Full CIPP/E Exam Questions and Answers
1. Accountability
Answer The implementation of appropriate *technical and organizational measures* to ensure
and be able to *demonstrate* that the handling of personal data is performed in accordance with
relevant law, an idea codified in the EU General Data Protection Regulation and other frameworks,
including APEC's Cross Border Privacy Rules. Traditionally has been a *fair information practices
principle*, that due diligence and reasonable steps will be undertaken to ensure that personal
information will be protected and handled consistently with relevant law and other fair use principles.
2. Accuracy
Answer Organizations must take every *reasonable* step to ensure the data processed is this and,
where
*necessary*, kept up to date. Reasonable measures should be understood as implementing processes
to prevent inaccuracies during the data collection process as well as during the ongoing data processing
in relation to the specific use for which the data is processed. The organization must consider the type
of data and the specific purposes to maintain the accuracy of personal data in relation to the purpose.
Also embodies the responsibility to respond to data subject requests to correct records that contain
incomplete information or misinformation.
3. Adequate Level of Protection
Answer A transfer of personal data from the European Union to a third country
or an international organisation may take place where the European Commission has decided that the
third country, a territory or one or more specified sectors within that third country, or the international
,organisation in question, ensures this by taking into account the *following elements*; *(a)* the rule of
law, respect for *human rights* and fundamental freedoms, both *general and sectoral legislation*,
data protection rules, professional rules and security measures, effective and *enforceable data subject
rights* and *ettective administrative and judicial redress* for the data subjects whose personal data is
being transferred; *(b)* the existence and *effective* functioning of independent
*supervisory authorities* with responsibility for ensuring and enforcing compliance with the data
protection rules; (c) the *international commitments* the third country or international organisation
concerned has entered into in relation
*to the protection of personal data*.
4. Annual Reports
Answer The requirement under the GDPR that the European Data Protection Board and each
supervisory authority *periodically report on their activities*. The supervisory authority report should
include in- fringements and the activities that the authority conducted under their Article 58(2) powers.
The EDPB report should include *guidelines, recommendations, best practices and binding decisions*.
Additionally, the report should include the protection of natural persons with regard to processing in
the EU and, where relevant, in third countries and international organisations. Shall be *made public and
be transmitted to the European Parliament, to the Council and to the Commission*.
5. Anonymous Information
Answer In contrast to personal data, this is not related to an identified or an identifi-
able natural person and *cannot be combined with other information to re-identify individuals*. It has
been rendered unidentifiable and, as such, is not protected by the GDPR.
6. Anti-discrimination Laws
,Answer *indications of special classes* of personal *data*. If there exists law protect- ing
against discrimination based on a class or status, it is likely personal information relating to that class
or status is
*subject to more stringent* data protection regulation, under the GDPR or otherwise.
7. Appropriate Safeguards
Answer The GDPR refers to these in a number of contexts, *including* the *transfer* of
personal data *to third countries* outside the European Union, the processing of *special categories* of
data, *and* the processing of personal data in a *law enforcement* context. This generally refers to the
application of the general data protection principles, in particular purpose limitation, data minimisation,
limited storage periods, data quality, data protection by design and by default, legal basis for
processing, processing of special categories of personal data, measures to ensure data security, and
the requirements in respect of onward transfers to bodies not bound
by the binding corporate rules. This *may* also *refer to* the use of *encryption or pseudonymization*,
*standard* data protection *clause*s adopted by the Commission, contractual clauses authorized by a
supervisory authority, or
*certification schemes* or *codes of conduct* authorized by the Commission or a supervisory authority.
Should ensure compliance with data protection requirements and the rights of the data subjects
appropriate to processing within the European Union.
8. Appropriate Technical and Organizational Measures
Answer The GDPR requires a *risk-based
approach* to data protection, whereby organizations *take into account* the *nature*, *scope*,
*context and purposes* of processing, as well as the risks of varying *likelihood* and *severity to* the
*rights and freedoms* of natural persons, and institute policies, controls and certain technologies to
, mitigate those risks. These might help meet the obligation to keep personal data secure, including
technical safeguards against accidents and negligence or deliberate and malevolent actions, or involve
the implementation of data protection policies. These measures should be demonstrable on demand to
data protection authorities and reviewed regularly.
9. Article 29 Working Party
Answer Was a European Union organization that functioned as an *independent
advisory body* on data protection and privacy and consisted of the collected data protection authorities
of the member states. It was *replaced by* the similarly constituted European Data Protection Board
(*EDPB*) on May 25, 2018, *when* the *GDPR went into effect*.
10. Authentication
Answer The process by which an entity (such as a person or computer system) determines
whether
another entity is who it claims to be. *is required* by the GDPR *when* the data subject is *exercising
certain rights*, such as the rights to *deletion or rectification*, and might include supplying log-in
details or biometric information. However, the data controller should not be obliged to acquire additional
information in order to identify the data subject for the sole purpose of complying with any provision of
the Regulation.
11. Automated Processing
Answer A processing operation that is performed without any human intervention.
"Profiling" is defined in the GDPR, for example, as the automated processing of personal data to evaluate
certain
1. Accountability
Answer The implementation of appropriate *technical and organizational measures* to ensure
and be able to *demonstrate* that the handling of personal data is performed in accordance with
relevant law, an idea codified in the EU General Data Protection Regulation and other frameworks,
including APEC's Cross Border Privacy Rules. Traditionally has been a *fair information practices
principle*, that due diligence and reasonable steps will be undertaken to ensure that personal
information will be protected and handled consistently with relevant law and other fair use principles.
2. Accuracy
Answer Organizations must take every *reasonable* step to ensure the data processed is this and,
where
*necessary*, kept up to date. Reasonable measures should be understood as implementing processes
to prevent inaccuracies during the data collection process as well as during the ongoing data processing
in relation to the specific use for which the data is processed. The organization must consider the type
of data and the specific purposes to maintain the accuracy of personal data in relation to the purpose.
Also embodies the responsibility to respond to data subject requests to correct records that contain
incomplete information or misinformation.
3. Adequate Level of Protection
Answer A transfer of personal data from the European Union to a third country
or an international organisation may take place where the European Commission has decided that the
third country, a territory or one or more specified sectors within that third country, or the international
,organisation in question, ensures this by taking into account the *following elements*; *(a)* the rule of
law, respect for *human rights* and fundamental freedoms, both *general and sectoral legislation*,
data protection rules, professional rules and security measures, effective and *enforceable data subject
rights* and *ettective administrative and judicial redress* for the data subjects whose personal data is
being transferred; *(b)* the existence and *effective* functioning of independent
*supervisory authorities* with responsibility for ensuring and enforcing compliance with the data
protection rules; (c) the *international commitments* the third country or international organisation
concerned has entered into in relation
*to the protection of personal data*.
4. Annual Reports
Answer The requirement under the GDPR that the European Data Protection Board and each
supervisory authority *periodically report on their activities*. The supervisory authority report should
include in- fringements and the activities that the authority conducted under their Article 58(2) powers.
The EDPB report should include *guidelines, recommendations, best practices and binding decisions*.
Additionally, the report should include the protection of natural persons with regard to processing in
the EU and, where relevant, in third countries and international organisations. Shall be *made public and
be transmitted to the European Parliament, to the Council and to the Commission*.
5. Anonymous Information
Answer In contrast to personal data, this is not related to an identified or an identifi-
able natural person and *cannot be combined with other information to re-identify individuals*. It has
been rendered unidentifiable and, as such, is not protected by the GDPR.
6. Anti-discrimination Laws
,Answer *indications of special classes* of personal *data*. If there exists law protect- ing
against discrimination based on a class or status, it is likely personal information relating to that class
or status is
*subject to more stringent* data protection regulation, under the GDPR or otherwise.
7. Appropriate Safeguards
Answer The GDPR refers to these in a number of contexts, *including* the *transfer* of
personal data *to third countries* outside the European Union, the processing of *special categories* of
data, *and* the processing of personal data in a *law enforcement* context. This generally refers to the
application of the general data protection principles, in particular purpose limitation, data minimisation,
limited storage periods, data quality, data protection by design and by default, legal basis for
processing, processing of special categories of personal data, measures to ensure data security, and
the requirements in respect of onward transfers to bodies not bound
by the binding corporate rules. This *may* also *refer to* the use of *encryption or pseudonymization*,
*standard* data protection *clause*s adopted by the Commission, contractual clauses authorized by a
supervisory authority, or
*certification schemes* or *codes of conduct* authorized by the Commission or a supervisory authority.
Should ensure compliance with data protection requirements and the rights of the data subjects
appropriate to processing within the European Union.
8. Appropriate Technical and Organizational Measures
Answer The GDPR requires a *risk-based
approach* to data protection, whereby organizations *take into account* the *nature*, *scope*,
*context and purposes* of processing, as well as the risks of varying *likelihood* and *severity to* the
*rights and freedoms* of natural persons, and institute policies, controls and certain technologies to
, mitigate those risks. These might help meet the obligation to keep personal data secure, including
technical safeguards against accidents and negligence or deliberate and malevolent actions, or involve
the implementation of data protection policies. These measures should be demonstrable on demand to
data protection authorities and reviewed regularly.
9. Article 29 Working Party
Answer Was a European Union organization that functioned as an *independent
advisory body* on data protection and privacy and consisted of the collected data protection authorities
of the member states. It was *replaced by* the similarly constituted European Data Protection Board
(*EDPB*) on May 25, 2018, *when* the *GDPR went into effect*.
10. Authentication
Answer The process by which an entity (such as a person or computer system) determines
whether
another entity is who it claims to be. *is required* by the GDPR *when* the data subject is *exercising
certain rights*, such as the rights to *deletion or rectification*, and might include supplying log-in
details or biometric information. However, the data controller should not be obliged to acquire additional
information in order to identify the data subject for the sole purpose of complying with any provision of
the Regulation.
11. Automated Processing
Answer A processing operation that is performed without any human intervention.
"Profiling" is defined in the GDPR, for example, as the automated processing of personal data to evaluate
certain
