it best address the concern that explaining them all would make the policies
incomprehensible?

A. Use a layered privacy notice on its website and in its email communications.

B. Identify uses of data in a privacy notice mailed to the data subject.

C. Provide only general information about its processing activities and offer a toll-free number for more information.

D. Place a banner on its website stipulating that visitors agree to its privacy policy and terms of use by visiting the site.

82. The GDPR requires controllers to supply data subjects with detailed information about the
processing of their data. Where a controller obtains data directly from data subjects, which of the
following items of information does NOT legally have to be supplied?

A. The recipients or categories of recipients.

B. The categories of personal data concerned.

C. The rights of access, erasure, restriction, and portability.

D. The right to lodge a complaint with a supervisory authority.

83. According to Article 14 of the GDPR, how long does a controller have to provide a data subject with
necessary privacy information, if that subject’s personal data has been obtained from other sources?

A. As soon as possible after obtaining the personal data.

B. As soon as possible after the first communication with the data subject.

C. Within a reasonable period after obtaining the personal data, but no later than one month.

D. Within a reasonable period after obtaining the personal data, but no later than eight weeks.

84. When would a data subject NOT be able to exercise the right to portability?

A. When the processing is necessary to perform a task in the exercise of authority vested in the
controller.

B. When the processing is carried out pursuant to a contract with the data subject.

C. When the data was supplied to the controller by the data subject.

D. When the processing is based on consent.

85. In

consent for processing?

A. When she is leaving her bank and moving to another bank.

B. When she has recently changed jobs and no longer works for the same company.

C. When she disagrees with a diagnosis her doctor has recorded on her records.

D. When she no longer wishes to be sent marketing materials from an organization.

86. As a result of the European Court of Justice’s ruling in the case of Google v. Spain, search engines outside the EEA are also likely to be subject to the Regulation’s right to be forgotten. This holds true if the activities of an EU subsidiary and its U.S. parent are what?

A. Supervised by the same Data Protection Officer.

B. Consistent with Privacy Shield requirements.

C. Bound by a standard contractual clause.

D. Inextricably linked in their businesses.

87. A German data subject was the victim of an embarrassing prank 20 years ago. A newspaper website
published an article about the prank at the time, and the article is still available on the newspaper’s
website. Unfortunately, the prank is the top search result when a user searches on the victim’s name.
The data subject requests that SearchCo delist this result. SearchCo agrees, and instructs its technology
team to avoid scanning or indexing the article.

What else must SearchCo do?

A. Notify the newspaper that it is delisting the article.

B. Fully erase the URL to the content, as opposed to delist which is mainly based on data subject’s name.

C. Identify other controllers who are processing the same information and inform them of the delisting
request.

D. Prevent the article from being listed in search results no matter what search terms are entered into
the search engine.

88. What are the obligations of a processor that engages a sub-processor?

A. The processor must give the controller prior written notice and perform a preliminary audit of the sub-processor.

B. The processor must obtain the controller’s specific written authorization and provide annual reports on the sub-processor’s performance.

C. The processor must receive a written agreement that the sub-processor will be fully liable to the controller for the performance of its obligations in relation to the personal data concerned.

D. The processor must obtain the consent of the controller and ensure the sub-processor complies with
d

89. What must be included in a written agreement between the controller and processor in relation to
processing conducted on the controller’s behalf?

A. An obligation on the processor to report any personal data breach to the controller within 72 hours.

B. An obligation on both parties to report any serious personal data breach to the supervisory authority.

C. An obligation on both parties to agree to a termination of the agreement if the other party is responsible for a personal data breach.

D. An obligation on the processor to assist the controller in complying with the controller’s obligations
to notify the supervisory authority about personal data breaches.

90. To provide evidence of GDPR compliance, a company performs an internal audit. As a result, it finds
a data base, password-protected, listing all the social network followers of the client. Regarding the
domain of the controller-processor relationships, how is this situation considered?

A. Compliant with the security principle, because the data base is password-protected.

B. Non-compliant, because the storage of the data exceeds the tasks contractually authorized by the
controller.

C. Not applicable, because the data base is password protected, and therefore is not at risk of identifying
any data subject.

D. Compliant with the storage limitation principle, so long as the internal auditor permanently deletes
the data base.

91. There are three domains of security covered by Article 32 of the GDPR that apply to both the
controller and the processor. These include all of the following EXCEPT?

A. Consent management and withdrawal.

B. Incident detection and response.

C. Preventative security.

D. Remedial security.

92. In the event of a data breach, which type of information are data controllers NOT required to
provide to either the supervisory authorities or the data subjects?

A. The predicted consequences of the breach.



B. The measures being taken to address the breach.

C. The type of security safeguards used to protect the data.

D. The contact details of the appropriate data protection officer.

93. In which case would a controller who has undertaken a DPIA most likely need to consult with a
supervisory authority?

A. Where the DPIA identifies that personal data needs to be transferred to other countries outside of the EEA.

B. Where the DPIA identifies high risks to individuals’ rights and freedoms that the controller can take steps to reduce.

C. Where the DPIA identifies that the processing being proposed collects the sensitive data of EU
citizens.

D. Where the DPIA identifies risks that will require insurance for protecting its business interests.

94. According to the GDPR, what is the main task of a Data Protection Officer (DPO)?

A. To create and maintain records of processing activities.

B. To conduct Privacy Impact Assessments on behalf of the controller or processor.

C. To monitor compliance with other local or European data protection provisions.

D. To create procedures for notification of personal data breaches to competent supervisory authorities.

95. In which of the following cases, cited as an example by a WP29 guidance, would conducting a single
data protection impact assessment to address multiple processing operations be allowed?

A. A medical organization that wants to begin genetic testing to support earlier research for which they have performed a DPIA.

B. A data controller who plans to use a new technology product that has already undergone a DPIA by the product’s provider.

C. A marketing team that wants to collect mailing addresses of customers for whom they already have email addresses.

D. A railway operator who plans to evaluate the same video surveillance in all the train stations of his
company.

96. Under Article 30 of the GDPR, controllers are required to keep records of all of the following
EXCEPT?

A. Incidents of personal data breaches, whether disclosed or not.

B. Data inventory or data mapping exercises that have been conducted.

C. Categories of recipients to whom the personal data have been disclosed.

D. Retention periods for erasure and deletion of categories of personal data.

97. In which scenario is a Controller most likely required to undertake a Data Protection Impact
Assessment?

A. When the controller is collecting email addresses from individuals via an online registration form for
marketing purposes.

B. When personal data is being collected and combined with other personal data to profile the
creditworthiness of individuals.

C. When the controller is required to have a Data Protection Officer.

D. When personal data is being transferred outside of the EEA.

98. Which of the following demonstrates compliance with the accountability principle found in Article 5,
Section 2 of the GDPR?

A. Anonymizing special categories of data.

B. Conducting regular audits of the data protection program.

C. Getting consent from the data subject for a cross border data transfer.

D. Encrypting data in transit and at rest using strong encryption algorithms.

99. Which mechanism, new to the GDPR, now allows for the possibility of personal data transfers to
third countries under Article 42?

A. Approved certifications.

B. Binding corporate rules.

C. Law enforcement requests.

D. Standard contractual clauses.



100.Which sentence best describes proper compliance for an international organization using Binding
Corporate Rules (BCRs) as a controller or processor?

A. Employees must sign an ad hoc contractual agreement each time personal data is exported.

B. All employees are subject to the rules in their entirety, regardless of where the work is taking place.

C. All employees must follow the privacy regulations of the jurisdictions where the current scope of their
work is established.

D. Employees who control personal data must complete a rigorous certification procedure, as they are
exempt from legal enforcement.
